Page 81 - Cyber Defense eMagazine - October 2017

Identify the “intrusion kill chain” to stop data breaches in their tracks
By François Amigorena, CEO, IS Decisions


To fight a cybercriminal, you have to think like a cybercriminal. If you know how attackers work, how they think and how they act, you stand a better chance of predicting what their next move is going to be, and of stopping it before it happens.

The good news is that most attacks today follow a similar pattern. Attackers gain undetected entry by getting hold of an employee’s login credentials, then expand slowly but surely through your network until they find data of value. In fact, obtaining logins has become such a valuable step that compromised credentials are used in 75% of data breaches today.

But if you understand exactly how attackers conduct themselves at each stage of this “intrusion kill chain”, you can put a stop to it. So, here is the pattern cybercriminals will often follow.

Obtain credentials

The more endpoints a cybercriminal can access (smartphones, desktop computers, laptops, tablets), the more likely they are to come across data of value. Gaining access starts with a successful login, and the credentials for it are usually obtained through phishing, or more patiently with a keylogger that records the keystrokes of a user who holds elevated privileges.

The end goal is to reach an endpoint on which the attacker holds local admin rights, because from there a number of credential artefacts can be pulled out of the endpoint’s memory (specifically the memory of the LSASS process). These include NTLM password hashes (usable as-is in a pass-the-hash attack, with no cracking required), Kerberos tickets (reusable in a pass-the-ticket attack, and service tickets can be cracked offline to recover the service account’s password), logon session credentials (held in clear text by the WDigest provider on older or unhardened Windows builds), and cached domain credentials (which can be cracked offline). Cybercriminals often turn to tools like mimikatz, which needs local admin privileges in order to read LSASS memory, to find and extract these artefacts, and then feed the credentials to other tools to authenticate to additional systems.

Authenticate

Once a cybercriminal has gained entry (or holds enough credentials to authenticate), the next step is to move laterally within the network, from endpoint to endpoint, usually over SMB (to reach file shares and administrative shares), Remote Desktop, PowerShell remoting (WinRM), and even WMI and RPC. Each hop is a fresh logon on the destination host, which is what makes this stage visible to a defender who collects logon events centrally.

                         Copyright © Cyber Defense Magazine,  All rights reserved worldwide.