Page 82 - Cyber Defense eMagazine - October 2017
Establish control
Once an attacker has gained entry to another system, they need to gain control over it. However, the credentials providing initial authentication may not have elevated privileges on this new endpoint, which means attackers often repeat some of the same work from the first two steps in the kill chain, as well as use native and downloadable hacking tools to gain access as a local admin on each endpoint.

Establish stealth
Attackers see each compromised endpoint as a foothold from which they can propel deeper into your systems. So, to keep from being detected, threat actors “live off the land” by using native tools that naturally don’t attract very much attention from IT administrators. They stealthily deliver payloads directly to memory to avoid running executables that may raise suspicion, and even redirect malicious traffic over allowed ports.


Establish persistence
Throughout each point in the kill chain, hackers modify an endpoint’s configuration to maintain access — just in case someone in IT detects the intrusion. Using similar tactics to malware, attackers run scripts on system reboots or user logons, putting malware, tampered files, scheduled tasks, malicious services, registry entries, and any created accounts back into place, essentially repeating all the work done up to that point to ensure the hacker can persistently access the endpoint.

Stopping actors in the intrusion kill chain
Before you can stop an attack, you need to be able to detect one. But most organisations are poor at breach detection — on average it takes 146 days to detect a data breach, by which point it’s much too late to mitigate the damage.

So what can you do about it? The first thing is to understand the one action that occurs in every single part of the chain of events I’ve described above — a logon. To obtain credentials other than via phishing, attackers must log on as an admin to a machine. To authenticate, attackers use multiple logons of varying types. To establish stealth, attackers log on with elevated access privileges to live off the land. And to establish control and persistence, attackers need to log on locally as an admin.

Next you need to keep an eye on all logons and any possible anomalies, like logons at strange times of day, logons from strange geographical locations, logons that occur concurrently, or logons that occur for the first time on a particular endpoint.
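The four anomaly checks listed above, and the per-account profile the article goes on to describe, can be expressed as a small streaming detector. The following Python is an added illustration written for this page, not code from the article or from any product: it builds a profile for each account (countries, endpoints and recent logons seen so far) and flags each new logon that falls outside it. The logon records, the 07:00–19:59 working window, the 30-minute concurrency window and the three-logon warm-up are all assumed values chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample logon events (user, endpoint, source country, local time);
# these are made-up records, not telemetry from any real environment.
SAMPLE_LOGONS = [
    ("alice", "WS-01", "GB", "2017-10-02 09:05"),
    ("alice", "WS-01", "GB", "2017-10-03 08:55"),
    ("alice", "WS-01", "GB", "2017-10-04 09:10"),
    ("alice", "WS-01", "GB", "2017-10-05 17:40"),
    ("bob",   "WS-07", "GB", "2017-10-02 10:00"),
    ("bob",   "WS-07", "GB", "2017-10-03 10:30"),
    ("alice", "FS-01", "GB", "2017-10-06 03:12"),  # 3am, first logon to a file server
    ("alice", "WS-01", "GB", "2017-10-06 09:00"),
    ("alice", "WS-01", "RO", "2017-10-06 09:04"),  # same account, other country, 4 min later
]

WORK_HOURS = range(7, 20)                   # assumed normal logon window, 07:00-19:59
CONCURRENCY_WINDOW = timedelta(minutes=30)  # two logons closer than this count as concurrent
MIN_HISTORY = 3                             # logons needed before an account is scored


@dataclass
class Profile:
    """What has previously been seen for one account: where from, onto what, and when."""
    countries: set = field(default_factory=set)
    endpoints: set = field(default_factory=set)
    recent: list = field(default_factory=list)  # (timestamp, country) inside the window
    count: int = 0

    def update(self, ts, endpoint, country):
        self.countries.add(country)
        self.endpoints.add(endpoint)
        self.count += 1
        # Drop logons that have aged out of the concurrency window, then record this one
        self.recent = [(t, c) for t, c in self.recent if ts - t <= CONCURRENCY_WINDOW]
        self.recent.append((ts, country))


def score_logon(profile, ts, endpoint, country):
    """Return the anomaly labels one logon triggers when checked against a profile."""
    flags = []
    if ts.hour not in WORK_HOURS:
        flags.append("off-hours")
    if country not in profile.countries:
        flags.append("new-location")
    if endpoint not in profile.endpoints:
        flags.append("first-time-endpoint")
    # Another logon for the same account from a different country within the window
    if any(abs(ts - t) <= CONCURRENCY_WINDOW and c != country for t, c in profile.recent):
        flags.append("concurrent-logon")
    return flags


def detect_anomalous_logons(events):
    """Stream logons in time order, growing each account's profile as they arrive.

    Returns (user, endpoint, timestamp, flags) for every logon that raised a flag.
    The first MIN_HISTORY logons of an account only train its profile.
    """
    parsed = sorted(
        ((u, e, c, datetime.strptime(t, "%Y-%m-%d %H:%M")) for u, e, c, t in events),
        key=lambda rec: rec[3],
    )
    profiles = {}
    alerts = []
    for user, endpoint, country, ts in parsed:
        profile = profiles.setdefault(user, Profile())
        if profile.count >= MIN_HISTORY:
            flags = score_logon(profile, ts, endpoint, country)
            if flags:
                alerts.append((user, endpoint, ts.strftime("%Y-%m-%d %H:%M"), flags))
        profile.update(ts, endpoint, country)
    return alerts


if __name__ == "__main__":
    for user, endpoint, when, flags in detect_anomalous_logons(SAMPLE_LOGONS):
        print(f"{when}  {user:<6} -> {endpoint:<6} {', '.join(flags)}")
```

Run against the constructed records, the detector stays quiet for the routine daytime logons and raises two alerts: the 03:12 logon to FS-01 (off-hours and a first-time endpoint) and the 09:04 logon from RO that overlaps a GB logon four minutes earlier (new location and concurrent logon). In a real deployment the working window and location set would come from each account's observed history rather than constants, and the alerts would be fed to whoever investigates, but the shape of the checks is the same.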


Keeping on top of all this logon information is difficult to do manually, but simple with technology that exists today. This kind of technology pieces together contextual information about any particular logon and builds up a profile of the person attempting to log on. It then flags anything out of the ordinary, like a logon from a strange location or


