by Mickey Bresman, co-founder, Semperis
A new report on cyber-attacks caught my attention. Carbon Black’s November 2018 Quarterly Incident Response Threat Report finds that hackers are increasingly destroying security logs to hide attacks.
Attacks that cover their tracks by disabling or destroying logs are nothing new. What is alarming is the prevalence of such attacks: according to the report, 72 percent of incident response (IR) professionals encountered this type of attack over the last 90 days.
As one IR professional remarked, “We’ve seen a lot of destruction of log data, very meticulous cleanup of antivirus logs, security logs and denying IR teams the access to data they need to investigate.”
In this new reality, the question becomes, how do you protect yourself?
Active Directory holds the keys to the kingdom
As the keeper of the keys to the kingdom, identity services are an extremely attractive target for hackers. And given Active Directory’s widespread adoption – more than 90 percent of organizations rely on it for identity services – it’s especially at risk.
Statistically speaking, your organization will be hacked sooner or later. Here is a scenario that is unfortunately becoming common:
An attacker breaches the environment via phishing, password spraying, cross-site scripting, or some other technique (the possibilities are virtually endless and constantly changing). Through lateral movement, the attacker gains membership in the Domain Admins group. While that is terrible, it’s not actually the end goal.
As the next step, the attacker logs in to a domain controller, stops the auditing agent, and disables security logging. With the security camera effectively turned off, the attacker modifies accounts, groups, Group Policy Objects (GPOs), DNS records, and other AD-related objects – creating back-doors that can be used at a later stage.
The organization finds out that something is wrong within 10-15 minutes of the time the attacker logged in to the DC. They connect to the machine, terminate the attacker’s session, disable the compromised Domain Admin account, and regain control… or do they?
The reality is the attacker was perfectly aware they were about to get exposed. So, the question now becomes, what did they do during those 10-15 minutes?
Another way that attackers can bypass security logging is to inject data directly into the Active Directory replication stream. That’s exactly what DCShadow does, making it invisible to SIEM systems and worrisome to security teams. (More on DCShadow can be found here.)
Keeping the security camera on
How do you deal with a scenario where the auditing agent was disabled, or the logs can’t help because they were never there?
The answer is having another source of data that is independent of any single machine. As you probably know, all of the information in Active Directory (excluding some event details) doesn’t stay with a single server, but is replicated across DCs and can be picked up from any DC in the domain.
This is how Semperis provides visibility of changes made even if security logging or auditing agents are disabled, or changes are made below the radar. The Semperis solution gathers changes from two independent data sources – one of them being the AD replication API.
So, in the example above, even if the auditing agent is disabled or changes aren’t logged, the hacker’s nefarious activity is captured when AD replication takes place. Changes are stored in a SQL database where the information can be used for forensic analysis and remediation. This allows you to identify and undo the unwanted changes made by the attacker – eliminating back-doors, and truly regaining control of your Active Directory.
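To make the "second camera" concrete, here is an added example (my own illustration, not Semperis code and not a description of their product). Every attribute of every replicated AD object carries per-attribute replication metadata (a version counter, the originating DC, the originating USN and the time of the last originating write) that travels with replication and can be read from any DC: in PowerShell with Get-ADReplicationAttributeMetadata, or over LDAP via the constructed attribute msDS-ReplAttributeMetaData. The XML layout below follows the DS_REPL_ATTR_META_DATA elements that attribute returns; the records, DC names, GUIDs, USNs and timestamps are constructed. The script flags attributes whose last originating write came from the DC the attacker sat on, inside the 10-15 minute window, and compares version counters against an earlier snapshot.

```python
"""Added example: AD replication metadata as an audit source that does not
depend on the security log of the DC the attacker controlled.
Assumes the XML shape of msDS-ReplAttributeMetaData (one
<DS_REPL_ATTR_META_DATA> element per attribute); all sample values below
are constructed and come from no real domain."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple
import xml.etree.ElementTree as ET

DSA_DC01 = "CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test"
DSA_DC02 = "CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test"

# Constructed sample: metadata of a group object (think Domain Admins) read
# from the surviving DC02. "member" and "managedBy" were last written on
# DC01 while the attacker held a session there.
SAMPLE_METADATA = f"""
<DS_REPL_ATTR_META_DATA>
 <pszAttributeName>description</pszAttributeName><dwVersion>1</dwVersion>
 <ftimeLastOriginatingChange>2018-11-20T08:00:00Z</ftimeLastOriginatingChange>
 <uuidLastOriginatingDsaInvocationID>11111111-1111-1111-1111-111111111111</uuidLastOriginatingDsaInvocationID>
 <usnOriginatingChange>10001</usnOriginatingChange><usnLocalChange>10001</usnLocalChange>
 <pszLastOriginatingDsaDN>{DSA_DC02}</pszLastOriginatingDsaDN>
</DS_REPL_ATTR_META_DATA>
<DS_REPL_ATTR_META_DATA>
 <pszAttributeName>member</pszAttributeName><dwVersion>7</dwVersion>
 <ftimeLastOriginatingChange>2018-11-20T14:07:12Z</ftimeLastOriginatingChange>
 <uuidLastOriginatingDsaInvocationID>22222222-2222-2222-2222-222222222222</uuidLastOriginatingDsaInvocationID>
 <usnOriginatingChange>45210</usnOriginatingChange><usnLocalChange>30877</usnLocalChange>
 <pszLastOriginatingDsaDN>{DSA_DC01}</pszLastOriginatingDsaDN>
</DS_REPL_ATTR_META_DATA>
<DS_REPL_ATTR_META_DATA>
 <pszAttributeName>managedBy</pszAttributeName><dwVersion>2</dwVersion>
 <ftimeLastOriginatingChange>2018-11-20T14:11:40Z</ftimeLastOriginatingChange>
 <uuidLastOriginatingDsaInvocationID>22222222-2222-2222-2222-222222222222</uuidLastOriginatingDsaInvocationID>
 <usnOriginatingChange>45233</usnOriginatingChange><usnLocalChange>30890</usnLocalChange>
 <pszLastOriginatingDsaDN>{DSA_DC01}</pszLastOriginatingDsaDN>
</DS_REPL_ATTR_META_DATA>
"""


@dataclass(frozen=True)
class AttrChange:
    attribute: str
    version: int          # bumped on every originating write
    changed_at: datetime  # UTC time of the last originating write
    originating_dc: str   # DC on which that write happened
    originating_usn: int


def parse_timestamp(value: str) -> datetime:
    """ISO-8601 with a trailing Z -> timezone-aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def dc_name_from_dsa_dn(dsa_dn: str) -> str:
    """'CN=NTDS Settings,CN=DC01,CN=Servers,...' -> 'DC01'. The server RDN is
    the second component; a plain split suffices because DC names contain
    no commas."""
    parts = dsa_dn.split(",")
    if len(parts) < 2 or not parts[1].upper().startswith("CN="):
        raise ValueError(f"unexpected DSA DN: {dsa_dn!r}")
    return parts[1][3:]


def parse_metadata(xml_values: str) -> List[AttrChange]:
    """Parse the XML fragments. The LDAP attribute is multi-valued and the
    fragments share no root element, so wrap them before parsing."""
    root = ET.fromstring("<root>" + xml_values + "</root>")
    return [AttrChange(
        attribute=rec.findtext("pszAttributeName"),
        version=int(rec.findtext("dwVersion")),
        changed_at=parse_timestamp(rec.findtext("ftimeLastOriginatingChange")),
        originating_dc=dc_name_from_dsa_dn(rec.findtext("pszLastOriginatingDsaDN")),
        originating_usn=int(rec.findtext("usnOriginatingChange")),
    ) for rec in root.findall("DS_REPL_ATTR_META_DATA")]


def changes_in_window(changes: List[AttrChange], start: datetime, end: datetime,
                      originating_dc: Optional[str] = None) -> List[AttrChange]:
    """Attributes whose last originating write falls inside [start, end],
    optionally only those that originated on one specific DC."""
    return [c for c in changes if start <= c.changed_at <= end
            and (originating_dc is None or c.originating_dc.lower() == originating_dc.lower())]


def version_bumps(changes: List[AttrChange], baseline: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Compare version counters with an earlier snapshot: a higher counter
    proves the attribute was written even if the attacker later reverted the
    value. Attributes missing from the baseline count as new (old version 0)."""
    return {c.attribute: (baseline.get(c.attribute, 0), c.version)
            for c in changes if c.version > baseline.get(c.attribute, 0)}


if __name__ == "__main__":
    found = parse_metadata(SAMPLE_METADATA)
    start, end = parse_timestamp("2018-11-20T14:02:00Z"), parse_timestamp("2018-11-20T14:17:00Z")
    for c in changes_in_window(found, start, end, originating_dc="DC01"):
        print(f"{c.changed_at:%H:%M:%S} {c.attribute:<12} v{c.version} origin={c.originating_dc} usn={c.originating_usn}")
    print(version_bumps(found, {"description": 1, "member": 6, "managedBy": 1}))
```

Two points worth noting. First, the metadata is read from a DC the attacker never touched, so disabling the auditing agent or clearing the security log on the compromised DC does not remove it. Second, metadata keeps only the last originating write per attribute, so a change that was later reverted shows up only through the version counter, which is why the snapshot comparison matters alongside the time window.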
Have you encountered hacks where attackers bypassed security logging? Are such hacks part of your risk assessment? I would love to hear about your experience and thoughts on the topic.
About the Author
Mickey is a co-founder of Semperis and leads the company’s overall strategic vision and implementation. A long-time enterprise software expert, Mickey began his technical career in the Navy computing technical unit over a decade ago. Prior to co-founding Semperis, Mickey was the CTO of a Microsoft gold partner integration company, YouCC Technologies, successfully growing the company’s overall performance year over year. Mickey holds a BA in Technical Management and a Minor in Electronic Engineering. You can learn more about Mickey, here: https://www.linkedin.com/in/mickey-bresman-1574923/