Your Security Teams are Destroying Critical Evidence

Why Stopping Siloed Attacks is No Longer Enough

By Erik Randall, Security Engineer, Exabeam

Gone are the days of smash-and-grab cyberattacks: cybercrimes are now sophisticated sequences that unfold over hours or days. Resolving such an attack sequence requires SOC analysts to see the complete picture, yet far too many of the analysts responsible for triaging events lack the understanding and the tools that would give them situational awareness of what a modern attack is doing.

Seeing the Whole Attack Chain and Destroying the Evidence

With so many alerts to handle, Tier 1 SOC analysts need to pick the most severe cases to deal with first and get to the others when they have time. These “triage specialists” must balance volume, judgment on severity, and, like any position, performance metrics. Performance is often measured in ticket resolution rates and mean time to respond (MTTR), so there is pressure to resolve quickly.

Many SOCs provide their Tier 1 analysts with runbooks—a set of standard procedures for resolving common incidents. While theoretically prudent, runbooks can have a detrimental impact: while they often aid in resolving a particular alert, they can also end up destroying evidence that might be needed to investigate a more serious security incident.

Analysts typically take action against discrete Indicators of Compromise (IoCs) then close the ticket and move on. But an attacker is not done once the machine is infected with malware; that’s just a foothold toward larger goals.

Think of a laptop infected with malware. A common SOC runbook procedure is to remove the threat by re-imaging the machine. Threat removed. MTTR low. But while the threat is gone, so too are all the artifacts that would have helped a Tier 2 or Tier 3 analyst find the source of the attack. You might even go so far as to say the analyst is helping the attacker by deleting all the evidence for them!

Uncovering a Compromised Insider

Imagine this scenario: An attacker wants to steal the source code for a new product from the leader in the market. They’re going to compromise the machine of an engineer inside the company’s network and use that as a jumping off point to search the network and find code repositories with product software.

Thanks to a new framework from MITRE called ATT&CK, we can realistically detail the techniques an attacker might use to pull it off.

First, the attacker sets up a watering hole attack, knowing that an engineer at the target organization is likely to visit the website of an upcoming user conference. Once the engineer visits the website (Drive-by Compromise, an Initial Access technique), the malicious code on the webpage is triggered and executed by the browser on the engineer’s machine. At this point the attacker has code execution on the targeted machine (the Execution tactic; because it was the engineer’s own visit that triggered the payload, ATT&CK labels it User Execution) and a foothold from which to work.

After this initial execution, the attacker then covers their tracks by deleting a portion of the malware on the system (File Deletion), in an attempt to avoid detection.

Now that the attacker controls the machine, they enumerate the network and locate an SMB share that may contain the desired data (Discovery). As it turns out, reading that share requires privileged credentials, so the attacker escalates privileges to obtain an account with administrator rights (Privilege Escalation). With those credentials the attacker can reach the file share from the compromised laptop and copy the sensitive data (Lateral Movement).

Next, the attacker steals the access token of a login script that ran under a privileged domain account (Access Token Manipulation, another Privilege Escalation technique) and uses it to log on to a server in the DMZ (Lateral Movement), a host that can reach the internet. The data is copied to that server and compressed in preparation for transfer (Collection). The attacker then connects from the DMZ server to an attacker-controlled web server and moves the archive out of the network (Exfiltration). And just like that, they’ve stolen your new product source code.

In this scenario, many of these tactics and techniques would at some point have set off alarms in most SOCs. But while the alerts may get investigated, too often the response by lower-tier analysts ends up incomplete, and the attacker has already gained deeper access into the organization’s network and systems. By the time an attacker reaches Lateral Movement, the trail often goes dark for SOC personnel, since it is very difficult to distinguish between activity driven by the real owner of an account and an attacker using that same account. And it is also at this stage that the theft of sensitive data takes place.

To ensure optimal protection, security teams must change their mindset to start looking at entire attack sequences instead of individual steps. SOC teams need to be able to compare a user’s behavior to their normal patterns in order to understand if compromised credentials are being used by an attacker.

Using Behavior to Detect Complete Attack Chains

User and Entity Behavior Analytics (UEBA) lets security analysts do just that. UEBA products build a baseline of what activity is normal for each user and compare it with the activity the user performs in near real time. Coupled with the tactics and techniques that ATT&CK identifies as risky, the UEBA interface then highlights activity that is both atypical and risky. The more of these tactics and techniques an attacker uses, the higher the risk score in the UEBA interface and the more the activity stands out to SOC analysts.

By tying together the behaviors identified as anomalous and risky with the techniques catalogued in the ATT&CK framework, responders can trace the steps an attacker has taken and predict where they may be heading next. Only once the attack chain is fully understood can the SOC analyst take remediation steps that preserve evidence, instead of re-imaging the system and possibly destroying key evidence needed for a further forensic examination of the compromised host.
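As an added example (not from the article and not Exabeam’s product logic), the following Python sketch shows the idea behind the two paragraphs above: a per-user baseline of normal hosts, shares and working hours; events scored as both atypical (outside the baseline) and risky (mapped to an ATT&CK tactic); and a session-level score that gates the Tier 1 runbook so a host over the threshold is preserved and escalated rather than re-imaged. The event format, action names, weights, threshold and all telemetry are constructed for illustration.

```python
"""Toy UEBA-style scoring over constructed telemetry (illustrative, not a real product).
Each event is (user, iso_timestamp, host, action, target)."""
from collections import defaultdict
from datetime import datetime

# Assumed mapping from telemetry action names to the ATT&CK tactic they evidence
# and a base risk weight. Weights are illustrative, not any vendor's real model.
TACTIC_OF_ACTION = {
    "share_enum":     ("Discovery", 5),
    "share_access":   ("Lateral Movement", 10),
    "remote_logon":   ("Lateral Movement", 10),
    "privilege_use":  ("Privilege Escalation", 15),
    "archive_create": ("Collection", 10),
    "outbound_http":  ("Exfiltration", 20),
}
ANOMALY_WEIGHT = 10   # added once per baseline deviation (new host, new target, unusual hour)
PRESERVE_AT = 60      # session score at which re-imaging must wait for evidence acquisition


def empty_profile():
    return {"hosts": set(), "targets": set(), "hours": set()}


def build_baseline(events):
    """Learn each user's normal hosts, targets and hours-of-day from historical events."""
    profile = defaultdict(empty_profile)
    for user, ts, host, _action, target in events:
        p = profile[user]
        p["hosts"].add(host)
        p["targets"].add(target)
        p["hours"].add(datetime.fromisoformat(ts).hour)
    return profile


def score_event(profile, event):
    """Score one event: base weight for its tactic plus a penalty per baseline deviation."""
    user, ts, host, action, target = event
    p = profile.get(user, empty_profile())   # unseen user: everything is a deviation
    tactic, base = TACTIC_OF_ACTION.get(action, (None, 0))
    anomalies = []
    if host not in p["hosts"]:
        anomalies.append("new host")
    if target not in p["targets"]:
        anomalies.append("new target")
    if datetime.fromisoformat(ts).hour not in p["hours"]:
        anomalies.append("unusual hour")
    return {"event": event, "tactic": tactic, "anomalies": anomalies,
            "points": base + ANOMALY_WEIGHT * len(anomalies)}


def score_session(baseline_events, session_events, user):
    """Accumulate risk across a user's session so the chain, not one alert, drives triage."""
    profile = build_baseline(baseline_events)
    scored = [score_event(profile, e) for e in session_events if e[0] == user]
    return {"user": user,
            "score": sum(s["points"] for s in scored),
            "tactics": [s["tactic"] for s in scored if s["tactic"]],
            "events": scored}


def triage_action(session):
    """Gate the runbook: above the threshold, acquire evidence and escalate before any wipe."""
    return "preserve_and_escalate" if session["score"] >= PRESERVE_AT else "standard_runbook"


# Constructed sample telemetry (not real logs). Learning window: jdoe's normal workdays.
BASELINE_EVENTS = [
    ("jdoe", "2019-04-01T09:12:00", "eng-laptop-17", "logon", "eng-laptop-17"),
    ("jdoe", "2019-04-01T09:30:00", "eng-laptop-17", "share_access", r"\\fs01\eng-docs"),
    ("jdoe", "2019-04-01T14:05:00", "eng-laptop-17", "outbound_http", "git.corp.example"),
    ("jdoe", "2019-04-02T10:02:00", "eng-laptop-17", "logon", "eng-laptop-17"),
    ("jdoe", "2019-04-02T10:40:00", "eng-laptop-17", "share_access", r"\\fs01\eng-docs"),
]

# The article's scenario replayed under jdoe's hijacked account at 2 a.m.: discovery,
# privilege escalation, lateral movement to the share and a DMZ host, staging, exfiltration.
ATTACK_SESSION = [
    ("jdoe", "2019-05-02T02:14:00", "eng-laptop-17", "share_enum", r"\\fs02"),
    ("jdoe", "2019-05-02T02:20:00", "eng-laptop-17", "privilege_use", r"CORP\svc-deploy"),
    ("jdoe", "2019-05-02T02:26:00", "eng-laptop-17", "share_access", r"\\fs02\product-src"),
    ("jdoe", "2019-05-02T02:31:00", "dmz-web-01", "remote_logon", "dmz-web-01"),
    ("jdoe", "2019-05-02T02:45:00", "dmz-web-01", "archive_create", r"C:\temp\src.zip"),
    ("jdoe", "2019-05-02T02:50:00", "dmz-web-01", "outbound_http", "203.0.113.7"),
]

# The same kind of share access performed by the real user during normal hours.
NORMAL_SESSION = [
    ("jdoe", "2019-05-02T09:15:00", "eng-laptop-17", "share_access", r"\\fs01\eng-docs"),
]

if __name__ == "__main__":
    for label, session in (("attack", ATTACK_SESSION), ("normal", NORMAL_SESSION)):
        result = score_session(BASELINE_EVENTS, session, "jdoe")
        print(f"{label}: score={result['score']} tactics={result['tactics']} "
              f"-> {triage_action(result)}")
```

The point of the design is in `score_event`: a share access by itself is low-risk and scores little when the host, share and hour all match the user’s baseline, but the same action from a new host, against a new target, at an unusual hour accumulates quickly, and the ATT&CK tactic labels on the scored events give the Tier 2 analyst the chain to follow. `triage_action` is the runbook gate the article argues for: above the threshold the answer is to image memory and disk and escalate, not to wipe the box.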

Given the gravity of the compromises depicted here, every piece of evidence in this crime scene needs to be preserved for the duration of the investigation. Each incident needs to be seen as part of a bigger picture. Closing a ticket is not the same thing as solving a crime.

About the Author

Erik Randall is a Security Engineer at Exabeam. He is an information security leader with proven success in implementing leading-edge technology solutions while balancing risk, business operations and innovation. Specialties include security service management, systems architecture, network design, and systems administration, with extensive experience in the engineering, manufacturing, services and financial industries.

May 9, 2019
