Detecting advanced threats in an age of sophisticated cybercrime

Businesses face an increasingly challenging task in detecting advanced security threats. In 2017 alone, cryptojacking attacks exploded by 8,500%, software-update supply-chain attacks increased by 200% and variants of mobile malware surged by 54%, according to Symantec’s latest Internet Security Threat Report.

These common attack methods demonstrate how crucial it is to ensure measures are in place to understand, detect and negate cybercriminals’ sophisticated methods and movements. It was this evolving threat landscape that led us to recently share the results of a ‘red-team exercise’ that we performed on our own environment – essentially hacking ourselves – which you can read about here.

Below we’ll explore a few of the common attack methods our ‘hackers’ used to exploit our systems, and how businesses can enhance their defences in order to prevent them.

Poorly performing passwords

Passwords continue to be a particularly perilous issue for all businesses as cybercriminals operate increasingly ingenious methods of cracking them. However, far too often people just make it too easy for their adversaries.

Our research shows that a whopping one-third of passwords (32%) begin with a capital letter and end in a number. Furthermore, nearly a third of people put a number at the end of their password: 6% of passwords end in one number, one in eight (15%) end with two numbers and one in 11 (9%) end with three numbers. Another common theme is dates, with nearly one in five passwords containing either a month (6%) or a year (12%).

Adopting these widely used formats simply plays into the sophisticated cybercriminal’s hands. Attackers are now armed with a plethora of password data from publicly disclosed breaches, from which they have built templates that form the basis of their highly targeted attacks. For example, in the attack on our own systems, our attacker was able to derive that the password in use was eight characters long and included capital letters, numbers and punctuation marks.
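The structural patterns quoted above (capital first letter, trailing digits, embedded month or year) can be turned into a policy filter that rejects new passwords following those templates. The code below is an added example, not the article’s own tooling; the sample password list is constructed, and the regular expressions are an assumption about how to encode each pattern.

```python
import re
from collections import Counter

# Constructed sample passwords (not real breach data) used to exercise the checks.
SAMPLE_PASSWORDS = [
    "Summer2017", "Password1", "Welcome99", "Letmein123", "qwerty",
    "March14", "Sunshine!", "P@ssw0rd", "dragon2016", "Admin2018!",
]

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
MONTH_RE = re.compile("|".join(MONTHS), re.IGNORECASE)  # full month names only ("may" can over-match)
YEAR_RE = re.compile(r"(?:19|20)\d{2}")                  # four-digit years 1900-2099

# Trailing runs of exactly one, two or three digits (the buckets quoted in the
# article); a longer run such as a four-digit year shows up only as 'contains_year'.
TRAILING_DIGITS = {
    "ends_1_digit": re.compile(r"(?<!\d)\d$"),
    "ends_2_digits": re.compile(r"(?<!\d)\d{2}$"),
    "ends_3_digits": re.compile(r"(?<!\d)\d{3}$"),
}

def classify(password: str) -> set:
    """Return the set of predictable-structure flags a password exhibits."""
    flags = set()
    if password and password[0].isupper() and password[-1].isdigit():
        flags.add("capital_start_digit_end")
    for name, pattern in TRAILING_DIGITS.items():
        if pattern.search(password):
            flags.add(name)
    if MONTH_RE.search(password):
        flags.add("contains_month")
    if YEAR_RE.search(password):
        flags.add("contains_year")
    return flags

def is_predictable(password: str) -> bool:
    """Policy hook: reject any password that follows one of the flagged templates."""
    return bool(classify(password))

def summarise(passwords) -> dict:
    """Percentage of the population showing each flag, like the article's statistics."""
    counts = Counter()
    for pw in passwords:
        counts.update(classify(pw))
    total = len(passwords) or 1
    return {flag: round(100 * n / total, 1) for flag, n in sorted(counts.items())}
```

Running `summarise(SAMPLE_PASSWORDS)` on the constructed list reports half of the entries as capital-start/digit-end, which is the kind of figure a defender can track over their own directory after a policy change.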

Beware of the attachment

A long-favoured attack method for cybercriminals has been emails carrying attachments loaded with malicious macros. If opened, these macros can wreak havoc on enterprise systems. In the case of our controlled experiment, an email attachment containing an embedded DDE object was used as the initial point of attack to invoke an external payload.

This sort of attack presents the end user with a series of familiar Microsoft Office error message boxes and prompts asking whether they want to enable editing, but no explicit security warning. Clicking ‘Yes’ triggers the download and execution of a PowerShell script that gives the attacker full command and control of the machine. It’s a devastatingly easy and effective form of attack.

However, it is possible to defend against this with the right threat detection in place. We were able to detect a registry change that indicated a machine was being targeted, then detect that the machine was attempting to ‘talk out’ to a suspicious external source. We could also detect the use of PowerShell to communicate with the command-and-control system, as well as identify the attacker’s lateral movement through common techniques and tools such as port scans, brute-force attacks and Mimikatz.
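The detection chain described above, as an added example that is not the article’s own tooling: a correlation over constructed, simplified Sysmon-style process-creation and network-connection records that flags a shell spawned by an Office application and, within a short window, an outbound connection from that same process to a non-internal address. The record layout, the five-minute window and the internal address ranges are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed, simplified Sysmon-style records (not real telemetry):
# id 1 = process creation, id 3 = network connection.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EVENTS = [
    {"id": 1, "ts": "2018-04-10T09:01:02", "host": "WS01", "pid": 4120, "image": WORD, "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "ts": "2018-04-10T09:01:40", "host": "WS01", "pid": 5200, "image": PS, "parent": WORD},
    # 203.0.113.0/24 is a documentation range, standing in here for an external address
    {"id": 3, "ts": "2018-04-10T09:01:45", "host": "WS01", "pid": 5200, "image": PS, "dest_ip": "203.0.113.25", "dest_port": 443},
    {"id": 1, "ts": "2018-04-10T09:05:00", "host": "WS02", "pid": 777, "image": PS, "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 3, "ts": "2018-04-10T09:05:01", "host": "WS02", "pid": 777, "image": PS, "dest_ip": "10.0.0.5", "dest_port": 445},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(minutes=5)  # assumed: how long after the spawn an outbound connection still counts

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def is_external(ip: str) -> bool:
    """True when the destination lies outside the (assumed) internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def detect(events):
    """Return (severity, host, message) alerts: Office->shell spawn, then that shell talking out."""
    alerts, suspicious = [], {}  # (host, pid) -> time the shell was spawned
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["host"], ev["pid"])
        if ev["id"] == 1 and basename(ev["parent"]) in OFFICE_APPS and basename(ev["image"]) in SHELLS:
            suspicious[key] = ts
            alerts.append(("medium", ev["host"], f"{basename(ev['parent'])} spawned {basename(ev['image'])}"))
        elif ev["id"] == 3 and key in suspicious and ts - suspicious[key] <= WINDOW and is_external(ev["dest_ip"]):
            alerts.append(("high", ev["host"], f"Office-spawned shell connected out to {ev['dest_ip']}:{ev['dest_port']}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```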

Targeting end users

Employees are a vital tool for any accomplished cybercriminal. Once our ‘attacker’ had gained access to a machine within our network, they moved laterally within the business, using open-source employee information from sites such as LinkedIn to build a list of potential Active Directory user IDs.

A similar approach was also used in a Kerberoasting attack we carried out on our systems. This technique abuses service tickets issued by Kerberos, the network authentication protocol used by the business, and reuses them to gain access to the targeted service.

The attacker uses online sources such as LinkedIn to compile a list of people who possibly work for the company, which is then used to work out the company’s email naming scheme and whether a particular account exists. This enables the attacker to launch a horizontal brute-force attack using the password-cracking tool THC Hydra. Once authenticated to the domain, they can use their Kerberos access to request tickets for specific services and run an offline brute-force attack against those tickets to retrieve cleartext administrator passwords.

Detecting this is not easy, as it could generate many false positives within the organisation because service tickets are used legitimately all the time. But the noise can be reduced significantly by implementing specific filters and discarding benign requests.
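One way to build the filters mentioned above, as an added example rather than the article’s own detection content: Windows records each service ticket request as Event ID 4769 with ServiceName, TicketEncryptionType and Status fields; the code drops failed requests, machine and krbtgt accounts and non-RC4 tickets (0x17 is RC4-HMAC), then alerts when one account still requests several distinct services in a short window. The records are constructed, and the window and threshold are assumptions to tune locally.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769-style records (not real logs); field names mirror the Windows
# event's ServiceName / TicketEncryptionType / Status / IpAddress.
EVENTS = [
    {"ts": "2018-04-10T10:00:01", "account": "jsmith", "service": "MSSQLSvc/db01", "enc": "0x12", "status": "0x0", "client": "10.1.2.3"},
    {"ts": "2018-04-10T10:00:02", "account": "jsmith", "service": "WS07$", "enc": "0x12", "status": "0x0", "client": "10.1.2.3"},
    {"ts": "2018-04-10T10:03:10", "account": "tcook", "service": "svc_sql", "enc": "0x17", "status": "0x0", "client": "10.1.9.9"},
    {"ts": "2018-04-10T10:03:11", "account": "tcook", "service": "svc_http", "enc": "0x17", "status": "0x0", "client": "10.1.9.9"},
    {"ts": "2018-04-10T10:03:12", "account": "tcook", "service": "svc_backup", "enc": "0x17", "status": "0x0", "client": "10.1.9.9"},
    {"ts": "2018-04-10T10:03:13", "account": "tcook", "service": "WS08$", "enc": "0x17", "status": "0x0", "client": "10.1.9.9"},
    {"ts": "2018-04-10T10:03:14", "account": "tcook", "service": "krbtgt", "enc": "0x17", "status": "0x1f", "client": "10.1.9.9"},
    {"ts": "2018-04-10T11:30:00", "account": "legacyapp", "service": "svc_legacy", "enc": "0x17", "status": "0x0", "client": "10.1.5.5"},
]

RC4_HMAC = "0x17"            # TicketEncryptionType value for RC4-HMAC
WINDOW = timedelta(minutes=5)  # assumed correlation window
THRESHOLD = 3                  # assumed number of distinct services per account

def is_benign(ev) -> bool:
    """Filters that discard the bulk of legitimate TGS traffic before counting."""
    svc = ev["service"]
    if ev["status"] != "0x0":                       # failed requests
        return True
    if svc.endswith("$") or svc.lower().startswith("krbtgt"):  # machine / KDC accounts
        return True
    return ev["enc"] != RC4_HMAC                    # AES tickets are not crackable this way

def detect(events, window=WINDOW, threshold=THRESHOLD):
    """Flag accounts requesting >= threshold distinct RC4 service tickets within `window`."""
    per_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_benign(ev):
            per_account[ev["account"]].append((datetime.fromisoformat(ev["ts"]), ev["service"]))
    alerts = []
    for account, reqs in per_account.items():
        for i, (start, _) in enumerate(reqs):
            in_window = {svc for ts, svc in reqs[i:] if ts - start <= window}
            if len(in_window) >= threshold:
                alerts.append((account, start.isoformat(), sorted(in_window)))
                break  # one alert per account is enough to open a hunt
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The lone RC4 request from `legacyapp` survives the filters but stays under the threshold, which is the kind of legitimate legacy-service noise the article warns about.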

Need for a new approach

While cyber-attacks increase in volume and sophistication, businesses are lagging behind in their ability to defend against them. More than two-fifths of businesses suffered a cybersecurity breach in the previous 12 months, and nearly three-quarters (73%) still don’t have a formal cybersecurity policy in place, according to the UK Government’s latest Cyber Security Breaches Survey.

Bucking this trend requires significant human and financial resources: not only expertise that is rare, difficult to find and costly to acquire, but also the right processes and technologies. Businesses therefore require a new approach.

They need around-the-clock, real-time visibility into the behaviour and performance of their entire IT estate and to be on the front foot rather than waiting for attackers to strike. That way, it’s possible to intercept and disrupt threats before they cause damage, downtime or data loss – even if an attacker manages to bypass traditional security controls.

But of course, doing all this in-house is extremely difficult and too expensive for most businesses to manage. Instead, it can be hugely beneficial to work with a Managed Security Services Provider (MSSP), which offers the appropriate level of skills and experience to make the right choices and counter security threats. However, this approach may require a significant paradigm shift.

When working with an MSSP, transparency is key. It helps ensure that you know exactly what your provider is doing, how they’re doing it and what results they are achieving. Once that’s guaranteed, MSSPs can then build a level of trust that is absolutely crucial to their customers.

Seizing back cyber control

It’s commonly assumed that attackers have the upper hand as they only need to get lucky once, whereas defenders have to remain lucky all the time to prevent their breach attempts. By looking for clues in the right places, however, defenders can use their unique knowledge of their own environments so that they also only have to get lucky once.

This relies on spreading the net wide and using a range of logs that alert on specific kinds of behaviour or activity that could indicate attempts at unauthorised access to systems. It takes the detection of only a single sign of a breach to trigger a threat hunt or incident response at any stage of the attacker’s ‘kill chain.’

Managed threat detection

A full Managed Threat Detection and Response service performs iterative, active pursuit of potentially malicious presences within networks. This gives deeper, further-reaching visibility into events that, when stitched together, escalate into potential indicators of an attack.

Events received from network and security devices are assessed against open-source and ‘Dark Web’ threat intelligence sources, proprietary knowledge gained during penetration tests, ongoing research into the broader threat landscape and intimate awareness of the latest tactics used by malicious actors. The service also includes incident response from a team of advanced ethical hackers and responders, who mitigate confirmed attacks and perform root-cause analysis up to and including reverse engineering of zero-day malware, if required.

For more information on how SecureData can help your business detect and prevent the latest, most advanced security threats visit our Managed Threat Detection page.