Tracking Image
February 18, 2016

Preparing for an Inevitable Compromise

Categories: Blog, Integration Testing

It is often said that a defender has to find (and fix) all holes, but an attacker only has to find one. This has some merit to it but today’s reality is one where we don’t have to ask if an attacker will find a hole. It’s only a matter of time before they will and then the question becomes how well our processes and controls enable us to detect it, to control it, and to respond to it.

 

If not with a real-time, comprehensive view of our security infrastructure, how do organizations gain true understanding and visibility of their IT risk?

 

Two of the most important things to understand in preparation of an incident are how attackers behave, and whether you understand your IT infrastructure as well (or better) as your adversaries. These two things separate a security incident from a full-on data breach.

 

Understanding Attacker Behavior (The Adversary’s Playbook)

Attackers move in fairly predictable ways. It is not often that they go from running an exploit to exfiltrating your most valuable data in a single step. Many incident response reports have shown that attackers were present in the network for days, weeks, months, sometimes even years before they wreaked irrecoverable havoc. While every attack is different, there are commonly recognized phases that form what we call “the cyber kill chain” :

  1. Weaponization
  2. Delivery
  3. Exploitation
  4. Installation
  5. Command and Control
  6. Action

 

Understanding the real world aspects of these phases will help you to understand your attackers and, with that, prepare your defensive strategy to stop (or at least delay) them in their tracks. You will also gain an understanding of the blind spots in your infrastructure and tighten the controls where possible.

 

A good example of a cyber kill chain is as follows:

 

  1. Weaponization: Microsoft Office Exploits
  2. Delivery: Phishing/Spear Phishing
  3. Exploitation:  CVE-2014-4114(“Windows OLE Remote Code Execution Vulnerability”)
  4. Installation: Black Energy (various versions)
  5. Command and Control: Various European Hosting Providers
  6. Action: Theft of Intellectual Property

 

The above is an  example of a cyber kill chain for the BlackEnergy APT Group which focuses its efforts in the defense and energy sector among other sectors. Each one of the described phases is different for various threat actor types and/or groups: Script Kiddies, Criminals, Nation State, Corporate Espionage, Insiders, Hacktivists, etc. The techniques in each phase may differ per cyber kill chain.

 

The goal should be to turn what we know, and I’m avoiding the term intelligence on purpose, into relevant attack paths that can be mimicked to understand the blind spots in our infrastructure. So how do we do it?

 

We’ve already established that getting into a network is just an attacker’s first step. While this definitely constitutes a security incident, there is no irrecoverable damage just yet and you still have an opportunity to minimize the impact. All you need is an understanding of your adversary’s behavior.

 

To make progress through your network, the adversary will leverage systemic flaws (often called technical debt) in the security infrastructure. These are the result of choices you’ve made in the past and can be likened to painful but non-fatal wounds. They are often ignored or forgotten about but when recognized and addressed, significantly up the ante for your adversaries.

 

Understanding Your Own Network

Now, your adversary has compromised your network for a reason. They are after something of value. It is your task to understand what is at stake. Where are the valuable assets on your network? What is important to you  and what might an attacker be interested in? From there you can work back and identify the attack paths that are available to your adversaries, and tighten controls around those paths.

 

By applying “holistic testing” you are able to test multiple likely attack sequences as well as testing each phase as if it was a unit test against the various defenses. In this way you test every possible iteration of a cyber kill chain. Contrary to traditional testing, where the last phase of an attack might never be tested as it was assumed the first phase would be detected or prevented, now you are testing end-to-end, for all relevant adversaries, efficiently. That’s why both holistic testing as well as unit testing the various phases of an attack are important. Once attacker capabilities are tested, defensive shortcomings will become obvious.

 

Examples:

A number of our customers have improved their overall defenses by finding the blind spots in their networks by identifying high value assets and understanding attack paths to those assets.

 

  • Various attack groups such as Hurricane Panda that are known to target the aerospace, defense and technology sectors among others use a persistent backdoor technique called “Sticky Keys” that allows them access to a system command prompt. Would your defenses detect this technique? How do you know if you haven’t had a chance to allow your team to try this technique safely on your hosts?

 

  • Certain attack groups have their own modified versions of mimikatz to perform a technique called “Pass-The-Hash”, which dumps credentials from machines running Windows operating systems and enables an attacker to move laterally across the network. Are you curious if an attacker was to gain access to one of your engineering machines, would they be able to gain access to a machine in finance or your domain controller?

 

From persistence to exfiltration. Every action an attacker takes, generates logs and potential evidence in your environment.

 

By mimicking an attack safely in your network you will be able to determine if you have an overwhelming number of alerts being sent to your incident response team and tune those alerts to help them focus on and respond to what matters most. You’ll also get to test if there are any false negatives in your logging and alerting infrastructure.

 

With holistic testing, we are looking for answers to the following questions:

  • How far is an attacker able to get into your network without being noticed?
  • What attacker actions trigger what defensive alerts?
  • What is the response time for your team?

 

The answers to these questions are quantifiable and they are in your infrastructure. Holistic testing will get you the answers and while compromises are inevitable, organizations that apply these practices are able to minimize the eventual impacts, continuously.

 

“The difference between success of an attacker or success of your defenses is reliant on the resiliency of your security infrastructure and the readiness of your people, processes, products and tools to combat a persistent adversary. Test, analyze, resolve, repeat.”

About the Author

Stephan Chenette is the co-founder and CEO of AttackIQ. In this role he is responsible for the strategic and technical direction of the company.