This past year has been chock-full of high-profile cyber attacks, so it seems timely to explore some common evasion techniques attackers use to fly under the radar of even the most modern security systems. If the U.S. Army, the U.S. Government, a prominent cyber security vendor and those we trust to keep our credentials secure can't keep attackers out, it is clear that every organization is potentially at risk.
It is important to realize that much of an attacker's evasive maneuvering doesn't involve malware at all and, even if observed, could be mistaken for legitimate activity without further context. Let's take a look at some examples:
- User account hijack
- Going native to move laterally
- Grab and go

User account hijack

Whether it be through cracking with rainbow tables, "pass-the-hash", mimikatz or old-fashioned social engineering, there are many ways an attacker can hijack a user account. Having done so, they are highly likely to take the next step of acquiring domain admin credentials, the equivalent of getting the keys to the kingdom.

But attackers will rarely be content with just that, and increasingly seek to also obtain VPN access so they can connect remotely on demand rather than rely on covert backdoor channels (e.g. VNC, reverse SSH) which may be a single point of failure for them. This lets them be more persistent, methodical, cautious and impactful in their activities. A VPN login with valid credentials looks exactly like a remote worker, which is why it is only suspicious in context: a user who never used the VPN before, an unusual source location or an unusual time of day.

Going native to move laterally

In order to reach high-value assets (file servers, databases, domain controllers), attackers figured out long ago that built-in Windows capabilities give them much of what they need to get the job done. Where attackers previously leveraged Windows commands such as net and at, they are increasingly migrating to more modern, powerful and flexible alternatives such as WMI and PowerShell, which let them execute code on remote hosts without writing a payload to disk, search for data of interest and manipulate audit logs. Freely and readily available tools such as PsExec, Nmap and Metasploit may also be used, although PsExec is noisier than WMI or PowerShell remoting: it copies a service executable to the target's ADMIN$ share and creates a service, leaving both a file and a service-creation event behind.

Grab and go

Using ill-gotten privileged access and the ability to connect to in-house databases or shared document repositories, attackers fetch data of interest, accumulate it in a staging area, encrypt it and then exfiltrate it over a covert channel to an external server, using methods such as DNS tunnelling, FTP or HTTPS. These channels are chosen deliberately: attackers know that DNS and HTTPS in particular are almost always allowed out through the perimeter firewalls.
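The DNS tunnelling channel described above is one that passive network data catches well, because a tunnel has to put its payload into query names. The following is an added example, not code from the original post: it profiles each (client, registered domain) pair in a DNS query log and flags pairs with many distinct, long, high-entropy subdomains. The log format, the sample lines, the "last two labels" definition of a registered domain and all thresholds are assumptions to be tuned for a real environment.

```python
"""Flag DNS tunnelling candidates in DNS query logs.

Added example, not code from the original post. It scores each
(client, registered domain) pair on features a tunnel tends to exhibit: many
distinct subdomains, long high-entropy labels and a preference for TXT/NULL
records. The log format and thresholds are assumptions to tune per environment.
"""
import math
from collections import defaultdict

# Constructed sample log lines: "<epoch> <client_ip> <qtype> <qname>".
# The corp.example queries are ordinary lookups; the tunnel.example names
# carry base32-style payload chunks in their leftmost labels, as DNS tunnels do.
SAMPLE_LOG = """\
1700000000 10.1.2.3 A www.corp.example
1700000001 10.1.2.3 A mail.corp.example
1700000002 10.1.2.3 A www.corp.example
1700000003 10.1.2.9 TXT mfrggzdfmztwq2lk.nbswy3dpo5xxe3de.tunnel.example
1700000004 10.1.2.9 TXT onswg4tfor2gk3tdmq.gu3tinjsgq4tamzr.tunnel.example
1700000005 10.1.2.9 TXT krugkidrovuwg3tq.ge2dkmrrgmztgnzw.tunnel.example
1700000006 10.1.2.9 TXT mjwxaydfo5wgkidl.grqwizbsmvrgi2ld.tunnel.example
1700000007 10.1.2.9 TXT nfxgcidqnfzgcidl.ovzxi2lpnzss.tunnel.example
1700000008 10.1.2.9 TXT n5tce3tffvxxkidx.nfxgq43znrsw4zbr.tunnel.example
"""

# Record types commonly abused for tunnelling because they carry free-form data.
BULKY_QTYPES = {"TXT", "NULL", "CNAME", "MX"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain, registered_domain), taking the last two labels as the
    registered domain. Assumption: no public-suffix list, so co.uk-style names
    would need a real PSL lookup in production."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile_queries(log_text: str):
    """Aggregate per (client, registered domain) features from raw log lines."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "sub_len": 0, "entropy": 0.0, "bulky": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qtype, qname = line.split()
        sub, domain = split_name(qname)
        st = stats[(client, domain)]
        st["queries"] += 1
        st["subdomains"].add(sub)
        payload = sub.replace(".", "")          # label bytes that could carry data
        st["sub_len"] += len(payload)
        st["entropy"] += shannon_entropy(payload)
        st["bulky"] += qtype.upper() in BULKY_QTYPES
    return stats


def find_tunnel_candidates(log_text: str, min_unique=4, min_mean_len=20.0,
                           min_mean_entropy=3.0):
    """Return [(client, domain, features)] for pairs that look like tunnels.
    Thresholds are assumptions; ordinary CDN/telemetry domains can also score
    high, so treat hits as leads to investigate, not verdicts."""
    hits = []
    for (client, domain), st in profile_queries(log_text).items():
        n = st["queries"]
        features = {
            "queries": n,
            "unique_subdomains": len(st["subdomains"]),
            "mean_subdomain_len": st["sub_len"] / n,
            "mean_entropy": st["entropy"] / n,
            "bulky_fraction": st["bulky"] / n,
        }
        if (features["unique_subdomains"] >= min_unique
                and features["mean_subdomain_len"] >= min_mean_len
                and features["mean_entropy"] >= min_mean_entropy):
            hits.append((client, domain, features))
    return hits


if __name__ == "__main__":
    for client, domain, f in find_tunnel_candidates(SAMPLE_LOG):
        print(f"{client} -> {domain}: {f}")
```

On the constructed sample only the 10.1.2.9 to tunnel.example pair is flagged: six distinct subdomains averaging about 32 characters with entropy above 3.8 bits per character, all carried in TXT queries, while the corp.example lookups have two short, low-entropy subdomains. In practice the per-client query rate and total bytes in query names over time are the next features to add, since a slow tunnel can stay under any per-query threshold.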
What do all the above techniques have in common? They all involve network communication at some point. Even though we can fully expect attack techniques to continue to evolve and change, network communication will remain a critical element. Of course, effective information security is multifaceted. It is about people, process and technology combining to deliver defense in depth. In short, there is no silver bullet. The game is really about how much you can stack the odds in your favour. Many companies recognize this and are increasing investment and strategic focus on their ability to detect and respond to attacks.
We believe full visibility into network data, in real time and in retrospect, can dramatically change the odds and enable security incident investigators to more rapidly detect and piece together the bigger picture of evasive attack activity. Here are the key reasons full network visibility makes for such an advantage:
- Authoritative source of truth
- Zero performance impact

Authoritative source of truth

If an attacker has compromised hosts within your network, can you really trust what the operating system and agents on those hosts are telling you? Network data captured passively off a tap or SPAN port is an independent source of truth that a compromised host cannot rewrite after the fact, providing rich detail on the machine-to-machine "conversations" occurring within your environment. The caveat is encryption: for TLS-protected traffic the network gives you endpoints, timing, volumes and handshake metadata (SNI, certificates) rather than payload, unless you decrypt at a proxy, so an investigation leans on those metadata and on decoded cleartext protocols such as DNS, SMB and DCE-RPC.

Zero performance impact

Domain Controllers, Network Attached Storage and databases have native auditing capabilities, but these tend to be basic and are rarely fully enabled because they can degrade performance. Full network visibility can provide superior auditing (based on decoded messages and packet capture) by simply listening to "conversations" passively. This approach has the added bonus of providing a centralized, single, vendor-independent audit log of all network activity.

Attackers continue to remain resident within company networks for extended periods before being discovered. This reminds us that you can't detect what you don't know to look for, the unknown unknowns. A historic record of all network traffic, in the form of statistics, decoded messages and full packet data, is critical. It enables investigators to spot deviations from baseline norms and retrospectively piece together the bigger picture of attack activity, including through a user-centric lens.
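The "deviation from baseline" idea above, applied to the native lateral-movement techniques described earlier (WMI over RPC, PsExec over SMB, PowerShell remoting over WinRM), is shown in the following added example, which is not code from the original post. It learns from a baseline window which hosts normally talk to which servers on Windows admin ports, then alerts when a source reaches several previously unseen hosts on those ports within a short window, the fan-out pattern of an attacker sweeping a subnet. The flow-record format, the sample flows, the port-to-technique mapping, the baseline cut-over time, the window and the threshold are all assumptions.

```python
"""Spot lateral-movement fan-out on Windows admin ports from flow records.

Added example, not code from the original post. It learns which (source,
destination, port) admin-port pairs are normal during a baseline window, then
alerts when a source reaches several previously unseen hosts on those ports
within a short window. Log format, ports, windows and thresholds are
assumptions to tune per environment.
"""
from collections import defaultdict

# Destination ports behind the built-in remote-execution paths the post mentions.
ADMIN_PORTS = {
    135: "RPC endpoint mapper (WMI/DCOM)",
    445: "SMB (PsExec, admin shares, remote service creation)",
    5985: "WinRM HTTP (PowerShell remoting)",
    5986: "WinRM HTTPS (PowerShell remoting)",
}

# Constructed flow records: "<epoch> <src_ip> <dst_ip> <dst_port>".
# Before BASELINE_END a jump host (10.0.0.5) routinely administers two servers
# over SMB and a workstation (10.0.2.20) only browses. Afterwards that
# workstation sweeps six servers over SMB, WinRM and RPC within three minutes.
SAMPLE_FLOWS = """\
1700000000 10.0.0.5 10.0.1.10 445
1700000060 10.0.0.5 10.0.1.11 445
1700086400 10.0.0.5 10.0.1.10 445
1700172800 10.0.2.20 10.0.1.50 443
1700600000 10.0.0.5 10.0.1.11 445
1700600100 10.0.2.20 10.0.1.10 445
1700600130 10.0.2.20 10.0.1.11 445
1700600160 10.0.2.20 10.0.1.12 445
1700600190 10.0.2.20 10.0.1.13 5985
1700600220 10.0.2.20 10.0.1.14 5985
1700600250 10.0.2.20 10.0.1.15 135
"""
BASELINE_END = 1700500000  # learning window ends here (assumed cut-over time)


def parse_flows(text: str):
    """Parse lines into (ts, src, dst, dport) tuples, sorted by time."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            flows.append((int(ts), src, dst, int(port)))
    return sorted(flows)


def build_baseline(flows, baseline_end: int):
    """Map each source to the (dst, port) admin-port pairs it used normally."""
    baseline = defaultdict(set)
    for ts, src, dst, port in flows:
        if ts < baseline_end and port in ADMIN_PORTS:
            baseline[src].add((dst, port))
    return baseline


def detect_fanout(flows, baseline_end: int, min_new_targets=3, window=600):
    """Alert on sources that reach >= min_new_targets hosts not in their
    baseline, on admin ports, within any `window` seconds after baseline_end."""
    baseline = build_baseline(flows, baseline_end)
    novel = defaultdict(list)  # src -> [(ts, dst, port)] not seen in baseline
    for ts, src, dst, port in flows:
        if (ts >= baseline_end and port in ADMIN_PORTS
                and (dst, port) not in baseline[src]):
            novel[src].append((ts, dst, port))
    alerts = []
    for src, events in novel.items():   # events are time-ordered (flows sorted)
        best = None
        for i, (start, _, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            targets = {e[1] for e in burst}
            if best is None or len(targets) > len(best["targets"]):
                best = {"src": src, "first_seen": start, "targets": targets,
                        "techniques": {ADMIN_PORTS[e[2]] for e in burst}}
        if best and len(best["targets"]) >= min_new_targets:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(parse_flows(SAMPLE_FLOWS), BASELINE_END):
        print(f"{alert['src']} reached {len(alert['targets'])} new hosts "
              f"via {sorted(alert['techniques'])} from t={alert['first_seen']}")
```

The jump host's continued SMB sessions to its two usual servers never alert because those pairs are in its baseline; the workstation alerts because none of its six targets are, and it hits them inside one ten-minute window. This is the kind of signal the post is after: every individual connection is legitimate-looking Windows administration, and only the network-wide history makes the burst stand out.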
Achieving full network visibility is not trivial. It requires technology that can reliably capture and decode high-volume traffic and present it in a way that is actionable and integrates with your existing infrastructure and workflows. There is certainly a cost associated, but the ROI far outweighs it. The bottom line: given the potential cost of a data breach, can you afford not to have full network visibility?