This article is the third installment in a four-part series that examines how the X-Force IRIS cyberattack framework can help identify opportunities for security practitioners to increase network security and lower risk by addressing the steps an adversary typically takes to attack a network. Be sure to check out the entire series for the full scoop.
Any determined attacker has a good chance of being able to infiltrate a network. However, just because an attacker makes it through the front door, that doesn’t mean they will walk away with the organization’s proprietary data. While the first two posts in this series recommended actions to hinder an attacker’s ability to plan and launch an attack, this post will explore how to subvert an attacker already in a network.
The IBM X-Force Incident Response and Intelligence Services (IRIS) cyberattack framework helps organizations understand how cyberattackers achieve their objectives and provides a model for identifying actions security practitioners can take to lower the risk of a successful breach.
The process for defenders to find and halt the activities of attackers already in the network begins with recognizing and mitigating the initial compromise and then covers opportunities to find and track attackers as they establish a foothold in the network.
IRIS Cyberattack Preparation Framework — Schematic View
Beyond Perimeter Defense
Although the goal may be to stop an attack from occurring, the reality is that perimeter defense — such as firewalls designed to stop malware from entering the network — is not a failproof solution and cannot be relied on as the only defense. Perimeter defense has value as one of several defense layers and can be effective at stopping opportunistic attacks, those where an attacker uses known vulnerabilities, and malware against multiple organizations hoping to breach the least-prepared target.
Perimeter defense is less likely to stop a targeted attack where a persistent and adaptive attacker has tailored an attack to circumvent defenses and can adapt their tactics to changes or roadblocks.
There are countless opportunities for an attacker to breach a network and there is no single solution that will stop them from compromising the organization’s network if they are motivated to find a way inside. Instead, defenders need to consider how to prioritize controls that can increase the odds of finding and stopping an attacker from achieving their goal.
Organizations have a finite amount of resources to devote to security, and using a cyberattack framework to analyze attacker techniques can aid in finding the defensive strategy that will give the most significant return on investment.
Initial Compromise (Think: Phishing Attacks!)
The IBM X-Force IRIS cyberattack framework initiates after an cyberthreat actor has launched an attack, beginning with a successful initial compromise. The initial compromise occurs when the attacker has gained access to at least one host on the network or has otherwise gained access to the network — perhaps via logging on with stolen or brute-forced credentials.
Phishing emails are the most common threat vector for attackers to gain network access. Therefore, focusing resources to harden this initial attack surface can help reduce the risk of initial compromise.
In a phishing or spear phishing attack, a fraudulent email or electronic communication is sent to users within an organization, luring them into revealing network credentials, clicking a link or downloading a legitimate-looking attachment with hidden malware. Depending on the attacker’s techniques and goals, phishing attacks can occur with or without the use of malware.
Implementing the following security features, educating employees, and revisiting internal security and reporting processes can reduce the risk of a phishing email being successful:
- Disable macros: Windows macros are programs that are embedded within other programs to automate repetitive tasks. Although Windows’ security features now include an automatic pop-up that requires the user to enable macros in many productivity files, users can still be fooled into doing so after receiving a well-crafted phishing scam. Disabling macros as a policy can help prevent malicious attachments from running the embedded malware and reduce chances of infection.
- Enforce policies that prevent users from running untrusted code: Macros are not the only option for attackers who want to embed malicious code within phishing emails or attachments. Since attackers use a variety of other methods, preventing users from running any untrusted code can further mitigate this threat.
- Create banners that identify emails coming from external addresses: Easily identifiable banners could alert employees to typo-changed email addresses. These are designed to look like trusted emails but are actually crafted by attackers, making them hard to spot visually.
- Configure intrusion prevention systems (IPS) and intrusion detection systems (IDS) to alert on potential phishing emails: IPS and IDS solutions monitor network traffic, and can either alert (in the case of an IDS) or block (in the case of an IPS) malicious traffic. These systems can be configured to alert on known or suspected malicious emails.
Both solution types are valuable defense layers. IDS can be configured to alert on a broader set of signatures, while IPS detection signatures should be based on higher confidence of malicious activity. To enhance protection, make a point of maximizing storage and retention policies for data collected from an IDS or IPS. This data can be valuable forensic evidence for incident response teams looking to analyze, contain and mitigate a breach.
- Employ protection platforms on email servers: A malicious email detection solution implemented at the email gateway can further help defenders identify and block fraudulent emails. These services can blacklist known sources of ransomware and phishing attacks and will analyze all attachments or URLs sent via email in a sandbox before users access them. Making sure email content is “clean” means employees are less likely to fall prey to a phishing attempt.
- Ensure hosts are equipped with solutions to identify and prevent malware from running: Endpoint protection platforms (EPPs) and endpoint detection and response (EDR) platforms are additional layers that can help detect indicators of an attack and may help stop malicious files from running. They can also alert the security team to a potential attack.
In addition to phishing attacks, which target the operating systems employees use (also known as client-side attacks), cyber adversaries can also employ server-side attacks that target servers and can include web compromise or exploit a network vulnerability to infiltrate servers the organization operates. Good network hygiene — such as securing open ports, performing input validation and ensuring effective patch management — is one way to reduce the risk of server-side attacks.
Attackers Establish a Foothold and Maintain Persistence
In the next phase in the framework, the attacker establishes a foothold by ensuring access and control of at least one host or user account within the organization’s network. An attacker can accomplish this by having gained access to network credentials, installing remote control malware on endpoints or installing a backdoor on the network. Typically, attackers will establish a link to their command and control (C2) infrastructure and use it to control endpoints they have infected remotely.
To maintain persistence, an attacker will work to strengthen their foothold in the target environment by securing redundant and overlapping access to the network in case the system is restarted or rebuilt, an access point fails or stolen credentials are reset.
Often, actions to maintain persistence occur simultaneously when the attacker establishes a foothold. For example, an attacker may reference the initial backdoor in a Windows Registry location that could ensure it will run each time the host is restarted. Moreover, actions to maintain persistence can continue to occur throughout the remainder of the attack as the attacker moves deeper into the organization’s networks.
Actions taken by attackers, both for establishing a foothold and for maintaining persistence, can be visible and mitigated. In some cases, malicious activities can be flagged by an IDS/IPS platform or an EPP/EDR platform, which can be configured to search for known threats.
Defenders Go Threat Hunting
While detecting known threats is part of protecting against attacks, when it comes to threats and attacker methodologies that are not yet known, a well-established and effective threat-hunting program can aid in threat identification and mitigation. A new or existing threat-hunting program can be scoped and augmented to help reduce the operational burden on security teams — all while adding value to the overall ability of the organization to find intruders before they can do any harm.
Building a threat profile, as described in the first part of this blog series, can aid in prioritizing threat-hunting requirements around an organization’s most valuable assets and the likely threats most relevant to those assets. To scope a threat-hunting program, it can be helpful to start with a “crawl, walk, run” approach. A narrow focus can begin by examining networks for signs of specific activities of an attacker — for example, establishing a foothold and maintaining persistence — particularly if those actions are against the highest priority assets.
As a threat-hunting team succeeds in these aspects, the scope can be expanded to include more types of activities attackers are likely to take and to search across additional environments and assets.
Once an unknown threat is discovered through threat hunting, the associated indicators of the threat can be migrated as signatures into the detection and protection platforms, and any other instances will be identified automatically.
Additionally, investment in a centralized logging and analysis platform can automatically prioritize data, setting it into tiers ranging from benign activities to those likely indicating maliciousness. Understanding and labeling telemetry data that is likely due to normal business operations as benign can be just as important at identifying suspicious activity. Whitelisting and creating a baseline for normal activity, as well as performing frequency analysis, can aid in detecting anomalies. Performing this analysis, however, is difficult without some type of centralized logging and analysis platform.
Take Defensive Actions to Mitigate Risk
Examining the IBM X-Force IRIS cyberattack framework and the steps attackers take to initially compromise, establish a foothold and maintain persistence can help in identifying prioritized avenues to increase security.
The final post in this blog series will examine defensive actions that can help identify attackers as they move through an organization’s network, escalate their access and exfiltrate proprietary data.