This article is the final installment in a four-part series that examines how the X-Force IRIS cyberattack frameworks can help identify opportunities for security practitioners to increase network security and lower risk by addressing the steps an adversary typically takes to attack a network. Be sure to check out the entire series for the full scoop.
Even after an organization’s network has been compromised, the security team still has opportunities to find and dispel the attackers before they can expand their access within the network and achieve other objectives. Attackers, particularly advanced attackers who are good at evading detection, may spend a significant amount of time in a network, giving defenders time to foil their schemes.
The IBM X-Force Incident Response and Intelligence Services (IRIS) cyberattack framework helps security practitioners understand how a cyberattack occurs and provides a model to identify opportunities to lower the risk of a successful breach.
IBM IRIS Cyberattack Preparation Framework — Schematic View
Since we’ve already recommended actions to help identify and subvert attackers throughout their preparation and the early stages of an attack, we can now explore the final opportunities a security team has to thwart an attack before it can cause financial, reputational and other types of damage.
By dissecting the phases of the framework in which attackers conduct internal reconnaissance, move laterally, escalate privileges and meet their objective, security teams can determine what steps they must take to help reduce the risk of attackers moving around the network and stealing privileged data.
Beyond the Initial Compromise: Expand Access Stage
Advanced attackers often spend significant time and effort in the expand access stage, gaining the required visibility and searching for proprietary information that accomplishes their mission.
Attackers’ activities during this phase can mimic the commands and actions of typical users, and it can be difficult to distinguish the activities of the “expand access phase” from normal operations. Still, finding and mitigating against an attack at these stages represents defenders’ final opportunity to prevent further harm.
Once attackers enter the network, they may collect additional information about users and groups on the network, examine the access levels used and identify available files or databases before determining the next steps to gain greater access.
Security teams don’t always have a smoking gun to alert them to internal reconnaissance activities because attackers often use commands inherent to the operating system rather than malware, which makes this activity harder to detect with traditional controls.
However, security teams can help detect malicious activity by building a baseline for typical user behavior and threat hunting for anomalies. To enrich information about legitimate user patterns, security teams can use machine learning for behavioral biometrics and equip their logging and analysis platform with artificial intelligence (AI)-enabled applications.
Another option to help detect internal reconnaissance is to set up honeypots. A honeypot is a deceptive file or system designed to trick attackers into accessing it. A honeypot can be as simple as a file that contains false information disguised as lucrative data that an attacker would be likely to search for. It could also be a false subnetwork that an attacker might spend a lot of time filtering through.
If an attacker accesses a honeypot, the system will send an immediate alert to security teams with details regarding the activity on the honeypot, including user information and logged keystrokes. Although it is not guaranteed that attackers would ever access a honeypot even if after compromising the network, a honeypot can be both simple to implement and low-cost.
An Attacker Moves Through the Network
During the “move laterally” and “escalate privileges” phases, the attacker gains access to more resources within the compromised network by moving to additional hosts with different or greater access, such as an administration account. This process can include obtaining additional credential information, stealing public key infrastructure (PKI) certificates, and accessing privileged accounts or computers.
Impede Attackers’ Steps With the Principle of Least Privilege
The principle of least privilege can limit the attacker’s ability to easily move throughout the network. We had previously considered least privilege in terms of system access authorizations, but the principle is best applied to user account access when discussing lateral movement and privilege escalation.
Attackers often seek multiple user credential sets to gain additional access to other parts of the network. By restricting all user access to only the resources required for their daily tasks, security teams can limit what an attacker would be able to achieve with the same credentials. In addition to role-based privilege restrictions, access restrictions can also be made based on the expected context of the activity, such as restrictions on the time of day that remote access is allowed and what users from certain geographic locations are able to do.
When it comes to administration accounts and the principle of least privilege, administrators should also have a standard user account. The administration account should only be accessed for specific, required tasks with the standard account used for the bulk of daily activities.
The administration accounts should be monitored for anomalies, such as a user spending an unusually large amount of time on it. If possible, use the separation of duties and rotation principles to divide administration tasks among several accounts to limit the access that an attacker would have with one set of administrator credentials.
The principle of least privilege also applies to the network. Segment the network into logical components where trust and communication between the segments is strictly controlled. Segmenting the network is akin to creating several mini-networks under the larger network umbrella. In this sense, an attacker would need to invest the same amount of effort to compromise each segment as the initial compromise, slowing or restricting the attacker’s ability to gain access to the full environment. At the same time, defenders would have a better chance to identify the intrusion through threat hunting and other security controls.
Harden Password Policies
Finally, security teams and administrators should enforce strong user password policies. Enabling multifactor authentication (MFA) can help limit an attacker’s ability to access additional user accounts with a stolen username and password. If employees use multiple systems to perform their job duties, restrict the ability to use the same password across systems. At the administrative level, protect against pass the hash and other password-stealing methods by storing password hashes in secured locations.
The Attacker Accomplishes the Goals of the Cyberattack
By completing some or all of the phases in the cyberattack framework, attackers hope to complete their objective of the intrusion. Threat actors’ end goals can range from reconnaissance to theft of data or finances to destruction of victims’ assets.
Often advanced attackers will exfiltrate privileged information as their goal or as a step toward achieving their goal. This information can be used for espionage purposes in the case of state-sponsored cyberintelligence groups or corporate competitors or sold for a profit by financially motivated adversaries.
Look for Data in Transit
To identify attackers beginning the final stage of the cyberattack, security teams can monitor or restrict unusual data transfers, such as:
- Creation of RAR files: It is common for attackers hoping to exfiltrate large amounts of data quickly to compress and encrypt the information. To accomplish this, attackers typically convert the data into RAR files, although other archives can be used. Security teams can monitor for and inspect the creation of RAR files.
- High volume of email to external addresses: An attacker using valid employee credentials may use an employee’s email account to exfiltrate data from a network. Security teams should investigate spikes in emails to external addresses, particularly if these emails contain attachments.
- Creation of auto-forwarding rules or delegated email accounts: To steal emails, attackers may create email forwarding rules or account delegates to access emails from their own accounts. Security teams should monitor for the creation of auto-forward rules and new email delegates or prohibit this activity.
- Increase in uploads to websites: Security teams can also look for spikes in the volume of employee uploads to non-corporate websites. Attackers may use a valid user account to upload proprietary data to an attacker-controlled website or cloud storage service.
- Unsanctioned port activity: Attackers can use a variety of ports and protocols to exfiltrate data, including file transfer protocol (FTP) and Domain Name Server (DNS). Security teams can monitor for excessive traffic leaving through these protocols. To take proactive action, security teams can use dedicated servers for these protocols and close these ports on other servers.
A Defender’s Work Isn’t Over
If defenses are insufficient or unable to track and stop attackers from accomplishing their mission, the organization’s security team and business leaders still have a lot of work to do to contain and remedy the compromise.
A breached organization would likely activate its incident response team and procedures and may require additional expertise from a specialized security vendor. After a security compromise, the organization needs to explore what happened, what the damage consisted of, how to mitigate the damage and, finally, how to prevent it from happening again.
Organizations can prepare for an attack by building a dedicated team and training it to respond to security incidents. To practice relevant attack scenarios, the response team can participate in tabletop exercises or simulations that mimic a cyberattack to find shortcomings in their mitigation and remediation processes. Simulations can help security leaders establish quick-action response processes and communication policies in anticipation of a breach. Continuous training can help prepare the team to act quickly and efficiently during a real-world event.
Even after attackers have accomplished their objectives, they will often leave their backdoors in the network open to return to the environment at a later date. For this reason, an effective incident response must include finding and closing those security gaps.
Forensic analysis is part of understanding the attack and learning from it. A thorough examination of available forensics can help security teams understand details of the attack, which can aid in establishing mitigation priorities, providing data to law enforcement and planning risk reduction strategies to protect against future threats.
Learn More About the IBM X-Force Cyberattack Framework
By dissecting each phase of the IBM X-Force cyberattack preparation and execution framework, security leaders can create a prioritized and cost-effective collaborative-defense strategy that can help minimize the attack surface and reduce the risk of an attack succeeding.
To learn more, read the X-Force IRIS cyberattack preparation and execution frameworks white paper and listen to the recent SecurityIntelligence podcast episode, “Fight Back with the X-Force IRIS Cyberattack Preparation and Execution Frameworks.”