With cyberattacks on the rise, it is vital to understand the different types of attack beasts and what tools are needed to stop them or to mitigate the damage they cause. Below we discuss the different ways attackers enter environments and the tooling a SOC needs to limit the damage from a cyberattack.
There are four things that happen almost every time a beastly attack occurs:
When a new attack beast is discovered through disclosure (coordinated or not), the timeline is roughly the same every time. A clever researcher discovers that some commonplace part of an operating system, firmware, website, operation, or process can be used for a purpose other than the one it was designed for. Coordinated disclosure would have that person contact the organization that makes the software or hardware, which would then, presumably, respond with an update that patches the issue. What goes wrong?
One example of an attack beast is SpringShell (also called Spring4Shell, CVE-2022-22965), which affects request-mapped handler methods that bind HTTP request parameters onto plain Java objects in the Spring Framework. The binding is the problem: a client can set nested properties the handler never meant to expose, and in the commonly exploited setup (a WAR deployed on Tomcat under JDK 9 or later) the property path runs through the object's class loader to Tomcat's access-log valve. What is clever here is that the public proof of concept rewrites the access log's directory, prefix, suffix and pattern so that the log file itself is written as a JSP page under the web root; Tomcat then serves that page, and the attacker uses ordinary HTTP requests to it to execute commands. The proof of concept drops a command shell, but any executable code could be written the same way. The underlying vulnerability in Spring is a client's ability, in some cases, to modify sensitive internal state of the web server or application by carefully crafting the HTTP request. Here are four remediation steps:
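Because the exploit described above rides on request parameter names, the cheapest hunt for it is to look for the class loader property path in web request logs. The following detector is an added example, not code from the original page or from the Spring project; it assumes combined-format access log lines and a constructed sample log, and it replaces the proof-of-concept property values with placeholders. It handles two evasions seen in the wild, mixed-case parameter names and double URL encoding. (On the Spring side, the fix is upgrading to Spring Framework 5.3.18 or 5.2.20 or later, or disallowing the `class.*` binding paths on the WebDataBinder.)

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Property-path prefixes through which Spring's request-parameter data binding
# reaches the class loader. Compared case-insensitively because observed
# exploit traffic used variants such as "Class.module.classLoader" to slip
# past naive filters.
CLASSLOADER_PREFIXES = ("class.module.classloader", "class.classloader")

# Combined log format: client IP, identity, user, [timestamp], "request line", status ...
ACCESS_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def normalize_name(name: str, rounds: int = 3) -> str:
    """Lowercase a parameter name after repeated URL decoding.

    parse_qsl already decodes once; the extra rounds catch double encoding
    such as class%252Emodule (-> class%2Emodule -> class.module).
    """
    current = name
    for _ in range(rounds):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()


def spring4shell_indicators(query: str) -> list[str]:
    """Return the parameter names (as parse_qsl decodes them) in a query string
    or form body that target the class loader property path."""
    return [
        name
        for name, _ in parse_qsl(query, keep_blank_values=True)
        if normalize_name(name).startswith(CLASSLOADER_PREFIXES)
    ]


def scan_access_log(lines: list[str]) -> list[dict]:
    """Scan combined-format access log lines for GET-based exploitation attempts.

    POST bodies are not recorded in the access log; feed those through the same
    spring4shell_indicators() from a WAF or request-logging layer.
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        match = ACCESS_LINE.match(line)
        if not match:
            continue
        _path, _, query = match["target"].partition("?")
        hits = spring4shell_indicators(query)
        if hits:
            findings.append({
                "line": number,
                "client": match["client"],
                "timestamp": match["ts"],
                "status": int(match["status"]),
                "params": hits,
            })
    return findings


# Constructed sample log: one benign request, one mixed-case exploit attempt,
# one double-encoded attempt, and one benign request whose parameter names
# merely start with "class". Property values are replaced with placeholders.
SAMPLE_LOG = """\
198.51.100.10 - - [31/Mar/2022:10:15:02 +0000] "GET /app/greet?name=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Mar/2022:10:15:09 +0000] "GET /app/greet?Class.module.classLoader.resources.context.parent.pipeline.first.pattern=PLACEHOLDER&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=PLACEHOLDER&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1" 200 512 "-" "python-requests/2.27"
203.0.113.8 - - [31/Mar/2022:10:16:41 +0000] "GET /app/greet?class%252Emodule%252EclassLoader%252Eresources%252Econtext%252Eparent%252Epipeline%252Efirst%252Esuffix=.jsp HTTP/1.1" 200 512 "-" "curl/7.81"
198.51.100.11 - - [31/Mar/2022:10:17:00 +0000] "GET /app/course?classId=5&className=intro HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG.splitlines()):
        print(finding["client"], finding["timestamp"], finding["params"])
```

A match is an attempt, not proof of compromise: pair the hit with the response status and with file creation under the Tomcat webapps directory to confirm the JSP was actually written.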
Log4j is a Java-based logging utility maintained by Apache Logging Services, a project of the Apache Software Foundation. The Log4Shell beast (CVE-2021-44228) let an attacker execute code on the server by getting a JNDI lookup string into any field that was logged. Apache put out a patch (Log4j 2.15.0), a bypass hit, Apache sent out a new patch (2.16.0), and then another (2.17.0).
There is a long list of questions that every SOC gets asked rapid-fire, from all directions, by every savvy executive and security pro in the organization:
Rather than looking at single incidents or alerts in isolation, we can adapt our thinking and ask key questions about each data source. Here are some examples:
SolarWinds Orion is an IT infrastructure monitoring and management platform. In this cyberattack, a clever adversary infected the product at its source: the build process was compromised and a backdoor was inserted into a legitimately signed Orion Platform DLL, so customers who installed the update got a Trojan horse inside the proverbial gates. Microsoft Threat Intelligence Center named the actor behind the SolarWinds compromise, the SUNBURST backdoor, TEARDROP malware, and related components NOBELIUM. The backdoor lay low at first, dormant for up to about two weeks, then reached out to a command-and-control (C2) server using a generated subdomain that encoded information gathered from the affected device, unique to each victim domain. From that foothold the operators stole credentials, moved laterally across the network, and in some victims forged SAML tokens (the "Golden SAML" technique) to reach Azure Active Directory and Microsoft 365 with administrator-level access. It was sheer elegance in its evil simplicity for evading most antivirus and endpoint software: you had to see the traffic to the C2 domains and the activity against the identity stores, and recognize that what was happening was new, unique, and undesirable. Once an attacker holds legitimate super user credentials, the network is pretty much pwned, and this one was pwned a long time before discovery. Once compromised, the hacker can:
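The paragraph above makes the point that SUNBURST was only visible in the traffic, specifically in DNS queries to generated subdomains of a single apex domain. The following detector is an added example, not code from the original page or from any vendor: it runs over a constructed resolver log and flags two things, queries whose apex is the known SUNBURST C2 domain avsvmcloud.com (a fact from the public FireEye and Microsoft analyses), and queries that combine an apex never seen in the organization's baseline with a long, high-entropy leftmost label of the kind a domain generation algorithm produces. The thresholds, the baseline set, the host names and the updatesrv-cdn.net domain are assumptions made up for the example.

```python
import math
from collections import Counter

# Apex domain the SUNBURST backdoor beaconed to, per the public FireEye and
# Microsoft analyses; generated subdomains sat beneath it, in the shape
# <encoded-victim-data>.appsync-api.<region>.avsvmcloud.com.
KNOWN_C2_APEXES = {"avsvmcloud.com"}

# Heuristic thresholds for a "machine-generated" leftmost label. These are
# assumptions for the example; tune them against your own DNS baseline.
MIN_DGA_LABEL_LEN = 16
MIN_DGA_ENTROPY = 3.5


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    total = len(text)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def apex_of(qname: str, levels: int = 2) -> str:
    """Registrable domain approximated as the last `levels` labels.
    Production code should consult the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-levels:])


def looks_generated(label: str) -> bool:
    return len(label) >= MIN_DGA_LABEL_LEN and shannon_entropy(label) >= MIN_DGA_ENTROPY


def triage_dns(log_lines: list[str], baseline_apexes: set[str]) -> list[dict]:
    """Flag queries to a known C2 apex, or a never-seen apex paired with a
    DGA-like leftmost label. Each line is "<iso-timestamp> <host> <qname>"
    (a constructed format for this example)."""
    alerts = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, host, qname = parts
        apex = apex_of(qname)
        leftmost = qname.lower().split(".")[0]
        reasons = []
        if apex in KNOWN_C2_APEXES:
            reasons.append("known SUNBURST C2 apex (ATT&CK T1071.004)")
        elif apex not in baseline_apexes and looks_generated(leftmost):
            reasons.append("new apex with DGA-like label (ATT&CK T1568.002)")
        if reasons:
            alerts.append({"timestamp": ts, "host": host, "qname": qname,
                           "apex": apex, "reasons": reasons})
    return alerts


# Constructed baseline: apexes seen in the previous 30 days of resolver logs.
BASELINE_APEXES = {"microsoftonline.com", "windowsupdate.com", "cloudfront.net",
                   "contoso.com", "solarwinds.com"}

# Constructed resolver log. The subdomain labels and updatesrv-cdn.net are
# made up; only the avsvmcloud.com apex is a real indicator.
SAMPLE_DNS_LOG = """\
2020-06-15T03:12:44Z ws-acct-12 login.microsoftonline.com
2020-06-15T03:12:51Z srv-orion-01 k5p2m9x7q3h8n4r6w1zd.appsync-api.us-west-2.avsvmcloud.com
2020-06-15T03:13:02Z ws-eng-07 d2x7k9q1m5p3r8w4z6hj.cloudfront.net
2020-06-15T03:13:10Z ws-eng-07 cdn-lb-04.contoso.com
2020-06-15T03:14:27Z srv-orion-01 b7c3v9n2m4x8z1q5w6e0.updatesrv-cdn.net
2020-06-15T03:15:00Z ws-acct-12 www.solarwinds.com
"""

if __name__ == "__main__":
    for alert in triage_dns(SAMPLE_DNS_LOG.splitlines(), BASELINE_APEXES):
        print(alert["timestamp"], alert["host"], alert["qname"], alert["reasons"])
```

The baseline is what keeps the generic rule useful: CDN hostnames such as the cloudfront.net entry are just as random-looking as a DGA label, and they are suppressed only because their apex is already known to the environment.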
Let's take a look at what happened in the APT28 and APT29 attacks. These are two distinct Russian state groups: APT28 is attributed to the General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, while APT29 is attributed to the Foreign Intelligence Service (SVR) and overlaps with the NOBELIUM activity described above.
Don't hate on the victims, i.e. the people who click on links or whose identities get stolen. Nearly anyone can be manipulated into giving up data they should not, from names to the types of equipment used in the IT and security stacks. The truth is, you probably already have most of the security stack you need to look for beasts of every size and shape.
Everything, from servers and endpoints to applications and domain controllers, can log what is going on. Every organization has invested in security technology to monitor that activity, from network taps to host- and endpoint-based detections, and SaaS vendors expose APIs you can query for their traffic. All of these security stack investments produce the footprints a beast hunter follows during an investigation, and each offers its own insight into the hunt. However, they need to play together before the true footprints of a beast become visible.
Almost every security tool out there these days is starting to map its detections to MITRE ATT&CK. The ATT&CK matrix of tactics, techniques and procedures (TTPs) covers just about every clever technique an attacker can use. But keep in mind that no single vendor covers it all, because no advanced persistent threat (APT) uses only one layer of attack. That is the point of having a security stack: to increase your coverage end to end across the ATT&CK framework. The point of all of these detections is to arm your SOC with what it needs to detect the zero-day beasts and organize the evidence into coherent stories, because standards, methods, and processes are your friends.
A recent study showed that 74% of analysts' time is spent in detection, triage, and investigation. On the detection side, we are constantly tuning out false positives and keeping up with new attacks, which are often missed anyway. In triage, analysts are forced to pick the alerts of key interest and ignore the rest. In investigation, we spend a lot of time pivoting between consoles and toolkits to find the root cause and build a picture of what happened, which often takes hours or days. The result is inconsistent responses from analysts, missed investigations, and incomplete remediation.
With advanced analytics, we can automate much of this and use behavioral analysis to remove the overhead of tuning rules and to detect unknowns. This lets us look at risk across the environment: timelines showing the actions of every asset and user can be created automatically, and playbooks can then be refined with minimal time and effort. When using analytics, here are some items to be aware of:
Analytics helps hunters identify key behavioral patterns throughout an environment and build a holistic picture of an emerging threat and the possible attack scenarios behind it.
Knowing what our networks, operating systems, users, and devices look like on a normal day is critical to understanding our security posture and risks. Without that baseline we are blind to abnormalities, including the beasts we already know. It is equally imperative that the different sources work together to give you a chronological timeline of events, and that beast hunters have the flexibility to adapt the platform to their environment and customize the automation it provides.
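A baseline and a timeline are easier to reason about in code than in the abstract. The following is an added example, not code from the original page or from any product: it learns a per-user baseline (hosts, source addresses and hours of successful logons) from a training window of constructed authentication events, then scores a later window against it and emits a chronological timeline in which every event carries the deviations it shows. The event format, the user and host names, and the failure-burst threshold are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    host: str
    src_ip: str
    outcome: str  # "success" or "failure"


@dataclass
class UserBaseline:
    hosts: set = field(default_factory=set)
    src_ips: set = field(default_factory=set)
    hours: set = field(default_factory=set)  # UTC hours with successful logons


def parse_events(lines):
    """Each line: "<iso-timestamp> <user> <host> <src_ip> <outcome>" (constructed format)."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, host, src_ip, outcome = parts
        events.append(AuthEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                                user, host, src_ip, outcome))
    return events


def build_baseline(events):
    """Learn what normal looks like per user from a training window of successful logons."""
    baseline = defaultdict(UserBaseline)
    for e in events:
        if e.outcome != "success":
            continue
        b = baseline[e.user]
        b.hosts.add(e.host)
        b.src_ips.add(e.src_ip)
        b.hours.add(e.ts.hour)
    return baseline


def score_events(baseline, events, failure_burst=3):
    """Return a chronological timeline; each entry lists the deviations the event shows."""
    timeline = []
    consecutive_failures = defaultdict(int)
    for e in sorted(events, key=lambda x: x.ts):
        reasons = []
        b = baseline.get(e.user)
        if b is None:
            reasons.append("user never seen in baseline")
        else:
            if e.host not in b.hosts:
                reasons.append(f"first logon to {e.host}")
            if e.src_ip not in b.src_ips:
                reasons.append(f"new source {e.src_ip}")
            if e.ts.hour not in b.hours:
                reasons.append(f"unusual hour {e.ts.hour:02d}:00 UTC")
        if e.outcome == "failure":
            consecutive_failures[e.user] += 1
            if consecutive_failures[e.user] >= failure_burst:
                reasons.append(f"{consecutive_failures[e.user]} consecutive failures")
        else:
            consecutive_failures[e.user] = 0
        timeline.append({"ts": e.ts.isoformat(), "user": e.user, "host": e.host,
                         "src_ip": e.src_ip, "outcome": e.outcome,
                         "risk": len(reasons), "reasons": reasons})
    return timeline


def asset_timeline(timeline, key, value):
    """Narrow the scored timeline to one user or host, keeping chronological order."""
    return [t for t in timeline if t[key] == value]


# Constructed training window (the "normal" week).
TRAINING_LOG = """\
2022-03-01T08:02:11Z alice ws-alice 10.0.1.20 success
2022-03-01T13:15:40Z alice ws-alice 10.0.1.20 success
2022-03-02T08:05:03Z alice ws-alice 10.0.1.20 success
2022-03-01T09:00:12Z bob ws-bob 10.0.1.31 success
2022-03-02T14:21:55Z bob fileshare-01 10.0.1.31 success
"""

# Constructed observation window: a 2 AM logon to a domain controller, a burst
# of failures from an outside address, and a user with no baseline at all.
OBSERVED_LOG = """\
2022-03-07T08:01:30Z alice ws-alice 10.0.1.20 success
2022-03-07T02:14:09Z alice srv-dc-01 10.0.1.20 success
2022-03-07T03:40:01Z bob ws-bob 198.51.100.5 failure
2022-03-07T03:40:04Z bob ws-bob 198.51.100.5 failure
2022-03-07T03:40:08Z bob ws-bob 198.51.100.5 failure
2022-03-07T03:41:10Z bob ws-bob 198.51.100.5 success
2022-03-07T14:00:00Z carol ws-carol 10.0.1.44 success
"""

if __name__ == "__main__":
    baseline = build_baseline(parse_events(TRAINING_LOG.splitlines()))
    for entry in score_events(baseline, parse_events(OBSERVED_LOG.splitlines())):
        print(entry["ts"], entry["user"], entry["host"], entry["risk"], entry["reasons"])
```

The risk score here is just a count of deviations; a real platform weights them and decays them over time. What matters for the hunt is that the timeline is ordered by event time, not by when each source delivered it, so the 2 AM domain controller logon reads in sequence with the failures that preceded the successful logon from the outside address.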
Beastly attacks are something no organization wants to experience. Fortunately, by understanding what normal looks like in your environment and being alerted to deviations from it, you can be notified of the signs of a beastly attack in near real time, and mitigate the damage.
Securing data with a wide range of unintegrated security solutions produces a large volume of reports specific to each product, a high volume of alerts, and inconsistent or incorrect reporting, which in turn causes failures in attack prediction, detection and response. To cover all of these security needs without fundamental changes to the structure of the systems, an advanced SOC must be designed for 24/7 monitoring and control of the data flowing into and out of the organization, and that in turn requires a powerful SIEM.
Polar SIEM and the modules described below are built to receive, monitor and analyze the most diverse range of events.