With cyberattacks on the rise, it is vital to understand the different types of attack beasts and what tools are needed to stop them or mitigate the damage they can cause. We discuss the different ways attackers enter environments and the tools needed to mitigate damage from cyberattacks.
An inside view of cyberattacks
There are four things that happen almost every time a beastly attack occurs:
- Malware dropper: Scans for vulnerable systems, sets up malware droppers based on known vulnerabilities, phishing attempts, brute force attacks, etc.
- Compromised credentials: An external actor has gained access to a device and/or user credentials via phishing, malware, or other common threats, then creates more credentials and escalates privileges.
- Data exfiltration: Begins with the unauthorized access, followed by command and control (C&C) communications and unusual files moving in unusual directions.
- IT works overtime: Scanning for vulnerable instances, getting patches, finding compromised credentials, reimaging machines, etc.
A beastly timeline
When a new attack beast is discovered through disclosure (responsible or irresponsible), the timeline is always roughly the same. A clever researcher discovers that some commonplace part of an operating system, firmware, website, operations, or process can be used for a purpose other than the one for which it was designed. Responsible disclosure would have that person contact the organization that manufactures the software or hardware, who would then presumably respond with an update to patch the issue. What goes wrong?
- The vulnerability report or email gets ignored: no reply, or an unhelpful one.
- The vulnerability report was not fixed within a reasonable time frame. Let’s say 90-180 days to be generous; 60-90 days is better.
- The person who discovers it feels that telling the public will force the organization to fix things. Ideally, every software or hardware company would have a standard methodology by which people can report bugs or potential vulnerabilities.
- What’s the lesson learned here? Public shaming always benefits the bad guys. Be responsible for your disclosures, researchers!
Meet the attack beasts
One example of an attack beast is the SpringShell beast, which affects functions that use request mappings and Java objects within the Spring Framework. The POC code creates a controller (once loaded into Tomcat) that can then handle HTTP requests. What is clever here is that the attacker can then change the default access log to a file of their choosing and use further HTTP requests to execute commands. While the POC depicts a command shell as the inserted code, this attack could be performed using any executable code. The vulnerability in Spring gives a client the ability, in some cases, to modify sensitive internal variables inside the web server or application by carefully crafting the HTTP request. Here are four remediation steps:
- Check whether you run the Spring Framework (a lightweight open-source framework for Java) on Java Development Kit (JDK) version 9.0 or newer.
- Firewall/IDS: enable TLS inspection so signatures for this specific vulnerability can be applied to encrypted traffic.
- WAF: look for specific exploit attempts against the vulnerability.
- Endpoint: check for signatures and behavior.
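As an added example (not code from the original post), here is a Python check for the WAF and endpoint steps above: it scans web-server access-log lines for requests whose parameter names bind into the class loader, which no legitimate form field does. The log layout, the suspect-path list and the sample lines are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote

# Property paths that bind into the class loader through a mapped Java object. No legitimate
# form field targets them, so their presence flags a probe or exploit attempt regardless of value.
# (List assumed from public detection rules for this example; extend it for your stack.)
SUSPECT_PATHS = ("class.module.classloader", "class.classloader", "class.protectiondomain")

# Apache/Tomcat combined access-log layout: client ident user [time] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def normalize(name):
    """Strip nested percent-encoding and fold case so obfuscated spellings compare equal."""
    prev = None
    while prev != name:
        prev, name = name, unquote(name)
    return name.lower()

def suspicious_params(query):
    """Return the normalized parameter names in a query string that reach the class loader."""
    hits = []
    for pair in filter(None, query.split("&")):
        name = normalize(pair.split("=", 1)[0])
        if any(name.startswith(p) or "." + p in name for p in SUSPECT_PATHS):
            hits.append(name)
    return hits

def scan_access_log(lines):
    """One alert per request whose query string carries a suspect binding path."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target").partition("?")[2])
        if hits:
            alerts.append({"src": m.group("ip"), "time": m.group("ts"),
                           "status": m.group("status"), "params": hits})
    return alerts

# Constructed sample log lines (not real traffic): lines 2 and 3 carry binding probes, the
# third one double-encoded and mixed-case; line 4 merely mentions the word inside a value.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Mar/2022:10:01:02 +0000] "GET /app/greet?name=bob HTTP/1.1" 200 512',
    '198.51.100.7 - - [31/Mar/2022:10:01:09 +0000] "GET /app/greet?class.module.classLoader.DefaultAssertionStatus=x HTTP/1.1" 400 0',
    '198.51.100.7 - - [31/Mar/2022:10:01:10 +0000] "POST /app/greet?%2543lass.Module.ClassLoader.x=1 HTTP/1.1" 400 0',
    '203.0.113.9 - - [31/Mar/2022:10:02:00 +0000] "GET /app/search?q=classloader+tutorial HTTP/1.1" 200 2048',
]
```

Only query strings reach the access log; POST bodies need the WAF or application log to apply the same check.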
Log4j is a Java-based logging utility, part of Apache Logging Services, a project of the Apache Software Foundation. Apache put out a patch, a new exploit hit, Apache sent out a new patch, and then another.
There is a long process behind the important questions that every SOC gets asked rapid-fire from all directions by every savvy executive and security pro in the organization:
- Do we use this thing? Apache, Java. As of last year, Apache held somewhere between 25 and 35% of the market.
- What version are we on? Is it the vulnerable one?
- Can we do the mitigations today?
- Is there any evidence that someone has already compromised us?
- What do we look for to keep from being compromised today and tomorrow?
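To answer "Do we use this thing?" and "What version are we on?", here is an added Python inventory scanner (not from the original post) that walks a directory, opens JARs, WARs and EARs including nested ones, reads the Log4j core version from its Maven metadata and compares it with a fixed-version threshold. The threshold passed to demo() and the fixture jars are assumptions; take the real threshold from Apache's Log4j security advisory for your Java version.

```python
import io, os, re, tempfile, zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
CORE_MARKER = "org/apache/logging/log4j/core/"   # still present when pom.properties was stripped

def parse_version(v):
    # "2.14.1" -> ((2,14,1), 1, ()); "2.0-beta9" -> ((2,0,0), 0, (9,)) so betas sort below releases
    main, _, pre = v.partition("-")
    nums = tuple(int(x) for x in re.findall(r"\d+", main))
    nums += (0,) * (3 - len(nums))
    return (nums, 0 if pre else 1, tuple(int(x) for x in re.findall(r"\d+", pre)))

def inspect_archive(blob, label, fixed_version, findings):
    """Append (label, version, needs_update) for each log4j-core found, recursing into nested jars."""
    if not zipfile.is_zipfile(blob):            # skip corrupt or non-zip files quietly
        return
    with zipfile.ZipFile(blob) as zf:
        names = zf.namelist()
        if POM_PROPS in names:
            m = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
            ver = m.group(1).strip() if m else "unknown"
            findings.append((label, ver, ver == "unknown" or parse_version(ver) < parse_version(fixed_version)))
        elif any(n.startswith(CORE_MARKER) for n in names):
            findings.append((label, "unknown", True))   # repackaged without metadata: needs review
        for n in names:                                 # fat jars, WARs and EARs nest libraries
            if n.lower().endswith((".jar", ".war", ".ear", ".zip")):
                inspect_archive(io.BytesIO(zf.read(n)), f"{label}!{n}", fixed_version, findings)

def scan_tree(root, fixed_version):
    """Walk a directory and report every log4j-core instance, nested ones included."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, f)
                inspect_archive(path, os.path.relpath(path, root), fixed_version, findings)
    return sorted(findings)

def demo(fixed_version="2.17.1"):   # threshold is an assumption: take it from the Apache advisory
    """Build a constructed fixture (fake jars, not real Log4j) in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        core = io.BytesIO()
        with zipfile.ZipFile(core, "w") as z:       # fake log4j-core carrying version metadata
            z.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\nversion=2.14.1\n")
            z.writestr(CORE_MARKER + "Core.class", b"")
        with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:   # nested inside a WAR
            z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
        with zipfile.ZipFile(os.path.join(root, "clean.jar"), "w") as z:  # unrelated library
            z.writestr("com/example/Main.class", b"")
        return scan_tree(root, fixed_version)
```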
Rather than looking at singular incidents or alerts based on detections, we can actually adapt our thinking to ask key questions based on the source. Here are some examples:
- Network device
  - Are there any new or abnormal connections to a new geo-location?
  - Is there traffic now persisting on a new port?
- Endpoint device
  - Was PowerShell used via cmdlets?
  - Was ping used abnormally?
  - Is this the first security alert for this asset?
  - Is this the first security alert for this organization?
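The questions above are all "first seen" questions, so here is an added Python example (not from the original post; it also covers the "understanding normal" baseline discussed later) that learns per-asset geo-locations, ports and alert names from a learning window, then flags a new geo-location, a new port once traffic persists on it, and the first alert for an asset or for the whole organization. The telemetry and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed telemetry (not real data): a learning window that defines "normal" per asset,
# then a detection window compared against it. src "net" = network device, "edr" = endpoint alert.
BASELINE_WINDOW = [
    {"src": "net", "asset": "ws-101", "port": 443, "geo": "US"},
    {"src": "net", "asset": "srv-db1", "port": 1433, "geo": "US"},
    {"src": "edr", "asset": "ws-101", "alert": "Macro spawned process"},
]
DETECTION_WINDOW = [
    {"src": "net", "asset": "ws-101", "port": 8443, "geo": "RO"},
    {"src": "net", "asset": "ws-101", "port": 8443, "geo": "RO"},
    {"src": "net", "asset": "ws-101", "port": 8443, "geo": "RO"},
    {"src": "edr", "asset": "srv-db1", "alert": "Macro spawned process"},
    {"src": "edr", "asset": "ws-101", "alert": "Credential dumping"},
]

def build_baseline(events):
    """Record, per asset, the geo-locations, ports and alert names seen in the learning window."""
    base = {"geo": defaultdict(set), "port": defaultdict(set), "alerts": defaultdict(set)}
    for e in events:
        if e["src"] == "net":
            base["geo"][e["asset"]].add(e["geo"])
            base["port"][e["asset"]].add(e["port"])
        else:
            base["alerts"][e["asset"]].add(e["alert"])
    return base

def detect(base, events, persist_threshold=3):
    """Answer the source-based questions as (asset, finding, value) tuples; each fires once."""
    findings, new_port_hits = [], Counter()
    org_alerts = set().union(*base["alerts"].values())   # alert names seen anywhere in the org
    for e in events:
        a = e["asset"]
        if e["src"] == "net":
            if e["geo"] not in base["geo"][a]:
                findings.append((a, "new or abnormal geo-location", e["geo"]))
                base["geo"][a].add(e["geo"])                # learn it so it fires only once
            if e["port"] not in base["port"][a]:
                new_port_hits[(a, e["port"])] += 1           # a new port is noise until it persists
                if new_port_hits[(a, e["port"])] == persist_threshold:
                    findings.append((a, "traffic persisting on new port", e["port"]))
        else:
            if a not in base["alerts"]:
                findings.append((a, "first security alert for this asset", e["alert"]))
            if e["alert"] not in org_alerts:
                findings.append((a, "first security alert for this organization", e["alert"]))
            base["alerts"][a].add(e["alert"])
            org_alerts.add(e["alert"])
    return findings
```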
SolarWinds makes asset management and monitoring software. In this cyberattack, a clever attacker infected a file at the source. Microsoft Threat Intelligence Center named the actor behind the SolarWinds compromise, the SUNBURST backdoor, TEARDROP malware, and related components NOBELIUM. The malware was dropped at the source, so when people downloaded the SolarWinds Orion Platform DLL, they got a Trojan horse inside the proverbial gates. SUNBURST launched a golden ticket attack against the AD, got super user credentials, and then spread across the network and up to Azure Active Directory. The Trojan lay low at first, then reached out to a C&C server using a subdomain generated from information gathered from the affected device, with a unique subdomain for each affected domain. It was sheer elegance in its evil simplicity for evading most antivirus and endpoint software. You had to see the traffic to the domains and identity stores and recognize that what was happening was new, unique, and undesirable. Once a C&C server has legitimate super user credentials, the network is pretty much PWNED. And it was PWNED a long time before discovery. Once compromised, the hacker can:
- Connect to a C&C
- Send remote shell commands
- Download further payloads
- Exfiltrate data (low and slow)
APT28 and APT29
Let’s take a look at what happened in the APT28 and APT29 attacks, activity attributed to Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.
- Beasts used various reconnaissance methods to determine the best attack vector for compromising their targets. Some of these include network vulnerability scanning, credential harvesting, and using “doppelganger” domains.
- Beasts wrapped legitimate executable files with malware (named “OnionDuke”) to increase the chance of bypassing security controls. They also used malicious macros in Microsoft Office files and Rich Text Format (RTF) files with embedded malicious Flash code.
- Beasts traditionally use spear phishing emails to deliver malicious attachments or URLs that lead to malicious payloads.
- GRIZZLY STEPPE beasts also infected pirated software in torrent services and leveraged TOR exit nodes to deliver malware since at least 2014.
- Beasts developed malware to exploit a number of Common Vulnerabilities and Exposures (CVEs). These included Adobe Flash and Microsoft Office vulnerabilities.
- Beasts leveraged several different types of implants.
- Command and control: Beasts leveraged their installed malware through C&C infrastructure.
- Beasts are capable of utilizing their malware to conduct extensive data exfiltration of sensitive files, emails, and user credentials.
No victim blaming
Don’t hate on the victims, i.e., the people who click on links or whose identities get stolen. Nearly anyone can be manipulated into giving up data they should not, from names to the types of equipment used in the IT and security stacks. The truth is, you probably already have most of the security stack you need to look for beasts of every size and shape.
Everything, from servers and endpoints to applications and domain controllers, has the ability to log what’s going on. Every organization has invested in security technology to monitor what’s going on, from network taps to host- and endpoint-based detections. Web SaaS vendors have APIs you can query for traffic. All of these security stack investments provide key indicators, or footprints, for a beast hunter’s investigation, and each offers its own insight into the hunt. However, they need to play together to reveal the true footprints of a beast.
Detection is the key to slaying the beast
Almost every security tool out there these days is starting to map to MITRE ATT&CK. The tactics, techniques, and procedures (TTPs) in the MITRE ATT&CK framework cover just about every clever technique that can be used. But keep in mind that no single vendor does it all, because no advanced persistent threat (APT) uses only one layer of attack! That is the point of having a security stack: to increase your coverage end to end across the MITRE framework. The point of all of these detections is to arm your SOC with what it needs to detect the zero-day beasts and organize them into coherent stories, because standards, methods, and processes are your friends.
The use of behavioral analytics to mitigate cyberattack damage
A recent study showed that 74% of analysts’ time is spent on detection, triage, and investigation. On the detection side, we are constantly editing and refining rules to reduce false positives while trying to keep up with new attacks, which are often missed. In triage, analysts are forced to pick the alerts of key interest and ignore the others. In investigation, we spend a lot of time pivoting between different consoles and toolkits to find the root cause and build a picture of what has occurred, often taking hours or days. As a result, analysts respond inconsistently, leading to missed and incomplete investigation and remediation.
Now, using Advanced Analytics, we can start to automate, applying behavioral analysis to remove the overhead of tuning rules and to detect unknowns. This lets us look at risk across the environment. We can automatically create timelines showing the actions of every single asset or user in the environment, and then refine playbooks with minimal time and effort. When using analytics, here are the stages of an attack to be aware of:
- Distribution: Users are tricked or forced into downloading and activating a malicious dropper or payload via an email, watering-hole attack, exploit kit, or drive-by exploit.
- Infection: The dropper downloads an executable, then copies or stages the malicious executable to a local directory.
- Staging: The malware establishes persistence on the system and may communicate with C&C at this stage.
- Scanning: Enumeration occurs on both the local system and any network-accessible systems.
- Encryption: The ransomware begins to encrypt files, both local and on mapped drives. For each file it has encrypted, it then deletes the original.
Using analytics can help hunters identify key behavioral patterns throughout an environment and create a holistic picture of an emerging threat and possible attack scenarios.
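As an added example (not the original post’s code), here is Python that builds the per-asset timeline the section describes: it maps raw host events onto the five stages above, confirms the volume-based stages only once a threshold of distinct hosts or files is crossed, and lists the assets that have progressed furthest down the chain. Event types, thresholds and the sample telemetry are constructed assumptions.

```python
from collections import defaultdict

# Raw event type -> stage. Scanning and encryption are volume-based, so stage_timeline()
# confirms them only once a threshold of distinct hosts or files is crossed.
STAGE_OF = {"attachment_open": "distribution", "exe_written_by_office": "infection",
            "run_key_set": "staging", "c2_beacon": "staging",
            "smb_connect": "scanning", "file_rename": "encryption", "file_delete": "encryption"}

def stage_timeline(events, scan_hosts=10, encrypt_files=20):
    """events: (asset, minute, event_type, detail). Returns {asset: [(minute, stage, detail), ...]}
    giving the minute each stage was first confirmed for that asset, in time order."""
    per_asset, seen = defaultdict(list), defaultdict(set)
    hosts, touched = defaultdict(set), defaultdict(set)   # distinct SMB targets / files per asset
    for asset, minute, etype, detail in sorted(events, key=lambda e: e[1]):
        stage = STAGE_OF.get(etype)
        if stage is None or stage in seen[asset]:
            continue
        if stage == "scanning":
            hosts[asset].add(detail)
            if len(hosts[asset]) < scan_hosts:
                continue
            detail = f"{len(hosts[asset])} hosts contacted"
        elif stage == "encryption":
            touched[asset].add(detail.split(" -> ")[0])
            if len(touched[asset]) < encrypt_files:
                continue
            detail = f"{len(touched[asset])} files renamed or deleted"
        seen[asset].add(stage)
        per_asset[asset].append((minute, stage, detail))
    return dict(per_asset)

def assets_at_risk(timelines, min_stages=3):
    """Assets whose timeline has progressed through at least min_stages of the chain."""
    return sorted(a for a, t in timelines.items() if len(t) >= min_stages)

def build_sample():
    """Constructed host telemetry (not real data): ws-7 walks the whole chain, ws-9 is benign."""
    ev = [("ws-7", 0, "attachment_open", "invoice.docm"),
          ("ws-7", 1, "exe_written_by_office", "C:\\Users\\amy\\AppData\\Local\\Temp\\up.exe"),
          ("ws-7", 2, "run_key_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\up"),
          ("ws-9", 3, "smb_connect", "10.0.0.5")]
    ev += [("ws-7", 3, "smb_connect", f"10.0.0.{i}") for i in range(1, 13)]
    ev += [("ws-7", 5, "file_rename", f"D:\\share\\doc{i}.docx -> doc{i}.docx.locked") for i in range(25)]
    return ev
```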
Understanding normal through UEBA
Knowing what our networks, operating systems, users, and devices look like on a normal day-to-day basis is critical to understanding our security posture and risks. Without this baseline knowledge, we are blind to possible abnormalities, including the beasts described so far. Different sources working together is imperative to provide you with a chronological timeline of events. Additionally, giving beast hunters the flexibility to adapt to their environment, on a platform through which customizations for automation can be achieved, is key.
Beastly attacks are something no organization wants to experience. Fortunately, by understanding normal within your environment and then being alerted to deviations, you can be notified of signs of beastly attacks in near real time, and therefore mitigate damage.
How Polar SIEM Can Help
Securing data with a wide range of unintegrated security solutions produces a large volume of security reports specific to each product, a high volume of alerts, and inconsistent and incorrect reports, which in turn lead to failures in attack prediction, detection, and response. To cover all these security needs without making fundamental changes to the structure of the systems, an advanced SOC must be designed to enable 24/7 monitoring and control of the data flow into and out of the organization, which in turn requires powerful SIEM tools.
Polar SIEM and its modules, described in the following, are built to receive, monitor, and analyze the most diverse events.