The Enemy Inside Your Network

If companies would catch breaches within minutes or hours (rather than months) the intruders wouldn’t have enough time to acquire the data they are after. What are the goals and actions of an attacker within a company network and how can they be detected?

Author: Taija
Date: 26.03.2018
Read Time: 6 Minutes

It takes approximately 191 days for companies to identify that they have been breached.* How is it possible for attackers to stay hidden for such a long time? What goes on inside the mind of a cyber criminal?

 

F-Secure’s ethical hacker, Tom Van de Wiele, helps answer these question with his unique perspective on how the attackers work. Tom is a professional in red teaming. A red team test’s goal is to simulate the most advanced attacks and to provide guidance and recommendations to the defenders.

 

“The attacker only has to find one thing as a way in, while the defender has to defend everything. But the attacker must get everything right while the defender only has to detect one part of the attack”, says Tom.

 

Let’s find out, what might happen after the initial intrusion.

 

f-secure, tom van de wiele
Tom Van de Wiele’s vast experience in red teaming helps understand what happens during a cyber attack.

 

Quick Wins versus Long-Term, Persistent Foothold in the Company Network

 

Phishing attacks by e-mail or phone and Wi-Fi phishing are common examples of attack vectors. The attacker’s goal is to steal credentials of the target employees, access the same services they are using and establish an initial foothold in the company network.

 

“Once a certain level of access has been obtained, several aspects need to be balanced: persistence, stealth, and freedom of movement versus losing access, being detected and being contained. The attacker might choose to get to the target as fast as possible or obtain as persistent access as possible to stay within the network for intelligence gathering for later attacks. The continuous trade-off for an attacker is how, and how fast, do I want to move versus what are my chances of getting detected, contained or stopped”, Tom explains.

 

Lateral Movement to Compromise More Systems

 

Next, the attacker seeks to access more systems by abusing the access obtained to certain services: e-mail systems, remote access solutions such as helpdesk related software, corporate VPN or virtualization services. If the attacker is looking for a persistent access, he might investigate internal networks and other systems for lateral movement.

 

“The attacker could try to blend in and add an account to a system, looking just like any employee. Without proper audit mechanisms, it would be very hard to detect him. He might obtain passwords and private keys and re-use them against systems to maintain access either internally or for cloud-based services outside the company”, says Tom.

 

The attacker can lay low for months and collect information about the network traffic such as infrastructure, broadcast and multicast traffic. Impersonation, i.e. spoofing techniques, can be used to fool other systems into disclosing vital information and authentication tokens, i.e. password hashes. These can then be reused against other systems. If the attacker chooses to risk being detected, they might use port scanning to find other systems and services that might be available.

 

Tom points out: “Using any kind of off-the-shelf technique or method is a prime way of getting detected.”

 

The attackers’ goal at this stage is to escalate privileges to an administrator role to be able to access any system within the network. Once they gain administrator access, they can move freely within the network.

 

Get Ahead of the Attackers with Behavior-Based Detection

 

Most companies fail to detect breaches fast enough. The longer it takes to notice the breach, the more severe the damage, the bigger the cost and the more complex the investigation will be.

 

The only way to get ahead of the attacker is behavior-based detection. Intruder’s activity may appear like an authorized user’s, which makes detecting it very challenging.

 

“Security detection mechanisms rely on finding anomalies in the network, system and application behavior, trying to find anything out of the ordinary”, Tom says. “To ensure you do not get detected as an attacker, you want to “live off the land” as much as possible and re-use the infrastructure the organization is using. That means you do not want to introduce any technology or services that might seem foreign to the people responsible for defending the organization.”

 

When it comes to seeking out anomalies and malicious behavior, you should look for patterns of unusual user behavior. For example, a single non-administrator user attempting to log into multiple servers at once, one machine attempting to log into a server under many different accounts, brute force methods such as thousands of login attempts in a suspiciously small time frame, activity that appears to happen at odd times, or an SSH connection originating from a non-technical user’s machine.

 

Sophisticated attackers know how to evade common detection methods. It takes a combination of well-configured analytics tools and the keen, trained eyes of human experts to catch them.

 

f-secure rapid detection center, detection and response
F-Secure’s experts in action at the Rapid Detection Center.

 

In Search of the Unknown

 

The experts at F-Secure’s Rapid Detection Center specialize in catching breaches early. Their key promise is to inform the customer within 30 minutes from detection. Kamil Donarski from Rapid Detection Center says:

 

“We are able to detect an attack at a very early stage. The hardest thing is to search for the unknown. Every day, new threats are coming. It’s constant development trying to figure out how we can detect such behavior and how we can protect our customers.”

 

The human factor is extremely important because no matter how sophisticated machine learning we use, only humans can understand the customer organizations and their normal behavior. Only experienced analysts can make the judgment, what activity is normal and what is not.

 

Linda Liukas, the host of our documentary series Adventures in Cyberland, recently visited the Rapid Detection Center to find out how to detect breaches and how the center operates:

 

 

Getting Cyber Security Right Comes Down to Speed

 

When it comes to breaches, speed is of the essence. Since you can’t stop every perimeter breach, your focus needs to be improving the speed with which you react to issues. If companies would catch breaches within minutes or hours (rather than months) the intruders wouldn’t have nearly enough time to acquire the data, they are after. Speed’s also about making sure you plug similar holes before an intruder tries again.

 

This may sound like a mission impossible, but there’s hope in winning the race against the bad guys. They are after a certain goal – we just need to catch them before they reach it.

kamil donarski, linda liukas, rapid detection center, f-secure
Linda Liukas discussing detection and response with Kamil Donarski.

 

In F-Secure’s new video series, Linda Liukas goes on a journey to discover the answers to some of the most burning questions in cyber security. Linda meets the brightest minds in the field of cyber security to learn what type of cyber threats are out there and why modern breaches are so difficult to stop. She agrees to let our cyber security experts hack her, finds out how to detect and respond to breaches and how cyber security can benefit from artificial intelligence and machine learning. Watch the previous episodes here.

 

* 2017 Cost of Data Breach Study, Ponemon Institute LLC (sponsored by IBM Security)


Post Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s