How to Look through Incident Detection to Find the Real Problems

Few attackers will settle for smash and grab scams anymore. Even if that’s their initial motivation, they’ll establish persistence in a breached network and so they can

Business Security Best Practices, Cybersecurity // 28.12.2016

I noted in my previous article that it often takes months or even years before breaches get detected. I also offered some tips on how to start detecting breaches early, and encouraged people not to be afraid of finding breaches.

But following my advice brings you to a new challenge – what to do when a breach is detected? What do you do with an attacker that’s been in your system for months or years?

The answer lies in understanding what your attackers are doing, and why.

Most attackers are opportunistic…

A typical opportunistic attacker (“common criminal”) exfiltrates information from a freshly compromised system almost immediately after a successful breach. Passwords, files of interest, and basic information about the compromised system get scooped up and uploaded to a cache server somewhere on the other side of the internet. In most instances, properly configured, updated endpoint protection software would be the best means for detecting and preventing such attacks.


By “the other side of the internet” I of course refer to the fact that the criminals make sure the servers they exploit reside in another jurisdiction, and thus out of reach for you and your friendly law enforcement agency. The criminals cleverly exploit the borderless nature of the internet – not in an effort to stay undetected, but to stay out of the law’s reach once they have been detected. Opportunistic attackers are not trying to hide as much as stay away from the long arm of the law.

Hence, being detected is not necessarily that big of a deal for an opportunistic attacker. Rather, it is regarded as a cost of doing business. For a common criminal, getting detected (and stopped) simply spells monetary losses such as “loss of future sales” and “temporary loss of assets”. That’s nothing that they wouldn’t be able to compensate for by simply going someplace else, or fix by getting back to your systems at a later stage. Besides, it is such a rare thing for normal businesses to notice anything amiss that the criminals hardly regard getting their attacks exposed as an existential threat.

…but opportunistic attackers get lucky once in a while

If the initial phase of the attack is successful, most attackers follow their quick data heist by establishing persistence within their target’s systems. After all, if an attacker is able to infiltrate their targets without setting off any alarms, why wouldn’t they put up their feet and stay a while?

Having access to victims’ computers also opens up avenues to conduct more elaborate means of fraud, such as bypassing the two-factor authentication mechanisms used in online banks and most web shops that accept credit card payments. Persistence provides access to sessions, not just data, thus enabling the fraudsters to conduct more elaborate crimes. Today’s criminals are more than happy to exploit interbank transactions to extract millions of euros instead of just settling for the measly thousands that they can extract from an average individual.

In recent years, crypto ransomware has gained popularity among criminals. It is not that the criminals all of a sudden found the joys of encryption. It’s that darkwebs and unregulated electronic currencies have finally made it possible for online criminals to pressure their victims long enough to part with their money voluntarily. The criminals probably argue they are not stealing but rather making mutually beneficial business deals with their customers.

What I’m getting at is just because opportunistic attackers rely on chance doesn’t mean they don’t pose a clear and imminent threat to your business. If you fail to detect and collect evidence fast, chances are it’ll be next to impossible to estimate what information was “touched”, and how it may hurt your business or your customers. Under the GDPR, the inability to answer such questions will not be looked at favorably.

Some attackers are in it for the long haul

More determined attackers – ones that are selective with their targets – will work harder to avoid detection. They are already exactly where their specific mission needs them. These attackers are typically nation states and those engaged in corporate espionage. A targeted attacker cannot substitute losses by conquering a similar target. Hence, they value persistence over short term gains.

After penetrating a network, attackers aiming for persistence will conduct subtle reconnaissance to get to know their new surroundings. Our auditors can tell from experience that adversaries freely engage in active reconnaissance processes such as service enumeration and vulnerability scanning without fear of being flagged, blocked or identified. Even if such attempts were seen, chances are they will be mistaken for the constant opportunistic knocking on the door, the internet equivalent of 3 Kelvin background radiation. The attackers expect that system to have antivirus protection, so they avoid using malicious software. They expect that there is probably an intrusion detection system (IDS) out there, but they can usually write those off by treading lightly, as nobody updates the IDS rules or monitors the alerts anyway.

If the host-based security software or gateway protection fails to block deliveries of attack tools into the targeted systems, attackers will (in most cases) end up with a free pass through whatever security controls are there. They secure footholds by taking over tactical beachhead positions. They’ll create a layered and resilient command and control structure that enables them to hide their communications and avoid losing the whole operation in one sweep should they be discovered.

Once inside, the attackers will no longer need to resort to malware or exploits but will simply persist by “living off the land”. By re-purposing existing business and sysadmin tools, and piggybacking on or impersonating legitimate users, the attacker becomes virtually invisible to most traditional security controls. Even if their actions are logged, attackers can safely assume that nobody will actually read the logs.

In an ironic twist, once the attackers have become “insiders”, their connections to command and control servers will even flow through the firewall, neatly encrypted, making traffic filtering and content inspection essentially useless. For convenience and performance reasons, most firewalls ‘accept’ friendly traffic without even logging it.

Other than that, attackers in this situation probably try to lay low. Adversaries of this caliber would not risk pumping out the organization’s data at full network bandwidth. Instead, these attackers patiently observe and identify people, machines and systems in key roles. At this point, they already know how the defenders and sysadmins operate, and a lot of what happens next will depend on how mindful the attacker’s are of being detected.

Attackers might plant fabricated signs of an opportunistic intrusion to frustrate defenders and misdirect investigators toward dead ends. Attackers will also set up backdoors that allow them come and go as they please, and return if they get ousted. Again, the attackers’ traffic will be appear coming from friendly sources, consequentially, tunneled right through all layers of perimeter protection.

Finally, the attackers start doing what they came in for in the first place. If they’re nice, they silently search for and steal information. If they are moderately mean, they will – at the time of their choosing – deny you access to that data and let you know about it. If they are outright mean, they will silently alter your data in a subtle fashion, and plant seeds of sabotage throughout your infrastructure to be activated later. They can of course choose to do all of the above, depending on what best suits their mission.

Bottom line: most organizations will only notice the breach when a deterministic attacker decides it is time to let the victim know about it.

Choosing to ignore the warning signs

I have personally witnessed sysadmins brush off evidence of targeted attacks and simply “clean” compromised computers.  It’s really a form of denial. Any evidence of commodity crimeware is enough to allow defenders to tick the “opportunistic attack” box and avoid the trouble of investigating what actually happened and what the root cause was. I’m constantly surprised that not everyone gets pleasure from chasing cyber spies and foreign powers – most actually prefer to carry on with their business during business hours!

what's the defender's dilemma?

Figure 1 Remember the discussion of defender’s and attacker’s dilemmas that I talked about in the previous blog post?

Our own penetration testers have told me stories of assignments where they have had to virtually put digital post-it notes on sysadmins’ screens to let the defenders know that attackers are in and doing their worst. So, there is an assumption among the attackers that once in, you can do pretty much anything without being detected.

This is the sad state of affairs that we currently live and work in.

And to make matters worse, targeted attackers cooperate with other online criminals. There is an aftermarket for selling access to previously compromised servers and computers in corporate and governmental networks. If a targeted attacker wants to hide their actions and make attribution harder, there is no better way to do that than piggyback on the efforts of “common criminals.”

They are persistent, but we are relentless

This all might sound overwhelming. But thankfully, big data analytics and threat intelligence are two things you can use to your advantage. When used effectively, these can flag any anomalies in your networks without weighing you down with false positives. Both are staples of effective managed detection and response (MDR) services. Our own MDR offering adds in the benefit of having a team of experts monitoring the situation 24/7. Many organizations do not have the resources to dedicate a team of people to this one aspect of their operations, making the service component an invaluable benefit to overworked IT admins.


In my next post I’ll discuss how companies can create a hostile environment to make lives difficult for attacks intruding in your network.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s