Threat actors launch attacks against organizations and the users they protect every day and at every chance they can – often during major holidays when users are less vigilant and the security operations center (SOC) teams are out of the office. High-profile breaches that result in major damages end up in the headlines. Yet, these stories typically don’t detail the breakdown of the security events and attack behaviors that would help security and IT teams strengthen their defenses.
Tapping into the world’s largest security cloud, our in-house ThreatLabz researchers receive a never-ending stream of data, categorized as signals, to analyze and share with the larger SecOps community. Using advanced techniques, including AI and ML analytics, ThreatLabz is able to identify and block more than 250 billion threat indicators daily for our customers. While a majority of threats blocked are known, for unknown threats, ThreatLabz – and Zscaler customers – use AI-driven quarantine from Zscaler Cloud Sandbox to intercept and prevent the delivery to users. Attack sequences that otherwise would play out on a device unfold in a separate and virtual environment that captures and identifies nefarious behaviors, sharing protection across all users, regardless of location.
The good news? Cyberattacks share similar patterns. With a little help from the MITRE ATT&CK matrix and a black hat mindset, you can anticipate an adversary’s next move and fortify defenses at each stage. To better illustrate this, let’s take on the role of "Alex," a Senior Security Analyst at A2Z Health Services, who has received an alert of unusual activities from the patient records system. After some quick triaging, they’ve realized that A2Z is in the midst of an attack – but there’s still time to stop further damage. Let’s take a look at the life cycle of the attack and see where A2Z’s security tools should have kicked in to save the day and where there may be weaknesses in their defenses.
1. Reconnaissance
Advanced adversaries conduct a reconnaissance mission first: scoping out the campaign, gathering information about the target, and drawing up a plan of attack. A well-run security awareness program helps employees recognize and report the probing that this stage produces.
As the popular saying goes, “time spent in reconnaissance is seldom wasted.” An adversary group called Frying Pan identified A2Z Health Services as its next victim and Jim, a records and finance specialist, as its target. Using social engineering, Frying Pan gathered victim identity information (MITRE ATT&CK T1589) such as personnel email addresses.
2. Initial access
After identifying entry vectors, adversaries attempt to gain initial access to the network. A common technique is logging in with a valid account (T1078); multi-factor authentication is the control that actually thwarts it, while password rotation on its own does little against a credential that has already been phished. Unfortunately for Jim, a spearphishing link (T1566.002) was not caught by his email security tool. Frying Pan spoofed a trusted vendor relationship, and Jim clicked the link for an “overdue invoice,” which downloaded an Excel file containing a malicious macro. The endpoint detection and response (EDR) agent and antivirus scanner did not recognize any known signature or behavior. To mitigate this in the future, Alex’s team can use AI-driven quarantine from Zscaler Cloud Sandbox to analyze and block suspicious files, including malware delivered over HTTPS and from otherwise trusted services such as Google Drive and Microsoft OneDrive.
3. Execution
Now that the adversaries are through the door, several tactics may be in play at once, depending on their objectives. Frying Pan wants to run malware on Jim’s local system, so when Jim enables the macro (T1204.002, User Execution: Malicious File) it downloads malicious dynamic link libraries (DLLs) and loads them. A well-tuned EDR and security information and event management (SIEM) system should have flagged a compromise in progress and alerted the appropriate teams. For Zscaler Internet Access (ZIA) users with Advanced Cloud Sandbox, inline content inspection identifies the unknown file as a potential threat, analyzes its contents, and terminates malicious connections.
4. Credential access and privilege escalation
To maintain access and evade detection, adversaries need account names and passwords. Alex and the security team have determined that Frying Pan harvested credentials from password stores (T1555) and by brute force (T1110), which ultimately led them to a more privileged account with access to a domain controller. Domain controllers mediate and respond to authentication requests for the whole Windows domain, so by changing their configuration Frying Pan cleared a path through A2Z’s network and systems. Unfortunately for Alex and A2Z, their access management and VPN controls were bypassed, and they had neither user-to-app and workload-to-workload segmentation nor deception decoys to slow the spread.
5. Lateral movement
With nearly unfettered access, the adversaries can now pivot between applications, systems, and accounts to complete their mission. Because Frying Pan moved laterally with legitimate credentials over existing remote services (T1021) instead of installing their own remote access tool, they went unnoticed. For organizations that rely on next-generation firewalls (NGFW) or coarse network segmentation alone, this is a common outcome: a valid credential on a routable network looks like a valid user.
A zero trust architecture is crucial to halting lateral movement. “Never trust, always verify” means Zscaler Private Access (ZPA) connects only authenticated users and devices to the specific apps they are authorized for. Users are never placed on the network, and apps are never published to the internet, so they remain invisible to unauthorized users.
6. Collection and exfiltration
As in the reconnaissance stage, adversaries are searching for and gathering information. Unlike the earlier stage, however, the data collected here is meant for other nefarious purposes, such as extortion. A cloud access security broker (CASB) with data loss prevention (DLP) can step in to prevent oversharing and block exfiltration.
The collection stage was where Alex first noticed suspicious activity from the patient records system: access during non-work hours, and logins from geographically distant locations too close together in time to be the same person (impossible travel). After more digging, it became clear that exfiltration had not yet begun. Some adversaries stop here, leaving a backdoor open to collect and steal more data or intellectual property later, but Alex and the security team anticipate a ransomware attack, disconnect the patient data system from the network, and disable the affected user accounts.
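The three signals in the story above, brute force ending in a successful login (stage 4) and off-hours access plus impossible travel against the patient records system (stage 6), are easy to express as detection rules over an authentication log. The block below is an added example written for this article, not Zscaler code or A2Z's actual telemetry: the log format, the user names, the business-hours window and the 900 km/h travel threshold are all assumptions, and the log lines are constructed. Latitude and longitude stand in for the GeoIP lookup a real pipeline would perform on the source address.

```python
"""Detection rules for the A2Z story, run over constructed sample log lines:
brute force followed by a success, off-hours access to a sensitive system,
and impossible travel between two successful logins for the same user."""
from __future__ import annotations

import math
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tunables a SOC would adjust per environment (assumed values for this example).
BRUTE_FORCE_FAILURES = 5           # failures within the window before a success
BRUTE_FORCE_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 19)      # 07:00-18:59; assumes log timestamps are in the org's local zone (UTC here)
SENSITIVE_TARGETS = {"patient-records"}   # off-hours rule only fires for these, to limit noise
MAX_TRAVEL_SPEED_KMH = 900.0       # roughly an airliner; faster than this is "impossible"

# Constructed log format: "<ISO-8601 UTC> <user> <src_ip> <lat> <lon> <target> <result>"
# jim: one typo then a normal daytime login from New York (benign).
# dc_admin: five failures then a success from Berlin at 01:05, then the patient
# records system from New York fifteen minutes later.
SAMPLE_LOG = """\
2024-03-16T14:01:50Z jim 203.0.113.7 40.71 -74.01 vpn failure
2024-03-16T14:02:11Z jim 203.0.113.7 40.71 -74.01 vpn success
2024-03-17T01:00:03Z dc_admin 198.51.100.23 52.52 13.40 vpn failure
2024-03-17T01:01:12Z dc_admin 198.51.100.23 52.52 13.40 vpn failure
2024-03-17T01:02:20Z dc_admin 198.51.100.23 52.52 13.40 vpn failure
2024-03-17T01:03:31Z dc_admin 198.51.100.23 52.52 13.40 vpn failure
2024-03-17T01:04:45Z dc_admin 198.51.100.23 52.52 13.40 vpn failure
2024-03-17T01:05:40Z dc_admin 198.51.100.23 52.52 13.40 vpn success
2024-03-17T01:20:09Z dc_admin 203.0.113.7 40.71 -74.01 patient-records success
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    src_ip: str
    lat: float
    lon: float
    target: str
    result: str  # "success" or "failure"


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, lat, lon, target, result = line.split()
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            user, ip, float(lat), float(lon), target, result))
    return sorted(events, key=lambda e: e.ts)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on the Earth's surface."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect(events: list[Event]) -> list[tuple[str, str, str]]:
    """Return (rule, user, detail) alerts for the three behaviours."""
    alerts = []
    recent_failures = defaultdict(deque)   # user -> failure timestamps inside the window
    last_success = {}                      # user -> most recent successful Event

    for ev in events:
        q = recent_failures[ev.user]
        while q and ev.ts - q[0] > BRUTE_FORCE_WINDOW:   # expire old failures
            q.popleft()
        if ev.result == "failure":
            q.append(ev.ts)
            continue

        # A success preceded by a burst of failures is the brute-force signature.
        if len(q) >= BRUTE_FORCE_FAILURES:
            alerts.append(("brute_force_then_success", ev.user,
                           f"{len(q)} failures within {BRUTE_FORCE_WINDOW} before success from {ev.src_ip}"))
        q.clear()

        if ev.target in SENSITIVE_TARGETS and ev.ts.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_access", ev.user,
                           f"{ev.target} at {ev.ts.isoformat()} from {ev.src_ip}"))

        prev = last_success.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.ts - prev.ts).total_seconds() / 3600
            # Two logins in the same second from different places is still impossible travel;
            # guard the division so that case alerts instead of raising.
            if km > 0 and (hours == 0 or km / hours > MAX_TRAVEL_SPEED_KMH):
                alerts.append(("impossible_travel", ev.user,
                               f"{km:.0f} km between {prev.src_ip} and {ev.src_ip} in {hours * 60:.0f} min"))
        last_success[ev.user] = ev
    return alerts


def run_sample() -> list[tuple[str, str, str]]:
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, user, detail in run_sample():
        print(f"[{rule}] {user}: {detail}")
```

Run against the sample, the rules fire only for dc_admin: one brute-force alert at the 01:05 success, then an off-hours alert and an impossible-travel alert (Berlin to New York in about fifteen minutes) at the 01:20 access to patient records; Jim's single mistyped password produces nothing. In production the same logic would sit in a SIEM correlation rule, with the GeoIP step, a per-user baseline of normal hours, and an allowlist for known VPN egress points added to keep the false-positive rate workable.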
For victims of a ransomware attack, the step that follows data exfiltration is:
7. Installing the ransomware and demanding ransom payout
The average cybercriminal or group is not writing its own ransomware strain. Instead, they operate as affiliates of ransomware-as-a-service (RaaS) operators such as LockBit or Conti, paying the operator a percentage of each ransom. The division of labor lets the affiliates focus on finding and compromising victims while the operators focus on developing their “product” (the encryptor and leak site behind T1486, Data Encrypted for Impact).
Security teams have it rough out there. The larger your business’s digital footprint grows, the more important it is to stop threat actors from gaining initial access and moving laterally, with patient zero protection and inline threat protection from Zscaler Cloud Sandbox, a part of the Zero Trust Exchange. Learn more about how the Zero Trust Exchange platform offers comprehensive defense across the entire life cycle of an attack.