Dave Shackleford is a SANS Analyst and serves on the Board of Directors at the SANS Technology Institute. This post was originally published on the EdgeWise Networks site. EdgeWise was acquired by Zscaler in May 2020.
The cyberthreat landscape continues to grow progressively worse by the day. More and more sophisticated attacks are spotted in the wild, and security teams are scrambling to keep up. There are many new types of issues we face—advanced phishing attacks are proving all too successful, and ransomware is a common form of malware organizations seem helpless to protect against. In addition, the number of endpoints that need protection is too big and the endpoints themselves too widespread, and attackers use this reality to target insecure end users.
Yesterday’s signature-based detection tools are failing us more often than ever. Traditional antivirus signatures are proving less effective as more advanced attackers are capable of morphing their code and indicators of compromise to evade signature-based methods. Furthermore, signature-based detection is always a “race condition,” where vendor analysts need to develop signatures and push them out to customers to meet a deadline. Last but not least, many attacks don’t leverage malware at all—savvy attackers may move laterally within network environments from host to host, and attackers use well-known system tools like PowerShell to avoid detection.
The kill chain model
Once a compromise has occurred, attackers attempt to maintain a persistent presence within the victim’s network, escalate privileges, and move laterally to extract sensitive information from locations under the attacker’s control. The Lockheed Martin “Kill Chain” is an industry model for an attack lifecycle that includes the following stages, with examples that illustrate how a real attack could actually take place:
- Reconnaissance: in this phase, attackers begin looking for vulnerabilities in security posture at the target organization, often anonymously from online sources. The breadth of reconnaissance activities may encompass threat actors studying the social media profiles of intended victims, using online tools like Shodan to find possible technology weaknesses in use at the organization, or searching for exposed credentials and assets like encryption keys on GitHub (perhaps accidentally left embedded in code by development teams) or exposed AWS S3 buckets that contain sensitive data. As an example, an attacker may discover the Facebook, LinkedIn, or other social media account of a privileged user who works in the target IT organization, and through online searches discover the user’s email address, then use that address to send a phishing email.
- Weaponization: weaponization is the development and assembly of exploits and malicious code targeting the intended victim. Depending on the planned method of attack, this may consist of configuring exploitation frameworks like Metasploit, developing phishing email content that includes a malicious attachment or embedded link which directs the user to a malicious online site, and so on. In our phishing example, an attacker might craft a custom email that is purportedly sent from a well-known conference the intended victim might be interested in attending. The email includes an attached document offering an agenda, discounts, or something else enticing. The goal is to get the victim to open the document which contains an embedded exploit.
- Delivery: delivery of exploits via email, web, or other vectors is the true beginning of the attack itself. In our example, the attacker sends the spear-phishing email with the attached PDF file to the victim.
- Exploitation: exploiting a vulnerability to execute malicious code on a victim’s system(s) is the initial step for an attacker. The exploitation could be remote code execution on a server, SQL injection on web application vulnerabilities, or a social engineering victim clicking a link or opening a malicious file. In our scenario, the victim opens the PDF document to check the conference agenda/discounts, and embedded code silently executes on the victim’s system.
- Installation: installation of malware or code on a victim asset occurs after the exploitation phase completes. The usual goal for an attacker during this stage is to set up a “beachhead” that allows for more control plus a location from which the attacker can initiate later objectives in a campaign. In the scenario we’re describing, the code that executes from the malicious PDF file installs a local remote access trojan (RAT) which allows the attacker to remotely execute commands on the victim’s system.
- Command & Control: after installation of malware or other malicious code, attackers may “phone home” to an online server/service to receive commands oriented toward attack objectives. If the attack involves additional automated malware, this step is usually done automatically after the installation is complete. For interactive attacks, an attacker may simply execute commands or fetch additional tools to aid in later activities. In our scenario, the attacker’s malicious code executes automatically after the PDF is opened. The installed RAT then sends the attacker a notification of successful compromise and allows the attacker to assume control of the system.
- Action on Objectives: with full control and access to victim systems, attackers begin to carry out the individual stages and goals of their campaign. These will vary by attacker based on their motivations and skill, but these phases usually include gaining access to credentials, sensitive data, and more. In our scenario, the attacker might look to extract the user’s credentials, move laterally to another target, access internal file shares, or any other number of nefarious activities.
The ATT&CK model
Another well-documented industry model that describes an attack campaign and its phases is MITRE’s ATT&CK, which focuses on the specific internal mechanics of an attack beyond the reconnaissance and weaponization phases of the kill chain, and includes the following:
- Persistence: Setting up backdoors and methods to retain access over time on the system.
- Privilege Escalation: Dynamic-link library (DLL) injection using set user ID (setuid) and privileged account access, and more, with the intention of elevating privileges on the local system to gain thorough control.
- Defense Evasion: Defense evasion attempts to avoid host defenses like intrusion detection, malware prevention, logging, etc. Examples include clearing shell history and logs, token manipulation, obfuscating files, and more.
- Credential Access: Classic account attacks that include brute force attacks against usernames and passwords, sniffing, private key compromise, and dumping credentials from memory can assist attackers in gaining access to new systems or furthering access in existing systems or applications.
- Discovery: In a nutshell, the discovery phase is when attackers look for other juicy pieces of information they can leverage. This may include users, privileges, devices, applications, services, and data.
- Lateral Movement: At this phase, attackers look to migrate from one compromised host to others in the environment. Techniques employed here may include “pass the hash” with credentials, remote admin and access tools, remote services, and logon scripts.
- Execution: Execution is the stage where attackers use various tools or methods to gain additional access in the environment, often leveraging tools like PowerShell, scripts, service-based vulnerabilities, and many more.
- Collection: Attackers invariably want to collect data from compromised systems, which may include clipboard info, input from the keyboard and other devices, screen/video captures, and more.
- Exfiltration: Attackers interested in compromise for profit, as well as those with very specific goals, will always look to exfiltrate data from the environment. Doing so may involve encrypting the data, setting up different types of network channels and protocols for moving data out of the network, and scheduling data transfer, as well.
- Command and Control: For longer-term attack campaigns, attackers will seek “always on” control over compromised systems. Establishing a command and control mechanism on these hosts may involve custom protocols, encapsulated and tunneled content, use of encryption, and more.
Stopping attack progression
Given that we know the basics of attack progression, why are we not catching and stopping attacks seen in the wild today? In short, attack methods are constantly changing but our tools and approaches aren’t. To understand why, it’s helpful to break down indicators of compromise (IOCs). For organizations trying to leverage signatures and typical IOCs, security detection and prevention is a constant game of “whack-a-mole” if the usual simple indicators are used alone. An attacker can very easily modify code to communicate with a different IP address or domain, leverage a different local port, or present a different cryptographic hash value. By changing the name and/or value of a specific registry key on a Windows platform, attackers can very simply bypass some of the endpoint detection technologies in use today.
In contrast, behavioral aspects of attacks are by far the most valuable in preventing and detecting compromise scenarios, but they are much more difficult to create and describe. Behavioral indicators will often include multiple elements; for example, a specified IP address is accessed, retrieves a known ZIP file, unpacks and drops certain files, and installs software that opens a port or creates a new registry key. This process is at the heart of defensive knowledge and understanding around Tactics, Techniques, and Procedures (TTPs) that are much more difficult for attackers to modify, but also very challenging for security teams to look for and identify.
Tackling today’s attacks with modern techniques
All this being said, we need new ways to detect and defend against sophisticated attack scenarios like those laid out in the Kill Chain and ATT&CK models. A hardened approach to preventing any of the internal aspects of these attacks, like lateral movement from host to host or credential attacks against file shares, is to leverage more authoritative policy-based approaches like zero trust and microsegmentation. Preventing all reconnaissance, delivery, and exploitation attempts is likely unrealistic — we should keep trying, of course, but we should also be pragmatic and assume that eventually some initial attack stages will succeed. With a more focused effort on isolation and monitoring/control over trust relationships between assets internally and in the cloud, however, we can limit these attacks from ever getting much further.