
Countering the ‘careful attacker’

Sophistication is an overused expression when describing the aftermath of an attack – or at least, it was. Jim Cook from Attivo Networks explores.

Jim Cook
Fri, 03 Sep 2021

Every attack victim blames sophisticated attackers. There is considerable suspicion about whether that is actually the case, but the claim is increasingly true.

In the past, the entry point used by attackers – such as well-timed phishing emails – may not have been overly technically sophisticated, even if they executed well.

Recent events have changed that view. State-sponsored group Hafnium’s use of zero-day vulnerabilities to compromise on-premises Microsoft Exchange servers raised expectations about the sophistication one may now expect from future attacks.


Sophistication also extends to the tradecraft that attackers deploy once they are inside of the network.

The ability of actors to escalate the attack and establish persistence has grown in sophistication in recent times.

What’s clear is that attackers are taking considerably more care to remain undiscovered for longer periods. So-called ‘dwell time’, the period between initial compromise and detection, has progressively become a bigger problem for organisations. In one recent survey, 64% of respondents said an attacker typically spent 100 days or more in the network from entry until detection.

Giving attackers 100 days or more of undetected access within a network is an alarming and unnecessary security risk. But it also shows the care and patience that threat actors exhibit in how they approach and carry out attacks.

Ransomware 2.0

We see this play out in what security professionals have dubbed ‘ransomware 2.0’.

There’s an evident decline in traditional “smash and grab” attacks. In the past, attackers would enter the network and immediately begin stealing or encrypting any data they could find, hoping to strike gold.

Today’s attackers are much more deliberate, moving laterally throughout the network to identify the most valuable assets to target.

In a sense, they have to be. Indiscriminate ‘smash and grab’ attacks have led to government pressure and targeted takedowns of actors’ payment accounts and server infrastructure. Attackers are being much more cautious and targeted in order to remain ‘in business’.

But more than that, attackers have found that playing a long game pays.

Long dwell time attacks typically involve compromising Active Directory, which manages authentication and authorisation for access to enterprise resources and is a critical element of 90 per cent or more of corporate networks.

By compromising Active Directory and progressively granting themselves greater privileges, attackers can access and control new areas of the network that potentially contain far more valuable data. Attackers can even encrypt the domain controllers that host Active Directory as part of the ransom, forcing organisations to pay in order to resume normal operations.

Great minds

Employing more sophisticated detection tooling is an obvious response to what is occurring.

Ransomware 2.0 relies on the attacker’s ability to move laterally throughout the network and identify valuable assets. Detecting that movement represents a significant advantage for defenders, who can leverage concealment and misdirection (deception) technology: decoy accounts, credentials and systems that no legitimate process should ever touch, so that any interaction with them is a high-fidelity signal that lets defenders detect threats early and collect intelligence on the attacker’s tradecraft.
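The two detection ideas in the paragraph above, a decoy account whose mere use is an alert and lateral-movement fan-out (one account logging on to many hosts over the network in a short window), can be expressed as simple rules over Windows logon events. The following is an added example written for this page, not code from the article or from Attivo Networks. The event lines are a constructed, simplified export of Security event 4624 (successful logon); the host names, accounts, the `CORP\svc-backup-decoy` honey account and the thresholds are all assumptions.

```python
"""Flag decoy-account use and lateral-movement fan-out in Windows logon events.

Added example for illustration; not the article's or any vendor's code.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed decoy (honey) account: planted in AD, never used by any real process.
DECOY_ACCOUNTS = {"CORP\\svc-backup-decoy"}
# Assumed thresholds: N distinct destination hosts within W minutes of network logons.
FANOUT_HOSTS = 4
FANOUT_WINDOW = timedelta(minutes=30)

# Constructed sample export of event 4624. Columns:
# timestamp event_id account logon_type computer(destination host) source_ip
# Logon type 3 = network logon, the type produced by SMB/WMI/PsExec-style lateral movement;
# logon type 2 = interactive (console) logon and is ignored by the fan-out rule.
SAMPLE_EVENTS = r"""
2021-08-30T08:02:11Z 4624 CORP\jsmith 2 WS-017 -
2021-08-30T08:05:40Z 4624 CORP\jsmith 3 FS01 10.0.5.17
2021-08-30T09:31:02Z 4624 CORP\jsmith 3 MAIL01 10.0.5.17
2021-08-30T10:00:00Z 4624 CORP\helpdesk 3 WS-101 10.0.9.4
2021-08-30T11:00:00Z 4624 CORP\helpdesk 3 WS-102 10.0.9.4
2021-08-30T12:00:00Z 4624 CORP\helpdesk 3 WS-103 10.0.9.4
2021-08-30T13:00:00Z 4624 CORP\helpdesk 3 WS-104 10.0.9.4
2021-08-30T22:14:03Z 4624 CORP\bjones 3 WS-042 10.0.5.88
2021-08-30T22:15:11Z 4624 CORP\bjones 3 WS-051 10.0.5.88
2021-08-30T22:17:45Z 4624 CORP\bjones 3 FS02 10.0.5.88
2021-08-30T22:21:09Z 4624 CORP\bjones 3 SQL01 10.0.5.88
2021-08-30T22:26:30Z 4624 CORP\svc-backup-decoy 3 FS02 10.0.5.88
2021-08-30T22:33:52Z 4624 CORP\bjones 3 DC01 10.0.5.88
"""


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    account: str
    logon_type: int
    computer: str   # host that recorded the logon, i.e. the destination
    source_ip: str


def parse_events(text):
    """Parse the constructed export into LogonEvent objects sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, account, logon_type, computer, source_ip = line.split()
        if event_id != "4624":
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(LogonEvent(when, account, int(logon_type), computer, source_ip))
    return sorted(events, key=lambda e: e.time)


def detect(events):
    """Single chronological pass applying both rules; returns alerts in time order."""
    alerts = []
    windows = defaultdict(deque)   # account -> recent (time, host) network logons
    reported = set()               # accounts already alerted for fan-out
    for e in events:
        # Rule 1: any logon as a decoy account is an alert, whatever the logon type.
        if e.account in DECOY_ACCOUNTS:
            alerts.append({"rule": "decoy_account_used", "account": e.account,
                           "hosts": [e.computer], "source_ip": e.source_ip, "time": e.time})
        # Rule 2: sliding window of network logons per account, counting distinct hosts.
        if e.logon_type != 3:
            continue
        q = windows[e.account]
        q.append((e.time, e.computer))
        while q and e.time - q[0][0] > FANOUT_WINDOW:
            q.popleft()
        hosts = {host for _, host in q}
        if len(hosts) >= FANOUT_HOSTS and e.account not in reported:
            reported.add(e.account)
            alerts.append({"rule": "lateral_fanout", "account": e.account,
                           "hosts": sorted(hosts), "source_ip": e.source_ip, "time": e.time})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert["time"].isoformat(), alert["rule"], alert["account"], alert["hosts"])
```

In the sample, `CORP\helpdesk` touches four hosts but an hour apart, so it never trips the 30-minute window, while `CORP\bjones` reaches four hosts in seven minutes from a single source address and then touches the decoy account from the same address. The decoy rule needs no threshold at all, which is the attraction of deception: a legitimate user has no reason to authenticate as an account that exists only as bait.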

But our response as security practitioners should be broader than that.

Practitioners should aim to improve cyber hygiene across the board. In the case of Active Directory, that means validating accounts and objects, maintaining an up-to-date inventory of permissions and privileges, and auditing regularly to remove unneeded credentials and access rights.

Continuously auditing accounts, especially those with administrative privileges, and enforcing least privilege, where users hold only the permissions needed for their essential job functions, can limit escalation opportunities.
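The audit the two paragraphs above call for is harder than listing the direct members of Domain Admins, because Active Directory groups nest: a user three groups down from a privileged group holds the same rights as a direct member and is easily missed. The following is an added example written for this page, not code from the article or from Attivo Networks. It resolves effective (transitive) membership of privileged groups over a constructed directory snapshot and flags the hygiene problems the article names: accounts reachable only through nesting, stale accounts, disabled accounts still holding rights, and service accounts in admin groups. The group names, users, dates and the 90-day staleness policy are assumptions; in practice the snapshot would come from an LDAP export or from `Get-ADGroupMember -Recursive` and `Get-ADUser` in PowerShell.

```python
"""Resolve effective membership of privileged AD groups and flag hygiene findings.

Added example for illustration; the directory snapshot is constructed, not real.
"""
from collections import deque
from datetime import date, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}  # assumed scope
STALE_AFTER = timedelta(days=90)     # assumed policy: no logon in 90 days is stale
TODAY = date(2021, 9, 3)             # fixed so the example is reproducible

# Constructed snapshot: group -> direct members (a member is a group if it is a key here).
GROUPS = {
    "Domain Admins": ["alice", "IT-Ops"],
    "Enterprise Admins": ["alice"],
    "Administrators": ["Domain Admins", "Server-Admins"],
    "IT-Ops": ["bob", "Helpdesk-Tier2"],
    "Helpdesk-Tier2": ["carol", "svc-scanner"],
    "Server-Admins": ["dave", "IT-Ops"],   # IT-Ops reachable by two paths (diamond)
}
# Constructed user attributes (lastLogonDate, enabled flag, service-account tag).
USERS = {
    "alice":       {"last_logon": date(2021, 9, 1),  "enabled": True,  "service_account": False},
    "bob":         {"last_logon": date(2021, 8, 28), "enabled": True,  "service_account": False},
    "carol":       {"last_logon": date(2021, 4, 2),  "enabled": True,  "service_account": False},
    "dave":        {"last_logon": date(2021, 2, 10), "enabled": False, "service_account": False},
    "svc-scanner": {"last_logon": date(2021, 9, 2),  "enabled": True,  "service_account": True},
}


def effective_members(group, groups=GROUPS):
    """Map every user who is transitively a member of `group` to one membership path.

    Breadth-first, so the recorded path is a shortest one; a visited set makes it
    safe against diamonds and genuine cycles, which real directories do contain.
    """
    paths = {}
    seen = set()
    queue = deque([(group, [group])])
    while queue:
        g, path = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        for member in groups.get(g, []):
            if member in groups:
                queue.append((member, path + [member]))
            elif member not in paths:
                paths[member] = path + [member]
    return paths


def audit(groups=GROUPS, users=USERS, today=TODAY):
    """Return (group, user, issue) findings for every privileged group."""
    findings = []
    for grp in sorted(PRIVILEGED_GROUPS):
        for user, path in sorted(effective_members(grp, groups).items()):
            info = users[user]
            issues = []
            if len(path) > 2:   # [group, ..., user] longer than 2 means nested membership
                issues.append("nested via " + " > ".join(path[1:-1]))
            if not info["enabled"]:
                issues.append("account disabled but still a member")
            elif today - info["last_logon"] > STALE_AFTER:
                issues.append(f"stale: last logon {(today - info['last_logon']).days} days ago")
            if info["service_account"]:
                issues.append("service account holding interactive admin rights")
            findings.extend((grp, user, issue) for issue in issues)
    return findings


if __name__ == "__main__":
    for grp, user, issue in audit():
        print(f"{grp:18} {user:12} {issue}")
```

Reviewing only the direct membership of Domain Admins in this snapshot would show a single user, alice, while the effective membership is four accounts, including a stale helpdesk account and a service account two groups down. Real directories add further paths that this snapshot does not model (ACL-based control of groups, `AdminSDHolder`, local admin rights via GPO), which is why audits of effective privilege rather than direct membership are worth the effort.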

Practitioners are also trying to unpack and understand the ‘careful attacker’ mindset and apply it to securing their organisations’ environments and to closing any remaining gaps.

Author Maxie Reynolds boils the ‘attacker mindset’ down to “a set of cognitive skills … [that] include curiosity, persistence and mental agility”. Companies can view themselves “through the lens of an attacker” and become better at detecting and covertly blocking attackers’ more careful activity and movement by employing these skills.

Jim Cook is the ANZ regional director at Attivo Networks.
