Cyber Defense eMagazine May 2019
Cyber Defense eMagazine May Edition for 2019 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky a world-renowned cybersecurity expert and the Publisher of Cyber Defense Magazine as part of the Cyber Defense Media Group
Uncovering a Compromised Insider

Imagine this scenario: An attacker wants to steal the source code for a new product from the leader in the market. They're going to compromise the machine of an engineer inside the company's network and use that as a jumping-off point to search the network and find code repositories with product software. Thanks to a new framework from MITRE called ATT&CK, we can realistically detail the techniques an attacker might use to pull it off.

First, the attacker sets up a watering hole attack, knowing that an engineer at the target organization is likely to visit the website of an upcoming user conference. Once the engineer visits the website (Drive-by Compromise), the malicious code on the webpage is triggered and executed by the browser on the engineer's machine. At this point, the attacker achieves code execution (User Execution) to gain a foothold on the targeted machine.

After this initial execution, the attacker covers their tracks by deleting a portion of the malware on the system (File Deletion) in an attempt to avoid detection.

Now that the attacker controls the machine, they locate an SMB share that may contain the desired data (Discovery). As it turns out, the desired data requires privileged credentials, so the attacker escalates privileges to gain access to a user account with administrator credentials (Lateral Movement). Now the attacker can access the file share and copy over the sensitive data.

Next, the attacker steals a token from a login script that was run with a privileged domain account (Privilege Escalation), gaining access to a server in the DMZ and the ability to move data out of the network. Now the data can be copied to the server and compressed in preparation for transfer over the internet. The attacker then connects from the server in the DMZ to an attacker-controlled web server. And just like that, they've stolen your new product source code.

In this scenario, many of these tactics and techniques would at some point have set off alarms in most SOCs. But while the alerts may get investigated, too often the response by lower-tier analysts ends up incomplete, and the attacker has already gained deeper access into the organization's network and systems. By the time an attacker reaches Lateral Movement, the trail often goes dark for SOC personnel, since it is very difficult to distinguish between activity driven by the real user of an account and an attacker using that account. And it is also at this stage that the theft of sensitive data takes place.

To ensure optimal protection, security teams must change their mindset and start looking at entire attack sequences instead of individual steps. SOC teams need to be able to compare a user's behavior to their normal patterns in order to understand whether compromised credentials are being used by an attacker.
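To make the sequence-based view concrete, here is an added example (not code from the article or from MITRE) that correlates the alerts from the scenario above into a per-host chain and escalates on how far the chain has progressed and on accounts operating from hosts outside their baseline. The alert records, tactic ordering, host names and baseline are all constructed for illustration.

```python
from collections import defaultdict

# Tactic progression as it unfolds in the scenario above (constructed ordering).
CHAIN_ORDER = ["Initial Access", "Execution", "Defense Evasion", "Discovery",
               "Privilege Escalation", "Lateral Movement", "Exfiltration"]

# Constructed baseline: the hosts each account normally operates from.
# In practice this comes from weeks of logon telemetry, not a literal dict.
BASELINE = {"jdoe": {"eng-ws-17"}, "svc-deploy": {"build-01"}}

# Constructed alerts mirroring the narrative: the host the activity originated
# from, the account used, and the ATT&CK tactic the detection rule maps to.
ALERTS = [
    {"ts": 1, "src_host": "eng-ws-17", "account": "jdoe", "tactic": "Initial Access", "technique": "Drive-by Compromise"},
    {"ts": 2, "src_host": "eng-ws-17", "account": "jdoe", "tactic": "Execution", "technique": "User Execution"},
    {"ts": 3, "src_host": "eng-ws-17", "account": "jdoe", "tactic": "Defense Evasion", "technique": "File Deletion"},
    {"ts": 4, "src_host": "eng-ws-17", "account": "jdoe", "tactic": "Discovery", "technique": "Network Share Discovery"},
    {"ts": 5, "src_host": "eng-ws-17", "account": "svc-deploy", "tactic": "Lateral Movement", "technique": "SMB share access"},
    # Benign contrast: a single execution alert from the service account's usual host.
    {"ts": 6, "src_host": "build-01", "account": "svc-deploy", "tactic": "Execution", "technique": "Scheduled Task"},
]


def correlate(alerts, baseline):
    """Group alerts by originating host (time-ordered) and assess each chain as a whole."""
    chains = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        chains[alert["src_host"]].append(alert)
    return {host: assess(chain, baseline) for host, chain in chains.items()}


def assess(chain, baseline):
    """Score one host's chain instead of its individual alerts."""
    stages = sorted({CHAIN_ORDER.index(a["tactic"]) for a in chain if a["tactic"] in CHAIN_ORDER})
    furthest = CHAIN_ORDER[stages[-1]] if stages else None
    # An account acting from a host outside its baseline is the "not the real user" signal.
    off_baseline = sorted({a["account"] for a in chain
                           if a["src_host"] not in baseline.get(a["account"], set())})
    reached_lateral = bool(stages) and stages[-1] >= CHAIN_ORDER.index("Lateral Movement")
    # Escalate when the chain has reached Lateral Movement with several earlier stages
    # behind it, or whenever credentials are used from an unfamiliar host.
    escalate = (reached_lateral and len(stages) >= 3) or bool(off_baseline)
    return {"furthest_tactic": furthest, "stages_seen": len(stages),
            "accounts_off_baseline": off_baseline, "escalate": escalate}


if __name__ == "__main__":
    for host, verdict in correlate(ALERTS, BASELINE).items():
        print(host, verdict)
```

Run as-is, the workstation chain is escalated because it spans five stages and the service account appears from a host it never uses, while the lone alert on build-01 stays at normal priority.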