Over the last year, we’ve noticed numerous cyber adversaries change tactics, debuting new attack vectors and methods, as well as finding new ways of using existing ones.
In combination with COVID-19 and mass remote working, this presents a new challenge for organizations as their current cybersecurity practices and strategies may not be suited to cope with these methods and, as a result, defenders are having a harder time protecting their organizations. To address this, security teams need to exercise an awareness of what methods are becoming newly popular among bad actors and what measures they can implement to defend themselves.
Malware Free: A security teams peril
CrowdStrike’s Global Threat Report noted that malware and malware-free intrusions were observed in almost equal numbers over the last year. In 51 percent of the intrusions investigated by CrowdStrike Services malware-free techniques were used, while 49 percent were malware-based.
More interesting is that in 22 percent of the cases investigated, malware-based and malware-free techniques were both used simultaneously. Included among these malware-free methods is ‘credential dumping’ and its related practice ‘account discovery’.
Attacks using these methods aim to gain access to a network through legitimate credentials and escalate their privileges. With these enhanced privileges, bad actors can move laterally through the network while disguised as a legitimate user or administrator. This method poses a particular challenge for security teams as legitimate credentials are far more difficult to identify than other methods.
Often these attacks, known as ‘living off the land’ (LOTL), appear as legitimate activity performed by actual users. Addressing this threat is contingent on real-time visibility and recording metadata with EDR technologies. Without properly applying next-generation tools and tactics, the adversary can remain unseen within your networks for long periods of time. These technologies provide essential context to ongoing analysis to distinguish legitimate from illegitimate LOTL activities.
Big Game Hunting: Today's Most Dangerous Cyber Game
Big Game Hunting (BGH) has been another notable trend among adversaries that has gained steam in the last two years. BGH techniques focus on identifying high-value, business critical assets within organizations and targeting them for ransom - which is a change tactic from the traditional ‘spray and pray’ approach which used to be popular. BGH operations create a large incentive for victims to pay as they are typically unable to function without these assets.
As noted above, these attacks are largely realized by a combination of malware-based and malware-free tactics. It is notable that many of these attacks use malware-free techniques and then move laterally through the network to identify targets. Through targeted ransomware efforts, adversaries have found a new and novel way to secure larger payouts from victims.
In the last year, BGH attacks were not only becoming a more popular attack vector in 2019 but the size of the ransom demands grew considerably larger. CrowdStrike’s Global Threat Report identified that some of these demands were even reaching as high as $10,000,000,such as with Pinchy Spider’s REvil demands.
Another trend over recent years has been an increase in dwell times. This describes the length of time an adversary is able to hide their activities from defenders. While this increase is cause for concern in itself, what is more pressing is that CrowdStrike identified adversaries who had penetrated networks several years before discovery. This underlines the need for organizations to focus on proactive threat hunting and improving visibility.
Organizations that rely on legacy systems in particular will find themselves the most at risk. Long dwell times can be particularly damaging as they allow adversaries time to search networks for backups, providing them further leverage in ransomware attacks. These dwell times directly contradict the 1-10-60 rule whereby organizations should aim to detect malicious intrusions in under a minute, understand the context and scope of the intrusion in ten minutes, and initiate remediation activities in less than an hour. Adherence to this rule goes a long way in mitigating the damage of potential intrusions.
Cyber Hygiene: Proactive & Essential Measures
To deploy security controls that adequately protect against these new threats, organizations need to review each attack technique individually and see if their broader strategy addresses it. That being said, a secure cybersecurity foundation - one that includes people, process and technology - goes a long way against the ever-evolving threats posed by bad actors. Even as new strategies develop, these essential practices are invaluable:
- Multi-factor authentication is a key component of any security strategy. It prevents unauthorized access to employee data and credentials via traditional methods such as brute forcing or phishing. However, this additional layer of security also has value in protecting against more sophisticated attacks such as credential dumping or account discovery, which leverage employee credentials.
- Network segmentation is another key solution that prevents damage once adversaries have entered the network. By segmenting the network, lateral movement is prevented. Moreover, each of the separate networks can be separated by subsidiaries or domains and then by organizational units within each domain. Segmented and controlled networks greatly reduce the potential attack surface and increase the difficulty for threat actors trying to move within an environment.
- Anti-virus and anti-malware may sound like basic considerations but organizations need advanced endpoint protection agents to monitor their environments. As demonstrated by the rise in dwell times in the last year visibility is an important consideration overlooked by some organizations. Instead of using multiple agents, which can often be functionally little more than bloatware, a single, intelligent agent should do the job. An intelligent agent using machine-learning which can perform heuristics are particularly useful in identifying the types of anomalies worthy of the security team’s attention. With both comprehensive detection and prevention, security teams will be able to spot suspicious events before they become a threat.
- Another major consideration is log analysis. Aggregating and analyzing security-relevant logs in a security incident and event management (SIEM) tool allows security teams to develop a more complete picture of what is occurring in their environments. SIEM is useful for catching all the events that need attention from the security team but may not be picked up by AV tools. SIEM is also a boon to any investigation into incidents that the security team may subsequently perform following an occurrence.
- While technology is evidently a critical component in any cybersecurity defense strategy, it is ultimately the end user who is an essential piece of an effective response strategy as employees are often the front lines of defense and key in thwarting cyberattacks. An organization is only as strong as its users. As such, user awareness programs are a reliable method for defending against the continued threat of phishing and related social engineering techniques. Training, testing and implementing crisis management and incident response plans help to familiarize employees with the threats they are most likely to encounter.
Threat adversaries and the tools they use evolve at a rapid pace: staying one step ahead of them is a near impossible task for most organizations. Instead, a more realistic approach is to build a solid cybersecurity foundation which prepares organizations for rapid threat response and limits damage once a compromise has occurred. Doing this requires organizations to remain aware of what trends are popular amongst threat actors and to ensure their strategy develops accordingly.