In our previous post, we made clear how the current threat landscape is changing. From a situation where frequent hit-and-run mass malware seems to do the most harm, we expect more targeted attacks to show up during the coming years. After penetrating the network, the first aim of the cybercriminal is to gain access to multiple systems, for redundancy in case some systems become inaccessible later on, and then to execute additional tools, access specific information or files, or obtain additional credentials.
However, before an attacker gains that kind of power, he or she has to overcome various barriers.
Computer scientists at the Lockheed Martin corporation presented a model that concretizes the various phases a cyberattacker has to run through before ultimately succeeding: the so-called Cyber Kill Chain.
Although an attacker may skip a phase, the layered model gives a perfect opportunity to build up confidence in detecting the various attacks passing by. The idea is that these phases are involved in a cyber attack:
1 - Initial Reconnaissance: in this phase, research is done to identify vulnerabilities and weak spots
2 - Weaponization: here, the attacker tailors a dedicated piece of malware, possibly exploiting multiple vulnerabilities
3 - Delivery: making sure the specialized weapon is available at the right place / spot (via e-mail attachments, websites or USB drives)
4 - Exploitation: triggering the malware to become active, starting an attack that utilizes the packed intel or exploits various systems' vulnerabilities
5 - Installation: foot on the ground; installing backdoors / ways to connect to the target network comfortably and unnoticed
6 - Command and Control: at this stage, backdoors are in place and C2 traffic is present; the attack is imminent.
7 - Actions on target: the attacker takes action to meet his objective(s), such as data exfiltration, data destruction, or encryption for ransom.
In phases 3 to 5, we have the best chance to detect deviant behaviour on our network indicating an attack is in the making.
In fact, detecting the lateral movement attack phase is the single most important differentiator between a simple attack and a sophisticated, targeted and strategic attack.
We will now present some steps you may want to set up to detect lateral movement, which enables you to take action.
A. Know the default behaviour and utilized techniques of your network administrator (team)
Don't fool yourself: be sure that an attacker has done its homework preparing an APT and knows very well which default tools are active and used by the network administrators. These are the tools, techniques and services the hacker ideally uses to stay under the radar. Two things are key here:
A1. Know which logging is available and see if you can dump these various logs to a convenient location, from where you can work with this data.
A2. Know what behaviour is expected. You can automate behavioural detection (AI) or manually create a list of it.
Ultimately, here you want to detect deviations from this default behaviour.
B. Use login logs as a pre-attack indicator
You should analyze login information from different locations (AD sites) and have a method to cross-reference these data. If, for example, you encounter the same credential failing to log in across multiple systems and/or sites, you are on to something. If you encounter failing logins during non-working hours, you have another indication. So, search for methods to analyze this data, automated or manual, since it really is a strong indication of the pre-attack, lateral movement, phase.
C. Analyze login information on authentication frequency
This point has some overlap with point B. You should not only know which credentials are used; an even better indication is the frequency with which a certain credential set is used throughout the network. When lateral movement occurs, the attacker is in search of the jewels and already has valid access. However, he/she does not have that many credentials in this phase. So, the attacker will have to reuse the same valid credential(s) frequently when moving laterally through the network.
Find that characteristic and you have gained another strong indicator!
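As an added example (not code from the original post), the three checks from points B and C applied to a constructed set of logon events: one credential failing across several hosts and sites, failures outside working hours, and one valid credential reused on many hosts within a short window. The record layout, the 08:00-18:00 working day and the thresholds are assumptions; tune them to your own baseline from point A.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of logon events: time,site,host,account,outcome (not real data).
SAMPLE_EVENTS = """\
2024-03-04T02:14:05,AMS,WS-042,svc_backup,fail
2024-03-04T02:14:11,AMS,WS-043,svc_backup,fail
2024-03-04T02:14:20,BER,FS-01,svc_backup,fail
2024-03-04T02:14:27,BER,DC-02,svc_backup,fail
2024-03-04T10:00:00,AMS,WS-011,j.doe,fail
2024-03-04T13:05:00,BER,FS-01,a.admin,success
2024-03-04T13:06:30,BER,FS-02,a.admin,success
2024-03-04T13:07:10,AMS,WS-042,a.admin,success
2024-03-04T13:08:40,AMS,WS-043,a.admin,success
2024-03-04T13:09:55,BER,DC-02,a.admin,success
"""

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, site, host, user, outcome = line.split(",")
        events.append((datetime.fromisoformat(ts), site, host, user, outcome))
    return sorted(events)

def failing_across_hosts(events, min_hosts=3):
    """B: one credential failing on several hosts/sites (spraying or brute force)."""
    hosts = defaultdict(set)
    for _, site, host, user, outcome in events:
        if outcome == "fail":
            hosts[user].add((site, host))
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= min_hosts}

def off_hours_failures(events, start=8, end=18):
    """B: failed logons outside the assumed working hours or at the weekend."""
    return [(ts, user, host) for ts, _, host, user, outcome in events
            if outcome == "fail" and (ts.weekday() >= 5 or not start <= ts.hour < end)]

def credential_reuse(events, window=timedelta(minutes=10), min_hosts=4):
    """C: one valid credential logging on to many distinct hosts within a short window."""
    per_user, flagged = defaultdict(list), {}
    for ts, _, host, user, outcome in events:
        if outcome == "success":
            per_user[user].append((ts, host))
    for user, logons in per_user.items():
        for i, (start_ts, _) in enumerate(logons):
            hosts = {h for ts, h in logons[i:] if ts - start_ts <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged
```

The working-hours failure by j.doe is deliberately left unflagged: a single daytime failure is normal, the 02:14 burst across two sites is not.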
D. Know your file servers’ activity
Here, again, we want to analyze the utilization of file servers. Hackers often stage confidential data (encrypted and hidden) on a file server before transferring these jewels to their own C2 server. File servers are also a frequent target for ransomware attacks, or may simply harbor some of the jewels the attacker is fighting for. This results in deviant behaviour on the file server(s).
So again, focus on log aggregation and analyze these logs heavily!
Windows systems generally have hidden network shares that are accessible to (network) administrators and provide the ability for remote file copy and other administrative functions; take measures to log access to especially these locations: C$, ADMIN$ and IPC$. Windows has special GPOs to log these access events, but you need to invest in tooling and time to aggregate these logs.
After an attacker succeeds in transferring binaries (malware) to a certain computer, remote execution methods are most of the time used shortly after to activate the (stealthy?) malware.
Don't underestimate the value of SMB logging and analysis; it can be a very strong indicator / detector. First take measures to gather all logs in a comfortable place, then invest time and build knowledge to interpret and aggregate these logs.
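An added example (not from the original post) of what to look for once the share-access logs are aggregated: constructed records modelled on the fields of Windows Security event 5140 (a network share object was accessed), checked against an assumed list of hosts from which administrators legitimately use the hidden shares, and for one source touching C$/ADMIN$/IPC$ on many machines, the pattern that precedes the remote execution described above.

```python
from collections import defaultdict

ADMIN_SHARES = {"C$", "ADMIN$", "IPC$"}
# Assumed baseline: hosts from which administrators legitimately use the hidden shares.
KNOWN_ADMIN_SOURCES = {"10.0.5.10"}

# Constructed sample modelled on event 5140 fields (target host, source address,
# account, share name as logged); not real log data.
SAMPLE_SHARE_EVENTS = [
    ("FS-01", "10.0.5.10", "CORP\\a.admin", "\\\\*\\ADMIN$"),
    ("WS-042", "10.0.7.33", "CORP\\j.doe", "\\\\*\\Finance"),
    ("WS-042", "10.0.7.33", "CORP\\j.doe", "\\\\*\\IPC$"),
    ("WS-043", "10.0.7.33", "CORP\\j.doe", "\\\\*\\ADMIN$"),
    ("FS-01", "10.0.7.33", "CORP\\j.doe", "\\\\*\\C$"),
    ("DC-02", "10.0.7.33", "CORP\\j.doe", "\\\\*\\ADMIN$"),
]

def share_name(logged_path):
    """'\\\\*\\ADMIN$' as logged -> 'ADMIN$'."""
    return logged_path.rsplit("\\", 1)[-1].upper()

def admin_share_access(events):
    """Hidden-share access from a source that is not a known admin host."""
    return [(target, src, acct, share_name(share)) for target, src, acct, share in events
            if share_name(share) in ADMIN_SHARES and src not in KNOWN_ADMIN_SOURCES]

def fan_out(events, min_targets=3):
    """One source/account reaching hidden shares on many hosts: staging for remote execution."""
    targets = defaultdict(set)
    for target, src, acct, share in events:
        if share_name(share) in ADMIN_SHARES:
            targets[(src, acct)].add(target)
    return {key: sorted(hosts) for key, hosts in targets.items() if len(hosts) >= min_targets}
```

The ordinary Finance share access is ignored on purpose; the signal is the hidden shares, from a workstation, across four hosts.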
Shared files on these network shares
An attacker may taint files and executables (content) on a network share. Since a multitude of users will execute or open these files, a file infected or tainted to run malicious script / code / macros will have a large impact. Since the attacker wants to stay stealthy, he has to carefully plan this kind of trick. So, frequently scan the files on your file server and keep track of anomalies.
E. Command and Control activity detection
Certainly, you may have some great tools in place, like firewalls doing protocol inspection. The downside of these appliances is that, although they are a big plus for your overall security posture, they are often behind on threat intel. This is certainly the case when you face an APT. Here, your effort to analyse DNS logs may give you strong hints. Try to detect non-human hostnames / domain names; randomly generated ones may be of interest.
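An added example (not from the original post) of the "non-human name" heuristic over DNS query logs: the second-level label is scored on character entropy, the longest run of consonants and the share of digits, three traits of machine-generated names. The query lines are constructed and the thresholds are assumptions; expect false positives from CDN and cloud hostnames, so pair this with an allowlist of names you see every day.

```python
import math
from collections import Counter

# Constructed DNS query log entries (client, queried name); not real traffic.
SAMPLE_QUERIES = [
    ("10.0.7.33", "www.example.com"),
    ("10.0.7.33", "cdn.cloud-provider.net"),
    ("10.0.7.33", "xk3q9zvt7bn1p.com"),
    ("10.0.7.33", "q8w2e4r6t0y1u3i5o7.net"),
    ("10.0.7.33", "mail.example.com"),
    ("10.0.7.33", "lkjhgfdsazxcvbn.org"),
]

def core_label(fqdn):
    """Second-level label, e.g. 'example' from 'mail.example.com'."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def entropy(s):
    """Shannon entropy in bits per character; natural words score low, random strings high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_generated(label, max_entropy=3.5, max_consonant_run=5, max_digit_ratio=0.3):
    """True when any of the three assumed thresholds is exceeded."""
    digits = sum(ch.isdigit() for ch in label)
    run = best = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in "aeiouy" else 0
        best = max(best, run)
    return (entropy(label) > max_entropy or best > max_consonant_run
            or (len(label) >= 8 and digits / len(label) > max_digit_ratio))

def suspicious_queries(queries):
    """(client, name) pairs whose core label looks machine-generated."""
    return [(client, name) for client, name in queries if looks_generated(core_label(name))]
```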
F. Port scanning
You have to be aware of port scanning activity within your network. True, some legitimate applications may do a scan or may be classified as port scanning applications. However, these applications have a static behaviour and only scan for certain ports or ranges. A port scan set out by a cybercriminal and its tools will, if noticed, probably always differ from known behaviour!
Make sure you analyze this utilizing
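An added example (not from the original post) of the baseline idea in point F: the scanners you know are recorded with the static port set each normally probes, so the detector reports a known scanner that leaves its profile as well as an unknown source that touches many ports or many hosts. The flow records, the scanner profile and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Assumed baseline: legitimate scanners and the static port set each normally probes.
KNOWN_SCANNERS = {"10.0.5.20": {22, 443, 3389}}

# Constructed flow records (source, destination, destination port); not real data.
SAMPLE_FLOWS = [
    ("10.0.5.20", "10.0.7.33", 22), ("10.0.5.20", "10.0.7.33", 443), ("10.0.5.20", "10.0.7.33", 3389),
    ("10.0.5.20", "10.0.7.34", 22), ("10.0.5.20", "10.0.7.34", 443), ("10.0.5.20", "10.0.7.34", 3389),
    ("10.0.5.20", "10.0.7.35", 445),   # the known scanner stepping outside its profile
    ("10.0.7.33", "10.0.7.40", 135), ("10.0.7.33", "10.0.7.40", 139), ("10.0.7.33", "10.0.7.40", 445),
    ("10.0.7.33", "10.0.7.40", 3389), ("10.0.7.33", "10.0.7.40", 5985), ("10.0.7.33", "10.0.7.40", 5986),
    ("10.0.7.33", "10.0.7.41", 445), ("10.0.7.33", "10.0.7.42", 445), ("10.0.7.33", "10.0.7.43", 445),
    ("10.0.7.50", "10.0.7.60", 443),  # ordinary single connection
]

def port_profile(flows):
    """Distinct destination ports and distinct destination hosts seen per source."""
    ports, hosts = defaultdict(set), defaultdict(set)
    for src, dst, dport in flows:
        ports[src].add(dport)
        hosts[src].add(dst)
    return ports, hosts

def scan_findings(flows, min_ports=5, min_hosts=3):
    """Tags per source: 'outside-profile' for a known scanner probing ports it never did
    before, 'vertical' (many ports) and 'horizontal' (many hosts) for unknown sources."""
    ports, hosts = port_profile(flows)
    findings = {}
    for src in ports:
        tags = set()
        if src in KNOWN_SCANNERS:
            if ports[src] - KNOWN_SCANNERS[src]:
                tags.add("outside-profile")
        else:
            if len(ports[src]) >= min_ports:
                tags.add("vertical")
            if len(hosts[src]) >= min_hosts:
                tags.add("horizontal")
        if tags:
            findings[src] = tags
    return findings
```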
G. Exploiting vulnerabilities
Most of the time, an attacker needs to gather knowledge about systems exposing known vulnerable services. The attacker utilizes network service scanning software or home-brewed methods and software to discover these unpatched services. An attacker may also search for patch history, in which case a safe assumption can be made about which systems and services to exploit.
So, it is of the utmost importance to patch all software continuously. Then, invest time in knowing which techniques attackers use during this phase and build intel about the traces these may leave, enabling you to monitor and detect this kind of traffic.
H. Keep an eye on RDP
Lately, many attacks 'simply' encompass the use of RDP to take over a certain system, drop malicious code and execute it. The attacker may also just enable legitimate features to be able to control the computer more stealthily. Know your group policies and track anomalies.
With this summary, we hope to give you some inspiration on the various attack vectors and techniques involved in stealthy lateral movement attacks. We deliberately avoided giving advice on the various commercially available (open source) tools and software suites. But of course we are happy to advise you on such software. We can also advise on several free / value-for-money solutions. Just send us an e-mail. We will deliver.
Greetings from the CyberTense team.
Regards and keep up,