SOC Tool Kit v2.1: Building an Effective Cyber Defense Line in Organizations
Chapter 1 — Understanding the Enemy’s Footsteps
Even successfully organized cybersecurity capabilities cannot protect a business from advanced attacks. However, when you design a strong security line, you will be able to prevent, detect, stop and overcome targeted cyber attacks.
I will share the research I have done with you based on the books and articles written on this subject in recent years and the research written by other researchers. Resources that I find particularly helpful and recommend include:
- Zero Trust Networks: Building Secure Systems in Untrusted Network s( https://www.amazon.com/Zero-Trust-Networks-Building-Untrusted-ebook/dp/B072WD347M/ref=sr_1_1?dchild=1&keywords=zero+trust&qid=1585852028&sr=8-1)
- Cybersecurity and Cyberwar: What Everyone Needs to Know (https://www.amazon.com/gp/product/B00GJG6ZB2/ref=dbs_a_def_rwt_hsch_vapi_tkin_p1_i3 )
- Enterprise Cybersecurity: How to Build a Successful Cyberdefense Program Against Advanced Threats ( https://www.amazon.com/Enterprise-Cybersecurity-Successful-Cyberdefense-Advanced/dp/1430260823 )
- Building an Effective Cybersecurity Program ( https://www.amazon.com/dp/B07ZL2SPRT/ref=cm_sw_r_tw_dp_U_x_XzCGEbQ9SXH6Y )
I will also share some of the chapters and theories described in these books in my reviews.
To activate corporate lines of defense, an organization must understand the attackers’ methodology and devise tactics to thwart their strategy.
Attacks are 3 steps away from you!
Attackers target a single endpoint computer within the corporate target network. From this targeted end-user, attackers exploit some common vulnerabilities and configuration errors to gain administrative privileges over the portion part of the corporate network. Attackers then use these administrative privileges to access, modify or destroy their targeted data.
Attackers will achieve their goal in three basic steps as follows.
1. Compromise a computer
2. Get administrative privileges
3. Steal data at will!
Every corporate cybersecurity team aims to prevent and make it difficult for all attacks targeting the organization to achieve its goals. To create an effective cyber defense line, we need to examine how attackers achieve their goals. Then we have to design a blocking method for each path. Finally, in the last step, we should try to make this system sustainable and automated.
As we can see in the 5-step intrusion table, we can categorize the steps taken by the attackers by estimating. Even if attackers sometimes follow these steps forward, they can move backward between the steps. For example, sometimes attackers escalate privileges before establishing command and control or move laterally before escalating privileges. If command and control do not work, the attacker can move laterally and establish command and control while on a different system. For this reason, let’s not forget that there can be forward and backward movements in each chain.
Attack Step : Establish Foothold
In the intrusion steps, the first step is to establish a baseline of the attack attempt at the victim. Next, attackers will organize their attacks by focusing on a sensitive or incomplete defense point after an institution’s active and passive scanning reconnaissance. When we examine the compromise systems, one or more of the following methods can be the starting point of the attack;
- The victim can be targeted with Email messages containing Malicious files and phishing attacks.
- A server with Internet access can be attacked due to misconfigurations, vulnerabilities, and missing patches.
- An attacker accessing a network without authorization will take advantage of other machines’ vulnerabilities and configuration errors on that network.
- Attackers can also perform denial of service attacks by preventing other users from accessing a system.
- Servers in an organization that an attacker breaches and customers can access will also endanger and harm customers.
Attack Step : C&C
The attacker may not constantly be in the network during or after attacks. For this reason, it can carry out transactions in the corporate network by sending its orders from a server outside the corporate network, thanks to the malicious software it has created.
- Attackers can communicate with their external C&Cs via SSL or TLS encrypted outbound web access. Since the communication is encrypted, tools that control network traffic, such as IDS and IPS cannot provide detection.
- A website web shell is a web page attached to an existing website that allows attackers to execute commands on the web server. Since web shells are usually embedded in websites with complex and large structures, web shells are difficult for institutions to detect.
- Protocol tunneling is a process used by attackers to avoid being caught by the Firewall to export commands and useful output or to communicate with C&Cs. Almost any protocol can be used for tunneling; common ones are done over DNS, ICMP, and SMTP.
- Internet-facing user accounts can also be used to control Internet-oriented web services. This technique is most commonly used to command and control Cloud services and web-based systems such as email and Internet banking.
Attack Step: Escalate Privileges
If the attacker has taken command and control, their next move will be to escalate privileges on the servers and endpoints where the targeted data is located. Therefore, the target accounts; There will be endpoint administrators, domain administrators, or enterprise administrator accounts. Some of the basic principles that the attacker will use to elevate their rights are as follows;
- Session hijacking can be accomplished by using the user’s authentication method to connect to remote systems, spoofing one’s session, and elevating rights.
- Password keyloggers are malicious files used to capture the passwords of the target user or administrator based on the location of the owner of the machine when logging on to compromised devices. Through these passwords, attackers can escalate privileges.
- Pass the hash or ticket; Attackers can use it to escalate their privileges on the network using credentials hashes or authentication tickets. It is pretty dangerous as it allows attackers to bypass multi-factor authentication.\
- Harvest credentials; Privilege escalation can be achieved by obtaining credentials from applications, memory, and hard drives on compromised machines.
- Exploit vulnerabilities aim to escalate privileges by exploiting vulnerabilities in the targeted system’s operating system or application software.
- Maintain persistence is privilege escalation aimed at built-in persistence every time a server or endpoint is powered on by embedding malware into the operating system or hard drive through the session running the malware.
Attack Step: Move Laterally
Attackers move from machine to machine simultaneously to take control of additional servers, endpoints, and user accounts, including other privileged accounts. This way, it can move forward in the network and expand the attack point to quickly access the information it wants.
- Network mapping is a roadmap for switching machines by learning the location of subnets, endpoints, and servers for easy attacker movement.
- Remote desktop enables it to connect to target systems using administration credentials captured by attackers in previous stages.
- Share enumeration allows the attacker to proceed by collecting information by enumeration of shares.
- A remote shell usually works using different ports and protocols than a remote desktop.
Attack Step: Complete the Mission
Let’s consider this breach, which occurred from the first stage to the last, within the scope of the CIA triangle. But, first, let’s categorize the parts violated in these three steps, which are the basis of information security. These three points, each of which forms the basis of information security, will give us information about what an attacker can do in the last step.
- If we think about Confidentiality, Violations at this step allow us to find actions taken to steal login credentials, critical internal communications, credit card numbers, or financial accounts of victim businesses.
- When we think of integrity, the attacker changes the records in the victim’s systems with processes such as changing the data. This process is more destructive because changing the data would require more strenuous and extensive work to get it back.
- If the attacker made the data inaccessible or managed to destroy the data, we can assume that this affects availability. In this case, the institution remains in need of the aggressor.
In my next article, I will discuss the more detailed steps and detection methods of these vectors. Thank you for reading :)