The recent worldwide increase in the use of digital tools for work, play and leisure has underscored cybersecurity’s importance like never before. Threat actors use a combination of tactics, tools and procedures to gain a foothold on a target system or network and then leverage lateral movement to get to the crown jewels of that target organisation. In this era of ‘assume breach,’ it is not a matter of if an attack or incident will occur but when. Just as in the case of a real-world attack on a person or group of people, first aid can go a long way to save lives until professional help arrives.
In the same vein, this series looks at the immediate actions and mitigations that can be activated in the case of a cyber incident.
It will focus on three main areas:
The first part will address the important technical actions needed in the immediate aftermath of an incident. Next, I will address the non-technical aspects of a cyber event, like incident reporting and impact assessments. And finally, the last part will look at possible lessons learned from the response as a whole.
Part 1: Technical Response
Part 1 of this three-part series will focus on the Technical Response in the immediate aftermath of a cybersecurity incident. It is important that your organisation’s security team rapidly contains the incident and preserves any useful evidence for a root cause analysis, such as logs, malware files and other operating system artefacts for root cause analysis.
Here, we will focus primarily on a Windows environment and use a common attack type as an example: spear-phishing that results in business email comprise (BEC) that leverages lateral movement and leads to a data breach. The visual representation of this flow is shown below.
For most attacks that subsequently lead to an infection and breach, attackers will usually:
attack a soft target, such as a user and their machine, typically via a phishing attack
compromise their account and computer
leverage the compromised account and computer to discover the rest of the network
escalate privileges to facilitate lateral movement in order to compromise other systems
locate high-value assets, or crown jewel systems, and exfiltrate data
Depending on their motive, the threat actor may want to stay and move undetected for as long as possible. Or they may want to cause some disruption to the network, as is shown in ransomware attacks. As you know, although MITRE ATT&CK or Cyber Kill Chain may map out threat actors’ tactics and techniques, they do not play by the rules. So you should not make any assumptions during incident response – you should consider only solid evidence that you can corroborate. It’s also important to keep an eye out for decoys, as everything may not be as it seems. With this in mind, you’ll want to examine the different stages of this attack flow.
The initial phase of the attack will typically involve some social engineering, like phishing or malvertising, mostly through digital communication channels such as email or a website. This may also land the threat actor on their first infected machine, otherwise known as ‘patient zero.’
At this early stage of post-incident detection, some of the following steps can be taken.
Identify the infected user account (email / computer).
Isolate the affected email accounts.
Block affected email account from sending out email.
Check if there are any email forwards to any external email accounts.
Retrieve all sent items from their inbox over the last 7 to 14 days, to begin with.
Audit for sent and deleted mail.
Check for any custom forms (Outlook) loaded onto the account profile.
Check connected devices for the affected email account.
Check for legacy protocol use (e.g., POP3).
Check Azure AD logs for authentication information.
Check for randomly named scripts and other CLI utilities in temp locations (especially in the case of fileless attacks).
In this phase, attackers have leveraged social engineering to gain access to systems. In the example, a phishing email from an account takeover (ATO) attacker is used to send a fake email quote in a Microsoft Word document. The document contains a malicious macro and, once opened, will launch the next phase of the attack.
Multi-factor authentication (MFA) and strong email security defences combined with user awareness training should be a good first line of defence against initial entry attacks. Email security solutions should have anti-phishing, AI and URL resolution and detection capabilities as a minimum. Also very important are alerting capabilities on things like email forwards, redirects, and template creation. Users of cloud email like Office 365 can run services such as Microsoft Office 365 Secure Score to find weakness in email posture.
At this point, the attackers have executed a successful attack and gained access to a legitimate user account and or system. The pivot machine becomes the point machine for the threat actors to attempt to discover and move around the rest of the network.
Isolate the infected computer / laptop immediately from the rest of the network.
Disconnect the machine from the Internet.
Disable the affected user's domain account in Active Directory.
Disable any remote access for this account e.g. VPNs, OWA or other remote logins.
Check for signs of malicious persistence – Registry, Startup and Scheduled Tasks.
Check for the presence of tools such as mimikatz, psexec, wce and remanent files (where possible, machines should not be rebooted in the case of memory-only attacks).
Typically, this will involve some user falling for a phishing attack and opening a malicious link or email attachment, leading to the use of legitimate system tools, such as powershell.exe, for malicious purposes. Checks such as suspicious processes, network share access, account logs and downloaded files should be administered. One of the important processes in the case of Windows for authentication and possible privilege escalation is lsass.exe (Local Security Authority Subsystem Service). Check for any unusual process names, locations or account access.
Often, the pivot machine gives the threat actor a foothold to the rest of the network. It may not be the main target, but a means to an end. As a result, you should be mindful of:
Decoys designed to distract
Fileless or memory-only malware may mean loss of original evidence
Deletion of files to remove evidence
IT may not always be able to locate the original patient zero machine or even the pivot machine, but whatever compromised system is located first should be isolated and investigated accordingly. For deeper analysis, perform:
File system analysis
System log forensics
Several forensic tools (native, open source and commercial) exist and can help to retrieve as much information as possible when analysing systems and networks after a cyber incident.
Discovery and Lateral Movement
In most cases, the initial machine is seldom where the threat actor wants to be. They will therefore need to move around until they reach their ultimate target systems.The aim is to leverage the compromised pivot machine to discover the rest of the network and map it out to facilitate an effective way to move laterally. The network facilitates the actual application access end goal. An example of this includes NTLM credentials theft in pass-the-hash or Kerberos credential theft in pass-the-ticket attacks and ports (network level) to achieve lateral movement.
First Aid – Discovery
Check for evidence of port scans.
Check frequently used applications.
Check command history e.g. Powershell and WMI command history.
Check for malicious scripts.
First Aid – Lateral Movement
Check for remnants of remote access & deployment tools – RDP, VNC, psexec, mimikatz.
Check for the use of windows accounts on servers especially File Servers, DNS Servers and Active Directory Servers.
Some useful Windows event logs to check.
Verify the patch level of commonly used movement methods – Browser, Adobe, Microsoft Office and OS (most exploits leverage vulnerabilities).
Detecting East-West movement may be another challenging task without the right tools in the first place. Also, here, threat actors will typically employ native tools and ‘live off the land’ techniques to prevent alerts and avoid detection. In some cases, they may employ other techniques to escalate their account level privileges to facilitate the ability to move laterally undetected. During the discovery phase, similar to the subsequent lateral movement phase, the threat actor would prefer to remain silent and avoid early detection. This means that they are likely to employ native tools rather than introduce external or custom tools. Most operating systems have various native tools to facilitate actions during this phase such as Powershell and WMI in Windows. As far as threat actors are concerned, lateral movement can be particularly easiest in environments with little to no segmentation at all or where only traditional segmentation methods like subnets, VLANs and zones are used. This is because there is usually a lack of visibility, overly complex security policies and no host-based separation within subnets or VLANs.
The image above shows an example of a visibility and analytics tool (Illumio’s application dependency map, Illumination) that enables the visualisation of a discovery and lateral movement attempt. A view similar to that shown above enables the clear representation of various application groups and the workloads contained therein and the resulting network communication mapping between workloads. Such a view allows for quick and easy identification of anomalous network behaviour between workloads in the same or different application groups.
The crown jewel systems and data are what the threat actors are usually after, especially in the case of clandestine and non-ransomware attacks. This is where any main data exfiltration activity is likely to occur.
Check for the use of admin accounts on database servers, AD servers, file servers.
Check web access history looking for suspicious connections.
Check anti-botnet defences for botnet related communication.
Check for data exfiltration - DNS tunnelling, protocol abuse, data encoding.
Check for excessive data transfer rates on the system and corresponding NICs.
Useful Windows event logs:
Windows Event 4672 for admin account logins
Windows Event 4624 for successful logons
It is essential to effectively segment your systems that hold important or sensitive data from the rest of the network. One of the best ways is the use of host-based micro-segmentation which provides both visibility into network communication and the ability to enforce firewalling directly on the hosts. By visualising the traffic going into and out of your crown jewel systems in relation to the rest of the network, you can receive timely visualisation and alerting capabilities to detect, prevent and isolate any anomalous communications quickly.
Since malware may get in and get a foothold through vulnerabilities, especially inherent system vulnerabilities, it is also important to deploy an up-to-date vulnerability and patch management solution. Threat actors usually try to clean up after themselves so they may delete system events, files and registry data. It is therefore especially important to have a central repository for system and network logs and events such as SIEM (Security Information and Event Management) and security analytics tools.
In conclusion, you must take the right succession of actions in the immediate aftermath of a cyber incident, as this will lead to the other key parts of how the incident is handled on the whole. Irrespective of the size and stature of an organisation, technical preparedness and response should be a key part of the overall strategy as shown here, but should also include non-technical responses such as incident report and impact analysis. I will discuss this in more detail in the next iterations of this series.