Breaking down a successful cyber-attack in its simplest form; Threat actors use computers as they were designed which is to perform hundreds of millions of operations per second based on dark but creative instructions. Ok, so somewhere on the internet there’s gotta be a disgruntled Microsoft Employee, right?
Armed with an idea, like targeting disgruntled employees, Hackers are able to use a combination of training videos, open source tools and high speed internet to harvest a username and an entry point into the target network, by scraping the internet looking for their desired human behavior in the form of text. Asking the average computer to scan through an entire website looking for a particular pattern can be done in minutes on any device including a smartphone with one line of code, like this one: Cewl -e –email_file emaillist.txt https://yourcompanieswebsite.com/.
A Web Forum where someone is using all caps or following sentences with more than one exclamation point? Disgruntled user identified! The username found on one forum might allow a threat actor to pivot to additional threat vectors such as email addresses, Facebook or LinkedIn accounts. We all use similar usernames across web services, right? Additional behaviors about the target can be profiled by the threat actor inducing more dark but creative potential exploits which focus on harvesting more potential entry points. Next, befriend this user across multiple platforms and learn about them and how they communicate to peers. Ask them through a private message for the credentials needed in a way that doesn’t raise suspicion. Access to target network achieved.
Human vulnerabilities can be turned into real vulnerabilities, and we all know humans are an unpredictable species therefore the attack surface of the human psyche is limitless.
This is how Cyber threat actors continue to demonstrate they can execute successful cyber-attacks seemingly everywhere including attacks against large organizations, like Microsoft, who leverage the most advanced Cyber Security defense systems.
Cyber Security Artifacts – Artifacts are tracks that get left behind.
When looking from afar at the details of new Cyber threats the most important question to ask is how did the analysts obtain this artifact? Action movie lovers, like myself, imagine a tactical situation where a “highspeed” S.W.A.T. team enters the Hackers location from the roof using ropes and helicopters before smashing through windows and arresting the hacker. While under an intense interrogation the hacker eventually spills their secrets and shows agents the source code. All vulnerabilities are solved this way, right? Joking aside the answer is far less action packed.
The most basic networks, including home networks, are littered with millions of artifacts or little digital footprints found inside each device. Analysts obtain details about attacks by logging into devices, pulling artifacts and eventually solve the puzzle by recreating the story by correlating artifacts from different devices.
Cyber Security Compliance
Based on my experience, artifact collection is driven by Cyber Security compliance. Cyber Security compliance involves meeting various controls usually enacted by a regulatory authority, law, or industry group to protect the confidentiality, integrity, and availability of data. The number of controls that need to be met varies by industry and the number of controls increases based on the sensitivity of the data they intend to protect.
The enforcement of asset identification and subsequent storage of asset artifacts in the form of system logs and events are common controls penetrating compliance standards across many industries.
Both control requirements work together by getting organizations, through process, to identify and document all its assets and then ensuring asset artifacts are saved to a Security Information Event Management system, or (SIEM) for short. Yes, even that dusty old, networked printer no one uses needs to push its device logs to the SIEM.
To summarize the goal of the combined controls is to push organizations to collect and store as many artifacts from as many devices as possible so when an incident occurs analysts have the best chance to identify the breach.
Incident Response and Behavior modeling
Incident Response (IR) is a set of information security policies and procedures that identify, contain and eliminate cyberattacks. A good IR plan typically includes notifying authorities when a novel incident is suspected. Organizations like the Federal Bureau of Investigations (F.B.I.) dispatch forensic analysts who immediately obtain access to an organizations SIEM dataset and begin identifying interesting artifacts. Interesting artifacts are buried next to billions of ordinary ones but include firewall connection logs, IPs connected to apps, Extended Detection and Response (EDR) events and user account activity.
Combining interesting artifacts from each device eventually leads analysts to identifying Indicators of Compromise (IoC). Flash Number: CU-000163-MW RagnarLocker Ransomware Indicators of Compromise is a recent example of the analysts work in the field.
Mined IoC’s from the field are shared digitally with a multinational community of Cyber Warriors. Sharing includes documenting Behavioral models of Novel attacks in knowledge bases like MITRE ATT&CK and then building and uploading a STIX 2.0 statement to the community which can be downloaded and used by Cyber Security defense platforms.
Choosing a Cyber Security Platform that will maximize your investment for years to come
A platform that will perform the best and provide the most value for years to come will act like a virtual field analyst working at the speed of a computer parsing streams of device artifacts. It will ingest artifacts from apps, network devices and cloud sources from any location into its own SIEM dataset effectively centralizing intelligence inside an open architecture. It will work with existing and new security layers, not in place of them. Like an analyst, it will correlate artifacts from perimeter security infrastructure and other security telemetry. It will be aware of the most current threat intelligence data by regularly retrieving STIX 2.0 statements and will scan each artifact coming into the system looking for a detail that matches something bad. The platform should push its SIEM dataset through an embedded Machine Learning system so known behaviors about the technology environment can be understood. Artificial Intelligence (AI), a tool most threat actors cannot utilize, should be used to identify, and report suspicious or anomalous behavior. AI should build stories referencing industry standards like the Mitre ATT&CK Framework to be presented to human analysts, when a string of malicious actions are identified in the network. As AI improves it will simply be pushed as a future system update.
The end results should be a platform that can consistently identify any creative dark exploits launched by threat actors. A creative dark exploit like; Finding disgruntled employee accounts that are logging into the network for the first time, outside of their normal business hours from another continent and from an IP address that’s currently flagged by an Intelligence Agency.
The platform classification as described is typically referred to as Extended Detection & Response (xDR) and not to be confused with Endpoint Detection and Response (EDR). Confusing naming convention aside, further diligence around platform log retention period is needed when an xDR platform is identified. Most xDR platforms have a non-compliant artifact retention period around their embedded SIEM datasets. The shortened period is because there are performance challenges with ML and AI when they are asked to look beyond 3 months’ worth of data so many platforms are parsing artifact data well short of the regulatory data retention periods. So, while these xDR platforms are affordable a traditional SIEM solution would also need to be implemented to meet regulatory data retention periods. Thankfully some xDR venders can extend log retention out to 7 years and therefore become truly comprehensive next gen solutions.
VP Technology Solutions
Randy is a veteran of more than 20 years in the fields of Technology development, Technology Support and Cyber Security. Prior to Seceon, Randy has spent the last 7 years working as the Chief Technology Officer where he played a key role in building the business into a nationally recognized Managed Services Provider. Randy has also held key technology focused roles in small, mid and large market firms dating back to the year 2000. At Seceon Randy provides seasoned leadership, oversees Technology Solutions and is using his wide range of experience to drive both internal and external successes.