In today’s world, understanding threats and how to avoid them are critical to a business’s success. Last year, we saw an evolution in malware and attacks. Ransomwares like WannaCry made their debut; featuring worm-like attributes that allowed ransomware to self-propagate through a network, exploiting vulnerable machines and continuing the damage. We started to see attackers using more advanced automation in their malware and shiftier distribution methods to thwart defenses. In September 2017, we saw a supply chain attack against download servers that added a Trojan virus within versions of the popular CCleaner PC utility software. The download was undetected for almost a month and it is estimated that over 2 million users had installed it.
According to the US government, cyberattacks reportedly cost the US economy a $57-109 billion-dollar loss in 2016. Cisco reported in 2017 that 53% of cyberattacks resulted in damages of over $500k or more; 8% had damage totals over $5 million per incident. While costs are skyrocketing, so is the average timeframe for detecting cyberattacks. Multiple studies over the last several years have found businesses are averaging a three to eight-month time period before even detecting a cyber-attack.
We know the threat is real and the costs of a cyberattack can be exorbitant, so what can we do with all this information? As an MSSP, something we always recommend to our clients and prospects is practicing a multi-layer defense approach within their network. Multiple layers of security are an important part of detecting, preventing, and minimizing a business’s exposure to a cyberattack. So many times, we have heard “I have good anti-virus and an expensive firewall; I don’t need any other defenses.” Unfortunately, that is no longer the case. Preventive security is no longer enough; organizations must build a strong defense and use offensive practices to proactively head off potential intrusions.
In today’s blog, we share with you a real-life experience and what we did to mitigate the threat by building a strong cybersecurity strategy.
Tale from Our SOC
Several years ago, we helped a client implement managed security services. The client’s priorities were never focused on security, until they had hired a consulting company to perform a simulated cyberattack. The exercise shed light on their security shortcomings. It highlighted how the current controls they had in place failed during the simulated attack and what methods were missing from their environment, including: incident response, security awareness and systems capable of detecting these acts.
The Simulated Attack
When the simulated attack was started, they only used the organization’s name. The first step was reconnaissance about this organization, where common tools like Google and LinkedIn were used to search for user email formats, website, and domain information. As the discovery phase progressed, IPs for VPN server access and email servers were identified. Based off the information they discovered, user lists were built, and a phishing campaign was prepared. The attacker ran vulnerability scans and methodical brute force tests to identify any weaknesses within the external services they had already identified.
The next step in the simulated attack was the phishing campaign. Now that the attacker had built a list of potential emails, they fired a phishing email off to the targeted employees. Many users happily signed into a deceptive website and entered domain credentials for a chance to win an iPad from HR – which made the attacker’s job that much easier. Within about 15 minutes of work, they already had information that would let them dig deeper, without even attempting exploits against vulnerabilities that they had found during the discovery phase. The phishing website that was used was also packed with an exploit kit that allowed the attacker to obtain reverse shell access via PowerShell on users’ computers – a popular tactic used by threat actors. Since a few users had connected the attacker into the environment, they were free to investigate the machines they now controlled.
As the attacker was unaware of who might have mentioned a suspicious email to IT, they had to act quickly. A simple reboot would kick the attacker out since the exploit was neither persistent nor installed. When the credentials were obtained, the attacker also used them to connect into the network via the organization’s remote access VPN they had already discovered.
The remote access VPN had no additional authentication challenge other than a valid set of domain credentials. Working with the machines they had PowerShell access to, they eventually identified that one of users had local admin access to the workstation and there were at least six additional users who had signed into this workstation at some point. Utilizing their PowerShell access, several popular tools were used to determine encrypted cache passwords for a brute force attack.
Since the domain password policy only enforced six characters, they successfully decrypted all six accounts. Having no idea if these were current or expired passwords or what level of access these accounts held within the network, they started testing them against other machines that were identified from the remote access VPN. It was determined they had obtained at least one domain administrator account from the list. At this point the rest was history; the attacker was now free to move around to any device on the network with minimal resistance.
How to Prevent This Attack
So, what could have been done to prevent this from happening? What if this was a real attacker who had installed ransomware or some other type of malware? In this scenario there are several security practices that could have detected andor prevented this:
Let’s start with the most obvious issue, the users. In this scenario and so many other experiences we have seen, organizational Security Awareness training is lacking. We have seen businesses wire tens of thousands of dollars to attackers via C-Level spear-phishing attacks to phishing attacks that leads to an intrusion. Keeping your staff aware of what to look for is very important. Another solution in this scenario would have been to use a spam filtering system capable of identifying phishing emails and flagging external emails. Providing a visual cue to a user such as [EXTERNAL] in the subject field can help head off many phishing attacks.
During the exercise, vulnerabilities were also found in some of their externally facing services. While the attacker did not need to exploit these, performing proactive Vulnerability Scanning would have identified missing patches and a hole within an existing patch procedure. Patch Management is an important practice that was also neglected here. While many companies practice patch management, having a patch procedure documented will keep you aware of what services are externally facing. Keeping those systems free from known vulnerabilities can lessen your chances of becoming a target.
During the simulated attack the threat actor utilized a remote access VPN to access the network. Multifactor Authentication (MFA) has become a standard for securing internet facing applications. If the attacker had faced a MFA enabled VPN, even with the known credentials it would have made it very difficult for them to continue with the attack without finding a more challenging method in.
Once the attacker was inside the environment they discovered that the client had a poor password policy and all users had local admin credentials to their workstations. The IT department was also using their own accounts which had domain administrator rights to perform basic setups and troubleshoot workstation issues. Since they had no password expiration and strong passwords were not enforced, their credentials were cached on the machines, which the attacker exploited.
While the client had data backups, it is important to note that if an attacker had used ransomware with data encryption abilities the client may have suffered a significant data loss. Having a robust and efficient Data Backup and Disaster Recovery system is an important layer of defense.
The main piece missing from this customer’s arsenal of tools was a Managed Detection and Response (MDR) solution. A tool like AlienVault’s Unified Security Management (USM) coupled with a knowledgeable MSSP would have enabled the logging and correlation required to identify many of the shortcomings in the tale above. I can never stress enough how important logging and correlation is. There have been countless times where we’ve seen clients who have had an intrusion; however they have no means of determining how the attacker got in or where an attack might have spread.
Following the exercise, company ownership made security a top priority. The organization worked with a consultant to implement security awareness training for their user base while assisting in building compliance-based policies and procedures that are now followed. The organization also now performs table top exercises in conjunction with our team to review scenarios and how they should respond.
Over the next year, we assisted in implementing numerous changes within the client’s environment. We implemented our MDR solution (USM Anywhere) pulling logs from every corner of their network. We worked with them to install next generation firewalls that run malware, IPS, URL, DNS and geographically blocking. We implemented group policy changes to enforce stronger password and enabled the client to separate user accounts from admin accounts.
The Second Wave
Once all of these changes had been implemented, another simulated cyberattack was performed. During the exercise, several users did input credentials that provided the attacker access, however with the improved security implementation; the attacker was forced to attempt an install of a tool on the client. The next generation firewall detected this intrusion and blocked it. Since this was unsuccessful for the attacker, they attempted to connect to the remote access VPN. The client had not yet implemented MFA, so the attacker connected again successfully. The difference here was the MDR solution was enabled and actively monitored. During the exercise we received three different alarms:
- Brute-force attack alarm from a VPN user IP.
- Alarm generated by the IPS, identifying a hacking application was blocked.
- Several additional alarms related to the user’s PC where anti-virus and logging identified an application attempting to be installed.
We executed the incident response plan: killing the VPN access, disabling the users’ accounts and then escalated the information to the internal team. They were able to pull the affected machines off the network and the incident was contained. While the attacker had still gained access, quick response kept the incident from going any deeper. Over the next several weeks MFA was enabled on all external facing applications.
The simulated attack exercise is a great example of how an attacker can easily slip by traditional defenses and why layers of defense are required in your cybersecurity strategy. Each solution discussed above would have played a pivotal part in detecting and/or stopping the original attack. As we saw in the second attack, the newly added layers of defense were key in slowing down the attack, which ultimately kept the attacker from gaining any sensitive information.
Matt Kimpel is the Director of IT Engineering at Magna5, his trade is network security. Magna5 is a certified AlienVault Partner. Check his company out at http://www.magna5global.com/managed-security/