Forget what you see in movie: attacks aren’t fast operations. The adversaries don’t swoop into an IT environment, quickly find the data they’re looking for and swiftly exit. In reality, attacks are long, slow operations that take weeks, if not months, to achieve their goal and require multiple steps.
While the thought of the bad guys lurking undetected in a network for several weeks may cause security professionals to break into a cold sweat, lengthy, complex operations actually provide defenders with an advantage. Each stage of the attack lifecycle and each move the adversaries make provide security professionals with an opportunity to detect malicious activity and expose the entire operation. This approach does away with the mentality of only building better, taller walls to guard your assets. Motivated attackers, whether they’re a nation-state hungry for intellectual property or a well-financed cyber-crime group, will eventually find a way around your defenses.
Using behavior-based detection models to find the signs of an active cyber attack
Instead, you’re pairing a strong defense with behavioral detection to discover adversaries who are already in your network. Like the name implies, behavioral detection entails looking for attacker behavior instead of malware hashes and other traditional indicators of compromise, which can be easily changed to avoid detection by firewalls and antivirus software. With behavioral analysis you’re looking for the attacker’s tools, techniques and procedures (TTPs).
TTP development is a long and expensive process and, like developing any piece of software includes steps like research and development, prototyping, beta testing and quality assurance. Given how complicated TTPs are to produce, they’re very challenging or impossible to modify. Detect a TTP and you’ve found the adversaries’ most coveted assets. Detect enough to TTPs and you’ll likely see how the entire attack operation has unfollowed, possibly forcing the bad guys to pause the campaign and regroup or even stop the operation. In one operation discovered by Cybereason, attackers suspended their operation after the PowerShell infrastructure they were using to carry out fileless malware attacks was detected and shut down. After a four-week hiatus, they returned with tools that allowed them to bypass the PowerShell execution restrictions that the company implemented.
Every attack won’t contain each phase of the attack lifecycle. In fact, in some attacks phases of the attack lifecycle could be repeated. The takeaway is that each phase of the attack provides the defenders with a chance to discover facets of the operation. For example, here’s how defenders can detect lateral movement by looking for excessive port scans.
Looking for excessive port scans to discover lateral movement
When attackers move on to the lateral movement phase of the attack, they’re scanning the network to learn what other machines are on it and what protocols they’re using. They’re looking for open ports that can be used later for exploits and lateral movement.
To obtain this information, the attackers will enumerate all the ports of another machine. For instance, let’s say that there’s a machine with the IP address 10.00.17. Attackers will try every port on that machine until they find one that’s open. If the attacker discovers that port 443 is open, for example, they’ll check to see if they have vulnerabilities or exploits that can be used on the open protocol.
Look for excessive port scans, which could indicate that attackers are conducting reconnaissance and attempting to map out your network. Intrusion detection tools can detect port scanners, but, admittedly, determining what’s legitimate scanning and what’s reconnaissance is tricky. Networks are filled with computers and applications that are constantly talking to each other so you have to filter out the noise, which can take awhile. But you can discover anomalies that indicate an attack if you know how many ports and destination the devices on your network typically access. Identifying port enumeration across machines can lead to detecting the early stages of internal reconnaissance and prevent the attack from spreading to other machines.
