The staff in Perception labs is asked one question more than any other by our customers and analysts alike, “What’s the most likely way a cyber-attack is going to occur?” Realistically we don’t know since the answer to the question is based on a myriad of factors, but we can always say there is a way of breaching any system without being detected. Our engineers, researchers, and analysts are constantly trying to discover these methods so that our products stay ahead of the attacker’s next move.
Simon Miles, an engineer in Perception labs, was kind enough to describe a hypothetical attack on a mid-size corporate network that would breach the typical security setup of most businesses today. It’s worth noting that while we have seen the component parts of this attack in the wild, this is not a description of any real-world attack on a business, nor does it represent the security measures of any Perception clients.
Data Exfiltration Scenario
1. A Threat actor (Hacker) performs some initial background research using a mixture of social media and web research to identify a suitable person of interest within the organisation to be targeted. The identified user is going to be the target of a social engineering attack that will be used to compromise their machine and eventually obtain confidential information that will be used for ransom or other means.
2. The identified user is sent a tailored spear phishing email that references something of specific interest to this person that builds trust with the end user and coaxes them to open an attached excel spreadsheet (e.g. Enhanced_Bonuses_For_Next_Year.xlsx spoofing the managing directors email). The spreadsheet contains a macro which downloads a malware dropper payload. The payload uses obfuscation techniques ensuring that it is unique; rendering existing signature based defences such as AV, IDS and IPS ineffective and also prevents analysis in a sandbox environment.
3. The macro contained has the ability to detect virtual machine environments using time based analysis to avoid detection in sandboxing
4. The dropper installs and sets up a Remote Access Trojan (RAT) which will leave a small footprint on the user’s device. The RAT has been encrypted using paid for tools that are easily downloadable online that makes it fully undetectable (FUD) by the users anti-virus. The RAT runs in memory and is persistent.
5. The RAT is configured to establish a Command and Control (CnC) channel back to its control server using DNS port 53 as the control channel. DNS is often overlooked by security appliances as a method for CnC
6. The RAT is configured to beacon home periodically to get more commands and actions to perform
7. The RAT uses Domain Generation Algorithm (DGA) when performing the DNS lookup for the C&C server to avoid any domain name being blacklisted and to reduce the likely hood of detection by blacklisting.
8. The RAT is instructed to perform some reconnaissance activities on the network to allow the attacker to identify potential targets of interest, e.g. fileservers, databases etc
9. The RAT performs a sweeping port scan (‘low and slow’ to avoid detection), identifying a few hosts and services of interest
10. The attacker has determined that there is a server running an FTP service and they would like to investigate further as this may hold company information.
11. Using common usernames, the attacker initiates a brute force password attempt against the FTP server to gain access to the information. This attempt fails due to the hacker using a username that is not valid on the FTP server.
12. After failing to brute force the password on the FTP server, the attacker needs to gain valid credentials from a user who has a valid login. To do this the malware modifies the system settings in such a way as to generate a configuration fault with the victim’s machine.
13. The initially exploited user then contacts their IT department to raise the fault with their machine. An IT admin shortly arrives and uses their own credentials to log in to the machine at which point a software key logger (installed by the RAT) is used to obtain these credentials. The configuration fault on the victim machine is rectified by the IT admin, however the malicious applications remain operational.
14. The Attacker now has further domain information to retry the brute force access against the FTP server.
15. The Attacker successfully establishes a connection with the FTP server and has full access to its data.
16. The attacker now has what they were after and can then exfiltrate the sensitive data out of the network via the victim machine. The attacker sends out 1GB of files over an 8 hr period to a cloud service they have access to. This data is sent using port 443 HTTPS and is encrypted preventing detection by many security products.
There are many different variants that could be implemented using Twitter as the CnC Channel for example or using exfil by USB stick, however the general process of the attack would stay largely the similar.
The important thing to take away here is that aside from restricting all user’s behaviours on a network, there is little network admins can do to limit malicious network behaviour. However, while attackers get better, prevention gets more difficult and detection becomes more important. It is important that Information Security personnel understand the need for the network monitoring layer.
Whilst we can’t speak for other network monitoring products, Perception would:
· Identify the misuse of the DNS protocol in step 5
· Identify the CnC beaconing behaviour in step 6
· Identify the use of a DGA in step 7
· Identify the port scan surveillance in step 9
· Identify the brute force attempt in step 11
· Identify the egress of data from the network in step 16
The genius of modern malware is that none of the steps described above alone are something to be alarmed by on any network, in fact they are normally a result of typical network behaviour. The flaw that modern security systems have is that without knowing what the user is thinking and legitimately wanting to achieve, the system can’t differentiate between legitimate user behaviour and software-based malicious activity.
In the example above, Perception would alert the analyst that the above information, taken individually, is not indicative of an attack. However, by mid-way through the attack, the system would look at the evidence collected so far and start to alert the analyst that the network behaviour, in that order, is
· potentially dangerous,
· and worth quarantining then investigating