Attackers use a vast set of methods and tools, ranging from a simple email to built-in Windows utilities and Office 365. No system is truly safe, and there is much misplaced confidence in Linux and other platforms. But with the right amount of preparation and practice, these attackers can be detected. Those were the messages highlighted at our latest Meetup, Threat hunting with Countercept and NextSec.
Held at F-Secure’s office in London last week and hosted in collaboration with NextSec – a networking group for young professionals working in information security and students aspiring to a career in the industry – the sell-out session helped shine a light on the damage posed by those with the right mix of intention and expertise.
How attackers operate
“To tackle threat actors you need to know how they operate,” said Alex Davies, Tech Ops Lead at F-Secure Countercept. “The easiest way to get into any system is an email. It’s simple but hugely effective. Credential theft, file download, Macros, DDE – these are some of the other methods. Physical infiltration is one not enough people test for – attackers have been known to leave USB sticks in car parks, or just post them. Somebody will plug it in.”
During a standout session on the attacker mindset, Davies delved into how attackers exploit vulnerabilities in the systems on which virtually every business and every employee relies. Even legitimate programs such as Microsoft Word, or ordinary Windows processes, can be turned against their users, both to further an attacker's aims and to hide malicious activity behind a cloak of familiarity.
Windows has “a huge attack surface”
“Windows is great for attackers,” said Davies. “It has a huge attack surface. You can run a binary file or use embedded content, macros, Windows utilities such as PowerShell, Rundll, memory corruption, exploitation of software vulnerabilities. There are so many ways in.”
Once an attacker has found a way in, the next step is to establish a command-and-control channel from the compromised endpoint back to infrastructure the attacker controls. There are several ways to carry that traffic, including HTTP, DNS, ICMP, or a legitimate third-party service such as Google or Facebook, where the beacon blends in with ordinary use. Many of these channels are hard to tell apart from normal traffic, which is exactly what makes them effective for attackers.
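One way a hunter looks for the DNS variant of that channel, as an added example rather than anything shown at the event or code from F-Secure Countercept: an implant that carries data in query names leaves behind many unique, long, high-entropy subdomains under a single parent domain, while a CDN or SaaS domain with lots of subdomains has short, low-entropy labels. The log lines below are constructed, the base domain is approximated as the last two labels (a simplification; production code should use the public suffix list), and the thresholds are assumptions to tune against your own baseline.

```python
"""Hunt for DNS-tunnelled command and control in a DNS query log.

Added example, not code from the event or from F-Secure Countercept.  The
sample log is constructed; base_domain() approximates the registrable
domain as the last two labels (assumption: a real hunt uses the public
suffix list).
"""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(text):
    """Bits of entropy per character of text; 0.0 for an empty string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname):
    """Approximate the registrable domain as the last two labels."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def _tunnel_qname(i):
    """Constructed: a 60-character hex label, as an implant chunking data into DNS might emit."""
    return hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:60] + ".beacon.example.net"


# Constructed sample log: "<timestamp> <client_ip> <query_name> <query_type>".
SAMPLE_DNS_LOG = [
    "2019-03-01T10:00:01 10.1.2.3 www.microsoft.com A",
    "2019-03-01T10:00:02 10.1.2.3 login.microsoftonline.com A",
    "2019-03-01T10:00:03 10.1.2.3 outlook.office365.com A",
    "2019-03-01T10:00:04 10.1.2.3 www.google.com A",
    "not a well-formed line",
] + [
    # A CDN with many shards: many subdomains, but short labels.
    f"2019-03-01T10:00:{10 + i:02d} 10.1.2.{3 + i % 4} img{i}.cdn-example.com A" for i in range(12)
] + [
    # The tunnel: one client, TXT queries, unique high-entropy labels.
    f"2019-03-01T10:01:{i:02d} 10.1.2.9 {_tunnel_qname(i)} TXT" for i in range(24)
]


def parse_dns_log(lines):
    """Yield (client_ip, qname, qtype), skipping malformed lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, qtype = parts
        yield client, qname.lower(), qtype.upper()


def find_dns_tunnel_candidates(lines, min_unique=10, min_label_len=30, min_entropy=3.5):
    """Return {base_domain: stats} for domains whose query names look like a tunnel.

    All three thresholds must be met: enough distinct names to rule out a
    one-off lookup, and leftmost labels that are both long and high-entropy.
    """
    per_domain = defaultdict(lambda: {"names": set(), "clients": set(), "qtypes": defaultdict(int)})
    for client, qname, qtype in parse_dns_log(lines):
        stats = per_domain[base_domain(qname)]
        stats["names"].add(qname)
        stats["clients"].add(client)
        stats["qtypes"][qtype] += 1

    hits = {}
    for base, stats in per_domain.items():
        names = stats["names"]
        if len(names) < min_unique:
            continue
        leftmost = [n.split(".")[0] for n in names]
        mean_len = sum(len(label) for label in leftmost) / len(leftmost)
        mean_ent = sum(shannon_entropy(label) for label in leftmost) / len(leftmost)
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            hits[base] = {
                "unique_names": len(names),
                "mean_label_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                "clients": sorted(stats["clients"]),
                "qtypes": dict(stats["qtypes"]),
            }
    return hits


if __name__ == "__main__":
    for domain, stats in find_dns_tunnel_candidates(SAMPLE_DNS_LOG).items():
        print(domain, stats)
```

The CDN domain in the sample has more distinct subdomains than the default threshold but fails the length and entropy checks, which is why the rule requires all three signals together; dropping any one of them is what turns this hunt into a flood of false positives.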
Access over longer time periods
Persistence mechanisms such as scheduled tasks, registry keys and Windows services can be used by an attacker to maintain access over longer periods. A stealthier technique is DLL side-loading, in which a malicious DLL is picked up by a legitimate process, so the attacker's code runs every time a program such as Microsoft Word or Excel starts. Office templates can be used for the same purpose.
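As an added example of how a hunter would look for that side-loading persistence (not something shown at the event, and not F-Secure Countercept code), the following checks Sysmon "Image loaded" records (Event ID 7) for two signals: a DLL that carries the name of a system library but was loaded from outside the system directories, and an unsigned DLL loaded from a user-writable location by a signed host binary that lives in a protected directory. The events are constructed, and the list of commonly hijacked DLL names is an illustrative assumption rather than a complete catalogue.

```python
"""Hunt for DLL side-loading in Sysmon "Image loaded" events (Event ID 7).

Added example, not code from the event or from F-Secure Countercept.  The
events are constructed; HIJACKABLE_NAMES is an assumed, illustrative list.
"""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PROTECTED_DIRS = SYSTEM_DIRS + ("c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\")
# DLL names that legitimate binaries import from System32 and that attackers
# plant beside the binary so the loader finds theirs first (assumed list).
HIJACKABLE_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll", "uxtheme.dll", "msi.dll"}


def _norm(path):
    return path.strip().lower()


def _under(path, roots):
    return any(_norm(path).startswith(root) for root in roots)


def _user_writable(path):
    return any(marker in _norm(path) for marker in USER_WRITABLE_MARKERS)


def classify_load(event):
    """Return a reason string if an Event 7 record looks like side-loading, else None."""
    if event.get("EventID") != 7:
        return None
    image = event.get("Image", "")
    dll = event.get("ImageLoaded", "")
    signed = str(event.get("Signed", "false")).lower() == "true"
    dll_name = ntpath.basename(_norm(dll))
    # Signal 1: a system DLL name resolved somewhere other than System32/SysWOW64.
    if dll_name in HIJACKABLE_NAMES and not _under(dll, SYSTEM_DIRS):
        return f"system DLL name {dll_name} loaded from outside System32"
    # Signal 2: a protected, signed host pulling unsigned code from a user-writable path.
    if _under(image, PROTECTED_DIRS) and _user_writable(dll) and not signed:
        return f"unsigned DLL from user-writable path loaded by {ntpath.basename(image)}"
    return None


def find_sideloading(events):
    """Return one record per suspicious load, in event order."""
    hits = []
    for event in events:
        reason = classify_load(event)
        if reason:
            hits.append({"host": event.get("Computer", ""), "process": event.get("Image", ""),
                         "dll": event.get("ImageLoaded", ""), "reason": reason})
    return hits


# Constructed sample events in the shape Sysmon writes (fields abbreviated).
OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
SAMPLE_EVENTS = [
    # Word loading the real version.dll from System32: benign.
    {"EventID": 7, "Computer": "WS0017", "Image": OFFICE + "WINWORD.EXE",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"},
    # Word loading a version.dll planted in the user's temp directory: hijack.
    {"EventID": 7, "Computer": "WS0017", "Image": OFFICE + "WINWORD.EXE",
     "ImageLoaded": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\version.dll", "Signed": "false"},
    # Excel loading an unsigned DLL from roaming AppData: side-loaded add-in.
    {"EventID": 7, "Computer": "WS0017", "Image": OFFICE + "EXCEL.EXE",
     "ImageLoaded": "C:\\Users\\jsmith\\AppData\\Roaming\\Microsoft\\AddIns\\report.dll", "Signed": "false"},
    # A vendor app loading its own signed helper from Program Files: benign.
    {"EventID": 7, "Computer": "WS0017", "Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll", "Signed": "true"},
    # A per-user installed editor loading its own plugin from AppData: not
    # flagged, because the host binary is not in a protected directory.
    {"EventID": 7, "Computer": "WS0017", "Image": "C:\\Users\\jsmith\\AppData\\Local\\Programs\\editor\\editor.exe",
     "ImageLoaded": "C:\\Users\\jsmith\\AppData\\Local\\Programs\\editor\\plugin.dll", "Signed": "false"},
    # A process-creation event (ID 1) is ignored by this hunt.
    {"EventID": 1, "Computer": "WS0017", "Image": OFFICE + "WINWORD.EXE"},
]

if __name__ == "__main__":
    for hit in find_sideloading(SAMPLE_EVENTS):
        print(hit["host"], hit["reason"], hit["dll"])
```

The second rule deliberately ignores unsigned DLLs loaded by programs that are themselves installed under the user's profile; those are noisy and need their own baseline, whereas an Office binary in Program Files reaching into AppData for unsigned code is rare enough to be worth a look every time.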
Before moving on to the next computer, an attacker can harvest a great deal from the local system: users, groups and passwords. Tools such as BloodHound, and techniques such as DCSync, can be used to map and exploit Active Directory; DCSync asks a domain controller to replicate account data, password hashes included, just as another domain controller would. “A user behaving abnormally by downloading the entire directory is the kind of warning signal we look for at F-Secure Countercept,” said Davies.
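That warning signal has a concrete shape in the logs. As an added example (not code shown at the event or from F-Secure Countercept), the following hunts Windows Security event 4662 on domain controllers for replication requests: a DCSync tool must exercise the DS-Replication-Get-Changes extended rights, which the DC records in the event's Properties field together with a control-access bit in AccessMask. The three right GUIDs are the documented Active Directory values; the events, host names, accounts and the allowlist of sync service accounts are constructed assumptions to be replaced with your own.

```python
"""Hunt for DCSync-style replication requests in Windows Security event 4662.

Added example, not code from the event or from F-Secure Countercept.  The
replication-right GUIDs are the real AD extended-right values; the sample
events, accounts and allowlist are constructed.
"""
import json
import re

DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcf2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES: "DS-Replication-Get-Changes",
    DS_REPLICATION_GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET: "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit set when an extended right is exercised
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)


def requested_replication_rights(event):
    """Names of replication rights exercised in a 4662 event, or an empty list."""
    if event.get("EventID") != 4662:
        return []
    if int(str(event.get("AccessMask", "0")), 16) & CONTROL_ACCESS == 0:
        return []
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)


def find_dcsync(lines, dc_accounts, service_allowlist=frozenset()):
    """Return replication requests from accounts that are neither a DC nor an approved sync service.

    dc_accounts holds the computer accounts of the real domain controllers; a
    trailing '$' alone is not trusted, since a workstation's account has one too.
    """
    known_dcs = {a.upper() for a in dc_accounts}
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        rights = requested_replication_rights(event)
        if not rights:
            continue
        account = event.get("SubjectUserName", "")
        if account.upper() in known_dcs or account in service_allowlist:
            continue
        hits.append({
            "account": f"{event.get('SubjectDomainName', '')}\\{account}",
            "logged_by": event.get("Computer", ""),
            "rights": rights,
        })
    return hits


def _event(subject, computer, props, access="0x100", event_id=4662):
    """Constructed 4662-style record as one JSON line; real events carry more fields."""
    return json.dumps({
        "EventID": event_id, "Computer": computer, "SubjectDomainName": "CORP",
        "SubjectUserName": subject, "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
        "AccessMask": access, "Properties": " ".join("{%s}" % p for p in props),
    })


ALL_CHANGES = [DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL]
SAMPLE_EVENTS = [
    _event("DC02$", "DC01", ALL_CHANGES),          # DC-to-DC replication: expected
    _event("MSOL_3f2a1b9c", "DC01", ALL_CHANGES),  # directory sync service account: allowlisted
    _event("jsmith", "DC01", ALL_CHANGES),         # a user pulling every hash: DCSync
    _event("WS0042$", "DC01", ALL_CHANGES),        # a workstation's computer account: not a DC
    # An ordinary property read (AccessMask 0x10) on some attribute GUID: not replication.
    _event("jsmith", "DC01", ["3e0abfd0-126a-11d0-a060-00aa006c33ed"], access="0x10"),
    "not json at all",
]

if __name__ == "__main__":
    for hit in find_dcsync(SAMPLE_EVENTS, {"DC01$", "DC02$"}, {"MSOL_3f2a1b9c"}):
        print(hit)
```

Event 4662 names the DC that served the request, not the machine the request came from; pairing the hit with the matching 4624 logon on that DC gives the source address, which is what the responder needs next.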
The end of the kill chain
The final stage involves lateral movement, as the attacker moves across the network to reach their goal. This usually means jumping from one computer to another with legitimate credentials. There are many ways to move internally, including Server Message Block (SMB), Windows Management Instrumentation (WMI), Remote Desktop (RDP) to servers, and Windows Remote Management (WinRM), all of which let commands be executed on one computer from another.
“Towards the end of the kill chain an attacker starts behaving like an admin or other legitimate user,” said Davies. “Many controls can be bypassed and if an attacker uses these techniques, they will reach their end goals eventually.”
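Because those moves use real credentials, what gives them away is the pattern rather than any single event. As an added example (not code shown at the event or from F-Secure Countercept), the following reads Windows logon events: SMB, WMI and WinRM sessions all arrive at the target as event 4624 with LogonType 3, and RDP as LogonType 10, so one account reaching an unusual number of distinct hosts inside a short window, from one source address, is the telemetry shape of "behaving like an admin". The log lines, hosts, addresses, window, threshold and the allowlist of accounts expected to roam are constructed assumptions.

```python
"""Hunt for credential-driven lateral movement in Windows logon events.

Added example, not code from the event or from F-Secure Countercept.  The
sample lines, hosts, addresses, thresholds and allowlist are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_logon(line):
    """Parse '<iso timestamp> key=value ...' into a dict with a datetime 'ts'."""
    ts, *tokens = line.split()
    event = dict(token.split("=", 1) for token in tokens if "=" in token)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def find_fan_out(lines, window=timedelta(minutes=15), min_hosts=5, allowlist=frozenset()):
    """Return {account: summary} for accounts reaching >= min_hosts distinct hosts within window.

    Computer accounts (trailing '$') are skipped here as an assumption; in
    practice they need their own baseline rather than a blanket exclusion.
    """
    by_account = defaultdict(list)
    for line in lines:
        event = parse_logon(line)
        # Only successful network (3) and RDP (10) logons count as movement.
        if event.get("EventID") != "4624" or event.get("LogonType") not in {"3", "10"}:
            continue
        by_account[event["TargetUserName"]].append(event)

    hits = {}
    for account, events in by_account.items():
        if account in allowlist or account.endswith("$"):
            continue
        events.sort(key=lambda e: e["ts"])
        best = None
        for i, start in enumerate(events):  # slide the window from each logon
            hosts, sources, types = set(), set(), set()
            for event in events[i:]:
                if event["ts"] - start["ts"] > window:
                    break
                hosts.add(event["Computer"])
                sources.add(event["IpAddress"])
                types.add(event["LogonType"])
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {"first_seen": start["ts"].isoformat(), "hosts": sorted(hosts),
                        "sources": sorted(sources), "logon_types": sorted(types)}
        if best is not None:
            hits[account] = best
    return hits


# Constructed sample logon events, one per line.
SAMPLE_LOGONS = [
    # jsmith at the console of his own workstation, then a file share: normal.
    "2019-03-01T09:00:00 EventID=4624 Computer=WS0017 TargetUserName=jsmith LogonType=2 IpAddress=-",
    "2019-03-01T09:05:10 EventID=4624 Computer=FS01 TargetUserName=jsmith LogonType=3 IpAddress=10.1.2.17",
    # A failed logon is a different event and is ignored here.
    "2019-03-01T09:06:00 EventID=4625 Computer=FS01 TargetUserName=jsmith LogonType=3 IpAddress=10.1.2.17",
    # A backup service account suddenly used from jsmith's workstation (10.1.2.17)
    # to reach five hosts in nine minutes, ending with an RDP session to a server.
    "2019-03-01T13:00:01 EventID=4624 Computer=WS0021 TargetUserName=svc_backup LogonType=3 IpAddress=10.1.2.17",
    "2019-03-01T13:01:30 EventID=4624 Computer=WS0022 TargetUserName=svc_backup LogonType=3 IpAddress=10.1.2.17",
    "2019-03-01T13:03:12 EventID=4624 Computer=WS0023 TargetUserName=svc_backup LogonType=3 IpAddress=10.1.2.17",
    "2019-03-01T13:05:45 EventID=4624 Computer=SRV-SQL01 TargetUserName=svc_backup LogonType=3 IpAddress=10.1.2.17",
    "2019-03-01T13:09:02 EventID=4624 Computer=SRV-APP01 TargetUserName=svc_backup LogonType=10 IpAddress=10.1.2.17",
] + [
    # A monitoring account that legitimately touches every host: allowlisted.
    f"2019-03-01T13:{i:02d}:00 EventID=4624 Computer=WS00{30 + i} TargetUserName=svc_monitor LogonType=3 IpAddress=10.1.1.5"
    for i in range(6)
] + [
    # A domain controller's computer account: skipped as a computer account.
    f"2019-03-01T14:{i:02d}:00 EventID=4624 Computer=SRV-0{i} TargetUserName=DC01$ LogonType=3 IpAddress=10.1.1.10"
    for i in range(6)
]

if __name__ == "__main__":
    for account, summary in find_fan_out(SAMPLE_LOGONS, allowlist={"svc_monitor"}).items():
        print(account, summary)
```

The interesting detail in the hit is not the count but the source: a service account that normally runs from a backup server appearing from a user's workstation, and finishing with an interactive RDP logon, is the combination that turns a statistical anomaly into something an incident responder can act on.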
Fortunately, effective threat hunting teams can intercept and neutralize attacks before they reach their end goals. Using knowledge of the attacker mindset, skilled threat hunters are able to look in the right places based on what they would do next if they were launching an attack. Strong threat hunting teams may also include qualified incident responders who can rapidly take action to contain an attack. In this way attackers can be stopped, assets protected, and threats shut down before they can execute their plans.
This is the first of three entries from the event. Parts two and three will explore how to detect and defeat threat actors, and how to respond to a breach, respectively.