Defence in depth: how a layered approach to security can inhibit cyber attackers
MWR InfoSecurity's Donato Capitella examines how to limit the impact of a cyber attack
In the first article, we looked at how attackers are commonly exploiting networks to exfiltrate, modify data, or carry out denial of service (DoS) attacks. A range of defensive measures were then identified which can be effective in preventing the vast majority of attacks.
However, it is simply not realistic to assume that all possible attacks can be prevented. Eventually an attack may succeed simply because of human error, device misconfiguration, or perhaps as a result of a new and previously unseen exploit of software for which there is no patch available (the zero-day exploit).
Therefore, it is reasonable to assume that at some point in time a remote attacker will gain a presence in your network. In this article we will look at measures which can be implemented to prevent an attacker's ability to move laterally and compromise more systems.
When attackers gain an initial foothold on one system inside a compromised network, they need to work to expand his influence. This will typically involve gaining credentials and privileges which will enable him to move to other systems.
As an attack progresses, more systems are compromised and more credentials are gained along the way. Eventually the attacker will gain access to a high value, high privilege account and the victim network is now effectively 'owned' by the attacker.
So, what factors will hinder the progress of an attacker on his way to becoming domain admin and stealing all of the corporate secrets?
Check your privilege
The first thing to consider is the privilege level of the attacker when the first system is compromised. If the attacker has landed on a system with a user account running with a high level of privilege then it will be a simple matter for the attacker to use the credentials of that user to make connections to other systems.
For this reason, it is highly advisable to configure all users to run with the minimum level of privilege required to perform their job - and no more. A typical attacker will want to run a tool such as Mimikatz or Gsecdump in order to steal credentials or dump hashes out of memory. This will not be possible while running in a restricted user account, so the attacker will now require a privilege-escalation attack on the compromised host, which gives defenders another chance to notice the attack occurring.
Another important factor is the design of the network itself. An attacker can only compromise those systems which he is able to communicate with over the network, so network segmentation will be a big factor in preventing lateral movement.
The most effective way to achieve this is through the use of routing and switching, which implements VLANs to segregate groups of systems logically, and with appropriate firewall rules or access control lists to filter traffic flows between those systems.
An important factor to realise is that attackers will use whatever tools are available to them to achieve their objective. If they discover network enumeration tools, port scanners or password cracking utilities on a system then they will likely use them against you.
[Please turn to page two to read about software restriction policies, multi-factor authentication, and the importance of actually examining log files]
Defence in depth: how a layered approach to security can inhibit cyber attackers
MWR InfoSecurity's Donato Capitella examines how to limit the impact of a cyber attack
Many system administration tools (especially Sysinternals) can also be abused in this way, so best practice would be to remove such software if it is not required. Attackers are also particularly adept at using scripting languages, such as Perl or Python, to develop their access. So, again, if these are not required on a system then remove them. The same applies to system management tools, such as RDP or VNC, which attackers will use if available.
Limited availability
Implementing "software restriction policies" or AppLocker will also cause a potential headache for any attacker trying to move around the network. Restricting the applications that can run on workstations will limit the options available for lateral movement. If a typical user does not need to make RDP connections for example, it should be disallowed.
Also, consider putting multi-factor authentication in place for systems/applications of high value, which could prevent an attacker from reaching the corporate crown-jewels if he is unable to authenticate. This is especially relevant for VPN connections, which should always be configured with tw-factor authentication. If an attacker can gain the ability to log into the network as a legitimate user via the corporate VPN then it is very difficult to identify the malicious activity.
Of course, at some point an attacker may be successful in moving around the network, gaining access to sensitive data and exfiltrating that data. In this event, the ability of defenders to detect and respond to the malicious activity is paramount.
The ability to detect an attack largely depends upon two critical factors. First, having the right data available; and, second, actually looking at it.
Most organisations that fall victim to network intrusions have the evidence of compromise sitting in their logs all along, but the problem is that often nobody reviews logs until an incident occurs. Organisations need to learn to go "threat hunting" as a matter of routine.
Behaviour to watch for includes Windows log-on events (ID numbers 552, 4648, 540, 4624, 5140), new services being installed, tasks being scheduled, and remote execution with wmic, psexec or winrs.
All of these will be recorded in typical Windows event logs. On the network side, look for connections to odd places or at odd times. Also, be aware of any unusual user-agents in the proxy logs.
There are many other items to consider when threat hunting, but these few items will pay massive dividends if carried out regularly. Compromise is almost inevitable, but with relevant security training and planning it doesn't mean game over.