For hackers, particularly those working as part of an advanced persistent threat (APT) groups, compromising network perimeter security is just the first step play in a potentially long game. Once through the firewall they will conduct a number of activities until they reach their end goal – stealing money or sensitive information or causing long term damage to the victim’s systems and reputation.
By knowing what these activities are, organizations can better identify security incidents in progress – and respond accordingly. Here we uncover the basic playbook of successful hackers.
1. Secure access to the network
Sophisticated fraud takes time to set-up and execute; it is highly unlikely that criminals can do all the work needed in one day. Their first order of priority once into your network is to secure access, allowing them to reconnect whenever they want.
Typically access is gained via a compromised PC, so they will establish some form of persistence. This is usually achieved by installing a backdoor that acts as a basecamp for stage 2.
2. Compromise credentials
Once inside your network, attention shifts to capturing elevated permissions that allow the hackers greater control over network resources. Ideally, they are looking for administrative-level credentials at either local or domain level, allowing them greater control and increased visibility of network resources.
The hackers have a range of tools at their disposal, from keyloggers installed on endpoints, to man in the middle (MITM) attacks that sniff packets, scan ports and hijack sessions on the current network segment. In some instances they may delete software libraries to trigger a call to the helpdesk; this allows them to capture admin-level credentials when the technical support engineer logs in to begin troubleshooting – a technique known as “pass the hash”.
3. Exploit and/or compromise existing vulnerabilities
While work continues trying to capture admin-level credentials, the hackers will also scan for basic security vulnerabilities elsewhere on the network. Network attached resources will be scanned for misconfigurations, particularly where default login details have not been changed – or left blank.
By taking control of additional resources, the hackers consolidate access to the network and increase potential attack vectors as more in-depth techniques come into play.
4. Secure access to corporate servers
With access to endpoints secured, attention shifts to the servers where key services and data are hosted. They will create new admin-level accounts to the domain for instance, helping to reduce the risk of being detected. They will also create new SSH keys and install rootkits to further obfuscate their activities.
Work will then proceed on how best to exfiltrate data without detection. Covert channels like HTTPS proxies and DNS tunnels are perfect for disguising unsanctioned activities because they tend to go unnoticed in the middle of ‘normal’ network traffic. They will also compromise intrusion detection systems through general misconfiguration, or by whitelisting affected hosts to ignore any traffic, thereby deflecting suspicion.
On some occasions hackers have been known to use off-the-shelf applications to speed up the process. Legitimate network support tools like Radmin, Teamviewer and Anydesk offer a quick and dirty way to control servers and exfiltrate data without raising too many red flags with their victim’s network security team.
What do hackers hope to achieve?
With admin-level access to a corporate network, cybercriminals are free to do almost anything they choose. Virtually all hacking activities are carried out for profit, or as part of an espionage program funded by a foreign nation state, or corporate competitor.
Data exfiltration is generally a priority. Once in possession of corporate information hackers can search for sensitive details – like credit card number – or sell the data to a third party. Where exfiltration is not possible, criminals will search through databases and applications looking for banks accounts, stock trading accounts, corporate encryption certificates, or anything else they may be able to sell.
Some cyberattacks are simply part of a larger project. Supply chain attacks allow hackers to propagate vulnerabilities to other parties, compromising secondary networks from the inside and dramatically increasing their potential targets for instance. Other times they may compromise web applications using code injections; in the case of the recent British Airways breach, a code injection attack went undetected for 15 days, allowing hackers to capture customer credit card details direct from the ba.com website.
In other cases, attacks may be designed purely to cause maximum damage or disruption. By deleting or corrupting data, business operations can be severely disrupted at significant cost to the victim.
How to reduce your attack surface
At the center of your cyber defenses is an understanding that this is an ongoing process; security needs to be constantly reviewed, revised and strengthened to reduce the risk of becoming a victim.
The first step is to create a series of cybersecurity policies that detail potential risks, and responses to a suspected breach. As well as defining an access control policy to govern permissions, you will need to include cybersecurity concerns as part of the wider personnel policy, emphasizing everyone has a role to play in keeping the company safe. It's recommended to include security awareness trainings for employees because people are usually the weakest part of cybersecurity chain. Finally, a security incident policy will help to define what happens in the event of a suspected breach, and how the investigation and remediation will be handled.
Second, your business needs to look at how network security will be improved. Enhanced identity management will reduce the risk of falling victim to basic login exploits for instance. You will also need to dramatically tighten resource access, using access control lists (ACL) and privileged user management to prevent compromised credentials being used outside their intended roles.
Change management will also play an incredibly important role in ensuring network resources are properly patched and updated. Maintaining both change control and configuration management registers allow you to quickly trace sanctioned network changes – and those that may have been performed by an unauthorized third party. A similar patch management register will help keep track of systems that have, or have not, been updated.
Even with these safeguards in place there is always a risk of network being breached as long as it is available on Internet. To further reduce potential attack surfaces, best practice principles suggest performing penetration testing at least once per year. In this way you can identify and patch vulnerabilities before they are exploited. You should also carefully check statutory requirements – PCI DSS compliance demands penetration test is carried out at least annually and after significant changes in the environment.
Modern cybercrime is a high stakes game, with the potential to financially and reputationally ruin a business. It is also a highly technical, resource-intensive discipline, which means many organizations lack the resources and knowledge to test and maintain defenses in house.
As experienced security testers, Advantio has the necessary expertise to help better test and secure your network. Complete our scoping questionnaire and we will get back to you with your personalized penetration test quote.