In our simplified example, the company has a network consisting of multiple segments, with different segments firewalled from each other to prevent unnecessary access to services. The network also contains a security information and event management (SIEM) solution for monitoring the network for potential attacks. The SIEM is used by the security operations center (SOC). In our example, we will show how the attack would proceed if automatic blocking of attacks had not been enabled in the monitoring solution, and no one was responding while the attack took place. In the end we show how the attack could have been prevented.
Cyber Range
The simulated company network is built on the Insta Intruders Cyber Range, an easy tool for building simulated company networks for cyber training. Cyber Range allows an easy single-file configuration of a simulated test environment with segmented networks and Linux/Windows/macOS workstations and servers. Everything is built automatically from OS images distributed by the OS vendors. Machines can be isolated from the internet on a per-machine and per-domain basis. The environment can be fully managed and customized with an easy-to-use command line interface.
Modeling the attack
We have modeled the attack using the MITRE ATT&CK framework. The framework allows us to visualize the different tactics, techniques and procedures (TTPs) used in the different stages of the attack. A MITRE ATT&CK matrix with the TTPs used in this attack is available here.
Reconnaissance
First the attacker performs reconnaissance on the company website, trying to find valuable information to aid in performing the attack. The attacker quickly finds the email address of the sales director of the company.
Initial Access, Execution, Command & Control
After finding the email address of the sales director, a phishing mail is sent to him, containing a malicious Word macro. A macro is a small program embedded in a document that can execute commands on the computer. This malicious macro executes a program that contacts the attacker’s server and then follows all orders sent by the attacker from that point on. Even though the employee had Windows Defender with all protections enabled, the attacker manages to slip through with a cleverly obfuscated payload. However, the advanced endpoint protection solution installed on the machine would have detected the attack, had it been enabled.
Discovery
Once the attacker has access to the employee’s machine, they can start to scan the company network. This is performed through a proxy tunnel that routes the attacker’s network traffic through the compromised user’s workstation. The tunnel’s connection is masked to look like regular HTTP traffic. The network scanning would generate very unusual traffic in the company network, leading to alerts if monitoring was in place.
Lateral Movement
The scanning results in the attacker finding the address of the database server in the company’s network! The actor finds out that the server has an SSH server running, which could be exploited. The actor has developed a backdoor into the popular XZ Utils compression library, which the SSH server, among other programs, depends on. This backdoor allows the actor to compromise the database server and gain administrative privileges on the server.
Persistence, Exfiltration
The attacker installs a backdoor into a program called cron, which always runs when the system is started. The backdoor in cron opens a reverse shell connection to the attacker’s server. Through this connection, the attacker has persistent access to run anything on the database server.
After gaining persistence, the attacker exfiltrates the whole database from the server by uploading it to Azure File Storage. This makes the attack raise less suspicion, as large uploads to Microsoft servers can be fairly common, as opposed to uploads to random never-seen-before servers. Now the attacker has managed to grab all of the important information in the company.
Preventing the attack
If the company had proper monitoring in place, the attack could have been prevented in almost all stages. In a monitored environment, data from multiple sources such as endpoint security, network monitoring, cloud logs etc. is fed into a security information and event management (SIEM) tool, such as Elastic Security. After that, defenders in a Security Operations Center such as Insta's 24/7 SOC can quickly identify malicious behavior and stop it in its tracks.
In our example, even though the attack bypassed Windows Defender, the Elastic endpoint security solution (or EDR) would have detected the execution of the malicious macro in the Word document sent to the user. Execution of the XZ Utils backdoor would have been detected by the detection rules of Elastic Security. By leveraging machine learning capabilities, the anomalous network connections made by the attacker could also have been detected by the tool. A network monitoring tool feeding data into Elastic Security would have detected the port scanning activity in the network. Our experts in cyber security situational awareness can help you implement these security solutions in your company, blocking attacks even from the most advanced threat actors.
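The two network-side detections mentioned for the Discovery and Exfiltration stages (port scanning from a workstation, and a database server pushing an unusually large volume to an external address) can be expressed as simple rules over flow records. The following is an added example, not code from the original post, Insta or Elastic; the internal address range, thresholds and sample traffic are all constructed assumptions.

```python
"""Toy flow-log detections for the attack stages described above.
Added example, not code from the original post, Insta or Elastic.
A flow is a constructed tuple: (epoch_seconds, src_ip, dst_ip, dst_port, bytes_out)."""
from collections import defaultdict

INTERNAL_PREFIX = "10."      # assumed: the company network is 10.0.0.0/8
SCAN_PORTS = 20              # distinct ports on one host inside the window
SCAN_WINDOW_S = 60
UPLOAD_BYTES = 500_000_000   # assumed baseline: 500 MB out of a DB server is abnormal

def constructed_flows():
    """Constructed sample traffic for this example (not a real capture)."""
    flows = []
    for i in range(30):   # compromised workstation sweeps 30 ports on the DB server in ~10 s
        flows.append((1000 + i // 3, "10.1.1.20", "10.2.2.5", 1 + i, 60))
    for i, port in enumerate((80, 443, 445)):   # benign: three services over an hour
        flows.append((2000 + i * 900, "10.1.1.21", "10.2.2.5", port, 2048))
    for i in range(10):   # DB server pushes 600 MB to an external placeholder address
        flows.append((5000 + i, "10.2.2.5", "203.0.113.10", 443, 60_000_000))
    return flows

def detect_port_scans(flows, threshold=SCAN_PORTS, window=SCAN_WINDOW_S):
    """Return (src, dst, port_count) for sources that touch at least
    `threshold` distinct ports on one host within a sliding time window."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_pair[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                alerts.append((src, dst, len(ports)))
                break   # one alert per (src, dst) pair
    return alerts

def detect_bulk_upload(flows, threshold=UPLOAD_BYTES):
    """Return (src, dst, total_bytes) for internal hosts that send at
    least `threshold` bytes to a single external destination."""
    totals = defaultdict(int)
    for _, src, dst, _, nbytes in flows:
        if src.startswith(INTERNAL_PREFIX) and not dst.startswith(INTERNAL_PREFIX):
            totals[(src, dst)] += nbytes
    return [(s, d, b) for (s, d), b in totals.items() if b >= threshold]
```

In a real deployment the per-host byte baseline would come from historical data rather than a fixed constant, and a database server with no business reason to talk to external storage at all would warrant an even stricter rule.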
Would you like to know more?
Come to Cyber Security Nordic (29.-30.10.2024, Messukeskus, Helsinki), where we Insta Intruders will present a full demo of the attack in the Hacker’s Corner. There we will show the full attack from the perspectives of the attacker, defender and the user subject to phishing.
Or contact us:
Cyber situational awareness and cyber defence
The blog post was created as a part of the Insta Intruders cyber security training program.
Toni Tertsonen
The writer works at Insta as a Cyber Security Specialist and is part of Insta Intruders.