To understand the nature of attack vectors, we need to break them down into stages and identify the attacker’s objective at each stage. This sequence of steps in a focused attack is called the kill chain.
Before any attack is mounted, background research is done, utilising both open source intelligence and reconnaissance, including attempts to identify potential weaknesses in the technical, physical and human defences of the target organisation.
Company premises will be located and viewed online to produce a short-list for further examination in person. On-site reconnaissance of selected buildings may then be conducted to plan an in-person incursion as a visitor, staff member or contractor.
The organisation’s registered domains, address ranges and internet hosts will be examined, exposing the type and version of software in use, and locating public-facing systems for potential exploitation, such as Outlook Web Access and SSL VPN portals.
Internet searches will be conducted to harvest email addresses and associated employee information from sites such as LinkedIn. Emails may be sent to elicit responses containing the company’s official style and layout.
This preparatory phase may take days, weeks or months. The time invested will be in proportion to the desired result, but you can be certain that the attacker will take as long as necessary to give them the best chance of success.
Social engineering
Highly-targeted spear phishing, using email addresses discovered in the information gathering phase, will often deliver legitimate credentials which the attacker can then deploy at future stages. Fake domain names and cloned sites will facilitate this password theft with surprising regularity.
This focus on credential theft is supported by the findings of the 2017 SANS Data Protection Survey, which highlights that user credentials and privileged accounts represent the most common data types involved in breaches. The 2017 Verizon Data Breach Investigations Report (VBIR) also attributes 81 per cent of hacking-related breaches to stolen and/or weak passwords.
Telephone phishing (‘Vishing’) can also deliver valuable usernames and passwords when conducted by an experienced social engineer. Impersonation of a technical support engineer, a senior manager or a third-party supplier is relatively easy to achieve with the right background research.
Physical intrusion, where an attacker impersonates an employee, supplier or visitor, frequently provides the opportunity to compromise the corporate network with a drop box, keylogger or other means of stealing credentials and data. With the appropriate level of preparation, gaining access to a building is far easier than many people realise.
Control the endpoint
The next step in the kill chain is to obtain an entry point to the corporate network. Whilst server rooms and data centres are usually well protected, other devices such as desktop PCs, laptops and printers are not. All the attacker requires at this stage is a foothold on the network.
Once again spear phishing can deliver the goods - a link or an attachment that installs a remote-control Trojan (RAT) can provide persistent network access for the attacker. An apparently benign web link can permit a missing patch to be exploited by malicious software hidden on the website, resulting in covert access.
Legitimate access via VPN and remote desktop software can also provide an excellent vector once the user’s credentials are known. Even Citrix remote access can provide an entry point for the assailant if the security configuration isn’t watertight (and often it’s not). If the social engineering phase involved an on-site intrusion, the attacker may have already planted a remote-control device on the network, circumventing the need to hijack a legitimate endpoint device. A device hidden behind a corporate printer, sharing the same network connection, will provide everything needed to move to the next stage.
Explore the network
Once the attacker has both legitimate credentials and access to an endpoint device, network discovery can begin. Every internal network is inevitably vulnerable to exploration and potential exploitation by what appears to be an authorised user or account.
An extended period of gentle probing and investigation will reveal the network architecture complete with routers, switches, servers and workstations. This will be invaluable during the ‘find the data’ phase of the attack. An experienced attacker can also gain lists of users, the groups they belong to, which accounts have privileged access, and the (usually) friendly names of shared resources.
Those usernames and access levels present a target list for privilege escalation through password guessing, or additional social engineering in the ‘take control’ phase. Once a high-privileged account is compromised, the task of searching for valuable and sensitive data is further simplified by knowing the friendly names of interesting shared resources.
Take control
Mapping the network, users, groups and shares will have given the intruder the perspective they need to begin exploitation and potentially gain access to key resources. The nature of corporate network and server administration means that once they have admin privilege they will have unrestricted access to any and all information on the network. They may have been lucky and already obtained admin-level credentials through spear phishing. If not, there are many other ways to get control.
Problems such as inadequate security hardening, faulty access permissions and missing patches are all common on corporate networks. The sheer scale of these networks makes thorough audit and control difficult, and mistakes often go unnoticed as a result. Poor quality passwords are not exclusively the province of ignorant users.
It’s not uncommon for the odd administrator account to have an easily-guessable password or for admin privilege to have been granted to a service that logs on automatically. Identifying those accounts is straightforward and low risk for the attacker.
Missing patches can be exploited to provide a backdoor to a system, giving another route to administrator or root access.
Find the data
Remember that the attacker will have a clear set of objectives and will be experienced enough to know where to look for the information they want. The combination of high-level access and a good quality network map means that semi-automated data discovery is both possible and practical. The prevalence of faulty or weak access permissions makes this process possible even when admin-level access has not been achieved.
Data discovery tools, employing both filename and file content search terms, will reveal the servers, folders and files of interest to the intruder. With administrative privilege in a Windows network, no data is out of reach to a determined attacker. Access permissions can be overridden where necessary and even protected files can be copied for later analysis. Poor quality passwords will provide the attacker with the best chance of gaining access to password-protected files, although sophisticated cracking tools also exist for most file formats.
Steal the data
Finally, extracting or exfiltrating the information will likely be straightforward for an attacker who has got this far. If remote access has already been achieved, using the same channel to move copies of the data to the command-and-control server will be relatively simple.
Other techniques can include embedding the data in another format (steganography) then sending it by email, compromising a legitimate VPN connection, launching a clandestine file transfer service and much more.
Countermeasures
The nature of these sophisticated attack vectors means that organisations must prepare now to deal with severe impacts from cyber threats that cannot always be predicted or prevented. There is no ‘silver bullet’ solution, rather a strategy of cyber resilience is needed to deliver the agility to prevent, detect and respond quickly and effectively, not just to incidents, but also to the consequences of the incidents.
