We security professionals are constantly reading over and over: Time is not on our side. In the recent Verizon DBIR 2016 report they illustrate how quickly threat actors go in and out of networks. There are many other similar security data reports that list the possible reasons and detach responsibility which ultimately means “all we can do is our best.”
On the other hand, I feel that “doing our best” is good, but not good enough. We should strive to be excellent. To get there, let’s review some attack patterns and discuss how to disrupt an attacker’s plan.
First, let’s understand how can an attacker spread around an organizational network, given control of a single machine in that network? You’re now thinking about zero-day exploits, but, you should consider that attackers might not want to (or can’t) use zero-day weaknesses.
In my experience, zero-day attacks are tough to find. Good ones (not statistical) that work on a variety of OS versions, allow execution and privilege escalation are tougher to find. They are also usually hard to implement and exploit.
But let’s say the attacker has one. How much should he use it? Every use of the weakness increases the chance of it being captured, discovered and fixed. Given that, a logical move would be to use the 0-day if the risk is low, or if they really had to in order to get initial entry or to remove traces of their access. An example of a low risk usage would be the initial infiltration that plants a backdoor on one of the network’s machines. That is a single act. The code for the exploit vanishes after that one installation. If the backdoor does not contain any traces of the exploit’s code, it is highly unlikely that the weakness will ever be discovered. But, the backdoor will not be able to use the powerfull zero-day for spreading around the network.
An attacker that is well organized, and considers the infiltration operation, might take that approach. This attacker would also be patient. They will take the time to gather intelligence from the single machine under their control, before starting the exploit of actual data theft, cyber terrorism, or whatever. This same patient attacker can use that time to figure out how to gain lateral movement across the entire network. This can be achieved by monitoring logins on the machines. As a matter of fact, it is common knowledge that an attacker can potentially stay on the network for an average of 256 days before being discovered.
When you login to a machine, you will be authenticated with your domain’s domain controller (DC), and it will grant you a ticket that allows you access to other services in the network (file servers, sharepoint, other machines). On Windows, these credentials are wrapped into a token, which every process contains. That token is an abstraction of the credentials used to authenticate the user running the process (you can read more about these tokens here).
Controlling a machine means controlling all of the processes on that machine. You can extract the token from every process (assuming you have system-level privileges), then use that token to create new processes. These new processes will use another user’s credentials, and will have different rights in the active directory.
Patient attackers know that it is not unlikely that a privileged user will sign in. The privileged token can be extracted and used to wreak havoc and access anything on the network. This is especially effective for spreading around the network. If the privileged user happens to be a domain admin, it is an admin on all the machines in the domain - meaning the attacker just gained admin access to all the servers and endpoints in the domain!
But, how likely is a privileged user to sign in to a machine? It depends. This may vary between deployments and IT needs. An attacker might take control of more than a single machine, to increase the odds of getting a hit, but still keep that to a small number so as to not risk discovery of the powerful zero-day. In most networks, it’s hard to even understand who the privileged users are, let alone how likely they are to login to any machine.
How can we address this sort of threat and spoil things for a potential attacker? One way would be to just prevent the attacker from ever getting a foothold in the network. We can regularly update our OS, use endpoint protection software, etc. That is a battle we are likely to lose to the mighty zero-day from the attacker.
Another option would be to keep track of user activity across the network. It doesn’t make sense that an IT professional would install a new Sharepoint server from a machine that is obviously used by Janice from accounting. This approach will narrow down the machines an attacker can use, but requires some effort - tracking user operations, associating machines with users, etc.
A better approach would be to verify that an out of ordinary operation performed by a user, is actually performed by a human. Verifying an actual human being initiated an operation makes it near impossible to automatically reuse credentials. This is a more effective way of spoiling an attacker’s attempts.
When dealing with advanced persistent threats (APTs), weaknesses are not the whole story. Moving from a single infiltration act to a patient, ongoing operation allows attackers to use time to their advantage. It’s up to us to take a new approach so we can be move from doing our best to excellent. User behavior with adaptive response and instant verification moves us in the right direction.
Being able to distinguish between human interactive connections versus impersonators (automated, scripted or programmatic) logins is a simple, yet effective way to disrupt an attacker.