Disrupting an Attacker from Exploiting Domain Credentials

Posted by Avi Kama on May 28, 2019 8:28:00 AM

Security professionals often feel they don’t have enough time to keep up with modern threats. In fact, Crowdstrike researchers have found that top threat actors can go in and out of networks in a matter of minutes. Despite other similar security research reports listing all the ways threat actors can breach a network, they rarely offer a viable solution to combat these risks and often just resign us all to a “we can only do our best” mentality.

I disagree. While I feel that “doing our best” is sufficient for an elementary school project, it’s not the right mentality for an enterprise security team. We as security professionals should strive to be excellent. In order to get there, let’s review some common attack patterns and discuss the best ways to disrupt an attacker’s plan.

Read More

Topics: User Behavior, APT, Credential Compromise

Conditional Access Establishes Trust In the Network

Posted by Heather Howland on Mar 15, 2019 9:46:16 AM

Stolen or compromised credentials pose well-known risks to organizations and their employees. And as hackers and other malicious actors become more advanced and sophisticated in their techniques, the global threat is increasing. At a recent IT security conference, I spoke with a customer about an alert (TA18-276A) that the United States National Cybersecurity and Communications Integration Center (NCCIC) released late last year. The alert, titled “Using Rigorous Credential Control to Mitigate Trusted Network Exploitation,” outlines recommendations on how to overcome these challenges. In this blog, I’ll discuss how Conditional Access and detection of malicious use of tools and protocols can address the NCCIC’s recommendations.  

The alert provides information on how Advanced Persistent Threat (APT) actors are using multiple mechanisms to acquire legitimate user credentials. Once acquired, attackers can use the credentials to exploit trusted network relationships, in order to expand unauthorized access, maintain persistence, and exfiltrate data from targeted organizations. Some of the suggested NCCIC best practices for administrators to mitigate these threats include rigorous credential controls and privileged-access management, as well as remote-access control and audits of legitimate remote-access logs.

Read More

Topics: User Behavior, Risk, Multi-factor Authentication, Privileged Accounts, APT, User and Entity Behavior Analytics, Credential Compromise, Compliance

Real-time vs After the Fact: Pitfalls of Log-based Behavioral Threat Detection

Posted by Yaron Zinar on Apr 13, 2017 7:52:35 AM

It was recently published that Shadow Brokers, the group behind the Equation Group leak, are selling a new set of tools that have the ability to tamper with Windows event logs. What stood out to me is the inefficiency of security solutions that rely solely on logs for detecting threats. Implementing a security analytics or a UEBA product that relies on logs for detection of advanced cyber threats has advantages, but it is also risky.

Read More

Topics: APT, User and Entity Behavior Analytics, Threat Detection

How the CIA Twists the APT Kill Chain to Avoid Detection

Posted by Avi Kama on Apr 4, 2017 8:01:00 AM

A couple weeks ago, in my blog on Improving Hacking Techniques Used by the CIA, I talked about how DLL hijacking could be done easier.  In further looking at the CIA documents, I found an interesting twist that the CIA is taking on the APT kill chain. The APT kill chain is a well accepted description of the way APTs are operated. The chain contains 7 stages (as described on wikipedia): 

Read More

Topics: APT, Preempt Research Team, CIA