Successful cyber threats are a performance of new tricks with old tools. That’s according to a SANS Institute webinar titled Put Some Power in Your Network Security: Detect, Hunt and Prevent Threats.
The initiation stage of an attack remains largely unchanged, according to the presentation. Most attacks begin with an “email front end” in which bad actors trick users into thinking a message comes from a legitimate source, using a well-researched, and perhaps timely, phishing email.
Once the target clicks, attackers often use older tools to capitalize on the opportunity. For example, Petya and WannaCry used an old, but relatively unknown, version of the SMB protocol to propagate a traditional ransomware attack.
What was new about these attacks was the capability to move laterally without any user action. Removing that barrier to lateral movement increases the risk of collateral damage to parties that were never the intended target.
Network Security: The 3 Ways to Mitigate Modern Cyber Threats
Cybersecurity has become an exercise in risk management. Some percentage of threats “always get through” according to the presentation. Organizations that are finding success have evolved to detect threats by monitoring the internal network.
To that end, this webinar posited three opportunities to stop a modern attack in this way.
1) File carving at the initial download
Security professionals have long used sandboxing to try to identify the initial download. A file that looks suspicious is routed to a “sandbox” machine that examines the file, and may even execute it, to see what happens.
In other words, sandboxing is a technique that drops a file on a machine that looks like a normal operating system and tricks potential malware into thinking it has landed on a real desktop. This process could take 30 seconds or it could take 5 minutes.
This can result in a long queue of files waiting for their turn in the sandbox. The strength of sandboxing is in forensics and post-incident investigation, rather than in mitigating risks as they occur.
Bricata uses a technique called “file carving” that carves malicious files off the network. This means our appliance sits on the network connection and extracts files to examine them in-line as they move across the network. It’s a far better method for taking action to mitigate an emerging threat.
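To make the file-carving idea concrete, here is an added example (not Bricata’s code, and not from the webinar) that takes one reassembled HTTP response as it would be seen on the wire, de-chunks it, carves the body out, and classifies the file by its leading bytes rather than by the Content-Type the server declared. The magic-byte table, the MIME mapping and both sample responses are constructed for this example; the executable-disguised-as-image case shows why the carved bytes, not the label, are what matter.

```python
import hashlib
import re

# Leading-byte signatures for a handful of common file types (constructed subset
# for this example; a production carver would consult a much larger table).
MAGIC = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF document",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"PK\x03\x04": "ZIP archive",
}

# MIME type a well-behaved server would declare for each carved type (assumption).
EXPECTED_MIME = {
    "PE executable": "application/x-msdownload",
    "ELF executable": "application/x-executable",
    "PDF document": "application/pdf",
    "PNG image": "image/png",
    "ZIP archive": "application/zip",
}


def identify(data: bytes) -> str:
    """Classify a carved body by its leading bytes, not by what the server claims."""
    for signature, name in MAGIC.items():
        if data.startswith(signature):
            return name
    return "unknown"


def carve_http_response(stream: bytes) -> dict:
    """Split one reassembled HTTP/1.1 response into headers and body.

    Handles Content-Length framing and chunked transfer encoding; a download
    must be de-chunked before the file it carries can be examined.
    """
    head, _, rest = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")

    if headers.get("transfer-encoding", "").lower() == "chunked":
        body, pos = b"", 0
        while True:
            eol = rest.index(b"\r\n", pos)
            size = int(rest[pos:eol].split(b";")[0].decode(), 16)  # chunk size is hex
            if size == 0:
                break  # terminating zero-length chunk
            start = eol + 2
            body += rest[start:start + size]
            pos = start + size + 2  # skip the CRLF that closes this chunk
    else:
        body = rest[:int(headers.get("content-length", len(rest)))]

    return {"status": lines[0].decode("latin-1"), "headers": headers, "body": body}


def analyse_download(stream: bytes) -> dict:
    """Carve the file out of a response and record what a defender wants to know."""
    response = carve_http_response(stream)
    body = response["body"]
    declared = response["headers"].get("content-type", "").split(";")[0].strip().lower()
    actual = identify(body)
    match = re.search(r'filename="?([^";]+)"?',
                      response["headers"].get("content-disposition", ""))
    return {
        "filename": match.group(1) if match else None,
        "size": len(body),
        "sha256": hashlib.sha256(body).hexdigest(),  # for threat-intel lookups
        "declared": declared,
        "actual": actual,
        # A server that labels an executable as an image is lying about the payload.
        "mismatch": actual != "unknown" and declared != "" and declared != EXPECTED_MIME[actual],
        "executable": actual.endswith("executable"),
    }


# Constructed sample: a chunked response that claims to be a PNG but carries a
# PE header. The 64-byte body arrives as a 16-byte (0x10) and a 48-byte (0x30) chunk.
_FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_MISLABELLED = (
    b"HTTP/1.1 200 OK\r\n"
    + b"Content-Type: image/png\r\n"
    + b'Content-Disposition: attachment; filename="invoice.png"\r\n'
    + b"Transfer-Encoding: chunked\r\n\r\n"
    + b"10\r\n" + _FAKE_PE[:16] + b"\r\n"
    + b"30\r\n" + _FAKE_PE[16:] + b"\r\n"
    + b"0\r\n\r\n"
)

# Constructed sample: an honestly labelled PDF delivered with Content-Length.
SAMPLE_CLEAN = (b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
                b"Content-Length: 9\r\n\r\n%PDF-1.7\n")

if __name__ == "__main__":
    for sample in (SAMPLE_MISLABELLED, SAMPLE_CLEAN):
        print(analyse_download(sample))
```

Running it reports the mislabelled download as a PE executable declared as image/png, with its SHA-256 ready for a reputation lookup, while the PDF passes with no mismatch; the decision is made on the carved bytes as they cross the wire, with no need to detonate anything.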
2) Identify exploit characteristics between router and endpoint
When a vulnerability is announced, it sets off a race between those who would exploit it and those who would patch it. Large organizations have stringent change management procedures to test updates, because rushing a patch can have unintended consequences in a production environment.
Yet patching isn’t the only answer when you can use detection rules, such as Snort rules, to monitor for use of an exploit. Snort rules are written in a signature language that drives deep packet inspection to look for the characteristics of an exploit.
For example, the first Snort rules to detect someone exploiting the Apache Struts vulnerability at the center of the Equifax breach were introduced the day after it was disclosed. Similarly, Snort rules to identify the SMB exploit those worms relied on were available a week before we saw WannaCry and a month before Petya.
Generally, it’s faster to write a Snort rule from new threat intelligence than it is for attackers to build a new malware variant around an exploit. This gives security teams a second opportunity to stop attacks by observing traffic between the router and the endpoint.
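To show what a Snort rule actually does when it inspects a packet, here is an added example (not from the webinar, and not Snort itself) that parses a small subset of the Snort rule language, namely the header plus the msg, sid, content, nocase, offset and depth options, and applies it to constructed packets. The rule, sid 1000001 in the local range, alerts on an SMBv1 negotiate request (the SMB1 header \xffSMB followed by command 0x72) reaching port 445, the kind of legacy-protocol characteristic the section describes; the packets and the rule are constructed for this example, and relative modifiers such as distance and within are not modelled.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Content:
    pattern: bytes
    nocase: bool = False
    offset: int = 0           # where in the payload the search starts
    depth: Optional[int] = None  # how many bytes after offset to search


@dataclass
class Rule:
    action: str
    proto: str
    dst_port: str
    msg: str
    sid: int
    contents: List[Content] = field(default_factory=list)


def parse_content(value: str) -> bytes:
    """Decode a Snort content string: text outside pipes is literal, hex inside."""
    out = b""
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out


def parse_rule(text: str) -> Rule:
    """Parse the rule header and the option subset this toy understands."""
    header, _, options = text.strip().partition("(")
    action, proto, _src, _sport, _direction, _dst, dport = header.split()
    opts, contents, current = {}, [], None
    for option in options.rstrip(")").split(";"):
        option = option.strip()
        if not option:
            continue
        name, _, value = option.partition(":")
        value = value.strip().strip('"')
        if name == "content":
            current = Content(parse_content(value))
            contents.append(current)
        elif name == "nocase" and current:
            current.nocase = True
        elif name == "offset" and current:
            current.offset = int(value)
        elif name == "depth" and current:
            current.depth = int(value)
        else:
            opts[name] = value  # msg, sid, rev, flow, ... kept; not all enforced here
    return Rule(action, proto, dport, opts.get("msg", ""), int(opts.get("sid", 0)), contents)


def content_matches(c: Content, payload: bytes) -> bool:
    window = payload[c.offset:] if c.depth is None else payload[c.offset:c.offset + c.depth]
    needle = c.pattern
    if c.nocase:
        window, needle = window.lower(), needle.lower()
    return needle in window


def rule_matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto != pkt["proto"]:
        return False
    if rule.dst_port != "any" and int(rule.dst_port) != pkt["dport"]:
        return False
    # Every content option must be found (each independently in this toy).
    return all(content_matches(c, pkt["payload"]) for c in rule.contents)


def scan(rules, packets):
    """Return one alert per (rule, packet) pair that matches."""
    alerts = []
    for idx, pkt in enumerate(packets):
        for rule in rules:
            if rule_matches(rule, pkt):
                alerts.append({"sid": rule.sid, "msg": rule.msg, "packet": idx})
    return alerts


# Constructed rule: SMB1 header at byte 4 (after the 4-byte NetBIOS session header),
# command 0x72 = SMB_COM_NEGOTIATE. Legacy SMBv1 negotiation inside a network is
# worth knowing about. sid 1000001 is in the local rule range.
SMB1_RULE = ('alert tcp any any -> $HOME_NET 445 (msg:"EXAMPLE legacy SMBv1 negotiate request"; '
             'flow:to_server,established; content:"|FF|SMB|72|"; offset:4; depth:5; '
             'sid:1000001; rev:1;)')

# Constructed packets: SMBv1 negotiate, SMBv2 negotiate, and an unrelated HTTP request.
PACKETS = [
    {"proto": "tcp", "dport": 445, "payload": b"\x00\x00\x00\x2f" + b"\xffSMB\x72" + b"\x00" * 20},
    {"proto": "tcp", "dport": 445, "payload": b"\x00\x00\x00\x40" + b"\xfeSMB\x40\x00" + b"\x00" * 20},
    {"proto": "tcp", "dport": 80, "payload": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"},
]

if __name__ == "__main__":
    for alert in scan([parse_rule(SMB1_RULE)], PACKETS):
        print(alert)
```

Only the first packet fires the rule: the SMBv2 negotiate differs in its very first header byte, and the HTTP request never reaches the port check. The point of the exercise is that a rule like this can be written and deployed from a protocol description alone, which is why such rules tend to be available well before the malware that abuses the protocol.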
3) Detect lateral movement of malware on the internal network
Ransomware typically makes itself known almost immediately; its purpose is to spread across the network and encrypt data it can hold for ransom.
However, it is harder to mask network behavior such as the lateral movement of ransomware or the exfiltration of data. If a malicious file is spreading over protocols such as SMB or file transfer, that activity will stand out to the right detection tools monitoring traffic moving inside the network.
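As an added example of the kind of internal-traffic monitoring this section describes (not the webinar’s or Bricata’s detection logic), the code below runs a simple lateral-movement detector over constructed connection records loosely modelled on a flow log: it flags any internal host that opens SMB sessions to many distinct internal peers within a short window. The internal address ranges, the SMB ports, the one-minute window and the five-peer threshold are assumptions for the example; the sample log is constructed so that normal fan-in to a file server is not flagged while one workstation’s fan-out is.

```python
import ipaddress
from collections import defaultdict

# Tunables (assumptions for this example): RFC 1918 space counts as internal,
# SMB ports are the lateral-movement channel, and five distinct internal peers
# within one minute is the fan-out threshold.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LATERAL_PORTS = {139, 445}
WINDOW_SECONDS = 60
FANOUT_THRESHOLD = 5


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn_log(text: str):
    """Parse tab-separated records: ts, src, sport, dst, dport, proto (comment lines start with #)."""
    events = []
    for line in text.strip().splitlines():
        if line.startswith("#"):
            continue
        ts, src, _sport, dst, dport, _proto = line.split("\t")
        events.append((float(ts), src, dst, int(dport)))
    return sorted(events)


def detect_smb_fanout(events):
    """Flag internal hosts that reach many distinct internal SMB peers in one window.

    Fan-out from a single client is the shape of lateral movement; fan-in from
    many clients to one file server is normal and is not flagged.
    """
    per_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport in LATERAL_PORTS and src != dst and is_internal(src) and is_internal(dst):
            per_src[src].append((ts, dst))

    alerts = {}
    for src, conns in per_src.items():
        conns.sort()
        left = 0
        for right in range(len(conns)):
            while conns[right][0] - conns[left][0] > WINDOW_SECONDS:
                left += 1  # slide the window so it spans at most WINDOW_SECONDS
            peers = {dst for _, dst in conns[left:right + 1]}
            if len(peers) >= FANOUT_THRESHOLD:
                best = alerts.get(src)
                if best is None or len(peers) > len(best["peers"]):
                    alerts[src] = {"window_start": conns[left][0],
                                   "window_end": conns[right][0],
                                   "peers": sorted(peers)}
    return alerts


# Constructed sample log. Six workstations each open one session to the file
# server 10.0.1.5 (normal fan-in); then 10.0.1.20 walks its neighbours over SMB
# within 18 seconds (fan-out); an external HTTPS flow is present and ignored.
_ROWS = [
    ("1500000000.0", "10.0.1.20", "49152", "10.0.1.5", "445", "tcp"),
    ("1500000001.0", "10.0.1.21", "49153", "10.0.1.5", "445", "tcp"),
    ("1500000002.0", "10.0.1.22", "49154", "10.0.1.5", "445", "tcp"),
    ("1500000003.0", "10.0.1.23", "49155", "10.0.1.5", "445", "tcp"),
    ("1500000004.0", "10.0.1.24", "49156", "10.0.1.5", "445", "tcp"),
    ("1500000005.0", "10.0.1.25", "49157", "10.0.1.5", "445", "tcp"),
    ("1500000010.0", "10.0.1.20", "49160", "10.0.1.21", "445", "tcp"),
    ("1500000012.0", "10.0.1.20", "49161", "10.0.1.22", "445", "tcp"),
    ("1500000014.0", "10.0.1.20", "49162", "10.0.1.23", "445", "tcp"),
    ("1500000016.0", "10.0.1.20", "49163", "10.0.1.24", "445", "tcp"),
    ("1500000018.0", "10.0.1.20", "49164", "10.0.1.25", "445", "tcp"),
    ("1500000020.0", "10.0.1.20", "49165", "203.0.113.10", "443", "tcp"),
]
SAMPLE_LOG = ("#ts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
              + "\n".join("\t".join(row) for row in _ROWS))

if __name__ == "__main__":
    for host, detail in detect_smb_fanout(parse_conn_log(SAMPLE_LOG)).items():
        print(host, detail)
```

The file server, which receives the most SMB connections, is never flagged because it is only ever a destination; the workstation is flagged because it is the origin of sessions to six distinct internal peers inside the window. Tuning the window and threshold to the environment is what separates a useful alert from noise, which is the work the right detection tools are meant to support.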
* * *
The full webinar was co-presented by John Pescatore of SANS and our own Druce MacFarlane and runs just about 60 minutes. A recording is available for viewing on the SANS website. There’s a registration form on the right-hand side that will create a SANS account, which will also provide access to a vast library of webinar recordings.