In February 2014 at the RSA Conference, my colleague George Kurtz and I presented a session titled “Hacking Exposed: Day of Destruction.” We walked through a historical timeline of destructive attacks – all the way back to the late 1980s – profiled them and even showed prototypes of significantly more physically destructive attacks that may come in the future. The events of the past month have shown us the huge impact such an attack can have on an organization.
Here’s how it starts: if your organization lets an intruder onto your network without detection, all bets are off. Regardless of the intent – theft of IP, theft of financial information, identity theft, or general destruction of the network or your company’s reputation — it all starts when the intruder gains access. You must be able to detect their reconnaissance activities inside your network, the elevation of privilege, theft of credentials, and ultimate lateral movement. If you can do that, you can stop the destructive attacks, as well as espionage and financial crimes. You can stop the adversary in their tracks.
First, you need to change your stance about cybersecurity. Understand that it doesn’t matter what industry you are in: if your organization is engaged in activities that someone finds offensive, your organization will likely come under attack. You don’t have to be a government agency, financial institution, or defense contractor to come under a sophisticated nation-state attack. If you have valuable IP, expect to find advanced attackers in your networks.
It’s time to stop thinking of this as a malware problem and start focusing on the adversary. Today’s threat actors can be broadly categorized into three different sets:
- Hacktivist/terrorist organizations that are primarily vigilante focused. These organizations have been attacking companies for years. They have perfected the art of doxing, in which they break into companies and government agencies, take confidential information that could be embarrassing to that organization and then release it into the world.
- Criminal Groups that break into large companies, such as Target or Home Depot, with a specific financial motive to steal bank account and credit card information and monetize it by selling it on the black market.
- Nation-states that conduct economic and security espionage, as well as occasional, but relatively rare, destructive attacks against a wide variety of targets, including western companies, government agencies, and nonprofits. China is by far the most active, but we have also been engaged in long-term tracking of North Korea, which primarily focuses on espionage against South Korea, its financial sectors, and U.S. military installations on the Korean peninsula.
Techniques by all three groups have grown in sophistication over the years and attacks have become more targeted and more destructive. Regardless of the type of activity, the first step – always – is getting into the network. Adversaries must get inside the organization and steal administrator credentials (typically Domain Administrator) in order to move laterally and ultimately gain access to data and initiate any effective destruction they had planned. Once they gain administrative privileges, they can access machines across the network, steal and/or delete sensitive files, and turn off security tools as they go.
The point here is the credentials. If your security tooling (assuming the intruder hasn’t already switched it off) is only guarding a perimeter and trying to fend off malware, then you could have an undetected intruder on your network for weeks, months, or years. These types of attacks have happened in the past, but businesses still seem to miss the point that the threat isn’t just destructive malware. The window in which an attacker is doing reconnaissance on your network, stealing credentials, and moving laterally is when you can actually detect the breach and stop it before any theft of IP or actual destruction of your network takes place. In fact, both theft of data and destruction of the network can be accomplished without the use of malware at all, purely by leveraging common and legitimate Windows administrative tools such as WMI or PowerShell scripts.
Frankly, breaches are inevitable, especially if you have a dedicated adversary who has the resources, time, and motivation to spend weeks and months trying to break into your network.
They will ultimately find the one hole they need to break in, which could come in the form of social engineering of one of your users or a vulnerability in your public-facing Internet infrastructure. However, if you have the ability to detect an adversary at an early stage of their operation, you can prevent them from accomplishing their objectives. The defender has the advantage when they have technology that offers full visibility across their hosts, monitors all execution activity, and allows them to detect the types of actions the adversary needs to take to succeed. With the right type of detection software, you can stop them in their tracks early in the attack process and kick them out before they can do any damage.
Unless you have what it takes – technology and people – to actively hunt for the adversary and identify breaches within seconds of them occurring, you will ultimately lose. Malware will change. It may not even be used as part of an attack at all. If all you are looking for is the malware, then you are going to miss the boat and will not be able to stop these types of attacks.
Here are four important steps organizations can take now to protect themselves against the next Sony-like breach:
- Conduct Proactive Assessments. Enterprises should continuously anticipate cyber threats so they can be prepared for when they happen. They need to prepare the network and their people beforehand and determine how to mitigate the threats and prevent damage. They also need to make sure the tip of the spear – the skills and training of their security analysts and incident responders – is sharpened to perfection.
- Use Next-Generation Endpoint Detection and Prevention Technologies That Hunt for Adversaries, as well as Malware. It’s not enough to just find a piece of malware on your network. You must have the ability to detect and stop all of the adversary activities that have taken place. If the adversaries still hold domain administrator credentials, or can maintain malware-free persistent access to your network through a Sticky Keys-like trick, the fact that you discovered the malware part of the operation will be little consolation when you realize that they still have complete ownership of your network.
- Integrate Threat Intelligence Tools. It’s critical that organizations understand the motivations, intent, and capabilities of advanced adversaries. By understanding who is targeting your organization and what specifically they’re after, security teams can better protect intellectual property and customer data. If you suspect a particular action, such as a movie release, may make an enemy out of a specific adversary, it would certainly help to have access to cutting-edge adversary intelligence on that actor to help your teams proactively hunt for their tactics and tools on the network.
- Review and Strengthen Internal Security Controls. It’s important for every enterprise to review its access control and data retention policies and ask the hard question of what impact a breach or doxing of that data would have on the company. It is critical to lock down all domain administrator credentials and remove local administrator privileges from all non-IT personnel. Email and file encryption, as painful as they unfortunately may be to use, are critical for raising the bar and making it much more difficult for an adversary to succeed.
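As an added illustration (not code from the original post), the following Python script applies two defender-side rules of the kind the steps above call for to a constructed set of Windows Security events: a Domain Administrator account fanning out to several hosts via network or RDP logons within a short window, and process creations that invoke WMI or PowerShell against remote machines. The account names, host names, thresholds and event records are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log exports): (timestamp, event_id, host, account, detail).
# 4624 = successful logon, detail is the logon type; 4688 = process creation, detail is the command line.
SAMPLE_EVENTS = [
    ("2014-12-01 09:00:00", 4624, "WS-017", "CORP\\jdoe", "2"),
    ("2014-12-01 09:05:10", 4624, "WS-017", "CORP\\da-admin", "3"),
    ("2014-12-01 09:06:30", 4624, "FS-02", "CORP\\da-admin", "3"),
    ("2014-12-01 09:07:12", 4688, "WS-017", "CORP\\da-admin", "wmic.exe /node:FS-02 process list brief"),
    ("2014-12-01 09:08:45", 4624, "DC-01", "CORP\\da-admin", "10"),
    ("2014-12-01 09:30:00", 4688, "WS-021", "CORP\\jdoe", "notepad.exe report.txt"),
    ("2014-12-01 11:00:00", 4624, "WS-021", "CORP\\da-admin", "3"),
]

PRIVILEGED_ACCOUNTS = {"CORP\\da-admin"}   # assumed: members of Domain Admins
REMOTE_LOGON_TYPES = {"3", "10"}           # Network and RemoteInteractive (RDP) logons
HOST_THRESHOLD, WINDOW = 3, timedelta(minutes=10)
# Command-line markers for WMI / PowerShell aimed at another machine (assumed watch list).
REMOTE_TOOL_MARKERS = ("wmic.exe /node:", "invoke-command", "-computername", "enter-pssession")


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def detect(events):
    """Return alerts for privileged-account fan-out and remote admin tooling."""
    alerts = []
    remote_logons = defaultdict(list)  # account -> [(time, host)]
    for ts, event_id, host, account, detail in sorted(events):
        if event_id == 4624 and account in PRIVILEGED_ACCOUNTS and detail in REMOTE_LOGON_TYPES:
            remote_logons[account].append((parse(ts), host))
        elif event_id == 4688 and any(m in detail.lower() for m in REMOTE_TOOL_MARKERS):
            alerts.append(("remote-admin-tooling", account, host, detail))
    # Fan-out rule: one privileged account reaching HOST_THRESHOLD distinct hosts within WINDOW.
    for account, logons in remote_logons.items():
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= WINDOW}
            if len(hosts) >= HOST_THRESHOLD:
                alerts.append(("lateral-movement", account, tuple(sorted(hosts)), str(start)))
                break  # one alert per account is enough for this illustration
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The unprivileged user’s interactive logon and the later, isolated remote logon by the admin account raise nothing; only the clustered fan-out and the remote WMI invocation are surfaced.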
There is much more to come from CrowdStrike in the coming weeks. Stay tuned to The Adversary Manifesto as we continue to provide guidance on what organizations can do to protect themselves from targeted and destructive attacks.
Always remember – You don’t have a malware problem, You have an adversary problem™.