Do We Have a Chance Against Well-Funded Attack Teams?
Recently I was pondering some of the observations of the recent CrowdStrike Global Threat Report, which is an excellent read, but might lead one to despair at the same time. If a well-funded attack team can solidify their foothold in your network within 20 minutes of gaining initial access, do you have any chance of defending yourself at all? The answer is “yes,” but this answer deserves a deeper dive to explain why.
Most reasonably seasoned hackers have a battery of “escalation” techniques, from credential scraping to software exploits to local privilege escalation, which they will immediately deploy on initial compromise to solidify the foothold. These techniques are usually at least semi-automated and work fast. If not carefully done, breaking out from the initial stepping stone can be a loud and calamitous event. They are designed to compromise additional assets in the network and thereby guarantee a persistent presence. But that does not necessarily mean the attacker has gained access to the crown jewels.
It may take substantially longer before the attacker infiltrates deeper—because it requires a certain level of understanding of the attack target and the value of the assets to which the attacker now has access. Gaining access to half a dozen workstations throughout an enterprise can solidify the hacker’s presence and ensure permanence, but discovering which resources are worthy of theft (or destruction) will likely take weeks or months. During this time the compromised machines will be:
- Running malware—which may get picked up at the endpoint, or from new services that appear in network communications
- Beaconing or engaging in C2 communication—which can be detected on the network and investigated in packet traces
- Performing reconnaissance—scanning behavior can be detected, and uploads of stolen credentials can be caught on the network as well
- Attacking for further lateral movement—the IDS may pick up exploits, and password brute-forcing is a loud and obvious behavior to detect in flow data
- Stealing data and conducting espionage—large movements of data and data exfiltration are visible in both flows and packets
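Three of the flow-level tripwires above (beaconing, brute-forcing, bulk exfiltration) as an added example that is not part of the original post: it runs over constructed flow records with assumed fields (timestamp, source, destination, destination port, bytes sent), an assumed 10.0.0.0/8 internal range, and thresholds picked for illustration rather than taken from any product.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")  # assumed corporate address range

# Constructed flow records: (timestamp_s, src, dst, dst_port, bytes_out)
FLOWS = (
    # beacon: a workstation calls 203.0.113.5:443 every 60 s with a tiny payload
    [(t, "10.0.0.7", "203.0.113.5", 443, 300) for t in range(0, 600, 60)]
    # brute force: the same workstation opens 40 short SMB flows to a file server
    + [(100 + 5 * i + i % 3, "10.0.0.7", "10.0.0.20", 445, 120) for i in range(40)]
    # exfiltration: another host pushes 800 MB to an external address
    + [(400, "10.0.0.9", "198.51.100.8", 443, 800_000_000)]
    # benign browsing: two ordinary flows from a third host
    + [(5, "10.0.0.11", "93.184.216.34", 443, 45_000),
       (310, "10.0.0.11", "93.184.216.34", 443, 52_000)]
)

def by_conversation(flows):  # (src, dst, dst_port) -> [(timestamp, bytes_out)]
    groups = defaultdict(list)
    for t, src, dst, port, nbytes in flows:
        groups[(src, dst, port)].append((t, nbytes))
    return groups

def find_beacons(flows, min_count=5, max_jitter=0.1):
    """Conversations whose inter-arrival times are near-constant (C2 check-ins)."""
    hits = []
    for key, recs in by_conversation(flows).items():
        ts = sorted(t for t, _ in recs)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # coefficient of variation of the gaps; min(gaps) > 0 guards the division
        if len(ts) >= min_count and min(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append(key)
    return hits

def find_bruteforce(flows, min_flows=30, window=300):
    """Conversations with at least min_flows flows inside any span of `window` seconds."""
    hits = []
    for key, recs in by_conversation(flows).items():
        ts = sorted(t for t, _ in recs)
        if any(ts[i + min_flows - 1] - ts[i] <= window for i in range(len(ts) - min_flows + 1)):
            hits.append(key)
    return hits

def find_exfil(flows, min_bytes=500_000_000):
    """Internal hosts whose total bytes sent to external addresses reach min_bytes."""
    totals = defaultdict(int)
    for _, src, dst, _, nbytes in flows:
        if ip_address(dst) not in INTERNAL:
            totals[src] += nbytes
    return sorted(src for src, total in totals.items() if total >= min_bytes)
```

Note that the brute-force flows are deliberately irregular, so the jitter test keeps them out of the beacon list; a regularity check alone would otherwise conflate the two behaviors.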
Defense-in-depth ensures good preparation
Overall, a well-prepared and wary defender stands a really good chance, but only when paying attention. It is also a strong argument for “defense-in-depth.” No single solution provides a complete line of defense, and we should always deploy both defensive and investigative/detection technologies at the network level as well as on the endpoint. No attacker will ever trigger all your tripwires, and casting a wide telemetry net and watching from many angles widens your chances of detecting advanced adversaries. What is more, collecting and storing this telemetry for a good period of time (months or years) allows you to link evidence and truly evaluate the full extent of the compromise.
By its very nature, an espionage operation takes time: time to analyze the compromised assets, time to find where desirable assets are hiding, and time to gain access to those assets. Although an advanced adversary can knock the initial doors down fast, SWAT style, persistence and patience are needed to truly get value from the attack. So in summary: yes, we stand a chance. But only if we take care to listen.