Preventing Sophisticated Attacks: Tips From a Real-World Incident Responder

August 15, 2017

Robin Jackson, principal consultant for CrowdStrike, has had extensive experience investigating some of today’s most prolific threat actors. He has also done security research for a number of organizations and is well-versed in the kinds of digital crimes that can victimize organizations. As a member of CrowdStrike’s professional services team, he works with the Incident Response and Falcon Intelligence™ teams. He recently conducted a webcast titled “Cyber Extortion: Digital Shakedowns and How to Stop Them,” in which he discussed the types of digital crimes that are occurring and what organizations should do if they are attacked, including strategies for preventing attacks.

Jackson begins by describing some of the tools, tactics and procedures (TTPs) used by adversaries he has observed, and discusses the Dark Overlord, a hacker or group of hackers suspected in a wide range of recent attacks, from hospitals and clinics to the high-profile breach of Netflix. Among their tactics is buying credentials to vulnerable RDP servers rather than hacking into them. Jackson said, “We speculated that Dark Overlord was buying lists of vulnerable RDP servers, logging into an exposed RDP server on the internet, and then using the credentials of that user to explore what he can. Ultimately, he likely uses an exploit of a known Windows process to elevate credentials.”

SQL injection is another common technique; it was recently used in a suspected nation-state attack, using ransomware called Erebus, against the South Korean internet provider Nayana. Jackson explained that this attack was likely an exploit through the company’s web server, after which the encrypting software, Erebus, was placed on Nayana’s Linux boxes. The victim ended up paying over one million dollars to its attackers to recover its data.

Jackson also discussed ransomware and explained how some large targeted attacks he has investigated were conducted.
He said that typically, the attacker will locate the organization’s critical servers and encrypt them because it can have the greatest negative impact. “The attacker then deploys Samas, Dharma, Erebus or a similar software on the servers and executes from a command line or a script. He can then generate a TOR hidden service web page and send an email via ProtonMail or some other service asking for a ransom to be paid,” he said.

How Can Organizations Defend Against These Attacks?

Jackson focused much of his discussion on what organizations can do to better protect themselves, offering a series of tips that can help prevent an attack:
  • Establish consistent training — As he explained, “We don't live in an environment anymore where you can just click unsolicited resumes that haven't been vetted and checked.” Despite how often employees are warned not to click on unknown links and attachments, these methods are still working for adversaries. It’s important that organizations ensure employees are consistently vigilant by providing ongoing training.
  • Be aware of personal internet activity — Organizations need awareness of users’ personal internet activities. Jackson explained, “People need to be aware that especially on the internet, they need to be very careful about associating themselves with their companies so they don't become the target of an extortion threat, especially C-level officers, financial officers, system administrators and those in similar roles.”
  • Verify extortion attempts — Jackson also explained that extortion is a grossly underreported crime because the victims are often embarrassed. One form of extortion is to threaten DOS and QOS (denial of service and quality of service) attacks, where perpetrators can threaten enormous disruption. In these instances, Jackson suggests that victims first try to find out whether their attacker is really capable of launching such a massive attack. “In one case we investigated, we discovered that the attacker was only capable of dropping about 16 Gb per second, far less than they were threatening,” he said.
  • Conduct tabletop exercises — Doing real-world exercises before you are faced with a damaging attack makes organizations more capable of preventing one. Jackson explained, “Tabletop exercises can give you an understanding of where you may need to put a Snort (network intrusion detection software) or a device, or where you need to put a SIEM in place so that your logs are being adequately retained.”
  • Perform pen testing — On a regular basis, you need someone looking at your network the way an attacker would: not just running out-of-the-box scripts, but examining specific applications to find vulnerabilities and trying aggressively to get in.
  • Segregate your backups — Organizations need to have backups in place, but those backups can’t sit on the organization’s own systems, because they will get enumerated when the ransomware begins to encrypt. Jackson said, “One of the first things an attacker does is look for your backups, so you need to be rigorous about segregating the network connection between your backups and the organization.”
  • Encrypt your data — Your sensitive data should be encrypted, both at rest and in motion. Jackson also advocates keeping some data off your network entirely. “Some data doesn't belong anywhere that an actor can get to it — companies need to organize their data and be conscious of the fact that anything on a network is accessible with elevated privileges,” he said.
  • Ensure the best instrumentation — Jackson explained that the proper instrumentation allows you to see what is happening in your network beyond just looking for malware. He reiterated that, increasingly, adversaries are using fileless, malware-free attacks that standard anti-malware and AV solutions cannot detect. Solutions such as the CrowdStrike Falcon® platform use new protection mechanisms like machine learning and behavioral analytics, such as indicators of attack (IOAs), to detect and prevent the sophisticated, fileless attacks today's adversaries are using.
  • Create a communications plan — If your organization does get attacked, you need to be ready for the media, including identifying a spokesperson and having a communications plan in place. He explained, “Whether it's extortion or ransomware, the wrong time to find the person to help you is in the middle of an incident.”
  • Contact law enforcement — If you find your data has been successfully exfiltrated, it’s important to contact law enforcement. Jackson explained that even if they aren’t successful in finding the perpetrators in your case, your cooperation with them is going to add to their ability to find and prosecute cyber criminals who threaten all organizations.
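To make the behavioral, indicator-of-attack style of detection in the instrumentation tip concrete, here is an added Python example written for this page; it is not CrowdStrike Falcon code and is not from the webcast. It evaluates two simple IOAs over constructed endpoint telemetry: a remote-interactive logon (Windows logon type 10, the RDP type) from outside an assumed set of internal address ranges, followed within ten minutes by a privilege assignment to the same user on the same host (the buy-RDP-credentials-then-elevate pattern described above); and a single process changing the file extension of many files across several share directories within a minute (the server-encryption behavior described above). The event field names, thresholds, host names, user names, file paths, process image paths and IP addresses are all assumptions made for the example; the 203.0.113.x address is from a documentation range and stands in for an arbitrary external source.

```python
"""Toy indicator-of-attack (IOA) evaluation over constructed endpoint telemetry.

Hypothetical example written for this article; not CrowdStrike Falcon code.
Event shapes are simplified assumptions loosely modelled on Windows Security
log fields (logon type 10 = RemoteInteractive, i.e. RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import ntpath

# Assumed internal ranges: RFC 1918 plus loopback. Anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
ELEVATION_WINDOW = timedelta(minutes=10)   # logon -> privilege assignment
ENCRYPT_WINDOW = timedelta(seconds=60)     # burst window for extension changes
ENCRYPT_MIN_FILES = 20                     # assumed thresholds for the example
ENCRYPT_MIN_DIRS = 3


def _t(ev):
    return datetime.fromisoformat(ev["ts"])


def _is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_external_rdp_then_elevation(events):
    """IOA 1: RDP-style logon from an external address, then a privilege
    assignment to the same user on the same host within ELEVATION_WINDOW."""
    alerts = []
    logons = [e for e in events
              if e["type"] == "logon" and e["logon_type"] == 10 and _is_external(e["src_ip"])]
    for lg in logons:
        for e in events:
            if (e["type"] == "priv_assigned" and e["host"] == lg["host"]
                    and e["user"] == lg["user"]
                    and timedelta(0) <= _t(e) - _t(lg) <= ELEVATION_WINDOW):
                alerts.append({"ioa": "external_rdp_then_elevation", "host": lg["host"],
                               "user": lg["user"], "src_ip": lg["src_ip"],
                               "privilege": e["privilege"]})
                break
    return alerts


def detect_mass_extension_change(events):
    """IOA 2: one process renames many files to a new extension across several
    directories inside ENCRYPT_WINDOW (sliding window over its rename events)."""
    alerts = []
    by_proc = defaultdict(list)
    for e in events:
        if e["type"] == "file_rename":
            if ntpath.splitext(e["old_path"])[1] != ntpath.splitext(e["new_path"])[1]:
                by_proc[(e["host"], e["pid"], e["image"])].append(e)
    for (host, pid, image), evs in by_proc.items():
        evs.sort(key=_t)
        best, start = [], 0
        for end in range(len(evs)):
            while _t(evs[end]) - _t(evs[start]) > ENCRYPT_WINDOW:
                start += 1
            if end + 1 - start > len(best):
                best = evs[start:end + 1]
        dirs = {ntpath.dirname(x["old_path"]) for x in best}
        if len(best) >= ENCRYPT_MIN_FILES and len(dirs) >= ENCRYPT_MIN_DIRS:
            alerts.append({"ioa": "mass_extension_change", "host": host, "pid": pid,
                           "image": image, "files": len(best), "dirs": len(dirs)})
    return alerts


def evaluate(events):
    return detect_external_rdp_then_elevation(events) + detect_mass_extension_change(events)


def build_sample_events():
    """Constructed telemetry for this example (not real data)."""
    events = [
        # External RDP logon, then elevation a couple of minutes later: should alert.
        {"ts": "2017-08-01T02:14:05", "host": "srv-db01", "type": "logon",
         "logon_type": 10, "user": "jdoe", "src_ip": "203.0.113.45"},
        {"ts": "2017-08-01T02:16:40", "host": "srv-db01", "type": "priv_assigned",
         "user": "jdoe", "privilege": "SeDebugPrivilege"},
        # Internal RDP logon plus a backup privilege: routine, should not alert.
        {"ts": "2017-08-01T09:00:00", "host": "srv-file01", "type": "logon",
         "logon_type": 10, "user": "backupadm", "src_ip": "10.0.5.20"},
        {"ts": "2017-08-01T09:01:10", "host": "srv-file01", "type": "priv_assigned",
         "user": "backupadm", "privilege": "SeBackupPrivilege"},
        # A single benign rename by an office application: should not alert.
        {"ts": "2017-08-01T09:05:00", "host": "srv-file01", "type": "file_rename",
         "pid": 880, "image": "C:\\Program Files\\Office\\winword.exe",
         "old_path": "C:\\Shares\\finance\\~draft.tmp",
         "new_path": "C:\\Shares\\finance\\draft.docx"},
    ]
    # One process re-extensioning 25 files across five shares in 25 seconds.
    base = datetime(2017, 8, 1, 2, 20, 0)
    shares = ["finance", "hr", "legal", "engineering", "sales"]
    for i in range(25):
        share = shares[i % len(shares)]
        events.append({"ts": (base + timedelta(seconds=i)).isoformat(), "host": "srv-db01",
                       "type": "file_rename", "pid": 4412,
                       "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\payload.exe",  # placeholder
                       "old_path": f"C:\\Shares\\{share}\\report{i}.xlsx",
                       "new_path": f"C:\\Shares\\{share}\\report{i}.xlsx.locked"})
    return events


if __name__ == "__main__":
    for alert in evaluate(build_sample_events()):
        print(alert)
```

Neither rule looks at a file hash, which is the point of the tip: the first keys on a sequence of otherwise legitimate events, the second on the rate and spread of file changes rather than on any particular binary. The thresholds are deliberately crude; in a real deployment they would be tuned against the baseline of each server class, and the second rule would need an allow-list for backup and archiving processes that legitimately rename files in bulk.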
Watch the webcast: Cyber Extortion: Digital Shakedowns and How to Stop Them