Page 30 - Security Today, February 2018
vides a useful insight into how those seven steps can be carried out. During the pre-attack phase (Steps 1-4), 173 different techniques were identified under 17 attack categories. In the attack phase (Steps 5-7), 10 categories were identified for 169 techniques. While attackers can freely use these techniques, it is virtually impossible to implement countermeasures against all of these steps in a complex environment.
Targeted attacks reach a turning point when the rogue actor tries to break out from the hacked computer, better known as “lateral movement.” Looking back at NotPetya, the ultimate goal of gathering credentials from an infected computer is to enable lateral movement. Privileged account credentials are the keys to the kingdom. If the intruder can steal these passwords, it is very difficult to identify them from that point on, as they will perform seemingly legitimate activities. The Remote Desktop Protocol (RDP) illustrates this well.
FireEye’s Mandiant, which handles the investigation of targeted cyber security incidents, writes the following on its blog: “While performing incident response, Mandiant encounters attackers actively using systems on a compromised network. This activity often includes using interactive console programs via RDP such as the command prompt, PowerShell, and sometimes custom command and control (C2) console tools.”
Usage of RDP is a tactic confirmed by MITRE, and even the most advanced cybercriminal groups such as APT1 or Lazarus have used this protocol many times. In practice, Windows servers usually enable remote connection through RDP as they need to be managed somehow. Those servers can be on premises or in the cloud. Therefore, if the attacker has a privileged account, he has a great chance of accessing the whole Windows infrastructure.
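Because RDP logons by a stolen privileged account look legitimate one at a time, the detectable signal is the pattern: one privileged account opening interactive RDP sessions on several hosts in a short window. The following is an added example, not code from the article or from Balabit; it runs a fan-out check over constructed records modelled on Windows Security event 4624 with logon type 10 (RemoteInteractive, i.e. RDP). The account names, hosts, addresses and field names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_LOGON = 4624          # Windows Security: "An account was successfully logged on"
LOGON_TYPE_RDP = 10         # RemoteInteractive: the session came in over RDP

# Constructed list of privileged accounts (assumption for this example)
PRIVILEGED = {"CORP\\admin.backup", "CORP\\da-ops"}


def ev(ts, account, logon_type, src, host):
    """Build one constructed 4624-style record (field names are assumptions)."""
    return {"event_id": EVENT_LOGON, "ts": ts, "account": account,
            "logon_type": logon_type, "src": src, "host": host}


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    ev("2018-02-01T01:12:03", "CORP\\admin.backup", 10, "10.0.5.14", "FS01"),
    ev("2018-02-01T01:19:40", "CORP\\admin.backup", 10, "10.0.5.14", "FS02"),
    ev("2018-02-01T01:31:08", "CORP\\admin.backup", 10, "10.0.5.14", "DC01"),
    ev("2018-02-01T01:33:00", "CORP\\admin.backup", 3, "10.0.5.14", "DC02"),  # network logon, not RDP
    ev("2018-02-01T09:00:00", "CORP\\da-ops", 10, "10.0.1.2", "JUMP01"),
    ev("2018-02-01T17:00:00", "CORP\\da-ops", 10, "10.0.1.2", "FS03"),
    ev("2018-02-01T10:00:00", "CORP\\j.doe", 10, "10.0.8.9", "WS01"),  # not privileged, ignored
]


def rdp_fanout(events, privileged, threshold=3, window=timedelta(hours=1)):
    """Return {account: sorted hosts} for privileged accounts that opened RDP
    sessions on at least `threshold` distinct hosts within any `window`."""
    by_acct = defaultdict(list)
    for e in events:
        if (e["event_id"] == EVENT_LOGON and e["logon_type"] == LOGON_TYPE_RDP
                and e["account"] in privileged):
            by_acct[e["account"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    alerts = {}
    for acct, logons in by_acct.items():
        logons.sort()                      # chronological, so each window starts at logons[i]
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                alerts[acct] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for acct, hosts in rdp_fanout(SAMPLE_EVENTS, PRIVILEGED).items():
        print(f"ALERT privileged RDP fan-out: {acct} -> {', '.join(hosts)}")
```

The threshold and window are tuning knobs; a jump host that legitimately fans out should be excluded by source address rather than by raising the threshold for everyone.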
Beyond Passwords — Next Generation Defense
So how can RDP connections be secured? While the use of strong passwords to enable Network Level Authentication is often recommended, it cannot solve the issue of stolen credentials, and even password managers can be tricked with an authorized privileged user account. Only multifactor authentication seems to be an effective measure, but this is often unfeasible due to infrastructure restrictions.
Unfortunately, that is just one example of the challenges that need to be addressed, and every one of the multitude of techniques comes with its own set of challenges. As attackers improve their strategies, organizations need to improve their defense tactics and supporting toolkits. There are some new technologies emerging that appear to be very promising and may hopefully restore the balance between attack and defense. According to Gartner’s Hype Cycle for Emerging Technologies 2017, Machine Learning or Software-Defined Security are moving toward mainstream adoption and there are a growing number of cybersecurity solutions coming onto the market that incorporate these technologies.
Csaba Krasznay is the security evangelist at Balabit.