Vectra Networks has today announced the results of its latest Post-Intrusion Report, a real-world study about threat behaviour that evade perimeter defences. It has shown that cyber attackers are getting quieter once inside the network, with use of covert attack communications on the rise.
The report analysed data from 120 Vectra customer networks comprised of more than 1.3 million hosts over January to March this year. All organisations showed signs of targeted attacks including internal reconnaissance, lateral movement or data exfiltration.
Of the 120 participating organisations, nearly 98% (117 organisations) detected at least one of these behaviours during each month of the study.
Irrespective of whether an attacker has breached the perimeter defences through a targeted exploit or a broadcast botnet campaign, real financial and reputational losses for the victim organisation begin to occur once the cybercriminals start moving laterally within the network – searching for, and stealing, confidential information and intellectual property.
Once an attacker has a toehold within the network with remote access and control of a compromised host, an obvious objective is to start collecting user and administrative credentials.
In general, it is relatively easy to capture the user IDs and local administrator account passwords – by scraping memory, registry files, scraping email, or through keylogging processes.
These locally captured credentials can be used to escalate local permissions to unlock greater control of the compromised host and, in the case of virtual images and cloned installations of corporate hosts that have neglected to change default administrative passwords, provide the basic tools to access similarly configured hosts across the network.
With sufficient permissions on the toehold system, the attacker can install additional tools that will automate the next phases of attack and open the door to lateral movement and eventual access to targeted hosts, servers, or devices.
A popular first step is to install a network sniffer that passively monitors network traffic and, over a short period of time, constructs a map of systems on the network, shared and broadcast user ID’s and credentials, and helps illuminate key assets for targeted attack.
Armed with a pseudo map of the network, a collection of user IDs, and a handful of passwords, the attacker is in a solid position to begin probing other hosts and servers on the network, and seeking to gain access to them.
An easy way to gain access to a remote networked device is to try using previously captured credentials. If those credentials were incomplete (e.g. missing a decrypted password), then the attacker will often rely upon brute-force techniques to automatically cycle through and try candidate passwords – typically trying all locally captured passwords first, then moving on to a list of ‘popular’ passwords, and finally on to a incremental guessing algorithm.
This automated bruteforce technique tends to be very noisy – creating a lot of suspicious network traffic and generating a lot of failure alerts in authentication logs.
Because brute force techniques are so noisy, more experienced and skilled attackers tend to try other access techniques first – preferably automatable techniques that are difficult to distinguish from normal network traffic and where failures are unlikely to be alerted upon.
Over the last couple of years, new tools have come to the fore for exploiting weaknesses in the Kerberos protocol (a protocol that is used extensively in corporate environments with large Microsoft Windows and Active Directory deployments).
Following a detailed presentation at Blackhat USA 2014 by Alva Duckwall and Benjamin Delpy covering ‘pass the hash’, ‘golden tickets’ and abusing Kerberos in general, a new breed of tool has been added to the hacker arsenal.
> See also: The growing threat of DDoS attacks on DNS
Easy access to these tools and detailed write-ups of the weakness, and a general lack of ability for organisations to defend against this kind of attack, has resulted in more attackers abusing Kerberos frailties to gain access to other networked hosts and to move laterally within the breached network.
Once suitable Kerberos keys have been created and administrative accounts broken, it become an easy and automatable process to compromise other hosts within the victims network.
Such actions correlate with Vectra Networks observations – with Kerberos Client and Automated Replication now accounting for 72% of observed lateral movement within breached networks.
Sourced from Gunter Ollmann, CSO, Vectra Networks