EESI as Pie: Essential Elements of a Successful Intrusion
Published: May 30, 2017
Author: Dan Ryan
I’ve been a leader on the VTRAC Investigative Response Team for several years. In that time we’ve encountered hundreds (if not thousands) of cases involving one or all of the methods and techniques discussed in the scenario below. In our experience, there’s no single approach or technology that prevents a threat actor from a successful attack. Security is a layered approach and requires trained professionals and the right technology to protect an organization.
What are the Essential Elements of a Successful Intrusion?
Step 1: Gain access. An attacker initiates a spam phishing campaign against your organization and is successful in compromising at least one endpoint system with the attack. The attacker gains user-level privileges on the system. This system isn't fully patched, so the attacker is able to exploit a local privilege escalation vulnerability to gain administrator privileges.
With administrative privileges, the attacker dumps the local administrator’s credentials on the system. Using these credentials, the attacker logs in to a file server, which, it turns out, is shared across the environment. Based on the number of files on the server, the attacker knows it has lots of user traffic and, likely, the domain administrator’s credentials are also cached on that server.
Step 2: Steal data. Since the network still supports older authentication schemes, the attacker cracks a domain administrator's password hash in seconds. The attacker then conducts network reconnaissance to identify systems with open Microsoft SQL (Structured Query Language) database ports.
Upon identifying the target database, which happens to contain unencrypted data, the attacker logs in to the system with the domain administrator’s credentials. They then use Microsoft's built-in SQL tools to dump the database to a flat file, compress it, and exfiltrate it to a remote File Transfer Protocol (FTP) server. This attack takes only a few hours … if you're lucky.
Step 3: Expose flaws. And the bad news continues ... you're left with a mess to deal with.
Your employees' user accounts weren't running as local administrators, but their systems were unpatched, leaving them susceptible to a privilege escalation exploit. Your endpoints and servers shared the same local administrator credentials, allowing lateral movement with those local credentials.
You still have old applications, domain controllers and authentication schemes leaving your domain administrator credentials unsecured. You didn’t encrypt the data in the database to help protect it from exposure in the event the server was compromised.
Your network is flat and you didn't segment off those systems most valuable to your firm. Your enterprise-level network threat detection box did alert on some strange network activity, but it was buried in hundreds of alerts for the day; furthermore, your understaffed IT Security Team hasn't even looked at it yet. You have no egress filtering on your database servers, because outbound traffic shouldn't be malicious, right?
How can you keep your organization protected?
A successful intrusion requires an attacker to accomplish a specific set of tasks. While there may not be one "fix all" solution that protects you from all potential attacks, proper security hygiene can be accomplished through a layered approach. For this, you need to consider these questions:
- Do you sensitize your employees to the latest threat actor trends?
- Do you patch your systems and applications regularly?
- Do you utilize compensating controls for older applications?
- Do you ensure user credentials aren't shared between systems?
- Do you have tools in place to identify attacks?
- Do you segment your network? Do you monitor and restrict egress and ingress traffic?
- Do you encrypt your data?
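Two of the flaws in the scenario above, a shared local administrator credential reused for lateral movement (Step 1) and a database server allowed to reach the Internet (Step 3), leave footprints in ordinary logon and flow telemetry. The following Python is an added example, not code from the original post or from Verizon; the simplified record layout, the host names and the RFC 1918 internal ranges are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample telemetry in a simplified, hypothetical record format
# (not real data): Windows network logons and firewall flow records.
LOGONS = [
    # (account, account_domain, logon_type, source_host, target_host)
    ("Administrator", "FS-01", 3, "WS-0042", "FS-01"),
    ("Administrator", "FS-02", 3, "WS-0042", "FS-02"),
    ("Administrator", "SQL-01", 3, "WS-0042", "SQL-01"),
    ("jsmith", "CORP", 3, "WS-0042", "FS-01"),        # domain account, normal use
    ("Administrator", "FS-01", 2, "FS-01", "FS-01"),  # local interactive logon
]
FLOWS = [
    # (source_host, dest_ip, dest_port)
    ("SQL-01", "10.0.5.10", 1433),
    ("SQL-01", "203.0.113.7", 21),      # DB server talking FTP to the outside
    ("WS-0042", "203.0.113.9", 443),
]
DB_HOSTS = {"SQL-01"}
# Assumed internal address space (RFC 1918); adjust to your environment.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def local_admin_lateral_movement(logons, min_targets=3):
    """Flag a local (machine-scoped) account used for network logons (type 3)
    from one source host to several distinct targets: the footprint left when
    one local administrator password is shared across endpoints and servers.
    In Windows 4624 events a local account's domain is the target computer name."""
    targets = defaultdict(set)
    for account, domain, logon_type, src, dst in logons:
        is_local = domain.upper() == dst.upper()
        if logon_type == 3 and is_local and src != dst:
            targets[(account, src)].add(dst)
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}

def db_server_egress(flows, db_hosts):
    """Flag flows from a database server to any address outside the internal
    ranges: a database server has no business reaching the Internet directly."""
    hits = []
    for host, dst_ip, port in flows:
        addr = ipaddress.ip_address(dst_ip)
        if host in db_hosts and not any(addr in net for net in INTERNAL_NETS):
            hits.append((host, dst_ip, port))
    return hits

if __name__ == "__main__":
    print("shared local admin lateral movement:", local_admin_lateral_movement(LOGONS))
    print("database server egress:", db_server_egress(FLOWS, DB_HOSTS))
```

Both checks are cheap enough to run as scheduled queries against a SIEM, which addresses the "buried in hundreds of alerts" problem by producing one high-signal finding per chain instead of one alert per event.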
Want to learn more about data breach mitigation and response?
Get the 2017 Data Breach Investigations Report (DBIR). It’s our foremost publication on security, and one of the industry’s most respected sources of information.
Read the Data Breach Digest for the story of Verizon’s most intriguing cybercrime investigations. Learn about the attacker’s tactics, the victim’s mistakes and the scramble to limit the damage.
Dan is currently a Team Lead for the Verizon Threat Research Advisory Center (VTRAC) | Investigative Response Team. In his time at Verizon, Dan has managed several of the largest data breach investigations to date from leadership, advisory, and technical roles. His years of experience make him an expert in incident response and forensic analysis. He leads a team of seasoned forensic investigators who have a combined several decades of service in the Incident Response and Information Technology industries.