Jason BloombergNovember 3, 2020
Originally published on DZone.
This is a true story. The targeted company wishes to remain anonymous – typical in instances of compromise – so we’ll call it Horizon.
With the help of a team of experts, Horizon was able to stop a determined attacker in its tracks. Here’s how they did it.
Horizon had signed up for the Managed Detection and Response (MDR) service from Open Systems – a fortuitous choice, as this story will show.
Unfortunately, Horizon’s deployment of Open Systems’ SD-WAN technology was not complete at the time of the attack. The company was in the process of rolling out Open Systems Network Detection and Response (NDR) technology, including SD-WAN, firewalls and secure web gateways, but the attacker found an entry point not yet protected by this technology.
The attack vector: a simple phishing attack, using a fake Google Chrome download alert (see the diagram below). The attacker cast a wide net with its social engineering, knowing that a single click on the alert’s install button would give the attacker entry to Horizon’s network.
The Attacker’s Point of Entry (Source: Open Systems)
In this case, the determined threat actor used this social engineering technique to establish a foothold at Horizon. Next, it used evasion techniques to avoid detection, including passing along a .dll file that allowed the hacker to whitelist its activity, thus avoiding any flags from Horizon’s antivirus software.
The attack actually lasted several days, while the attacker identified multiple vulnerable targets, eventually achieving a persistent presence on Horizon’s network. At that point, it installed backdoor programs, giving it a command and control link that it could use to achieve its actions on its target objective.
The first few hours of the attack, however, were critical. The attacker executed a suspicious power shell command on a Horizon server, initiating traffic to a public cloud. Simultaneously, the attacker created five separate local administrator accounts on five different clients.
At that point, the attacker ran Mimikatz, an open-source application that enables hackers to view and save authentication credentials. Mimikatz is a cybersecurity tool that enables organizations to penetration test their Windows servers looking for credential-centric vulnerabilities, but in the wrong hands, it’s also a powerful attack tool.
Using Mimikatz, the attacker discovered the credentials of a backup service account that had been incorrectly configured with domain access privileges. These credentials enabled the hacker to escalate its attack and move laterally within Horizon’s network via a privileged IT administrator account.
Normally, once an attacker has both established a command and control link and compromised an IT admin account, it is able to proceed quickly to actions on its objective (typically the theft of data).
Not in this case. The Open Systems MDR team in conjunction with Microsoft Defender Advanced Threat Protection (ATP) detected the creation of the new local administrator accounts on the five clients within 15 minutes of attack.
However, because Horizon had chosen not to deploy Open Systems’ NDR at that time, the MDR team did not receive an alert about the attacker’s lateral movement within the Horizon network.
Nevertheless, Open Systems’ experts analyzed the pattern of attack events. They advised Horizon’s security team to block traffic to the cloud provider on the firewall and to reset the passwords of the compromised accounts.
The attacker still had some cards to play, however. Next, it accessed a compromised host using a previously installed backdoor that the MDR team had not identified. In response, the MDR team isolated the compromised hosts and instituted continuous identification and reporting of any additional infected systems.
All in all, the attacker had compromised seven user accounts across 13 hosts, establishing four command and control links across four separate domains. It was able to leverage or install no fewer than 18 malware packages and hacking tools and sent three reconnaissance output files back to the attacker’s home base.
And yet, even with all these compromising activities, the attacker failed to achieve its objective. The MDR team, in conjunction with Horizon’s security team and Microsoft Incident response, foiled the attack.
The key to Horizon’s successful mitigation: the Open Systems security analyst promptly understood the initial alert and implemented the first response.
The MDR team then involved the right people at Horizon, consulted them and the Microsoft team for countermeasures, and supported Horizon operations with the implementation of counterattack actions. After the attack, the team helped mop up by collaborating with the Microsoft Incident response forensics team.
The response to an attack like this one must be prompt, thorough, and complete.
The fact that the NDR and other components of the security stack were not yet operational enabled the attacker to move laterally in the network, ultimately logging onto a domain controller that gave it access to a privileged account. No organization can afford such weak links in its cybersecurity chain.
Fortunately, Horizon was able to mitigate this weakness. Leveraging expert engineers from the beginning of the attack proved crucial to preventing damage at Horizon. If the initial attack had passed to level 1 support and then up the organizational chain to an expert, critical time would have been wasted, giving the attacker the time it would have needed to succeed.
In other words, assume the worst, and put the best people on the response.
Coordination was also an essential success factor for Horizon. In this case, Open Systems experts, Horizon personnel, and support from Microsoft’s incident response team were critical in the successful and rapid response to the attack. If these people had become distracted with fingerpointing or the ‘not my problem’ trap, the attacker would have likely succeeded to achieve its objective.
The final, and perhaps most important lesson: while cybersecurity leverages tools, it’s the people that make the difference between success and failure.
Remember, the bad guys have good tools as well. Some of them also employ experts– which means your experts have to be better than theirs and work better as a team.
Copyright © Intellyx LLC. Open Systems is an Intellyx customer and Microsoft is a former Intellyx customer. Intellyx retains final editorial control of this article.