Evolving Threat Landscape

Technology in the cybersecurity industry has advanced rapidly. Over the last several years, security practitioners have gained access to advanced tools, allowing them to detect, deter, and mitigate increasingly advanced threats. However, even with these security advancements, attacks continue to increase in both frequency and destructiveness. One of the reasons for this is that threat actors have shifted their tactics, evolving as we evolve. Attackers are becoming more organized and corporatized, with specific divisions for each aspect of an attack on an organization. Some large ransomware organizations have gone so far as to have a full ‘customer success’ department, designed specifically to chat and interact with the victimized organization and conduct the ransom negotiation.

It’s a personnel issue

Most cybersecurity teams are relatively small and don’t always have access to 24/7 monitoring. It’s common for teams to be operating on limited budgets, which exist as a fraction of the IT budget. Old-fashioned corporate structure notwithstanding, it is extremely difficult to deal with threat actors once they have gained a foothold in your environment. Even having all the best monitoring tools and alerting infrastructure may not help, as some more advanced threat groups and cybercrime organizations can execute a full network compromise in less than an hour. Imagine this occurring to a company with a 5-man security team at 3 AM on a Saturday. It is simply not economically feasible for most organizations to spin up Incident Response operations quickly enough to deal with a highly motivated criminal actor who can put 60 bodies on an attack and has been conducting reconnaissance on the target victim for months.

Initial access issues

The most important phase in the kill chain is the step in which an attacker gains the information necessary to initially access a network. That sounds obvious, but defending against it is much more difficult in practice, as attackers are gaining that information in a variety of ways. Phishing and social engineering are common, but those are not the focus of this blog. Instead, we will talk about another method that can allow threat actors to bypass privilege checks and conventional security tooling. By obtaining access to employee credentials, or by compromising an employee directly, threat actors gain the ability to move laterally through a network and execute a compromise very quickly. One common way that threat groups are doing this is by leveraging credential leaks obtained with common infostealers. Infostealers are generally considered a ‘small attacker’ problem. It is true that most purchasers of the many MaaS (Malware-as-a-Service) offerings are small-timers. The problem comes when these small fish, of which there are many, begin looking at the results of their small drive-by attacks and see that they have compromised business accounts. They can then turn around and sell these business account credentials on dark web marketplaces, where they can easily be purchased by more seasoned actors. Seasoned actors can also use the infostealers to conduct targeted info-gathering attacks against specific organizations. Gaining access to several employee intranet accounts or Microsoft O365 accounts becomes very easy when hundreds of these compromised credentials show up daily on multiple marketplaces.

Initial access intelligence

Understanding infostealers and how credential compromises can affect an organization is important, but proper remediation is difficult. Account deprovisioning must be done in a timely manner. Multi-factor authentication, preferably with an authenticator, also helps. Having a good threat intelligence organization that monitors account leakage and the credential market can also give you a heads up if employee accounts are being exposed. Ultimately, keeping threat actors out of your system is the best way to avoid costly compromises, and understanding how they are obtaining initial access to your environment is a good first step.
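
As an added illustration of acting on that kind of leak monitoring (this example is not part of the original post), the Python sketch below triages a credential-leak feed against an identity directory and ranks the response by account state. The pipe-delimited feed layout, the directory export, and the `example.com` domain are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample data: example.com stands in for the corporate domain.
CORP_DOMAINS = {"example.com"}
DIRECTORY = {  # hypothetical export from the identity provider
    "alice@example.com": {"active": True, "mfa": True},
    "bob@example.com": {"active": True, "mfa": False},
    "carol@example.com": {"active": False, "mfa": False},  # left the company
}
# Constructed feed, one record per line: login URL | username | date seen
LEAK_FEED = """\
https://login.example.com/sso|bob@example.com|2024-05-02
https://intranet.example.com/|Alice@Example.com|2024-05-03
https://vpn.example.com/|carol@example.com|2024-05-03
https://shop.example.net/account|bob@example.com|2024-05-04
https://login.example.com/sso|dave@gmail.com|2024-05-04
malformed line without fields
"""

def is_corporate(url, user):
    """A hit is relevant if the login host or the account belongs to us."""
    host = (urlsplit(url).hostname or "").lower()
    host_hit = any(host == d or host.endswith("." + d) for d in CORP_DOMAINS)
    return host_hit or user.rpartition("@")[2] in CORP_DOMAINS

def triage(feed):
    """Return (priority, user, action) tuples, most urgent first."""
    findings = {}
    for line in feed.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 3:
            continue  # skip records that do not parse
        url, user, _seen = parts
        user = user.lower()
        if not is_corporate(url, user):
            continue
        entry = DIRECTORY.get(user)
        if entry is None:
            result = (2, "unknown account on corporate login: investigate")
        elif not entry["active"]:
            result = (3, "already deprovisioned: confirm sessions and tokens are revoked")
        elif not entry["mfa"]:
            result = (0, "active without MFA: reset password, revoke sessions, enroll MFA")
        else:
            result = (1, "active with MFA: reset password, revoke sessions")
        # keep the most urgent finding per user
        if user not in findings or result < findings[user]:
            findings[user] = result
    return sorted((p, u, a) for u, (p, a) in findings.items())
```

Calling `triage(LEAK_FEED)` puts the active account without MFA first and the already deprovisioned account last. The feed deliberately omits passwords, since triage only needs to know which account was exposed and where.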