
How Does an Advanced Threat Work?

May 01, 2015 | Heroix Staff

In our last post we looked at the Verizon 2014 DBIR's recommendations for security controls from the SANS Institute to protect against advanced threats. Mandiant's threat report, M-Trends 2015: A View From the Front Lines, provides additional context for why these controls are needed through a case study of an advanced threat.

The first step in the attack outlined in Mandiant's study was gaining initial access to a corporate domain, which was done by authenticating with valid credentials through a virtualized application server. Mandiant was not able to determine how the credentials were obtained in this case. While spear phishing and other user exploits are possible methods for harvesting credentials, the attackers may instead have used software vulnerabilities on the system to intercept login credentials. For example, the year-old Heartbleed vulnerability was exploited to gain valid credentials used for attacks on Community Health Systems and the Canada Revenue Agency.

Once the attacker had access, the next step was to use a misconfiguration of the virtual appliance to gain elevated privileges, which allowed for the download of a password dumping utility. That led to the local administrator password, which was the same for all systems and thus gave access to every system in the domain. Mandiant's report then outlines how Metasploit was used to reconnoiter the environment, obtain corporate domain admin credentials, configure additional entry points, and install back doors to communicate with command and control over the internet.

Once the attacker was entrenched in the systems, they moved on to their target in the retail environment. The retail environment was a child domain of the corporate domain, and the hacked domain admin credentials allowed full access. The attacker copied malware to the retail sales registers. That malware harvested POS card data and copied it to a workstation with internet access so that it could be exfiltrated to the attacker's servers via FTP.

Some important points about this attack are:

1. Valid credentials were used.
Patching vulnerable servers and educating users may make it harder, but not impossible, for attackers to obtain valid credentials. Multifactor authentication could have made access more difficult, and monitoring user login locations could have flagged unauthorized access.

2. Server and application configuration is critical.
An application misconfiguration led to local admin privileges, and common local admin accounts made it easy to spread throughout the corporate domain and then to the target retail environment. Using different admin credentials and restricting access to the retail environment would have slowed down and possibly prevented data exfiltration.

3. Network traffic anomalies were not noticed.
FTP traffic was used to download tools and upload data.  The attack used external command and control servers.  Watching traffic over the corporate and retail networks would have picked up recurring patterns in data sent to and received from unknown external addresses.
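
A sketch of the kind of check point 3 describes, added here as an example and not taken from the Mandiant report or any product: it groups flow records by source, destination and service, then flags internal hosts that contact an unapproved external address on a regular schedule. The record layout, the internal range, the allowlist and the sample flows are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Assumptions: internal address space and approved external destinations.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
KNOWN_EXTERNAL = {"198.51.100.10"}

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def find_recurring_external(flows, min_events=4, max_cv=0.2):
    """Flag regular outbound contact with unknown external addresses.
    flows: (epoch_seconds, src, dst, service, bytes_out) from a flow sensor."""
    groups = defaultdict(list)
    for ts, src, dst, service, sent in flows:
        if is_internal(src) and not is_internal(dst) and dst not in KNOWN_EXTERNAL:
            groups[(src, dst, service)].append((ts, sent))
    findings = []
    for (src, dst, service), events in sorted(groups.items()):
        if len(events) < min_events:
            continue
        times = sorted(t for t, _ in events)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0  # low value = regular schedule
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "service": service,
                             "events": len(events), "interval_s": round(avg),
                             "bytes_out": sum(s for _, s in events)})
    return findings

# Constructed sample flows (not data from the report).
SAMPLE_FLOWS = (
    # workstation uploading over FTP about once an hour to an unknown address
    [(1000 + i * 3600 + j, "10.20.0.15", "203.0.113.77", "ftp", 5_000_000)
     for i, j in enumerate([0, 12, -8, 5, 3])]
    # regular traffic to an approved destination: ignored
    + [(2000 + i * 600, "10.20.0.15", "198.51.100.10", "ssl", 40_000) for i in range(6)]
    # irregular traffic to an unknown address: not flagged
    + [(t, "10.30.0.8", "203.0.113.200", "ssl", 2_000) for t in (50, 400, 5000, 5100, 20000)]
    # internal register-to-workstation traffic: ignored
    + [(3000 + i * 300, "10.40.0.2", "10.20.0.15", "smb", 10_000) for i in range(8)]
)

if __name__ == "__main__":
    for finding in find_recurring_external(SAMPLE_FLOWS):
        print(finding)
```

Only the hourly FTP uploads are reported; the regularity threshold and minimum event count would need tuning against real traffic before alerting on them.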

Advanced threats are designed to be persistent and difficult to detect.  Mandiant reported:

[A]ttackers still had a free rein in breached environments far too long before being detected—a median of 205 days in 2014 vs. 229 days in 2013. At the same time, the number of organizations discovering these intrusions on their own remained largely unchanged. Sixty-nine percent learned of the breach from an outside entity such as law enforcement. That’s up from 67 percent in 2013 and 63 percent in 2012.


It is not possible to completely eliminate the possibility of a data breach.  But you can limit the scope of a breach and detect it sooner by using the best practices outlined by SANS.org, and by monitoring your network and server activity with SIEM tools such as Splunk®.