Attackers must overcome a lot of challenges before their efforts can be considered successful. Of course, this involves some understanding of the objectives of the perpetrators. For example, if the objective is to render a given website or internet-connected access point unavailable, the attacker does not have to figure out how to access, collect and extract data from the target. Rather, the attacker needs to know only how to either block access to the site or cause it to fail. For example, if a site’s manager has not taken simple (but vital) steps to prevent unauthorized changes to the internet registration of a domain (e.g., sampledomain.com), an attacker can initiate a transaction that could associate that domain name with an internet protocol address controlled by the attacker. When someone enters the domain name, they end up somewhere else. Once the objective of the attack is known, the elements of information needed to understand the attack become evident.
While attacks against cyber infrastructures have been going on for more than 50 years in various forms, there are many published standard ways of defining how incidents occur. Some, we have found, oversimplify an attack and do not result in the depth of understanding needed to understand why an attack was successful, what worked (and did not work) for the attackers, and what you need to know to effectively strengthen your cyber defense measures. In developing this chapter, we decided to use the MITRE ATT&CK™ model, which is the result of contributions from many experienced practitioners as a way of describing attacker behaviors in a consistent way.
The ATT&CK model suggests that to fully understand an incident, an organization should try to understand the following characteristics of attacker behavior. Our experience indicates that it is unlikely that all these characteristics will be known, particularly at the initial stage of an incident response and investigation, but it is a very useful model for reminding the investigators of the diverse avenues they need to pursue.
How was the attack initiated? Did it involve removable media? Was it a ‘drive-by’ (a visit to a website that automatically downloads malware)? The result of a phishing email? Social engineering? Additionally, attackers may carry out pre-attack activities such as surveillance (i.e., determining what tools are in use within a network and testing to determine whether common exploitable vulnerabilities exist). Recognizing these indicators of an attack that is in the planning stage can help an organization to prevent it, or at least to mitigate the damage. Note that pre-attack activities can be either focused on a specific target or carried out by automated systems to create a list of vulnerable sites to be exploited in the future. This element of the incident includes what some other models refer to as ‘reconnaissance activities’. To the extent that a network can detect these types of activities, that can be an early indicator of a potential attack on the network, and can provide the information needed to prevent or mitigate a successful attack and exfiltration of data.
What was the technology used to initiate the compromise? Was it a compiled HTML file? Did it use a dynamic data exchange? Was PowerShell used?3
In previous decades, the attack model was to get in, steal data, cover your tracks and get out quickly. Today, the model has morphed to one in which the attacker aims to establish a long-term stealthy presence in the target network. This characteristic describes the means used to support persistence of an attack.
Once an attacker enters a system, they may well need to gain additional capabilities to do things like getting to valuable data, moving to other parts of the system, establishing persistence or being able to remove data from a network. How they go about doing this is described in this characteristic.
Once in a system, attackers do not want to be noticed, caught or prevented from carrying out their plans. They understand not only that their targets will put defenses in place to prevent them from being successful, but what those defenses are likely to be. There are many ways in which an attacker can bypass or otherwise evade these defensive measures; understanding how they carried out the evasion is an important part of understanding the attack as a whole.
How did the attacker get the credentials used in an attack? Did they find the information in an insufficiently protected file? Was a known vulnerability used to gain access to a valid credential? Was the attacker able to cause the creation of a credential that was not supposed to exist?
How did the target discover the attack? For example, did they notice a strange device on their network? An unusual file? An anomalous movement of data out of the system? Unfortunately, the discovery process may not start until the victim organization is notified of the attack by a third party (e.g., by law enforcement agencies or a payment card issuer).
Once an attacker has gained access to a network, how do they navigate from one part of that network to another part of the network, or to a connected network? As an example, in the well-known 2013 attack against the retailer Target, the cybercriminals first entered the system through a vendor responsible for store heating and cooling systems; they were then able to move laterally through the network to gain access to the payment card information of tens of millions of customers. Moving from the environmental systems part of the network to the payment card portion of the network represents lateral movement.
What techniques were used by the attackers to collect the data that they intended to move out of the system? Were they able to access shared drives? Did they use screen captures? Did they access information stored on a remote system (i.e., cloud storage)? Understanding this is key to developing more effective defensive measures.
How did the criminals get the data from your network to the site or email address that they control? Did your data leakage control system fail (if you have one)? Were there unprotected endpoints? In one case, we discovered that an organization that believed it had 14 points of connection to the global internet actually had more than 70!
Command and Control
There are a number of ways in which an attacker can monitor and direct an attack against an organization. As with other categories, understanding how they achieved command and control helps with strengthening defenses.
In looking at this list, you may notice that there was no specific element focused on the identity of the perpetrator of the incident. There are several reasons for that. First, once it is determined, for example, that the attack was designed to steal credit card information and that the stolen information was transmitted to a site in Asia, there may be little or no value in spending time and money in what may well be a fruitless search for the identity of those responsible. The chance of actually catching them and bringing them to justice is low, and an insurer or managers may not want to incur that expense. Second, there are many ways in which a perpetrator can obfuscate its connection to your data. You may believe you know who the perpetrator is, but that may not be sufficient to support a prosecution or to result in an international extradition.
3.PowerShell is an automation engine and scripting language with an interactive command-line shell that Microsoft developed to help IT professionals configure systems and automate administrative tasks.
An extract from the first edition of The Guide to Cyber Investigations. The whole publication is available at Global Investigations Review.