Thursday, March 11, 2021

Attackers on the Inside

We perform penetration testing on organizations that often use the latest and greatest tools in security defense, yet our testing sometimes goes unseen. The key to detection and defense? Security layers. If you assume your primary defense does not work, what is its backup? How do you spot activity at each of the well-known phases of an attack if your primary tooling is inadequate? Layers!

Let us focus on the period after initial access, during which threats attempt to expand laterally within your network. Expansion is a goal for both ransomware and individual attackers: both want to make the most of their effort and achieve the greatest possible impact, which often means searching for additional targets.

There are several ways to look for this type of movement, such as reviewing network logs or looking for unexpected connection attempts to different devices. Unfortunately, while academically possible, the reality is that not every organization has these capabilities or resources. Watching lateral movement inside a subnet may be impossible without specific technologies to capture the traffic. Similarly, reviewing unexpected connections may not be possible without access to all logs and platforms on the network. Security teams are often time-crunched and need to focus first on alerts with low false-positive rates.

Another way to detect lateral movement within your network is with honeypot technology. A honeypot is typically deployed in a network segment of interest and set up to look like other targets in that segment. The difference is that the honeypot is not actually a valid network asset, so no legitimate connection should ever be made to it. Therefore, when it generates an alert, security teams can react with high confidence that the activity is not legitimate. CTInfoSec’s Patented NARC® Deception Network Technology detects threats in this manner, including attacks such as ransomware during the expansion phase.
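As an added illustration (not code from the original post, and not CTInfoSec's NARC product), here is a minimal decoy listener in Python that embodies the principle above: it hosts no real service, so every accepted connection becomes a high-confidence alert. The decoy port labels, the alert fields and the simulated probe in `demo()` are assumptions made for the example.

```python
import socket
import threading
from datetime import datetime, timezone

# Hypothetical decoy-port labels so an alert names the fake service that was touched.
DECOY_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 5985: "winrm"}

def build_alert(peer_ip, peer_port, local_port, first_bytes):
    """Turn one accepted connection into a high-confidence alert record."""
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "severity": "high",  # nothing legitimate should ever connect to a decoy
        "src_ip": peer_ip,
        "src_port": peer_port,
        "decoy_port": local_port,
        "decoy_service": DECOY_PORTS.get(local_port, "generic"),
        "bytes_received": len(first_bytes),
        "first_bytes_hex": first_bytes[:16].hex(),  # a little evidence, not a full capture
    }

def run_honeypot(listener, max_events):
    """Accept up to max_events connections on a bound, listening socket; return alerts."""
    alerts = []
    local_port = listener.getsockname()[1]
    while len(alerts) < max_events:
        conn, (peer_ip, peer_port) = listener.accept()
        conn.settimeout(1.0)
        try:
            data = conn.recv(1024)  # a scanner may send a banner; read it once, then drop
        except socket.timeout:
            data = b""
        finally:
            conn.close()
        alerts.append(build_alert(peer_ip, peer_port, local_port, data))
    return alerts

def demo():
    """Bind a decoy on loopback, send one constructed probe to it, return the alerts."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port so the demo runs anywhere
    listener.listen(5)
    port = listener.getsockname()[1]
    result = {}
    worker = threading.Thread(target=lambda: result.update(alerts=run_honeypot(listener, 1)))
    worker.start()
    with socket.create_connection(("127.0.0.1", port)) as probe:  # constructed "scan"
        probe.sendall(b"\x00\x00\x00\x2fSMB")
    worker.join(timeout=5)
    listener.close()
    return result["alerts"]
```

In a real deployment the listener would bind the decoy ports on an otherwise unused address in the segment of interest and forward each alert record to the SIEM or on-call channel.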

The ability to detect lateral movement with a low false-positive rate is a very important defensive layer in any network security program. Attackers do not know up front which devices are real and which are not, which is why a honeypot is so successful at what it does. It sits and listens, and hopefully never reports an alert. When it does, you know it is time to react quickly.