WIMZKL was recently engaged in a forensic exercise on behalf of a new client who experienced a significant breach that occurred prior to WIMZKL’s involvement. Sadly, this is something seen far too often where an organization commits to better information security practices only AFTER something regrettable occurs. Please, please, PLEASE – learn from the mistakes of others and get your act together TODAY.
Meanwhile, the upside is that these incidents, while stressful and costly across so many contexts, like plane crashes, always lead to better policies, processes, procedures, awareness and outcomes for the future.
The investigation WIMZKL directed is a great example of why being proactive is key. The primary reason is that the number and frequency of memory-only attacks are on the rise. These kinds of stealth attacks use widely available, open source tools that anyone can download, install and learn to use. It doesn’t take a lot of technical experience or know-how to execute these tools in an attack.
Dismantling the traps and backdoors, and revealing evidence of them in a usable way, however, does.
My peers and colleagues are growing tired of hearing me talk about this. In short order, Red Teams (offensive strategy) can use open source tools to stress the multiple layers of defensive tactics deployed by Blue Teams (defensive strategy). You can think you’re really great at defensive strategy and have every Defense in Depth piece in place you can think of. The one big problem I have with this is that you won’t really know whether it works until you get hacked.
In contrast, Red Teams who practice offensive strategies against their own environments will know with certainty, and almost instantly, whether they suck or not.
This philosophy empowers Red Teams to iterate and learn faster. It’s why the bad guys are winning. Using open source tools, they can elevate their privileges on a system, enumerate and gather intelligence and credentials, and move undetected while operating in memory only. This means the scaffolding they put in place can survive even a system reboot.
Because of this simplicity, or sophistication, depending on how you choose to define it, these kinds of breaches are virtually undetectable to the average bear. Why? Because this approach writes nothing to the file system, detecting and tracing it requires special attention, tools and training. Add to this that all associated network activity between a compromised system, or systems, and external command and control servers can easily be encrypted. That means these attacks have little in common with anything the average bear has seen before.
The big lessons:
- Teams that aren’t balancing their defensive practice with offensive fluency, and frequently testing their own defenses, will be no match for attackers who are iterating, evolving and learning exponentially faster.
- Teams that rely solely on network-based evidence, without including memory-based forensics, are sitting ducks and open to being exploited in ways they have only imagined in their worst nightmares.
Want to learn more? Get in touch and elevate your team’s approach to protecting your business, your reputation and the bottom line. WIMZKL wants to be your long-term partner in this success.