In our last blog, Five Ways Managed Detection and Response Reduce Security Risks, we explored what it is, what it can do for you and why MDR is vital in today’s cyberwarfare. This blog will look at the anatomy of advanced persistent threats and how MDR can make a difference in proactively uncovering the unknown before it disrupts your organization.
The goal of cyber criminals is to remain undetected so they can gain access to your most sensitive information. They typically sneak in discreetly and stay in your network, eluding any attempt to discover the breach until it is too late. These coordinated attacks can lie dormant for several months without detection until the attacker is ready to move. To stop them, you must be proactive and go beyond preventive measures that only identify and stop known breaches. That means going undercover … seeking out the invisible, unknown and emerging threats, such as advanced persistent threats (APTs), that are lurking in your environment without you knowing it.
The Anatomy of Advanced Persistent Threats
Many APT threats use zero-day vulnerabilities to target victim organizations. The attacks consist of phishing emails sent to targeted groups containing a link that points to malicious websites hosting the zero-day exploit code. They also send out many more messages to a wider set of targets, trying to infect as many endpoints as possible before a patch is made available. The attackers update their email templates and themes every day to keep the campaign “fresh” and evade any spam detection rules put in place to detect the previous messages.
According to Wikipedia and Dark Reading, each step in an APT attack is a carefully planned and researched move by the attackers.
- Target selection – Attackers research and identify individuals they will target in the attacks, using public search or other methods, and get their email addresses or instant messaging handles.
- Initial compromise – Perform social engineering and spear phishing through email, using zero-day viruses. Another popular infection method is planting malware on a website that the victim’s employees are likely to visit.
- Establish foothold – Plant remote administration software in the victim’s network and create network backdoors and tunnels that allow stealthy access to its infrastructure. With external command and control of the PC or server, utility programs are installed on the victim’s network to conduct system administration, including installing backdoors, grabbing passwords, collecting email and listing running processes.
- Escalate privileges – Use exploits and password cracking to acquire administrator privileges over the victim’s computer and possibly expand them to Windows domain administrator accounts. Attackers access an average of 40 systems on the victim’s network using the stolen credentials, such as domain-administrator credentials.
- Internal reconnaissance – Collect information on surrounding infrastructure, trust relationships, Windows domain structure. Command and control communications allow threat actors to have access to servers, which contain valuable information – the company “crown jewels.”
- Move laterally – Expand control to other workstations, servers and infrastructure elements and perform data harvesting on them. Remote control tools enable attackers to access other desktops in the network and perform actions like executing programs, scheduling tasks and managing data collections on other systems.
- Maintain presence – Ensure continued control over access channels and credentials acquired in previous steps. If the attackers find they are being detected or remediated, then they use other methods to ensure they do not lose their presence in the victim’s network, including revamping their malware.
- Complete mission – Exfiltrate stolen data from victim’s network. They typically funnel the stolen data to staging servers, where they encrypt and compress it, and then delete the compressed files from the staging server.
MDR – Integrating Threat Intelligence and Expert Engineers to Speed Response
Managed detection and response (MDR) brings real-time active monitoring and intelligence-based threat detection that help organizations quickly respond to hidden cyber threats. Working alongside an organization’s internal IT staff, MDR provides organizations with a managed Security Operations Center (SOC) where seasoned security experts deliver 24/7 advanced detection, response and, in some cases, threat hunting expertise. Organizations leverage MDR so they can monitor the security integrity of their cloud, on-premises and hybrid IT environments, including endpoints and cloud applications.
The fully managed solution speeds detection and response using several core functions:
- Security Information and Event Management (SIEM) – Correlate and analyze security data across networks with log management and event correlation.
- Vulnerability Scans – Identify vulnerabilities within active networks and assets to avoid compromise.
- Intrusion Detection – Detect malicious traffic with network IDS, host IDS and file integrity monitoring.
- Behavioral Monitoring – Identify suspicious behavior and compromised systems with netflow analysis and availability monitoring.
- Asset Discovery – Know who and what is connected to your environment at all times.
- Compliance Management – Simplify compliance regulations with real-time reporting and continuous management.
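To make the "event correlation" and "behavioral monitoring" functions above concrete, here is an added example (not code from the original post or from any MDR vendor) of two toy SIEM-style correlation rules written against the APT lifecycle described earlier: one flags the "move laterally" stage, where a single stolen credential is used to log on to many hosts in a short window, and the other flags the "complete mission" stage, where a large archive is created on a host and then a large transfer leaves that host for an external address. The log line format, the field names, the internal address ranges, the thresholds and the sample log lines are all constructed for this example and are not a real product's schema.

```python
"""Toy SIEM-style correlation over constructed log lines (example, not a product)."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal ranges; anything outside these counts as "external".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def parse_line(line):
    """Parse '<timestamp> <kind> key=value ...' into a dict (constructed format)."""
    parts = line.split()
    event = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"), "kind": parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def detect_lateral_movement(events, min_hosts=5, window=timedelta(minutes=15)):
    """Flag an account with successful logons to >= min_hosts distinct hosts inside `window`.

    Thresholds are assumptions; the post cites attackers touching ~40 systems with stolen
    domain-admin credentials, so a much lower bar is used here to catch the early phase.
    """
    logons = defaultdict(list)
    for e in events:
        if e["kind"] == "auth" and e.get("result") == "success":
            logons[e["user"]].append((e["ts"], e["dst"]))
    alerts = []
    for user, entries in logons.items():
        entries.sort()
        for i, (start, _) in enumerate(entries):
            hosts = {dst for ts, dst in entries[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "lateral_movement", "user": user, "hosts": sorted(hosts)})
                break  # one alert per account is enough for the analyst
    return alerts


def detect_staging_and_exfil(events, min_bytes=50_000_000, window=timedelta(hours=1)):
    """Flag a host that writes a large archive and then sends >= min_bytes to an external address."""
    archives = [e for e in events
                if e["kind"] == "file" and e.get("action") == "create"
                and e["path"].endswith((".zip", ".rar", ".7z")) and int(e["size"]) >= min_bytes]
    alerts = []
    for a in archives:
        for f in events:
            if f["kind"] != "netflow" or f["host"] != a["host"]:
                continue
            external = not any(ip_address(f["dst_ip"]) in net for net in INTERNAL_NETS)
            in_window = timedelta(0) <= f["ts"] - a["ts"] <= window
            if external and in_window and int(f["bytes_out"]) >= min_bytes:
                alerts.append({"rule": "staging_exfil", "host": a["host"],
                               "archive": a["path"], "dst_ip": f["dst_ip"]})
    return alerts


# Constructed sample telemetry: one service account fanning out across five servers,
# a normal user touching two, then a large archive on SRV-03 followed by an external upload.
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z auth user=svc_backup src=WS-17 dst=SRV-01 result=success",
    "2024-05-01T10:02:00Z auth user=svc_backup src=WS-17 dst=SRV-02 result=success",
    "2024-05-01T10:03:00Z auth user=jdoe src=WS-04 dst=SRV-01 result=success",
    "2024-05-01T10:04:00Z auth user=svc_backup src=WS-17 dst=SRV-03 result=success",
    "2024-05-01T10:06:00Z auth user=svc_backup src=WS-17 dst=SRV-06 result=failure",
    "2024-05-01T10:07:00Z auth user=svc_backup src=WS-17 dst=SRV-04 result=success",
    "2024-05-01T10:09:00Z auth user=jdoe src=WS-04 dst=SRV-02 result=success",
    "2024-05-01T10:10:00Z auth user=svc_backup src=WS-17 dst=SRV-05 result=success",
    "2024-05-01T10:40:00Z file host=SRV-03 action=create path=/var/tmp/q1.zip size=120000000",
    "2024-05-01T10:45:00Z netflow host=SRV-03 dst_ip=10.0.0.9 bytes_out=130000000",
    "2024-05-01T10:52:00Z netflow host=SRV-03 dst_ip=203.0.113.5 bytes_out=130000000",
    "2024-05-01T10:55:00Z netflow host=WS-17 dst_ip=203.0.113.5 bytes_out=4096",
]


def run(lines=SAMPLE_LOGS):
    """Parse the lines and return the alerts raised by both rules."""
    events = [parse_line(line) for line in lines]
    return detect_lateral_movement(events) + detect_staging_and_exfil(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Run on the constructed sample, the first rule raises one alert for `svc_backup` (five distinct servers in ten minutes; the failed logon and `jdoe`'s two logons do not count), and the second raises one for `SRV-03` (the internal copy to `10.0.0.9` is ignored, the transfer to `203.0.113.5` twelve minutes after the archive is not). Neither event on its own looks alarming, which is the point of correlating across log sources rather than alerting on each in isolation.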
Conclusion
Cyber criminals today are eluding traditional security controls. Managed detection and response gives you the upper hand in protecting your data and assets by combining advanced analytics, threat intelligence and a team of security experts so you can stay ahead of both known and unknown threats.