Sentinel SecuritySelect: Breaking the SamSam Attack (Part 2 of 4)
By Robert Keblusek, Sentinel Chief Technology Officer
In Part 1, I wrote about how SamSam is a great example of an attack that spans the cyber kill chain and used the graphic below to help show how. At our Vision 20/20 customer summit this past January we highlighted how your organization can detect and disrupt SamSam and similar attacks using Sentinel’s SecuritySelect™ portfolio of solutions and services.
In Part 2, I will detail the delivery and attack portions of the kill chain. There are plenty of technologies that have a big impact protecting an organization, but equally important is maintaining a strong security policy and awareness program designed to help prevent breaches and to respond to and recover from them when they do occur. You will see screenshots from an actual SIEM and learn how your organization can detect and protect against some of these exploits as attacks continue to become more frequent and more sophisticated.
Fig. 1 - SamSam Attack and Cyber Kill Chain
Delivery & Attack
During delivery and attack, the attacker, unless already an insider, determines the best approach to entering the network. They choose the type of malware or compromise best suited to achieving their objectives and monetizing the attack. In some cases this is a “drive-by” attack: a generic phishing email sent to an unsuspecting (and likely untrained) end user, who unknowingly executed malware by clicking a malware-weaponized link, or who entered login credentials into a well-crafted fake web site that looked exactly like the Office 365 user portal. In other phishing cases a user might receive a very well-crafted, seemingly authentic email from a trusted source that is in fact an already compromised host inside the network, giving the attacker code execution on yet another internal system. Once inside, depending on the attacker's experience and how targeted the attack is, they will make good use of the information gathered in the reconnaissance phase. With over 50% of attacks attributed to organized criminal groups, if you are specifically targeted it is highly likely your attacker is very capable.
You can refer back to the previous post here, where I wrote about the reconnaissance phase from a more technical perspective, including scanning a target for vulnerabilities, enumerating available services, port scans of exposed hosts, and more. It is worth noting that I didn't even mention the sophisticated social research attackers will sometimes do to lend authenticity to phishing emails or malvertising web sites. An experienced attacker, or an advanced automated attack, is likely to find an exposed resource or unaware user to exploit without much difficulty. At this point, perimeter defenses are often rendered useless. Modern attacks, much like the virtual private networking organizations use for their own traffic, carry their activity inside encrypted tunnels that are invisible to any defense that does not inspect encrypted sessions. A good example of this type of attack can be seen in this Anatomy of an Attack video from Cisco.
Unless you have an extremely well-protected organization, with immaculate patching procedures and highly trained, aware users backed by policy, attackers will find a way in. Motivated attackers are nearly impossible to stop. So once they gain access to your environment, is your organization prepared to respond?
The latest Verizon Data Breach Investigations Report notes that 68% of breaches took months or longer to discover. Time to detection is difficult to measure, but it is a critical key performance indicator (KPI) that Sentinel's Security as a Service focuses on improving. Gartner predicts that by 2020, 60% of enterprise information security budgets will be allocated to rapid detection and response approaches, because attackers will get in regardless of how much you invest in protection.
Detection During Delivery & Attack
In the screenshot below, I have provided some examples of the Delivery & Attack intent from a Sentinel-managed SIEM. Some very common items we see are brute force attacks and known bad actors from our worldwide threat feeds. In addition, this example shows an attempted exploitation of a known denial of service vulnerability.
Fig. 2 - Delivery & Attack
Through HIDS (host intrusion detection) agents we see both external and internal attempts to steal or break into accounts in nearly every deployment of our managed SIEM. Brute force attacks have become the norm: we see them from external hosts against exposed IP addresses, but also against internal resources such as end user workstations and even IoT devices. Our dedicated security DevOps team continually tunes our detection logic to identify brute force attacks. For example, using the new Office 365 plug-in or the host-based IDS instances we deploy on domain controllers and critical servers, the team can distinguish a user struggling to recall or type a password (a few failures on one account, usually followed by a success) from an automated attack that hammers the target with failed logins at machine speed or cycles through many accounts. Even if you don't have Sentinel's managed SIEM, it is critical to identify these attacks within your own systems and stop them before credentials are compromised and lead to a full-scale breach.
In many cases we need to have the customer remove the offending internal devices and either clean them or re-image the desktop. IoT devices typically require more specialized approaches to protection. Before this detection was in place, these systems went unnoticed and sometimes succeeded in breaking weak passwords, then moved laterally toward a full cyber breach.
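The distinction drawn above, between a user fumbling a password and an automated attack, comes down to counting failures per source inside a time window and counting how many distinct accounts that source has tried. The following is an added example written for this post, not Sentinel's SIEM logic or the Office 365 plug-in: the log line format, the thresholds, the RFC 1918 check used to tag a source as internal or external, and the sample events are all constructed for illustration.

```python
"""Telling a mistyped password apart from an automated brute force attack.

Added example for the brute force discussion above; this is not Sentinel's
SIEM logic or the Office 365 plug-in. The log line format, the thresholds and
the sample events are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed log format: one authentication event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Assumed tuning values, not anyone's production thresholds.
WINDOW = timedelta(minutes=5)
MAX_FAILS_PER_SOURCE = 10   # failures from one source inside WINDOW
MAX_USERS_PER_SOURCE = 5    # distinct accounts tried from one source (spraying)

# RFC 1918 ranges used to tag a source as internal; everything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(lines):
    """Parse log lines into dicts sorted by time; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "src": m["src"],
                "user": m["user"],
                "ok": m["result"] == "OK",
            })
    return sorted(events, key=lambda e: e["ts"])


def origin(src):
    addr = ipaddress.ip_address(src)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def detect_brute_force(lines):
    """Return one alert per source that trips a threshold inside a sliding window.

    A user who mistypes a password produces a few failures on one account and
    never reaches either threshold, so no alert is raised for them.
    """
    fails_by_src = defaultdict(list)
    for e in parse(lines):
        if not e["ok"]:
            fails_by_src[e["src"]].append(e)

    alerts = {}
    for src, fails in fails_by_src.items():
        start = 0
        for end, e in enumerate(fails):
            # Slide the window start forward until the span fits inside WINDOW.
            while e["ts"] - fails[start]["ts"] > WINDOW:
                start += 1
            span = fails[start:end + 1]
            users = {f["user"] for f in span}
            if len(span) >= MAX_FAILS_PER_SOURCE or len(users) >= MAX_USERS_PER_SOURCE:
                alerts[src] = {
                    "src": src,
                    "origin": origin(src),
                    "failures": len(span),
                    "accounts": sorted(users),
                    "kind": ("password spray" if len(users) >= MAX_USERS_PER_SOURCE
                             else "brute force"),
                }
    return sorted(alerts.values(), key=lambda a: a["src"])


# Constructed sample events covering the three cases discussed in the text.
SAMPLE_LOG = [
    # A user who fat-fingers their password twice, then logs in.
    "2018-04-10T09:00:01Z src=10.0.0.5 user=jdoe result=FAIL",
    "2018-04-10T09:00:09Z src=10.0.0.5 user=jdoe result=FAIL",
    "2018-04-10T09:00:20Z src=10.0.0.5 user=jdoe result=OK",
] + [
    # An internet host hammering one account every ten seconds.
    f"2018-04-10T09:0{m}:{10 * i:02d}Z src=203.0.113.7 user=administrator result=FAIL"
    for m in (1, 2) for i in range(6)
] + [
    # An internal device (say, a camera) trying a different account every second.
    f"2018-04-10T09:03:0{i}Z src=10.0.0.77 user={u} result=FAIL"
    for i, u in enumerate(["admin", "root", "backup", "svc_sql", "guest", "jsmith"])
]

if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

On the sample data the workstation user is never flagged, the internet host is reported as a brute force against one account, and the internal device is reported as a password spray across six accounts. The internal/external tag is what decides the response described in the text: block the external source, but pull and clean the internal one.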
Some of our customers opt to use our Adaptive Threat Response™ to automatically block identified threats in supported firewalls. This lets you respond to known bad activity without manual action, while the SIEM reports on the behaviors and the elements it blocked. Other customers choose to receive the alarm and either investigate it themselves or leave it to our professionals. In either case, tracking and investigating activities such as brute force attacks is critical to your defenses. In some cases the source is a device legitimately trying to log in to a host after a credential change, which still requires attention. In other cases it is a bad actor trying to break into your network to further their attack and eventually establish command and control (C&C). The difficulty of detecting east/west compromise has brought about a number of network flow-based and decoy detection options, available from Sentinel, to help identify an attacker before it is too late. Decoy technology places traps on your network for attackers to trigger unknowingly. Think of them as “motion sensors” on your network: they can be dressed up to look very genuine, and because no legitimate user or process has any reason to touch them, a connection to one yields a high-fidelity anomaly alarm. Sentinel has worked with Attivo Networks to launch a Decoy as a Service offering integrated with our managed SIEM and SOC service. Sentinel and Attivo are very excited about this offering, as tricking attackers into revealing themselves is becoming critical to detecting them, investigating, and potentially even identifying the attacker to authorities.
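The “motion sensor” idea above reduces to a listener that nothing legitimate ever connects to, so every connection is evidence. The following is an added example written for this post; it is not Attivo's or Sentinel's product code. The fake FTP banner, the alert fields, and the `touch` client used to exercise the decoy are assumptions made for illustration.

```python
"""A minimal network decoy: a listener on a port that nothing legitimate should touch.

Added example for the decoy discussion above; it is not Attivo's or Sentinel's
product. The fake banner, the alert fields and the client used to exercise it
are assumed for illustration.
"""
import socket
import threading
import time
from datetime import datetime, timezone

# Assumed banner: dressed up to look like a real service so a scanner or an
# attacker's tooling engages with it instead of moving on.
BANNER = b"220 fileserver01 FTP server ready\r\n"


class Decoy:
    """Accepts connections on a decoy port and records each one as a high-fidelity alert."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))       # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.alerts = []
        self._lock = threading.Lock()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:
                return                      # listening socket was closed
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        # Play along just long enough to capture what the visitor sends first;
        # that first request is useful evidence (tool fingerprint, tried credentials).
        first = b""
        with conn:
            conn.settimeout(2)
            try:
                conn.sendall(BANNER)
                first = conn.recv(256)
            except OSError:
                pass
        alert = {
            "time": datetime.now(timezone.utc).isoformat(),
            "severity": "high",             # nobody should be here, so any hit is suspect
            "reason": "connection to decoy service",
            "src": peer[0],
            "dst_port": self.port,
            "first_bytes": first[:64],
        }
        with self._lock:
            self.alerts.append(alert)

    def wait_for_alerts(self, count, timeout=5.0):
        """Block until at least `count` alerts exist or `timeout` seconds pass."""
        deadline = time.monotonic() + timeout
        while True:
            with self._lock:
                if len(self.alerts) >= count or time.monotonic() >= deadline:
                    return list(self.alerts)
            time.sleep(0.05)

    def close(self):
        self.sock.close()


def touch(port, payload=b"USER anonymous\r\n", host="127.0.0.1"):
    """Stand-in for an attacker's probe: connect, read the banner, send one command."""
    with socket.create_connection((host, port), timeout=2) as s:
        banner = s.recv(256)
        s.sendall(payload)
    return banner


if __name__ == "__main__":
    decoy = Decoy()
    print("decoy listening on port", decoy.port)
    touch(decoy.port)
    for alert in decoy.wait_for_alerts(1):
        print(alert)
    decoy.close()
```

In a real deployment the alert would be forwarded to the SIEM rather than kept in a list, and the decoy would be bound to an unused address on a production subnet with a banner matching the hosts around it. The important property is the one the text describes: because the service is not advertised anywhere, a single connection is already a strong signal and needs no threshold or tuning.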
Another example from the screenshot above, identified by our worldwide threat feed, is a known vulnerability (CVE) that allows a potential denial of service attack on an IIS server. According to the National Vulnerability Database entry for it, the flaw “allows remote attackers to cause a denial of service (use-after-free) or possibly have an unspecified alternative impact via unknown vectors.” Identifying attempts to exploit a known vulnerability is a powerful feature of Sentinel's SECaaS, and it lets you patch the affected hosts before any damage is done. Note that a signature match tells you an attempt was made, not that the target was actually vulnerable; correlate it with your vulnerability scan results to decide what to patch first. Vulnerable hosts with exposed services have been identified as the attack vector in many recent high-profile attacks, such as the City of Atlanta (based on initial reports), and have been confirmed in a number of other recent attacks, especially those targeting healthcare organizations. These can be vulnerable web servers, RDP servers exposed to the internet, IoT devices, or nearly any connected device that might be compromised and allow lateral movement within the network.
The Human Factor
While vulnerable host attacks by SamSam have made headlines lately, the top attacked resource within your organization is your people. A stunning fact is that 96% of social attacks occur through email phishing campaigns. All of us likely see these types of attacks multiple times per week, if not multiple times daily!
Most organizations have some form of email gateway in place to try to prevent these attacks, but some will still get through no matter how strong your defenses are. A lot of customers are moving to hosted email services such as Office 365, and these services typically include email protection. While some of it can be very capable, we often see customers set it up and then fail to maintain it properly. Our own hosted email security, which supports Office 365 and on-premises email services, has proven very valuable in keeping email attacks and malware-weaponized attachments out of organizations. In many cases customers have sent us sample phishing emails for investigation, and we determined that our service would have stopped those emails in their tracks. However, we also see more advanced email attacks that sometimes slip through even our well-managed gateway service. Once identified, we put automated rules in place to protect all users of the service. Even with a managed email gateway backed by an experienced SOC organization like Sentinel, we still recommend additional layers of protection along with strong end user education and mock phishing testing programs. End user awareness is critical to keeping any organization secure. Users shouldn't simply assume they are safe, because they are not. Diligence is a necessary job requirement today.
The screenshot below shows a number of attacks that got past strong endpoint security and email gateway services and made it into the user's inbox, ready for exploitation. With these emails now in the network, users sometimes take the bait.
Fig. 3 - Sentinel Managed Cisco Umbrella Phishing Prevention
In this case you can see Cisco Umbrella's effectiveness at stopping the attacker from getting any further: when the user clicks, the request to the malicious domain is blocked at the DNS/IP layer. This is a great way to disrupt such an attack and prevent a breach from ever happening. Cisco Umbrella also has an endpoint client to ensure corporate assets are protected no matter where your employees go, even when they leave the corporate network.
It is also important to note that the users themselves will benefit from cyber security education to avoid clicking through in the first place. Sentinel’s cyber awareness program includes both computer-based training and mock phishing services to encourage responsible computing. While this is outside the scope of this blog, Sentinel can help develop and deploy a program for your organization to better enable end users to work responsibly and avoid most cybercriminal temptations.
Be Prepared - Test, Test, Test
One of our hottest offerings today is our Advisory Services-delivered security assessments and penetration (PEN) testing. These help organizations understand their risk beyond a simple vulnerability scan: PEN testing digs deeper into your most at-risk systems and measures the effectiveness of your detection services.
During a PEN test, we execute attacks on your identified assets of interest. While assessments have become the norm for any organization interested in advancing its security posture, many organizations are adding our PEN testing as well to get a more in-depth review of their posture and more specific security recommendations that can further harden their systems. For organizations with a SIEM and SOC, we also supply feedback on what was and was not detected during the PEN test. This allows an organization to further improve its detection and response systems, and to exercise the teams responsible for investigating and responding to attack activity.
Fig. 4 - Sentinel PEN Testing Overview
What You Can Do - How It Relates to SamSam
While PEN testing (which I recommend no less than annually) and protection tools are great for preparing for and preventing a breach, improving lateral-movement detection is just as critical. Most organizations have neither the systems nor the people in place to detect attacker activity on their network and respond before it's too late.
The SamSam attacks could have been strongly defended against, or stopped altogether, with proper protection, detection, and response tools in place. Although SamSam hasn't been shown to use email as its entry vector, it was important to point out in these examples that most attacks do use that vector as a point of entry into your environment. Constant monitoring is critical, as is having resources available 24x7x365 to investigate and respond to an attack. Without those things, modern attacks will get through your protection and move laterally across the network undetected for weeks or months. The longer an attacker goes undetected on your network, the more likely their attack will succeed.
According to the 2017 Marsh & McLennan Cyber Risk Report, the worldwide average dwell time is 146 days, with Europe averaging 469 days! Dwell time, the time between compromise and detection, is a critical metric that I would encourage all organizations to work to reduce to single-digit days or even hours. The longer an attacker is on your network, the more opportunity they have to identify vulnerable targets, escalate their access, and monetize their attack, eventually establishing command and control.
Sentinel does many NIST alignment workshops with our customers, and while we often find critical deficiencies in detection and response, there tend to be even more deficiencies in the NIST “identify” area of the framework. Our NIST alignment workshop is a very small investment of time and money and provides some great visibility for your team to get started identifying security strengths and weaknesses.
In Part 3, I will highlight exploitation and installation. At that point of the attack, the attacker has begun to exploit your systems and is progressing toward command and control and ultimately a full-scale breach. If you are interested in learning more about Sentinel's SecuritySelect® portfolio, including Advisory Services, PEN testing, and NIST alignment, please contact us. You can follow Robert Keblusek on Twitter, @RKeblusek.
Sentinel SecuritySelect: Breaking the SamSam Attack (Part 1 of 4)
By Robert Keblusek, Sentinel Chief Technology Officer
In recent months I have presented an example of the cyber kill chain using the SamSam ransomware attack, first identified in 2015. It has seen a resurgence of late, and if you follow the news, the recent cyber-attack that crippled the City of Atlanta was yet another SamSam attack. SamSam can be quite difficult to stop without proper process, patching, and tools. Protecting your organization from SamSam is no different from being prepared for other known and unknown attacks.
In this multi-part blog series I will profile some strong detection and protection solutions for SamSam and similar attacks. You will learn more about Sentinel’s Security as a Service (SECaaS) offerings and how they can help defend against these attacks. I will also break down the attack across the cyber kill chain and recommend areas where detection or protection might intervene to protect your organization and ensure it doesn’t wind up like Atlanta.
A majority of enterprises invest in excellent protection technologies and develop a fairly regular patching cadence. Some use vulnerability scanning software to report on and prioritize their patching needs, but fail to do so frequently enough. Others hire Sentinel's Advisory Services team to perform timely security assessments instead. Sentinel's world-class Managed Services team is also available to handle patching for you. The most advanced organizations engage us to go beyond security assessments and perform penetration (PEN) testing on critical internal and publicly exposed assets. Often, however, organizations lack detailed visibility into their security environment. They may invest in many protection tools, but nobody is constantly watching what those tools are doing and how well they're performing. There is no single perfect security solution, and even if one existed, most organizations don't have enough qualified staff to properly develop, manage, and monitor it.
Environmental Awareness - Who's Watching Your Network?
Being fully aware of your environment is the first step toward keeping it protected. With this information you can cultivate best practices such as regular patching while identifying unauthorized services on your network that introduce additional risk. Security teams can focus on improving system hardening as well as understanding what is happening on your network. Vulnerabilities in items like Adobe or Java software become easier to identify and patch. Threat feeds identify known risky IPs that are “knocking on your door” and alert you to activity.
Sentinel’s Security as a Service (SECaaS)-managed SIEM includes constant vulnerability scanning of your assets and rates each one using the common vulnerability scoring system (CVSS). By putting a full-time vulnerability scanning system with real-time detection service on your network, you gain unprecedented visibility into your environment.
Patching is critical, no matter if you handle it on your own or use Sentinel’s Managed Services to take care of it for you. With constant vulnerability scanning you can have your assets scanned and reports delivered to your team on a regular basis (our service defaults to monthly). Cyber threats are taking advantage of known vulnerabilities faster than ever. Attack windows are shrinking and patching on an annual or even quarterly basis simply isn’t often enough. Sentinel has even created a custom reporting dashboard allowing your team to sift through vulnerabilities within the SIEM to find specific items that might be within their domain of support or to simply identify the most at risk items quickly and easily to continue to harden your defenses.
Vulnerability management, security assessments, and even periodic PEN tests are just a start. Organizations also need constant security monitoring. When combined with vulnerability visibility, constant monitoring lets you bring together log information from your current security investments and add intrusion detection sensors (IDS) at strategic locations within your network.
The graphic below is a real-world example of the constant visibility offered by Sentinel’s SECaaS. In this sample, I have it filtered to show only the first “intent” level within the managed SIEM “environmental awareness.”
IDS sensors review activity on the network as well as log source information to identify risks such as suspicious behavior and service scanning of the network. Risks are rated as low, medium, or high so that IT teams can easily identify and prioritize risk items before taking action.
How it relates to SamSam
Thus far, SamSam attacks seem to be targeted at specific organizations rather than drive-by attacks looking for “low hanging fruit.” Data gets encrypted and held for ransom, and traditional recovery methods such as snapshots or backups are crippled or eliminated, so organizations are forced to pay a significant amount of money to get it back. This is why a strong backup strategy with air gapping plays an essential role in recovery. It is one of the many benefits our customers receive as part of Sentinel's Backup as a Service (BaaS) offering. Contact Sentinel today to learn more about how you can air gap your existing backup or add an air gapped service within our CloudSelect® BaaS offering.
While many attacks depend on unsuspecting users opening a deviously crafted email asking for credentials or loaded with a malicious file, SamSam tends to hunt for vulnerabilities in your network and move laterally. Knowing your vulnerabilities and addressing them in a timely manner is one of the best practices for avoiding becoming the next victim. In past years SamSam took advantage of known web server vulnerabilities. In the case of the City of Atlanta, although not officially disclosed at the time of this blog, it has been reported that publicly accessible RDP servers were involved, as well as servers with known vulnerabilities. Patching might prevent these attacks, but if a bad actor wants to get in they won't stop there.
Reconnaissance and Probing - Who's Knocking on Your Door?
Most customers that I meet have invested in great protection technologies, including next-generation firewalls and strong endpoint protection. However, many take the approach of set it and forget it, which isn’t an effective security strategy.