Article Rewritten:
This article aims to provide insight into modern cyber threats and the attack surfaces commonly used by malware or cyber attackers. Cyber attacks often occur in stages, so it is crucial for SOC teams to understand the attack patterns and chain in order to break it and prevent criminals from achieving their goals. By doing so, businesses can minimize the impact of data loss. While this article does not offer a foolproof defense plan or blue-team guide, it does offer information on attack vectors that every SOC team should consider when creating a defense mechanism, especially for organizations that cannot afford a full-fledged SOC. Additionally, it provides a recommended training resource for SOC analysts to further their knowledge on cyber attack intrusion.
It is important to keep three major facts in mind when dealing with cybercriminals. Firstly, cybercriminals often plan ahead of security controls. In order to make it difficult for attackers to gain access, control measures should be implemented in the network. Secondly, legitimate vulnerable applications should not be enabled if they are not in use, as attackers often exploit these applications within the network. Lastly, attackers do not rely on a single piece of code; they incorporate multiple stages, commands, and functionalities to achieve their aims. This concept is known as Cyber Kill Chains.
The defense mechanisms that need to be built will depend on the specific environment. There are three stages to consider when building a defense against cyber attacks. The first stage is the delivery of malware into the organization’s network, the second stage involves defending against the lateral movement and persistence of the malware within the organization’s network, and the final stage deals with preventing data exfiltration or breaches as the attacker completes their activities. These stages can be visualized as a basic attack phase.
In order to defend against the delivery of malware, organizations must rely on firewalls/IPS and email gateways. However, traditional defense systems can often be defeated by cyber attackers who employ multi-stage infection techniques. Two common methods used by attackers are email delivery, such as MalSpam and spear phishing, and Remote Desktop Protocol (RDP) entry points. Organizations should take steps to block unwanted and unauthorized email attachments by restricting certain extensions. Additionally, employees should be trained to recognize and avoid spam emails. For RDP, access should be restricted via firewalls, strong passwords and two-factor authentication (2FA) should be implemented, and only authorized users should be able to log in using RDP.
In the retrieval of payloads from Command & Control (C&C) servers, attackers often exploit legitimate Microsoft Office applications. Organizations can disable or restrict certain features like macros, Object Linking and Embedding (OLE), and Dynamic Data Exchange (DDE) to prevent the abuse of these applications. Attackers also utilize legitimate applications and Windows built-in tools like VBScript, JavaScript, and PowerShell to retrieve payloads. To counter this, organizations can disable or limit the capabilities of these applications. Additionally, blocking certain applications like certutil.exe, mshta.exe, regsvr32.exe, bitsadmin.exe, and curl.exe can prevent outbound requests.
The next stage involves defending against the execution and spread of the malware within the organization. Traditionally, organizations have relied on antivirus (AV) software to prevent malware from running. However, attackers have evolved to bypass or evade AV systems. Endpoint protection software that utilizes machine learning and real-time system activity analysis can be more effective in detecting and blocking malicious behaviors. Application whitelisting is another layer of defense, but it can be challenging to maintain. Attackers can also inject malicious code into approved processes to bypass whitelisting and AV. Monitoring processes and API calls can help prevent injection techniques.
The final stage of defense involves ensuring that data is not exfiltrated or breached after an attacker has completed their activities. Attackers often use legitimate tools and processes on the system to avoid detection. Privilege escalation is a common goal in the post-exploitation stage, and it involves gaining additional rights and access. Attackers can abuse programs that auto-elevate, conduct DLL hijacking, exploit privilege escalation vulnerabilities, and dump credentials. To defend against these techniques, endpoint protection software, UAC settings, network segmentation, two-factor authentication, and other measures can be implemented.
In conclusion, understanding the various stages of a cyber attack and implementing appropriate defense mechanisms at each stage is crucial for organizations to mitigate the risk of cyber threats. By following the recommended steps and considering the specific environment, organizations can build a strong defense and reduce the potential impact of cyber attacks.