Reverse Deception: Organized Cyber Threat Counter-Exploitation (113 page)

Y
ou’ve invested your valuable time reading this book, and we’ve covered a lot of topics related to cyber threats. In this chapter, we will tie all of it together and help you figure out what you can do with this information. From understanding the issues that could compromise your crown jewels and being aware of the legal ramifications of taking action or not taking action, you know you need to do something, but what?

So far, we have provided some examples and situations to assist you in your daily activities. You may have been deceived. You may have been hacked. You may have already increased your network security to no avail. Your legal advisors may not be up to speed on the laws governing this domain. At this point, you’ve had about enough. But before you run off and do something hasty, take some time to read this chapter. It provides some information to help you with your troubles.

The goal of this chapter is to provide a quick reference if you need help when you encounter someone who has gained unauthorized access to your network. You may recognize some of the material from other chapters, but we will also address some other issues. So sit back, breath, relax, and let’s talk about protecting yourself in the face of known and unknown adversaries.

Determining Threat Severity

How severe is the threat? This has become the age-old question of the information security and incident response era. The answer is not always clear. If you are a new or small business, you probably do not have the technical expertise on staff to help you determine which events qualify as incidents, warranting increased attention. If you are a larger company, you may have standard operating procedures that help you determine when to mobilize and call your technical personnel into action; but as with all things in the digital realm, not everything fits nicely inside a package for each situation.

Let’s be clear about one thing: you can’t predict or protect everything. You may spend a tremendous amount of time and effort to put every measure in place to protect your network, but one misstep by an average nonprivileged user could wholly compromise all that you have done. However, in the conduct of your daily monitoring, you will need to distinguish when to expend your resources to investigate suspicious activity and when you can chalk it up to a minor threat that can be remedied with minimal intervention. That depends on your ability to determine the severity of the threat you have just identified, which will help you take a logical step to deal with the problem at hand. Stuff happens, and it will happen again. A threat to your network, and possibly your livelihood, has reared its ugly head. Whether the threat is already in or you have information that it is coming, how you react must depend on the true threat it poses. Let’s take a look at a couple of scenarios.

Application Vulnerability Scenario

You take seriously the responsibility you have to maintain a secure environment in which the employees can perform their daily tasks. You notice a recently published security advisory highlighting a newly identified vulnerability in one of the applications your company uses often. What is your next step? If you feel that you need to meet this challenge by first thinking critically about the threat, you are correct. Before mobilizing your limited resources, you need to determine just how much of a threat this poses to you and your company. Okay, it’s a new vulnerability—it stinks, but it happens. Here’s the first question you should ask: Is this something you need to worry about?

You do a little more reading and discover that this vulnerability was fixed with the last patch issued three months ago. If you routinely apply operating system and application patches soon after they are released, then you can probably rest easy, realizing that the threat severity to your network just decreased dramatically. If you never applied that patch, then you may want to push it out to your machines, while analyzing and monitoring those same machines to ensure they were not compromised because of the vulnerability.

In this example, relying on patches was an easy way to solve the problem. However, this approach could prove risky in some cases. You also need to look at the nature of the exploit and vulnerability. For instance, does an attacker require physical access to the machine? If so, then you will need to rely on your trust in the employees in your organization, as well as your access-control mechanisms. If the vulnerability can be exploited via remote access or physical access, then you will also need to check your network logs to determine if traffic related to this exploit has passed through your network. And is your firewall set up to stop this kind of incoming and outgoing traffic via the rules you have established? Now you are really starting to see the nature of the threats in this domain. Many times, there is no simple answer.

Targeted Attack Scenario

Now let’s consider a situation where your company has drawn the ire, for some reason or another, of a group of malicious actors. You discover they want to take down your website. In this instance, you don’t have a collateral threat to your network; you have a direct threat to a system that is one of your sources of revenue.

If your site goes down, you stand to lose money each minute it cannot be reached by potential or returning customers. Now is the time to call your group together and come up with a plan of action. Do you want to ensure your web server has the latest patches for all the software running on it? Absolutely. Should you ensure that your firewall and IDS are functioning properly to help protect and alert you to the activities that may be coming your way? Without question. You’re following the trend here, right? Now you have identified a direct threat, and it’s time for action.

There is no possible way to cover all the actions you should take, but when you deem the threat is severe, ensure you act in accordance with your standard operating procedures. Think critically about the threat posed to your network, and then act accordingly. There is nothing worse than being that chief security officer, chief information officer, or network manager who “cries wolf” all the time.

What to Do When It Hits the Fan

At one time or another, “it” will hit the fan. Your sacred domain has been infiltrated. Now is the time for action. The burning question you will want to ask is, “Who has done this to our organization?” However, at this stage in the game, it is not the most important question to answer; that will come later. Your tools to monitor logs and real-time traffic have just become your new best friends.

From the moment you notice the infiltration, you need to make a plan. You should already have an overarching plan to handle events and incidents such as this, but each situation is unique. Depending on the actions you want to take, you may need management’s approval. You will need to begin examining your logs to determine how the intruder gained access, which systems were compromised, and so on.

Block or Monitor?

After you’ve gathered some information, one decision you need to make is whether to block the intruder’s entry point. There is some value in watching what your adversary is doing on your network, although this idea may be completely counterintuitive to many security managers.

If you catch your adversaries in the act, do you want to watch them to see what they are going after, determine their methods, and understand what they have done and are doing on your network? Or do you want to cut off their avenue of approach immediately and start the triage process? That is a question you must answer for yourself. For the less experienced, you might want to stop them now and move to the incident response phase. For the more experienced, you could make the case to management (and probably the lawyers) to study your enemy for a finite amount of time, which could reveal things you might never discover by just going through the logs.

Some organizations already have in-place procedures to immediately take the infected systems off the network, rebuild them, and patch them to the point where that infection is void. Each situation is unique and will largely be driven by your company’s policy.

There is one fact you must accept though: no matter what you choose to do immediately (block or monitor), just closing the hole they used to gain access to your network does not mean you are in the clear. If they got in, they likely installed another way to get back in via a backdoor of some sort. If you’re monitoring, you should determine all the ways they are gaining access to your network. Also, go back through your logs to see how they gained access initially. Do they match? If they do, you may be in the clear—the key words are “may be.”

Isolating the Problem

As mentioned previously, your logs and/or real-time traffic monitoring will be your guide to where you need to focus your efforts next. You’ve determined how they got into your network, and you’re on the lookout for other possible avenues of approach. Now isolating the problem is key to saving your network.

Which systems on your network have been compromised? In a perfect situation (as perfect as this can be), only a few systems were compromised. In this case, you can take these systems offline and rebuild them, ensuring that the vulnerability is patched before you place them back online. Now, although it is very easy to say that you will “rebuild machines,” this involves many implied tasks: reinstall each machine based on a pristine image you have for all machines on your network, install all applicable patches on each machine, recover data from the backup server (after you have scanned the data to ensure none of it is malicious), and change the passwords for users of that machine. That is just an example of what you may need to do in this case, but keep in mind, it all depends on the situation.

In the worst case, the intruder was able to move laterally through your network and gain access to many of your machines. It will take you a little longer to determine how to proceed in this scenario. You may need to rebuild many machines, implement company-wide password changes, and check the integrity of data within your data stores, among numerous other response actions.

One of your primary concerns after finding out how they got in and what they compromised is ensuring that you remove all possible traces of their presence. If you miss one of their entry points, they will return—again and again. Completely eradicating the enemy from your network is critical before you can perform a full recovery to normal operations.

Distinguishing Threat Objectives

Either during the process of removing the threat and restoring your network to a secure state or after the process is complete, it is necessary to determine why the intruders were in your network. This is a step that cannot be overlooked during your response to a compromise.

To fully understand future threats to your network, a historical perspective must be considered. You need to determine whether this was a target of opportunity or a targeted attack. As we’ve explained in earlier chapters, a target of opportunity is a compromise that results from a vulnerability being exploited because it was resident and publicly visible, meaning that intruders compromised your network because they could. A targeted attack is one that occurs because they are after something you have. They may deface your webpage or steal your intellectual property, but they came after you for a reason.

A thorough examination will need to occur for those questions to be answered. It may not be clear-cut either; analysis never is. You may need to rely on your experience and judgment to make an educated guess about the reason for the attack. When the infiltrators gained access to your network, what did they do? If they immediately went after sensitive information concerning your company’s latest product, you can reasonably assume that was their goal. In that case, the next question that must be answered is how the intruders found out where the information was stored. There may be an insider in your midst who supplied the location of the intellectual property, which was subsequently stolen.