Part One
Last updated
We see there's a problem and want to help you solve it. First, we need to agree whether there's truly a problem and understand its nature. The core issue is that organizations keep spending more on security but still face costly breaches.
Mandiant's annual M-Trends report gives key insights into the latest security challenges based on the incidents they handled.
On average, attackers had control of a company’s systems for 56 days before the company noticed the breach. A few years ago, it took organizations an average of 416 days to detect a breach. Mandiant found that attackers often try to hack organizations again after being removed.
Verizon's annual Data Breach Investigations Report, started in 2008, is a leading source on information security, focusing on data breaches and other compromises.
The report uses data from Verizon's RISK team and various global sources like the US Secret Service, Deloitte, and police units. It offers key insights, making it essential for security professionals to stay updated on worldwide compromises.
The Verizon Data Breach report emphasizes that no system is fully secure, so detection and response are key, not just a backup plan. This aligns with the SANS saying, "Prevention is ideal, but detection is a must." The main point is that every organization can be breached, making quick detection and response vital in cybersecurity.
Exploiting unpatched vulnerabilities is a common way for attackers to breach systems, but they know these flaws will eventually be fixed or that users will stop clicking on links. A major goal for attackers is stealing credentials. Once they have these, they can use them multiple times without needing to exploit vulnerabilities, making them harder to detect. Their actions also appear less suspicious when they use real credentials.
Organizations struggle to detect their own security breaches, often finding out about them only when a third party informs them. Year after year, reports show that this trend continues. While past numbers might be worse, the current data from Verizon DBIR and Mandiant M-Trends is already bad enough to raise concerns.
Mandiant reports that 41% of organizations learn about breaches from third parties. Most breaches, including those causing data loss, are found by other organizations. Additionally, studies often show when the breach started, and those findings are not very encouraging.
It gets worse: when a third party tells you your company has been hacked, it's usually not just hours or days after the breach. Mandiant's report shows that, on average, organizations take 56 days to notice they've been compromised. In some cases, it can take even longer—previously, Mandiant found that it took an average of 416 days to discover a breach, meaning a company could be hacked for over a year before realizing it.
It is tempting to say that another organization tells us about our breach 56 days later, but that isn't quite right: 56 days is the overall average. When we don't find the breach ourselves, it takes an average of 184 days for someone else to discover it, so our ability to detect breaches isn't great. When we do detect it ourselves, the average is just 50.5 days. The gap between self-detected and externally detected breaches has narrowed since last year's report: last year the average was 78 days, 101 days the year before that, and 146 days the year before that.
Signature-based antivirus has limitations, but we still use it on Windows and OSX systems because it can work against general attacks. Some IT staff resist change and push for caution, leading to little progress. We tell our clients that sticking to the old ways isn't effective.
User agent analysis is important because malware often fakes user agents in obvious ways, such as using very short or strange ones. Long tail analysis, which looks at the least common values in a data set, can quickly spot these. User agent data is easy to collect and analyze.
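Long tail analysis of user agents, as an added example (not course material): the script parses a handful of constructed proxy log lines (the format and every value are invented for illustration) and reports the least common User-Agent strings along with the clients that used them, plus any string that is suspiciously short or empty.

```python
"""Long-tail analysis of HTTP User-Agent strings from proxy logs.

Added example, not course material: the log format and every value below are
constructed for illustration. Malware often fakes its User-Agent badly (empty,
very short, or unlike any real browser), so the least common strings and the
shortest strings are where an analyst looks first.
"""
import re
from collections import Counter, defaultdict

# Constructed proxy log lines: client IP, method, URL, quoted User-Agent.
SAMPLE_LOG = """\
10.5.11.20 GET http://intranet.example/home "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
10.5.11.21 GET http://intranet.example/news "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
10.5.11.22 POST http://crm.example/api "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
10.5.11.23 GET http://intranet.example/home "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
10.5.11.20 GET http://mail.example/inbox "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
10.5.11.24 GET http://intranet.example/home "Mozilla/5.0 (Windows NT 10.0; rv:121.0) Gecko/20100101 Firefox/121.0"
10.5.11.25 GET http://wiki.example/page "Mozilla/5.0 (Windows NT 10.0; rv:121.0) Gecko/20100101 Firefox/121.0"
10.5.11.173 GET http://203.0.113.7/update "Mozilla/4.0"
10.5.11.173 POST http://203.0.113.7/update ""
10.5.11.30 GET http://198.51.100.9/check "abc"
"""

# One line of the constructed format: ip method url "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def parse_user_agents(log_text):
    """Return (client_ip, user_agent) pairs; lines that don't match the format are skipped."""
    pairs = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            pairs.append((m.group("ip"), m.group("ua")))
    return pairs


def long_tail(pairs, max_count=1):
    """User-Agents seen at most max_count times, rarest first, with the clients that used them."""
    counts = Counter(ua for _, ua in pairs)
    clients = defaultdict(set)
    for ip, ua in pairs:
        clients[ua].add(ip)
    tail = [(ua, n, sorted(clients[ua])) for ua, n in counts.items() if n <= max_count]
    return sorted(tail, key=lambda t: (t[1], t[0]))


def short_agents(pairs, min_length=20):
    """Distinct User-Agents shorter than min_length characters (empty strings included).

    The threshold is a constructed starting point; real browser strings are far longer.
    """
    return sorted({ua for _, ua in pairs if len(ua) < min_length})


if __name__ == "__main__":
    pairs = parse_user_agents(SAMPLE_LOG)
    print("Rarest user agents:")
    for ua, n, ips in long_tail(pairs):
        print(f"  {n:>3}  {ua!r}  clients={ips}")
    print("Short or empty user agents:", short_agents(pairs))
```

On the sample data both views converge on the same three strings, and the client list shows that one host (10.5.11.173) is behind two of them, which is the kind of pivot point long tail analysis is meant to surface.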
Industry reports show that security is still a big concern. Although recent data looks slightly better than before, many breaches still happen often and can be costly. We usually find out about these breaches through third parties and only after a long delay.
Organizations that get breached may either not have basic security measures or enough staff. Alternatively, they might be targeted by very skilled attackers. However, the reality is simpler: these organizations have security practices, tools, and staffing similar to others in their industry.
Adversaries have a big advantage. The goal of the upcoming exercise is to show how easy it is to perform tasks many think are advanced. This exercise will use open-source tools, which are often used by powerful nations. These capabilities are important and should be seen as standard for skilled adversaries.
When will cyber defense be strong again? Have we ever really been strong? In the past, enemies weren’t as skilled or funded, but that doesn’t mean we were winning. What would winning look like? In terms of attacks, offensive cyber will always have the upper hand. Attackers only need to find one mistake, while defenders must protect everything.
Before feeling defeated, let's pause. Adversaries can always compromise us—it's a fact. But just because they can, doesn't mean they will succeed. We need to redefine what winning means. Instead of aiming to prevent all compromises, we should aim to stop our enemies from reaching their ultimate goals. This is a more realistic and achievable target.
Adversaries have their goals, and we need to know ours, especially since we can’t just focus on preventing breaches anymore. Our main security goal could be to stop them from reaching their objectives. Alternatively, we could focus on protecting what's most important to our organization, like key data or applications. Not having to only aim to prevent breaches can be freeing.
We'll soon look at the weaknesses of traditional cyber defense, but first, let's think about the attackers and methods it was designed to counter. In the past, attackers were mostly casual hobbyists looking for easy targets. These less serious attackers have been easier to defend against, but they still caused a lot of damage over time. Traditional cyber defense methods have generally worked well against these types of attackers.
Traditional attack methods mainly target service-side exploitation, where attackers exploit a vulnerable service that is actively listening. We use "service-side exploitation" instead of "server-side" to clarify that this can involve more than just data center servers; it can also apply to desktops, mobile devices, or any device with a vulnerable service.
The above shows how a service-side exploit usually works. The attacker sends the exploit straight to the victim. For this to succeed, the firewall must allow this outside communication. This type of attack is also called server-side exploitation because firewalls typically permit this kind of traffic only if the target is a server. Even if a desktop has a service running on port 80, the firewall won't let an outside system start communication with it.
Service-side vulnerabilities are easy to exploit, allowing attackers to compromise many systems quickly without needing user interaction. This means they can spread rapidly like a worm.
Even if certain features appeal to attackers, they might not always be usable. Nowadays, fewer attackers use service-side exploits to enter organizations. However, once they get in, these exploits become easier to use. Recent examples of major service-side flaws include the Windows EternalBlue SMB, BlueKeep RDP, and Intel AMT vulnerabilities.
Ah, the good old days when the worst you faced was website defacement. Compared to today’s malware, past attacks caused simpler issues. Old malware mainly focused on spreading, like Sasser, Slammer, and MyDoom, which often led to service disruptions as a side effect of their spread.
Besides causing unintentional denial of service (DoS), malware often caused it on purpose, mainly by sending many spam messages. Although the malware had some effect, its damage was minor compared to today's threats.
Older malware aimed mainly at spreading widely to infect many systems. However, attackers faced challenges in using these infected systems. Early Remote Access Trojans (RATs) offered basic backdoor access through a specific port. The high number of infections pushed the need for stronger command and control (C2) systems.
Advanced Denial of Service (DoS) attacks became easier for attackers. Their malware was very good at taking over systems. Simple packet attacks and flooding a single system didn't last long, but if 10,000 or 100,000 systems joined the attack, it would be much harder for victims to stop it.
Managing thousands or millions of systems was challenging with traditional backdoor shells and remote access tools. Stronger command and control systems were needed for effective Distributed Denial of Service (DDoS) attacks. This led to the development of DDoS suites and botnets.
The shift from basic DDoS tools to full botnets marked the change from old to new attack methods. Initially used just for better Denial of Service attacks, DDoS tools evolved into botnets that could do much more. Botnets and their improved command and control systems enabled attackers to focus on stealing data rather than just causing disruptions.
Ransomware encrypts data and demands a ransom payment to recover the decryption key. Modern ransomware typically demands payment in cryptocurrency such as Bitcoin.
CryptoLocker was different because its creators learned from past ransomware and fixed known problems. It marked a change in tactics for cybercriminals, who had mainly used scareware that didn't harm data. This shift showed that attackers would keep evolving to make money.
Once activated, CryptoLocker showed its effectiveness. It installed itself in the user’s profile folder and added a registry key to run at startup, ensuring it would persist. It then connected to a command-and-control server to create a unique RSA-2048 key pair, sending the public key to the victim's computer. This strong encryption made it very hard to recover files since the private key was only on the command-and-control servers.
Ransomware has reduced dwell time because it alerts users by changing the desktop background and opening an image. Mandiant states that the rise in breaches found in less than 30 days is due to more ransomware and cryptominer incidents being detected more quickly.
Cryptoware is ransomware that encrypts data via strong encryption, and virtually all modern ransomware is also cryptoware:
A key is generated, and released after payment is received
The encryption is usually cryptographically strong
The key is provided to the victim after paying the ransom
The key is usually destroyed after a timer expires
For sites lacking proper backups: once compromised, there are usually no effective technical solutions other than paying the ransom.
This course aims to introduce a modern way of cyber defense by comparing it with traditional methods, which we'll first define. Traditional doesn't just mean old devices. Even the newest tech can support a traditional setup. What matters is the overall approach and processes used for cyber defense.
Traditional cyber defense mainly focuses on prevention, often neglecting other security measures. This focus makes sense in theory.
We prefer to stop threats before they enter our organization, rather than just detect them. Prevention focuses on keeping attackers and malware out, which seems logical, but we'll evaluate its effectiveness later.
Most security controls in organizations focus on prevention, which is a key trait of traditional security setups.
Firewall
IPS
NGFW
Antivirus
Proxy
Web Content Filter
Malware Detonation Devices
DLP
NAC
IDS
SIM
The saying "80% of attacks come from inside" used to be popular among vendors, but it's a myth. Richard Bejtlich explains this here: https://sec511.com/2q.
They emphasized this idea because organizations have spent many years mainly concentrating on protecting their outer boundaries. This focus on traditional cyber defense shows that companies have prioritized stopping attackers from getting in through the perimeter.
Traditional cyber defense focuses heavily on devices for security. Security staff mainly maintain these devices, often relying on third parties to set them up instead of developing in-house expertise. Employees typically handle basic system updates, acting mainly as caretakers to keep the security devices running.
First let's run the following command to verify that Security Onion's networking is configured properly:
Now let's open Firefox and log into Security Onion using these credentials:
Username: student@sec511.local
Password: Security51
Click on the Alerts icon in the upper left and change the search time from the last 24 hours to the last 24 months. We'll see several alerts appear.
Then let's click on the Hunt icon on the upper left, and also change the search time to last 24 months. A lot of connections should appear:
Find a service-side attack launched successfully on June 16th, 2023 against 10.5.11.173
Determine the name of the attack
Determine the Microsoft Security Bulletin number of the patch that mitigates this attack
Determine the attacking IP
Identify the Command and Control (C2) traffic
Let's start by sorting events by date in the Alerts menu, then look into the related packets in the Hunt menu.
First, let's go to the Alerts menu and switch the grouping from "Group By Name, Module" to "Ungroup." Make sure the alerts are sorted from oldest to newest.
An alert mentions a Microsoft Security Bulletin: "ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response." Let's click the arrow next to the description to see more details about this alert.
The "destination.ip" is 10.99.99.8, which is different from our victim's IP, 10.5.11.173. Now, let's scroll down to the "source.ip":
The Hunt menu is better for searching, while the Alert menu is for viewing alert summaries and checking new alerts in the SOC. Let's go to the Hunt menu and search for the IP address 10.5.11.173. It might show up as either a source or destination, depending on the data flow in the Suricata alert. We'll use this Onion Query Language (OQL) query after clearing any previous searches.
The Hunt menu displays all packets, including those not linked to alerts. To view more packets at once, let's scroll to the bottom of the Hunt screen and set "Rows per page" to 500.
Now, let's scroll to the "ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response" alert. We'll click on the rule name to see the pcap data, then select "Actions" and choose "PCAP."
A summary of the TCP/IP connection will show up. We can look at different options, like expanding or collapsing the packet data and viewing the hex output. To go back to the default view, click the collapse packet data icon.
Let's download the packets and open them in Wireshark by clicking the download icon.
Let's open the pcap file using wireshark.
Let's right-click on any frame, and choose Follow -> TCP Stream
Let's scroll down a bit, and notice what appears to be base64-encoded traffic.
We found the exploit, so now we need to track down the C2 (Command and Control). C2 typically shows up in new connections. Let's go back to the Hunt menu and search for later communications related to 10.5.11.173 that don't involve SMB. The first non-SMB traffic after the exploit attempt is between 10.5.11.173:49165 and 10.99.99.189:4444 (note that port 4444 is the default for Metasploit). We'll click on either IP in the packet from June 16 at 08:46:32.209, then select Actions -> PCAP.
Then we'll download the packets and view in Wireshark:
Let's right-click on any frame and select Follow -> TCP Stream. We’ll see the message "This program cannot be run in DOS mode" on the first screen, which is not typical TLS traffic!
Wireshark shows this traffic as TLSv1, which typically starts with the Client Hello. To find frames with Client Hello, we'll use this display filter in the search box and press "Enter":
The Client Hello occurs in Frame 186 of this packet capture, which is not normal: a genuine TLS session begins with it. We'll go into more detail on this in the next sections.
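The check behind "this is not typical TLS traffic", as an added example (not course material): a genuine TLS session opens with a handshake record (content type 0x16, version 0x03xx) whose first message is a ClientHello (handshake type 0x01), whereas the lab's port-4444 stream starts with a Windows executable, recognisable by its "MZ" header and the DOS stub text. The byte strings and the list of streams below are constructed; the endpoints 10.5.11.173:49165 and 10.99.99.189:4444 are the lab's, the other endpoints are invented.

```python
"""Check whether a stream the dissector labelled "TLS" really starts with a ClientHello.

Added example, not course material. A TLS record begins with a content type
byte (0x16 = handshake), a two-byte version (0x03 0x00..0x03), a two-byte
length, and then the handshake message type (0x01 = ClientHello). Anything
else on a connection labelled TLS deserves a look; the lab's port-4444 stream
(4444 is Metasploit's default listener port) carries a Windows executable.
"""

TLS_HANDSHAKE_RECORD = 0x16
TLS_CLIENT_HELLO = 0x01
DOS_STUB = b"This program cannot be run in DOS mode"


def is_tls_client_hello(data):
    """True if data begins with a TLS handshake record carrying a ClientHello."""
    if len(data) < 6:
        return False
    return (data[0] == TLS_HANDSHAKE_RECORD
            and data[1] == 0x03 and data[2] <= 0x03  # record version SSL 3.0 .. TLS 1.2
            and data[5] == TLS_CLIENT_HELLO)


def classify_first_bytes(data):
    """Coarse verdict on the first payload bytes seen on a TCP stream."""
    if is_tls_client_hello(data):
        return "tls-client-hello"
    if data[:2] == b"MZ" or DOS_STUB in data:
        return "windows-executable"
    return "unknown"


# Constructed samples. The TLS one is the first 11 bytes of a ClientHello:
# record header (type, version, length), handshake type, 3-byte length, client version.
CLIENT_HELLO_PREFIX = bytes.fromhex("160301 00c0 01 0000bc 0303")
# Minimal PE-like prefix: MZ header, padding, then the DOS stub message.
PE_PREFIX = b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b".\r\r\n$"
HTTP_PREFIX = b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"

# Constructed stream table: what a dissector labelled each flow and its first payload bytes.
STREAMS = [
    {"src": "10.5.11.173", "sport": 49201, "dst": "10.99.99.50", "dport": 443,
     "dissector": "TLSv1.2", "first_bytes": CLIENT_HELLO_PREFIX},
    {"src": "10.5.11.173", "sport": 49165, "dst": "10.99.99.189", "dport": 4444,
     "dissector": "TLSv1", "first_bytes": PE_PREFIX},
    {"src": "10.5.11.173", "sport": 49170, "dst": "10.5.11.5", "dport": 80,
     "dissector": "HTTP", "first_bytes": HTTP_PREFIX},
]


def mismatched_tls_streams(streams):
    """Streams labelled TLS whose first payload is not a ClientHello, with a verdict on what it is."""
    findings = []
    for s in streams:
        verdict = classify_first_bytes(s["first_bytes"])
        if s["dissector"].startswith("TLS") and verdict != "tls-client-hello":
            findings.append((f'{s["src"]}:{s["sport"]}', f'{s["dst"]}:{s["dport"]}', verdict))
    return findings


if __name__ == "__main__":
    for src, dst, verdict in mismatched_tls_streams(STREAMS):
        print(f"{src} -> {dst}: labelled TLS but first payload looks like {verdict}")
```

The point of the check is that a dissector label is a guess based on port and heuristics, while the first bytes on the wire are evidence; when the two disagree, as they do for the 4444 stream, the content wins and the flow goes on the list to investigate.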
Determine the name of the attack: ETERNALBLUE
Determine the Microsoft Security Bulletin number of the patch that mitigates this attack: MS17-010
Determine the attacking IP: 10.99.99.8
Identify the Command and Control (C2) traffic: traffic 10.5.11.173:49165 -> 10.99.99.189:4444