According to the most recent IBM Cost of a Data Breach Report, the average data breach in the U.S. will set you back $3.86 million, making the American business community the most expensive place in the world to get hacked. The same study found that the average time it took subjects to identify and contain a data breach was 280 days. 280 DAYS. For perspective, Security Operations Centers strive for a 1-10-60 rule: 1 minute to detect, 10 minutes to investigate, and 60 minutes to remediate a security incident. So, what gives? Most organizations, especially in the tech and midmarket spaces, receive spending approval to buy security tools, but minimal budget for additional people to manage them. This is like rush hour at the grocery store with only one lane open. There are only so many transactions that can be processed that way. Ideally, some of those transactions could be automated, and for those that can’t, every aisle should be open. It’s the same for your security teams and alerts. No alert, or “transaction”, can be overlooked, but when your people get overwhelmed, some of them are bound to slip through, allowing attackers to fly under the radar. I want to examine an attack from both sides: the attacker, and the responder. Since TRUE has its own Red Team of ethical hackers, we are going to walk through the first steps of how our attack team goes about getting into your systems with incredible effectiveness. Then, since we also have our own Security Operations Center (SOC), we will look at a promising secret sauce that can speed up your response times.
What You’re Up Against: Types of Attacks
A data breach attack is different from malware or ransomware, where code is unleashed to automate the exfiltration of data once attackers are inside the system. Although certain malware can be one layer in a data breach attack, when you are dealing with malicious code that is the result of a wrong click by one of your users, you have a straightforward situation. Many attacks are not so obvious, however, such as a Business Email Compromise (BEC) or internal attacks. In these cases, you’re more likely looking at a breach where the target is a valuable dataset, like cardholder data, PHI (patient health information), intellectual property, or HR files. Sharing our own first steps, we are going to show you just how easy it is for someone to get into your systems, even if you are an enterprise organization with top-notch security tools. Regardless of the attack type, if you are managing alerts internally, chances are good that an attacker is going to slip through your net, navigating systems and doing serious damage while your team is still busy reviewing logs and missing alerts.
Attack Level 1: Password Compromise
This usually takes our penetration testers, TRUE’s Red Team, between one and five days. First, the attacker will compare your list of employees against dark web caches of users whose passwords have been leaked in one of the major breaches in recent years, such as LinkedIn or Facebook. Passwords from these hacks are readily accessible through a number of dark web channels. Just so you know, the purpose of those major hacks was never to send spam messages to all your friends. It was always to create an international dataset of users and passwords, making this information available to attackers.
They (and we) are banking on the fact that there is always someone in your organization who is reusing an old password (or some variation of one) that has been leaked. Maybe you felt clever when you changed your password from SpringBreak2020 to $pringBreak2021. Sorry. Even if the password has been updated, it’s probably some variation of the old one. It doesn’t take us long to add a number, change a letter’s case, and so on, to crack your password. There are even algorithmic tools to automatically generate variations for us until there’s a match. All we need to know is how your company’s email nomenclature works, like FIRST NAME (dot) FIRST LETTER OF LAST NAME + @ + COMPANY NAME.COM
All reconnaissance will happen offline, so you don’t even know you are the target of attack yet. Also, since our first access is often a low-level user, like an admin from your back office, you may not be so diligent or worried. If you have an effective MFA (multi-factor authentication) solution in place, we’ll just pivot to go in through that printer or camera you forgot about that is connected to your network. Chances are, though, the password approach is going to work.
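The defensive counterpart to the SpringBreak2020 / $pringBreak2021 problem is to screen new passwords not only against a leaked-password list but against simple mutations of it. The following is an added example, not code from TRUE or from the original post; the leaked-password set is constructed for the demo and would in practice come from a breach-corpus feed, and the substitution table is an assumption covering the most common mutation rules.

```python
import re

# Constructed stand-in for a breached-password corpus (assumption: in
# production this is a feed such as a k-anonymity lookup, not a literal set).
LEAKED_PASSWORDS = {"SpringBreak2020", "Welcome1", "Summer2019!"}

# Undo the usual character substitutions so mutated variants collapse onto
# the same stem. "1" is mapped to "i" only; "l" collisions are a known gap.
_SUBSTITUTIONS = str.maketrans(
    {"$": "s", "@": "a", "0": "o", "1": "i", "3": "e", "5": "s", "7": "t", "!": "i"}
)


def canonical(password: str) -> str:
    """Reduce a password to a comparison stem: drop the trailing run of
    digits/symbols (years, counters, '!'), reverse leet substitutions,
    lowercase, and keep letters only."""
    stem = re.sub(r"[^A-Za-z]+$", "", password)   # strip "2021", "!2022", "_1"
    stem = stem.translate(_SUBSTITUTIONS).lower()  # "$pringBreak" -> "springbreak"
    return re.sub(r"[^a-z]", "", stem)


# Stems of the leaked set; an empty stem (all-digit password) is excluded so
# it cannot match every numeric candidate.
LEAKED_STEMS = {s for s in (canonical(p) for p in LEAKED_PASSWORDS) if s}


def is_variant_of_leaked(candidate: str) -> bool:
    """True if the candidate, or any simple mutation of it, shares a stem
    with a leaked password."""
    stem = canonical(candidate)
    return bool(stem) and stem in LEAKED_STEMS


def screen_new_password(candidate: str, min_length: int = 12) -> tuple:
    """Policy check to run at password set/reset time. Returns (accepted, reason)."""
    if len(candidate) < min_length:
        return False, "too short"
    if is_variant_of_leaked(candidate):
        return False, "variant of a known leaked password"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["$pringBreak2021", "Spr1ngBr3ak!2022", "correct-horse-battery"]:
        print(pw, screen_new_password(pw))
```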
Your first chance to act: Alert 1 – Login from a new IP
If you are using advanced security settings on users’ OS, endpoints, and platforms, an alert will be generated as soon as we log in to your user’s account from a new IP address. The question is, with so many people working remotely or working while traveling, will anyone even take note of the alert? We’re betting not, because the alert is probably coming from your Microsoft admin tools, and we know how busy you are. Those are typically the last alerts to be investigated, and since so many tools have alerting options these days, teams are inundated, causing alert fatigue. Either way, it’s probably going to take a while before anyone notices and fully investigates this one. So, an account login alert may go unnoticed.
Meanwhile, we’re navigating… and your clock is ticking.
Targeting More Important Accounts & Privilege Escalation
Attack Step: Once inside a lower-level email account, we also now have access to all your other connected applications. For example, if you utilize Microsoft 365 products, I now have access to your SharePoint and can look at contracts, peruse client information, financials, etc. I’ll figure out how things work, who your signatories are, who issues checks. All of it. From here, we could do some lateral navigation and generate fake emails written from your low-level user’s accounts, targeting someone with higher permissions until we have access to even more valuable systems or files. (As ethical hackers, we will only go as far as our clients have contracted us to go, but obviously a criminal has no stops.)
At this point, you’ll start seeing Admin accounts created. You’d be surprised what we can do with just a local Admin account. Suffice it to say, it won’t be long before attackers basically own your network and systems. In the case of TRUE’s Red Team, we will stop there and tell you how we got in and what to fix. Criminals, however, will be having a heyday with your Active Directory, bank accounts, and whatever valuable datasets you have that they want.
The point here is that we work with clients every day who have full security programs, a stack of security tools, alerts, and teams to watch them. Yet, we successfully get in and have freedom to navigate unnoticed most of the time. Why is that? It truly is an issue of how much teams have to do. They need a way to speed up investigation and first-step remediation, and to gain greater visibility into what is happening across the environment.
Security Orchestration, Automation, and Response
With talented attackers out there who don’t follow ethics and leverage their skills for criminal gain, we are always looking to up our game and stay ahead of them. Having a talented Red Team lets us know what is happening on the front lines, and how we can better protect our clients. In that vein, TRUE has continued to grow our Security Operations Center capabilities year over year, adding dozens of new integrations, more AI, more automation, and new custom runbooks with Security Orchestration, Automation, and Response (SOAR) technology. We are so excited about what SOAR has done for our own team, that we are now including SOAR technology in our new Security Operations Center as a Service offering, to help other organizations get more out of their own security stacks.
You have probably heard the term SOCaaS. That term can mean different things to different people. Some organizations essentially offer SIEM, calling it SOCaaS. At TRUE, we have seen first-hand the need for many larger organizations to maintain their own security tools, but speed up their response times. That’s why we have developed TrueSOAR, to give you the power of our Security Operations Center, without having to change toolsets. With TrueSOAR, security information from across your systems is ingested into TRUE’s 24/7/365 SOC for evaluation, automation, and correlation before it even reaches an analyst. When our team begins their investigation, they are starting well ahead of the game to get a jump on attackers. This allows them to take remediation steps very quickly because they are dealing with accurate, vetted, correlated data, rather than sifting through logs for hours trying to find the information they need.
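To make the “correlation before it reaches an analyst” idea concrete, here is an added example (not TrueSOAR code or any TRUE runbook) that ties together the two signals the walkthrough above describes: Alert 1, a login from an IP outside the user’s baseline, and the later creation of an admin account by that same user. The events, usernames and IP addresses are constructed for the demo; the 60-minute window and the rule names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events, in the order a SIEM might forward them. Private
# and documentation-range IPs only; nothing here is real telemetry.
EVENTS = [
    {"ts": "2021-03-01T08:00:00", "type": "login", "user": "jane.d", "ip": "10.0.0.5"},
    {"ts": "2021-03-01T09:10:00", "type": "login", "user": "jane.d", "ip": "203.0.113.9"},
    {"ts": "2021-03-01T09:40:00", "type": "admin_created", "user": "jane.d", "target": "svc-backup"},
    {"ts": "2021-03-01T10:00:00", "type": "login", "user": "bob.k", "ip": "10.0.0.7"},
    {"ts": "2021-03-01T11:00:00", "type": "login", "user": "bob.k", "ip": "198.51.100.4"},
    {"ts": "2021-03-01T14:30:00", "type": "admin_created", "user": "bob.k", "target": "svc-etl"},
]

# Per-user baseline of IPs seen during normal activity (assumed to be learned
# from history; here it is hard-coded for the demo).
KNOWN_IPS = {"jane.d": {"10.0.0.5"}, "bob.k": {"10.0.0.7"}}

ESCALATION_WINDOW = timedelta(minutes=60)  # assumption: tune to your environment


def correlate(events, known_ips, window=ESCALATION_WINDOW):
    """Two rules. Rule 1: a login from an IP not in the user's baseline raises
    a low-severity alert (the "Alert 1" of the walkthrough). Rule 2: an admin
    account created by that user within `window` of rule 1 firing raises a
    high-severity alert that bundles the new IP and the created account, so
    the analyst receives one correlated case instead of two unrelated lines."""
    alerts = []
    recent_new_ip = {}  # user -> (timestamp, ip) of their latest new-IP login
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["type"] == "login" and ev["ip"] not in known_ips.get(user, set()):
            recent_new_ip[user] = (ts, ev["ip"])
            alerts.append({"severity": "low", "rule": "new_ip_login",
                           "user": user, "ip": ev["ip"]})
        elif ev["type"] == "admin_created" and user in recent_new_ip:
            first_ts, ip = recent_new_ip[user]
            if ts - first_ts <= window:  # bob.k's 3.5 h gap stays a plain new-IP alert
                alerts.append({"severity": "high", "rule": "admin_created_after_new_ip",
                               "user": user, "ip": ip, "target": ev["target"]})
    return alerts


def triage_order(alerts):
    """Order for the analyst queue: correlated high-severity cases first."""
    rank = {"high": 0, "low": 1}
    return sorted(alerts, key=lambda a: rank[a["severity"]])


if __name__ == "__main__":
    for alert in triage_order(correlate(EVENTS, KNOWN_IPS)):
        print(alert)
```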