How Cybercriminals Are Getting Initial Access into Your System

Image

This article covers the main techniques cybercriminals use at the initial stage of attacks against enterprise networks. There are several dangerous phases of cyberattacks targeting the corporate segment. The first one encountered by businesses boils down to getting initial access into their systems. The malefactor’s goal at this point is to deposit some malicious code onto the system and make sure it can be executed further on.

Drive-by downloads

Description: The gist of this technique is to dupe the victim into opening a website hosting various browser and plugin exploits, obfuscated frames or malicious JavaScript files that can be downloaded to the target system beyond the user’s awareness.

How to protect yourself:

• Use up-to-date web browsers and plugins and run an antimalware solution. Microsoft recommends using Enhanced Mitigation Experience Toolkit (EMET) and Windows Defender Exploit Guard (WDEG.)

Exploiting public-facing applications

Description: This method involves known glitches, bugs and vulnerabilities in applications with open network ports (SSH network services, web servers, SMB2, etc.) The top 10 web application vulnerabilities are being regularly published by OWASP.

How to protect yourself:

• Use firewalls.
• Perform network segmentation with DMZ.
• Follow safe software development practices.
• Avoid issues documented by CWE and OWASP.
• Scan the network perimeter for vulnerabilities.
• Monitor logs and traffic for anomalous activity.

Hardware additions

Description: Computers, network appliances and computer accessories may go with covert hardware components tasked with providing initial access. Both open-source and commercial products may include features for stealth network connection, MITM (man-in-the-middle) attacks implementation for encryption cracking, keystroke injection, reading kernel memory via DMA, adding a new wireless network, etc.

How to protect yourself:

• Adopt policies for network access control such as certificates for devices and IEEE 802.1X standard.
• Restrict the use of DHCP to registered devices only.
• Block network interaction with unregistered equipment.
• Disable the addition of unknown external devices using host protection mechanisms (endpoint security agents for device monitoring.)

Removable media

Description: This technique leads to the execution of rogue code via autorun feature. To deceive the user, the attacker may modify or rename the “legit” file beforehand and then copy it onto a removable drive. The malware can also be embedded in the firmware of removable media or executed via the initial formatting tool.

How to protect yourself:

• Disable the autorun feature in Windows.
• Restrict the use of removable media at the level of your company’s security policy.
• Use antivirus software.

Spear-phishing - attachments

Description: This mechanism presupposes the distribution of viruses attached to phishing emails. The email body typically contains a plausible-looking reason why the user should open the attached file.

How to protect yourself:

• Use IDS (intrusion detection system) along with an antivirus suite that scans emails for malicious attachments and removes or blocks them.
• Configure a policy to block certain formats of email attachments.
• Train your personnel how to identify and avoid phishing.

Spear-phishing - links

Description: Cybercriminals may send emails with links leading to malware.

How to protect yourself:

• Check the received emails for URLs leading to known malicious websites.
• Use IDS and antivirus software.
• Conduct phishing awareness training of your staff.

Spear-phishing via service

Description: In this case, the threat actors send booby-trapped messages via social networks, personal email accounts and other services that are beyond the company’s control. They may use fake social network profiles to send job offers or similar eye-catching messages. This allows them to build trust and later ask the targeted employee about policies and software used in the enterprise and convince the victim to click malicious links and attachments. As a rule, the malefactor first establishes contact and then sends the malicious entity to the email address that the employee uses at their workplace.

How to protect yourself:

• Consider blocking access to personal email accounts, social networks, etc.
• Use application whitelisting, IDS and antivirus software.
• Set up a personnel awareness program focused on anti-phishing.

Supply chain compromise

Description: This method comes down to injecting various backdoors, exploits and other hacking instruments into software and hardware at the supply stage. The possible attack vectors are as follows:

• Manipulating software development tools and environments,
• Abusing source code repositories,
• Interfering with software update and distribution mechanisms,
• Compromising and contaminating OS images,
• Modifying legit software,
• Sale of counterfeit\modified products and
• Interception at the shipment stage.

Cybercriminals usually focus on compromising software distribution and update channels.

How to protect yourself:

• Implement SCRM (supply chain risk management) and SDLC (software development life cycle) management systems.
• Run continuous contractors’ reviews.
• Strictly limit access within your supply chain.
• Use procedures to control the integrity of binary files.
• Scan distribution kits for viruses.
• Test all software and also updates prior to deployment.
• Physically examine the hardware being purchase as well as the media containing software distribution kits and support documentation for signs of forgery.

Trusted relationship

Description: Malicious agents can take advantage of organizations that may access the infrastructure of the target enterprise. Companies often use a less secure practices while interacting with trusted third parties than for regular access from the outside. Trusted third parties may include IT service contractors, security vendors and infrastructure maintenance contractors. Furthermore, the accounts used by trusted parties to access the company can be hacked and leveraged for initial access.

How to protect yourself:

• Use network segmentation and isolate critical IT infrastructure components that shouldn’t be widely accessible from outside the organization.
• Manage accounts and privileges used by trusted third parties.
• Check security procedures and policies of the contractors that need privileged access.
• Monitor the activity of third-party vendors and trusted individuals.

Using valid accounts

Description: Criminals can steal the credentials for a specific user’s account or service account or retrieve credentials in the course of reconnaissance with the help of social engineering. Compromised credentials can then be used to get around access management systems and get access to remote systems as well as external services, such as remote desktops, VPNs and Outlook on the web, or to obtain elevated privileges in specific systems and areas of the network. If this attempt turns out successful, the perpetrators can decide not to use malware and thereby complicate detection. Also, the attackers may create new accounts to maintain access in case the other techniques fail.

How to protect yourself:

• Stay away from credential overlapping across different services and systems.
• Adopt a password policy and follow enterprise network administration guidelines to restrict the use of privileged accounts.
• Monitor domain and local accounts and their privileges to identify the ones that can allow an adversary to get wide access to the network.
• Keep track of account activity using security information and event management (SIEM) solutions.

Of course, cybercriminals need initial access into your IT infrastructure for a reason. It depends on the objectives of the compromise. If the adversary is after industrial espionage, they will steal proprietary information. In case you are confronted with an unscrupulous competitor’s shenanigans, the digital raid may lead to disruption of your business and ruin your company’s reputation. One way or another, the intrusion proper is merely the first step typically followed a number of common stages. These include malicious code execution, establishing persistence, escalating privileges, defense evasion, credential access, lateral movement within enterprise environment, data collection, exfiltration and finally command and control. Since the impact stemming for initial unauthorized access can be critical, it’s a good idea to focus on proactive protection mechanisms. Automated systems like WDEG, EMET, IDS, SCRM, SDLC and SIEM aren’t just fancy acronyms and are certainly worth their salt, but keep in mind that human factor is very often the weakest link in an organization’s security. Therefore, security awareness training of your personnel is among the fundamentals of attack prevention.

Image

About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.