One way to improve enterprise security is to try to understand all the steps that an attacker can take to fully compromise an organization. By thinking like an attacker and implementing security controls for each attack phase, an organization can help reduce cyber risk.
That’s one of the key messages that Matthew Maglieri, Chief Information Security Officer (CISO) at Ruby Life, shared at the SecTor conference in Toronto. If you’re not familiar with the name Ruby Life, you’re likely not alone. It’s the re-branded name for Avid Live Media, which was the parent company of adult infidelity website Ashley Madison.
Ashley Madison was the victim of a high profile data breach in July 2015. In the aftermath of that breach, Maglieri was brought in to help restore trust and security in the platform. Before joining Ruby Life, Maglieri worked at FireEye’s Mandiant incident response business unit, where he saw firsthand how organizations of all sizes were affected by hackers.
While hackers and offensive security activities led to the breach at Ashley Madison and countless other incidents Maglieri has investigated, he sees value in using the same approach that attackers use in order to help organizations boost their security. It’s a model he referred to as “offensive risk management,” which includes multiple steps.
“What we’ve done is we’ve actually taken each phase of the targeted attack lifecycle, broken it out, documented the common phase activities and then listed all of our controls against those phase activities,” Maglieri said.
Those attack phases are:
- Initial Recon
- Initial Compromise
- Establish Foothold
- Escalate Privileges
- Internal Recon
- Complete Mission
The initial reconnaissance stage is when the attacker scopes out the organization. During this phase, attackers conduct both passive and active port and service scanning to get an understanding of what an organization has that is facing the public internet.
Part of the initial recon stage can also involve using other sources of public intelligence such as LinkedIn. Maglieri said he has seen employees of large organizations publicly post about what versions of software and technologies they use as part of their job. That information can be valuable in helping an attacker quantify a potential target.
Example Controls: Acceptable use policy, including guidelines on how to avoid revealing sensitive information online, and active and passive scan monitoring.
The initial compromise phase is when the attacker gains some level of access to the target organization. Among the most common ways that the initial compromise is achieved is via a phishing email or other social engineering activity.
Initial compromise can also come as a result of an internet-facing service misconfiguration as well as unpatched known vulnerabilities.
Example controls: Anti-phishing and email content filtering and other email security measures, security awareness and training, vulnerability and patch management.
After the initial compromise, an attacker will need to establish some sort of foothold in order to have persistence within an environment and move laterally in an organization to get more information.
During this phase, Maglieri said attackers often deploy software that will enable command and control of the victim system.
Example controls: Endpoint protection software, network protection software (to block command and control activity).
Attackers rarely, if ever, will be able to get full administrative privileges to a target environment though the initial compromise or foothold stages of an attack.
Escalating privileges is all about expanding the hacker’s level of access within an organization to get at more data.
Example controls: Host-based exploit prevention, password vault secure credential storage.
Once inside a network with the right level of access, attackers will want to see what’s there.
During the internal recon phase, attackers do multiple things, including directory service queries, fileshare scanning and port scanning, in an effort to discover other areas where valuable information can be hidden.
Example controls: Network segmentation, continuous anomaly detection.
Attackers generally need to move around inside of an environment to get to the sensitive data. During this, phase common attacker activities include the use of remote access protocols and services.
Example controls: Blocking host-to-host communication, network segmentation, multi-factor authentication.
Throughout the attack lifecycle, the attacker has to maintain presence in order to keep their access to the victim’s environment. That presence can potentially come over a VPN or from internet-facing web shells.
Example controls: Network protection, VPN monitoring, active threat hunting.
“Lastly, the attacker is going to complete their mission,” Maglieri said.
That mission could be about exfiltration of data or some other malicious activity. If an organization has not disrupted an attack by this phase, there is little chance they will do so at this point.
That said, what can be done at this stage is making sure there is an incident response plan in place to help understand and know what to do.
Example controls: Incident Response Plan.
Overall, Maglieri emphasized that while it might seem some days like attackers have the upper hand, cybersecurity today is a board-level conversation, and organizations, like his, that have suffered breaches have recovered.
“We need to communicate and collaborate, because I guarantee your adversaries are,” he said.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.