Advanced persistent threats continue to test organizations’ strength by exploiting new vulnerabilities, organizing massive supply chain incidents and targeting specific industries. According to a study, 84% of enterprises globally acknowledge that cyberattacks have become more sophisticated, causing worries about vulnerabilities, attack surfaces, threat tactics, malware, mobile device security and the use of consumer cloud services by employees.
Fortunately, there are plenty of tools, sources of information and guidelines that help fine-tune responses to sophisticated attacks, allowing for a clear understanding of how to hunt threats and remediate IT systems. Since the average cyberattack lasts a day and a half, security teams need to react quickly. However, a timely response doesn’t necessarily mean malicious actions should be immediately blocked. It is important to understand the right moment to start the containment, eradication and recovery phases of response, as an untimely reaction can signal to attackers that their actions are no longer going unnoticed.
For example, if the incident response team blocks infected software, malicious IP addresses or URLs as soon as the first signs of a threat are detected, then the attackers can simply hide in the network or change their tactics. This could potentially require the investigation cycle to start all over again. Moreover, attackers can sometimes hide so well and for so long that discovery would be almost impossible until their next malicious activity is revealed.
Advanced persistent threats (APTs) use lateral movement techniques to stay unnoticed for days, months or even years while they seek out crucial assets in the victim’s environment. For example, in one Lazarus attack, the actor managed to overcome network segmentation and reach the restricted network thanks to lateral compromise of the administration machine that connected both the corporate and restricted segments. Analysis of TunnelSnake’s APT operation revealed a case in South Asia where the threat actor had a foothold within the network from as early as 2018.
Another issue with early reaction is that it can create a situation in which some attack artifacts are left unnoticed during the eradication stage because the IT security team didn’t detect them or didn’t relate them to the attack during the investigation stage.
Furthermore, the entry point might remain unclear. This could include a vulnerability, an unprotected endpoint or any other vector. In this case, even if the attack were stopped and all malicious elements were wiped out, the risk of intruders making another attempt through the same gates but with new tactics, techniques and procedures would remain.
With APTs growing in volume and sophistication, there are, however, response steps that can be taken to avoid damaging outcomes.
Find the Attack Kill Chain
As soon as an IT security team discovers that their organization is compromised and there is a human on the other side (not just malware), they need to follow the attack and find as many traces as possible. The attacker’s actions should be followed across the whole network, not just the immediate perimeter. The further the attack goes, the more traces it leaves; threat hunters can attribute these to an APT group—or at least guess its target—and then hunt it down in the most effective way. It is extremely important to find the attack entry point to avoid repetition of this type of incident.
The end goal of incident response is accomplished through two activities: investigation and remediation. The investigation stage involves determining the attack vector, tools, affected systems, damage, intrusion time frames and so on. In other words, comprehensive analysis is a must before moving to remediation.
Threat intelligence and attack evaluation approaches, such as MITRE ATT&CK, are key at this stage.
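As an added illustration of the kill-chain reconstruction described above (example code, not from the original article), the script below takes a constructed set of lateral-movement events, each tagged with a MITRE ATT&CK technique ID, walks the hop-by-hop path from the external entry point, and refuses to declare containment "ready" while any compromised host still has no explained source. Host names, timestamps and technique mappings are constructed sample data.

```python
from datetime import datetime

# Constructed sample events as an analyst might reconstruct them from host and
# network logs: (timestamp, source host, destination host, ATT&CK technique ID, summary).
# A source of None means the activity was observed but its origin is still unexplained.
EVENTS = [
    ("2023-03-01T09:12:00", "internet", "web01", "T1190", "exploit public-facing app"),
    ("2023-03-01T11:40:00", "web01", "admin01", "T1021.002", "SMB admin share logon"),
    ("2023-03-02T02:05:00", "admin01", "ot-gw01", "T1021.004", "SSH into restricted segment"),
    ("2023-03-02T03:30:00", None, "fileserv02", "T1005", "data staged, origin unknown"),
]

EXTERNAL = {"internet"}  # sources that count as "outside the network"

def ordered(events):
    """Sort events chronologically so the chain reads earliest to latest."""
    return sorted(events, key=lambda e: datetime.fromisoformat(e[0]))

def attack_path(events, start):
    """Breadth-first walk of hops from the entry host; hosts in order of compromise."""
    path, frontier = [start], [start]
    while frontier:
        host = frontier.pop(0)
        for _, src, dst, _, _ in ordered(events):
            if src == host and dst not in path:
                path.append(dst)
                frontier.append(dst)
    return path

def entry_points(events):
    """Hosts reached directly from outside the network: the 'gates' to close."""
    return sorted({dst for _, src, dst, _, _ in events if src in EXTERNAL})

def unexplained_hosts(events):
    """Compromised hosts whose inbound hop has not been found yet (investigation gap)."""
    return sorted({dst for _, src, dst, _, _ in events if src is None})

def techniques(events):
    """ATT&CK technique IDs in the order they were first observed along the chain."""
    seen = []
    for _, _, _, tid, _ in ordered(events):
        if tid not in seen:
            seen.append(tid)
    return seen

def containment_ready(events):
    """Containment is premature until the entry point is known and every host is explained."""
    return bool(entry_points(events)) and not unexplained_hosts(events)

if __name__ == "__main__":
    for ep in entry_points(EVENTS):
        print("entry point:", ep, "->", " -> ".join(attack_path(EVENTS, ep)))
    print("techniques:", techniques(EVENTS))
    print("unexplained:", unexplained_hosts(EVENTS))
    print("ready to contain:", containment_ready(EVENTS))
```

With the sample data, `fileserv02` has activity but no known inbound hop, so the check reports that containment would be premature until that gap is closed.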
Response Means Knowing When to Stop the Attack
It goes without saying that it is important to stop the intruder before they reach critical business services or move to another organization the company connects with. This is where the team’s skills come in; by collecting the maximum amount of data about the attack, they can enable planning the most effective response while still acting before the intruder can have a significant impact on the business.
Learn and Monitor the Network
IT security teams should have a clear picture of the whole enterprise network, including edge devices, endpoints, network segments and connected equipment. This is achievable through network monitoring, regular audits, scanning of connections and so on. For large enterprises with many entities, supply chains and subsidiaries, this is a must.
Implementing network audits and monitoring, along with measures such as policies and network segmentation, helps decrease the number of potential entry points.
Familiarity with the network is also crucial to understanding response—when to contain and eradicate an attack before it reaches critical business processes. At the eradication and remediation stages, all malware tools and traces should be removed from all endpoints, all compromised systems re-installed and credentials reset. Overlooking any piece of malware in the backend of the network can allow another round of attacks in the future.
The silver lining of these critical attacks is that the more time we spend investigating and observing them, the more we learn about the actors behind them and the more we can help organizations anticipate their methods. Threat intelligence and specific tools are designed to help enterprises detect malicious actions sooner, but expertise remains the crucial factor in detection, investigation, cleanup and avoidance of recurrence.
To this end, organizations are still faced with a choice: either to build an internal team of talent capable of leveraging useful threat intelligence and employing effective investigative and response functions, or to partner with a trusted, experienced third-party expert who can do this for them. Of course, a combination of the two is a logical choice for many; however, the absence of either will only become more consequential as sophisticated threats continue to evolve.