How attackers counter incident response after a data breach
It's not over until it's over. Explore how attackers use backdoors and evasion techniques to counter incident response measures even long after a data breach is disclosed.
By
Andrew KempsterGuest Contributor
Published: 16 Mar 2021
Cyber attacks are one of the biggest threats facing organizations today, particularly during the COVID-19 pandemic. A large contingent of the workforce now works from home, new devices are connected to the corporate network now more than ever and an increased number of business actions are conducted entirely online. This new work environment presents threat actors with more opportunities to enter corporate networks and exfiltrate or tamper with valuable data.
Recently, the SolarWinds attack illustrated how advanced persistent threat actors can remain hidden in a network for long periods of time undetected. With time, opportunity and investment on their side, threat actors have dug deep into organizations in attempts to stay hidden and further advance their goals.
It is critical that organizations know what to do after a data breach is detected by preparing a response plan to stop additional malicious activities. Here, we provide insight into how threat actors counter incident response and how security teams can stop threat actors from further embedding themselves inside an organization.
How attackers counter incident response measures
In situations where threat actors become aware of reactive measures, they will typically accelerate to their end goal, such as exfiltration of intellectual property or execution of ransomware. Advanced threat actors may have multiple tool sets deployed and switch to other means of conducting their activities to reduce the responders' visibility. Threat actors have also compromised email communications to monitor responders' communications.
Given the likelihood of attackers accelerating or changing course upon discovery of incident response engagement, affected entities should have current and tested playbooks, as well as incident response processes, to efficiently respond to a breach, thus reducing the time the attacker has to react. These plans should include a discussion of out-of-band communications platforms.
Tactics they use to stay in the system
Upon successful entry into an environment, threat actors will seek to implement persistence through multiple ingress avenues, such as backdoors, creating legitimate administrator accounts or installing remote control software. This removes the requirement to exploit a vulnerability or a human each time they wish to gain access. Obtaining multiple options for future entry into the environment strengthens the attackers' foothold and ability to return even after discovery and intervention by an incident response team. Affected entities should implement effective network and endpoint monitoring to identify anomalies and react accordingly.
Some advanced threat actors have completed their activities by using the tools provided to them on the endpoints without ever needing to introduce malicious code to the environment.
How they hide from detection
Advanced threat actors will frequently attempt to live off the land by using legitimate software, which will not tend to trigger antivirus or endpoint detection and response technology. These software types are commonly known as Living Off The Land Binaries, or LOLBins, and can be any legitimate software that threat actors use to achieve their goals. For example, the PuTTY suite is commonly used by system administrators to complete day-to-day tasks and is often included in standard client desktop builds. While this provides convenience for the system administrators, it is also a set of tools a threat actor can use to establish SSH sessions, collect further tools from staging servers and move data around -- all through encrypted channels. Some advanced threat actors have completed their activities by using the tools provided to them on the endpoints without ever needing to introduce malicious code to the environment.
How they use backdoors to return when the coast is clear
Backdoors can range from installed code on endpoints to new administrator accounts. Persistence mechanisms on endpoints will typically be a service, scheduled task, registry "run" key or even entries within the Startup folder for the user profile. They can also use compromised or maliciously created accounts to retain remote access -- if remote access is available or the installation of the remote control software is not blocked.
How incident response teams can counter attacker techniques
Incident response does not necessarily fall to a single team, and preparatory activities should be undertaken to advance any security response capability. It may also be beneficial to enlist an expert third party if the security team does not have incident response expertise in-house.
The core incident response team will lead the charge. However, they should call upon key departments and technology owners within the business to add layers of visibility, experience and knowledge. Utilizing the available technology and the knowledge of others within relevant business units will make the discovery of anomalous activity and software or code an easier task.
Some standard activities can be undertaken ahead of any security incident to pave the way for more efficient and expedited responses. Though it will differ from business to business and incident to incident, this dynamic list of activities may include the following:
Identification, assessment and eventual utilization of out-of-band communications platforms -- communications channels that are not hosted internally or on networks owned or managed by the affected entity -- as much as possible to reduce the risk of threat actors intercepting messages. Access to these communications channels should be on an approval-only basis and auditable.
Development and testing of incident response processes and playbooks in advance of any security incidents. These should include key departments and technology owners who can be called upon to assist responders and address common cybersecurity incidents.
Allowlisting of software that is considered acceptable within the business environment. All exceptions should require official application, review and sign-off before approval.
Development of an identity and access management policy that defines the principle of least privilege to reduce unnecessary user privilege. In turn, this reduces the risk of data deletion, corruption or change -- whether inadvertently or maliciously -- or the use of privileged access by compromised accounts.
Development of a standard endpoint build to include only the minimum software required across all business units. Software falling outside this scope will be covered by allowlisting and the allowlisting application process.
Network segmentation to enable monitoring or closure of specific affected areas.
Security teams must be prepared for what to do after a breach -- whether themselves or with the help of an expert third party -- in order to prevent further damages by threat actors. By understanding how threat actors counter incident response teams, organizations can better recognize the warning signs of attack and form action plans to respond swiftly.
About the author
Andrew Kempster is a principal DFIR consultant and technical lead at Trustwave. He has been a digital forensics and incident response practitioner since 2005, working for law enforcement, government and private sector companies.
