This playbook is common because it is easy to execute and often successful. In fact, it is so common that we sometimes counsel our clients to skip the phishing phase of an engagement and assume breach, where a user has executed a phishing payload (this is called a “white card”).
“60% of the time, it works every time.” – Brian Fantana, Anchorman
Targeted attacks and untargeted attacks often use differing tactics, techniques, and procedures (TTPs) to carry out their objectives. I will largely cover targeted attacks in this post, though the sophistication of untargeted attacks is vastly increasing.
Code Execution on the Remote Computer
“Your things are now my things through my actions.” – Mooninites, Aqua Teen Hunger Force
If a payload successfully executes on the victim’s machine, the attacker will then install persistence, or a way to get back into the computer if it’s temporarily disconnected from the internet or rebooted. Persistence payloads often take the form of a “beacon” that pseudo-randomly “calls” out to the internet and a Command & Control (C2) server. The beacon checks for commands to run on the victim machine. Depending on the motives and sophistication of the attacker, this beaconing may happen as frequently as every five seconds or be spread out over hours, days, or weeks.
Reconnaissance is then run from the victim machine using the currently logged-in user’s credentials. Even a normal, unprivileged domain user has access to an incredible amount of information that is useful to an attacker. Sometimes the user is a local administrator, or has local administrator privileges on many workstations or servers.
Tools like BloodHound might be run to discover paths to becoming a Domain Administrator on the network. There are a number other techniques used to find this same information.
Privilege Escalation and Lateral Movement
“I hunt SysAdmins.” – @harmj0y
A targeted attacker is often looking for ways to completely take over your system and have guaranteed access to the information they’re seeking. There are many ways to perform this, but generally an attacker is looking for local admin accounts and domain admin accounts that they can somehow compromise. This may involve pivoting through the network seeking out credentials of high-integrity or privileged accounts. Trust relationships throughout the network are targeted and exploited.
Depending on the attacker motives and capabilities, a compromised email account (even originating from the original phishing victim) may be used to send further phishing emails from within the organizations own email server.
Once a higher-level access is gained, the attacker will seek to accomplish their goals whether it’s stealing patient data, trade secrets, or denial of services (destruction).
The Post-Compromise Gift that Keeps on Giving
“All your base are belong to us.” – CATS, Zero Wing
If you’re facing a long-term operation from a targeted attacker, they’re likely going to install some form of long-term persistence that will call out to their C2 over very long intervals. In some recorded cases this beaconing has been 2-4 weeks. These long-term pseudo-random intervals can prevent incident responders from identifying suspicious network traffic as the activity occurs so infrequently as to be almost invisible.
It has also been proposed that some targeted operations sell access to victim networks post-compromise. The initial attacker accomplishes their goals, such as stealing data, and then sells access to a crime-ware organization who may leverage that access to install ransomware.
In a long-term persistence mode, the attacker may be harvesting data over weeks, months, and sometimes years—it’s the gift that keeps on giving.
Some cases, such as Sony, destruction or denials of service is the ultimate goal. Once the network has been totally and completely compromised, the attacker begins altering and/or destroying data. The most effective attacks begin this malicious activity weeks or months before performing more overt activities as to ensure their destructive actions are recorded in recent backups.
Take Back Control and Shore Up Defense
Inoculate Yourself against Dormant Cyber-Pathogens
Let’s look at the chain of events that lead from “everything is ok”, to “everything is on fire”.
This is a “back of the napkin over beers” list of fixes. Almost none of these are easy, but each one does mitigate your risk.
Risk can be significantly reduced by actualizing the preceding steps. As an investment in improving your system’s security posture, these steps are requisite for any healthy network.