
An Attempted Breach from the Attacker’s Point of View

By Jason Wood, Threat Hunter — Apr 11, 2019

Today’s news is full of data breaches and security incidents. What was once only of interest to a small portion of the technical world is now attracting more attention and questions from the non-technical population of the world. I first realized that times had changed when family members who had previously been adamantly uninterested in technology started asking me questions about a data breach they’d heard about through mass media. My explanation of what happened usually boiled down to: an attacker gained a foothold inside of a company’s network then moved from that initial system to more interesting hosts. Eventually, the attacker found the data they wanted and exfiltrated it out of the victim organization. Company executives’ exclamations of dismay followed the discovery that the attacker had been in the network for a while but hadn’t been caught.

For the past six years I have worked as a penetration tester and have successfully accessed data that I should never have reached. The experience my colleagues and I have had is that once we gain that initial foothold, we nearly always find our way to sensitive areas of the organization. A frequently used description has been, “hard and crunchy on the outside, but soft and squishy on the inside.” Once you are in, you can move around with impunity because segmentation is nearly non-existent. Once you compromise a few usernames and passwords, it’s game on!

Recently, things have started to change, and it’s because of one network organizing principle that’s starting to catch on: zero trust. The idea behind zero trust environments is eliminating the soft inside while keeping things running smoothly for employees who work in this environment. The idea is that being inside the network no longer means you have nearly full access to hosts or applications. A username and password will no longer unlock all the doors that are meant to keep attackers out.

What would it look like to an attacker who has broken into an organization? Let’s take a look.


Zero Trust from the Attacker’s Point of View

Let’s call our example attackers the Wile E. Attacker Group. They have decided that ACME Inc. has something they want. After some debate, Wile E. chooses to start the attack with a phishing campaign to land their initial footholds in ACME’s environment. Part of the team begins gathering information about likely targets for the emails, and others start working on the payloads to embed in malicious documents, attachments, and websites. Wile E.’s basic plan is to establish some initial points of access and then move laterally to other hosts. To avoid appearing to be an active campaign, they move slowly while determining what kinds of email filtering ACME has in place. After some initial roadblocks, Wile E. figures out a way to send their messages without being quarantined or rejected. At this point, emails are sent to the intended victims.

The Wile E. Group watches for a bit and sees several indications that people are looking at the malicious documents and websites. After a little while, a few victims execute the payloads, and the attackers now have access to systems inside ACME! They are aware that with this initial access, the real work has now begun. They have to avoid detection as they work their way towards the data they have targeted. What they do not know yet is that ACME has implemented a zero trust model for the environment.

Because they need to avoid detection as much as possible, the Wile E. Group has decided to move slowly. Their attack plan looks something like this:

  1. Map out the internal environment, determine where hosts are located, find where resources are stored, and discover who the significant users are
  2. Capture credentials from victim users to use in lateral movement, or at least ride their existing sessions
  3. Carefully spread to other systems and work closer to finding/accessing/exfiltrating data

Once they are inside, the attackers begin exploring the environment to discover where things are. This initial discovery goes well at first. They gather up information on the compromised systems to learn more about how things work inside ACME. They successfully collect credentials from their footholds. They perform DNS queries to look up hosts and services that are inside the network. DNS queries are expected activity for workstations, so this doesn’t cause any immediate preventions or alerts. But when the attackers try to access other hosts, things start to go wrong. Access is not working as expected. What’s happening? Why can’t Wile E. use their normal tactics and techniques to progress the attack?

Things Start to Go Wrong

One of the Wile E. Group’s typical tactics is to run PowerShell commands to access other hosts. PowerShell is built into the Windows operating system and is a very powerful tool. Its functionality allows the attackers to avoid introducing custom code into the victim organization. The less custom code introduced to the target, the less likely the attackers are to be caught by traditional anti-virus.

Something is different at ACME though. Wile E.’s PowerShell-based attacks are not working, and something is blocking them. Perhaps ACME has implemented security controls to restrict the use of PowerShell on these systems? After all, this has become a method of attack that defenders have become much more aware of and are acting on.

The attackers regroup to discuss and start looking a bit more carefully at the compromised systems. Someone notices that the security software installed on these systems involves zero trust access control. The game has gotten much more difficult if this technology has been implemented well. The Wile E. Group must now come up with new tactics to deploy, and this slows them down. They start worrying about whether their attacks will be detected. The longer they work in ACME’s environment, the more time ACME has to discover them.

Wile E. determines that, instead of their usual tactics, they can migrate their activity into a running application such as Outlook and communicate with the Exchange server on the other side. Other applications running on the workstation can communicate with specific applications on other hosts, but that is all. That access isn’t enough, though; they need to break out of these restrictions.

Attackers Change Tactics

The Wile E. Group decides to take the step of introducing compiled tools that use the .NET Framework. This change is an unusual step for them, and the team is uncomfortable with the decision. However, their usual methods aren’t working, so they have to change the attack plan. Their new code is downloaded to the victim systems and execution is attempted. The attempts fail and they aren’t getting anywhere. Stress is increasing as fellow Wile E. actors are now pressuring them to get the data they have been assigned to retrieve.

Meanwhile, ACME hasn’t been ignoring the activity of Wile E. At first, it looked like a few odd security alerts and the ACME team wasn’t alarmed. As the activity continued, the security team started investigating. Their tools provided the insight they needed into what the attackers were doing, and their incident response process was engaged. They were able to profile what was happening and which hosts were behaving unusually. The incident response team quarantined the systems and was able to remove them from the environment. The Wile E. Group was back to square one. What happened?

Zero Trust in Action

One of the problems the Wile E. attackers encountered was ACME’s implementation of zero trust access control. ACME had spent the time to deploy the necessary tools, such as Edgewise, to profile normal activity in their environment. They implemented microsegmentation based on which applications were authorized to communicate with other applications on other hosts. They also spent the time to tune and work with the security data provided by these tools. Any project of this scope is not a simple one to implement, but the visualization tools and recommendations from the software made it possible to implement without creating chaos for ACME’s employees and processes.

When the Wile E. Group gained initial access to ACME’s environment, their activity may not have been immediately suspicious. Workstations communicate with hosts on the internet using web browser components. They started running into trouble when they attempted to move laterally. Just how often is it acceptable for a workstation to connect directly to other workstations? Rarely. It may be normal for helpdesk staff to do so, but their work was already profiled and approved during the zero trust implementation. The same cannot be said for a marketing employee’s workstation.

The lateral movement attempts could not be authenticated because they did not match the authorized behavior, applications, and network protocols between these two systems and their applications. Authentication required more than a username and password in this security model. As a result, the Wile E. Group was more visible than normal and their progress was slowed. ACME had more time available to analyze the attackers’ activity and to determine what was happening. Wile E.’s activity became even more visible when they had to change tactics and deviate even further from the expected behavior of these systems.

ACME had several advantages that Wile E. was not prepared to encounter in this incident. Instead of depending on traditional firewalls and anti-virus products to protect them, they took the point of view that internal host traffic was not automatically trusted and considered authorized. Authentication required much more than user credentials. Applications are authenticated against each other. When the attackers failed to meet these requirements, their access was denied, and alerts were created. Their hostile activities didn’t blend in with expected behaviors and became more visible. The attackers were also slowed down significantly, and defenders were given more time to identify and prevent further compromise. In this case, because of zero trust-based network controls, the result was a security incident that required remediation, but no substantial breach of sensitive data. ACME’s security and operations teams scored a big win for the business and Wile E. had to retreat without the sensitive data they’d expected to easily access.
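The default-deny, application-to-application model described in this section can be sketched as a small policy evaluator. This is an added example, not code from the original article or from any vendor's product; the host names, roles, application names, and alert threshold are constructed, and plain process names stand in for whatever verified application identity a real deployment would use.

```python
from collections import Counter
from typing import NamedTuple

class Flow(NamedTuple):
    src_host: str
    src_role: str   # profiled role of the source host (assumed label)
    src_app: str    # application opening the connection
    dst_role: str   # profiled role of the destination host
    dst_app: str    # application receiving the connection
    proto: str

# Constructed allowlist built from "profiled normal activity":
# (source role, source app, destination role, destination app, protocol).
# Anything not listed is denied, whatever credentials accompany it.
POLICY = {
    ("workstation", "outlook.exe", "mailserver", "exchange", "https"),
    ("workstation", "browser.exe", "internet", "*", "https"),
    ("helpdesk", "remoteassist.exe", "workstation", "remoteassist-agent", "rdp"),
}

def allowed(flow):
    """True only if the whole app-to-app tuple matches an authorized path."""
    for src_role, src_app, dst_role, dst_app, proto in POLICY:
        if ((flow.src_role, flow.src_app, flow.dst_role, flow.proto)
                == (src_role, src_app, dst_role, proto)
                and dst_app in ("*", flow.dst_app)):
            return True
    return False

def evaluate(flows, alert_threshold=2):
    """Return per-flow decisions and the hosts whose denials warrant triage."""
    decisions = [(f, "allow" if allowed(f) else "deny") for f in flows]
    denials = Counter(f.src_host for f, d in decisions if d == "deny")
    suspects = sorted(h for h, n in denials.items() if n >= alert_threshold)
    return decisions, suspects

# Constructed connection attempts mirroring the story above.
SAMPLE = [
    Flow("mkt-ws-07", "workstation", "outlook.exe", "mailserver", "exchange", "https"),
    Flow("mkt-ws-07", "workstation", "powershell.exe", "workstation", "remote-mgmt", "http"),
    Flow("mkt-ws-07", "workstation", "powershell.exe", "fileserver", "file-share", "smb"),
    Flow("hd-ws-02", "helpdesk", "remoteassist.exe", "workstation", "remoteassist-agent", "rdp"),
    Flow("mkt-ws-07", "workstation", "custom-tool.exe", "fileserver", "file-share", "smb"),
]

if __name__ == "__main__":
    decisions, suspects = evaluate(SAMPLE)
    for flow, decision in decisions:
        print(f"{decision:5} {flow.src_host} {flow.src_app} -> {flow.dst_role}/{flow.dst_app}")
    print("investigate:", suspects)
```

The marketing workstation's mail traffic is allowed, while its workstation-to-workstation and file-server attempts are denied and accumulate into a single host to quarantine; the helpdesk host's profiled remote-assistance path is unaffected.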


Written by Jason Wood, Threat Hunter

Jason Wood has been a penetration tester for the last seven years as a consultant and an internal penetration tester. He recently moved back to defense as a threat hunter. Through his consulting, Jason has years of experience advising clients on their security programs and performing penetration tests for them. His clients have spanned a wide variety of industries, including health care, financial services, SaaS businesses, government agencies, and critical infrastructure. He has more years of experience in security testing, threat hunting, and systems administration than he would like to admit. Jason is also a member of the Security Weekly podcasts and appears weekly on Hack Naked News.