As we start looking at attacker activity and common network vulnerabilities, we need to talk about initial methods of ingress – how attackers are able to get into your environment prior to being able to move around. We've summarized three very popular methods of ingress (common cyber security threats). These are not fully comprehensive, but we'll talk through them quickly. Spear phishing is where we have an attacker sending a tailored document with either a malicious attachment or a malicious link to a user hoping to fool them into downloading malware and allowing the attacker to get into the network and move around. Vulnerability exploitation, taking a look at your Internet facing systems, identifying what they are, identifying if there are public vulnerabilities or zero days that they can use to get in. Social engineering, this may be cold calling help desk technicians. This may be using websites like LinkedIn to identify your key users or most privileged users and attempting to trick them into giving you access or getting passwords into the environment.
Once an attacker has made their way in, they're going to perform reconnaissance. They need to know where they are prior to trying to accomplish their mission, whether that's going to be defacement, industrial espionage, those sorts of things. They need to know where they are and where the privileged information is. Often, what we're going to see them do is we're going to see them use standard Windows commands like ping, net, ipconfig to get some information about the systems so that they can understand where they are, what access levels they have, and how they can escalate their privileges in order to move. Once they've identified an avenue for escalating privileges or moving to systems that the user they are running as has access to, they're going to start using a couple of techniques either with standard Windows commands or external tools to be able to move to other systems, try to find file servers, try to find domain controllers or additional credentials, and ultimately escalate their privileges to that of a domain administrator or a highly privileged user.
When they have escalated their privileges to the highest level possible, they're really going to start digging. They're going to find any information that they can, they're going to package up that information, and they're going to need to move it out of the network. That may be over HTTP. They may be building RAR archives or other ways of compartmentalizing that data and compressing it. Their end goal is to move, find data, get that data out, and oftentimes maintain persistence so that they can continue to find more information as it's generated by your employees.
That is a brief rundown of how attackers move through your environment. Please join us next week for Whiteboard Wednesday.
