Attacker techniques, tactics and procedures (TTPs) are constantly evolving — and RSA Conference is the perfect place to get intel on the latest attack trends.
Get to know the attack trends that were most prevalent at RSA, including trends discussed in the popular annual keynote The Five Most Dangerous New Attack Techniques, which featured a panel of five SANS instructors.
Most of us are familiar with living off the land, a technique that involves threat actors using tools that already exist within an environment to avoid detection. However, with the popularity of cloud services, attackers are also taking advantage of cloud services to stealthily infiltrate an environment — a technique that Katie Nickels, Certified SANS Instructor and Director of Intelligence at Red Canary, dubbed “living off the cloud.”
Adversaries use cloud services for the same reasons that organizations do: it’s easy, cheap and convenient to set up infrastructure, Nickels said.
“As a defender looking at network traffic, it’s tough to tell whether cloud traffic is legit or benign,” she said.
Threat actors can also use cloud services to get past firewalls and proxies, she added. One example is ngrok, a tunneling service that exposes a service running on the attacker's own machine through a public URL on ngrok's domain. Because that hostname belongs to a widely used, reputable service, it passes as legitimate in a phishing lure, and the victim's outbound connection to it is tunneled back to the attacker. Payloads and command-and-control traffic therefore cross the firewall as ordinary outbound HTTPS to a known cloud domain.
How does detection and response need to change in order to protect against these new threats?
“Know what’s normal for cloud services in your environment to identify the bad stuff,” Nickels said.
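One way to put Nickels' advice into practice is to baseline which cloud destinations each host normally talks to and alert on what falls outside it. The following is an added example written for this article, not code from the panel or from any vendor: it learns a per-host baseline from a learning window of constructed proxy log lines, then flags two things in later traffic, known tunnel-service hostnames (the ngrok suffixes listed are assumed to be current and should be kept up to date) and first-seen cloud destinations, escalating when a large upload accompanies the new destination. The log format (timestamp, host, user, destination, bytes sent) and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not real traffic). Format, assumed for this example:
# <timestamp> <source host> <user> <destination hostname> <bytes sent by client>
BASELINE_LOGS = """\
2022-06-01T09:00:01 ws-101 alice login.microsoftonline.com 4120
2022-06-01T09:00:05 ws-101 alice graph.microsoft.com 88213
2022-06-01T09:02:11 ws-101 alice slack.com 10240
2022-06-01T09:03:00 ws-202 bob login.microsoftonline.com 3910
2022-06-01T09:04:42 ws-202 bob storage.googleapis.com 512000
""".splitlines()

NEW_LOGS = """\
2022-06-08T14:12:09 ws-101 alice login.microsoftonline.com 4090
2022-06-08T14:13:30 ws-101 alice 4f2a-203-0-113-7.ngrok-free.app 1024
2022-06-08T14:13:31 ws-101 alice 4f2a-203-0-113-7.ngrok-free.app 2300
2022-06-08T14:20:00 ws-202 bob storage.googleapis.com 9000
2022-06-08T14:21:00 ws-202 bob transfer.sh 4500000
""".splitlines()

# Hostname suffixes used by ngrok tunnels (assumed list; keep it current for your environment).
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok.app", ".ngrok-free.app", ".ngrok.dev")
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, user, dst, nbytes = m.groups()
    return {"ts": ts, "host": host, "user": user, "dst": dst.lower(), "bytes": int(nbytes)}


def registrable_domain(fqdn):
    """Collapse a hostname to its last two labels.

    This is a simplification: a real deployment should use the public suffix list
    so that e.g. example.co.uk is handled correctly.
    """
    return ".".join(fqdn.rsplit(".", 2)[-2:])


def build_baseline(lines):
    """Learn, per source host, the set of domains seen during the learning window."""
    baseline = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec:
            baseline[rec["host"]].add(registrable_domain(rec["dst"]))
    return baseline


def detect(lines, baseline, large_bytes=1_000_000):
    """Return (alert type, host, destination) tuples for traffic outside the baseline.

    Tunnel-service hostnames are always flagged. Any other domain a host has not
    talked to before is flagged as a new cloud destination, with a stronger alert
    when the first contact already carries a large upload.
    """
    alerts = []
    seen = set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        dst = rec["dst"]
        key = (rec["host"], dst)
        if key in seen:
            continue  # one alert per host/destination pair
        if dst.endswith(TUNNEL_SUFFIXES):
            alerts.append(("tunnel_service", rec["host"], dst))
            seen.add(key)
            continue
        if registrable_domain(dst) not in baseline.get(rec["host"], set()):
            kind = "new_cloud_destination_large_upload" if rec["bytes"] >= large_bytes else "new_cloud_destination"
            alerts.append((kind, rec["host"], dst))
            seen.add(key)
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_LOGS, build_baseline(BASELINE_LOGS)):
        print(alert)
```

The baseline here is deliberately per host rather than global: a file-sharing domain that is normal for one team is still worth a look when it first appears on a workstation that has never used it, which is the "what is normal for your environment" question the quote raises.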
Multi-factor authentication (MFA) is still an incredibly powerful security control, but organizations should also be aware that misconfigurations can hinder its effectiveness.
Nickels highlighted a 2021 attack in which a Russian state-sponsored actor gained initial access into an environment using compromised credentials and enrolling a new device in the organization’s Duo MFA.
According to the CISA alert: “The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo’s default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.”
Continue to use MFA, Nickels emphasized, but be thoughtful in how it’s implemented — for example, ensure inactive accounts are disabled uniformly across Active Directory and MFA. Organizations should also monitor for unusual behavior and login sources.
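The Duo case is a gap between two systems that each looked fine on their own: the account was dormant in the MFA service but still enabled in the directory. The example below is added here and is not code from the panel, CISA or Duo. It reconciles a constructed Active Directory export against a constructed MFA enrollment export, flagging accounts that are dormant but still enabled in AD, accounts that are enabled without any enrolled second factor (exactly the state that lets a new device be enrolled on first use), and accounts in a bypass status. It also shows the detection side: a new-device enrollment on an account whose last directory logon is older than the dormancy threshold. The export fields, the status names and all account data are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

DORMANT_DAYS = 90
# Fixed clock so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2022, 3, 15, tzinfo=timezone.utc)

# Constructed AD export (not real accounts): account name, enabled flag, last logon (ISO 8601).
AD_USERS = [
    {"sam": "alice",       "enabled": True,  "last_logon": "2022-03-14T08:12:00+00:00"},
    {"sam": "jdoe",        "enabled": True,  "last_logon": "2021-11-02T17:40:00+00:00"},  # dormant, still enabled
    {"sam": "contractor7", "enabled": False, "last_logon": "2021-06-01T09:00:00+00:00"},  # correctly disabled
    {"sam": "svc-backup",  "enabled": True,  "last_logon": "2022-03-15T01:00:00+00:00"},
]

# Constructed MFA export (field names assumed): username, whether any device is enrolled, status.
MFA_USERS = [
    {"username": "alice",       "enrolled": True,  "status": "active"},
    {"username": "jdoe",        "enrolled": False, "status": "active"},  # un-enrolled after inactivity
    {"username": "contractor7", "enrolled": False, "status": "active"},
    {"username": "svc-backup",  "enrolled": True,  "status": "bypass"},  # MFA skipped entirely
]


def _is_dormant(last_logon_iso, now, dormant_days):
    return (now - datetime.fromisoformat(last_logon_iso)) > timedelta(days=dormant_days)


def reconcile(ad_users, mfa_users, now=NOW, dormant_days=DORMANT_DAYS):
    """Return (account, finding) pairs where the directory and MFA states disagree.

    A disabled AD account produces no findings: once the directory refuses the
    login, the MFA state no longer matters.
    """
    mfa = {u["username"].lower(): u for u in mfa_users}
    findings = []
    for u in ad_users:
        sam = u["sam"].lower()
        if not u["enabled"]:
            continue
        m = mfa.get(sam)
        if _is_dormant(u["last_logon"], now, dormant_days):
            findings.append((sam, "dormant_but_enabled_in_ad"))
        if m is None or not m["enrolled"]:
            # Nothing to authenticate against: the next login can enroll any device.
            findings.append((sam, "enabled_without_mfa_enrollment"))
        if m is not None and m["status"] == "bypass":
            findings.append((sam, "mfa_bypass_status"))
    return findings


def check_enrollment_event(event, ad_users, now=NOW, dormant_days=DORMANT_DAYS):
    """Return an alert string for a new-device enrollment on a dormant account, else None.

    `event` is a constructed record such as {"username": "jdoe", "ip": "203.0.113.50"};
    the real field names depend on the MFA provider's log format.
    """
    ad = {u["sam"].lower(): u for u in ad_users}
    u = ad.get(event["username"].lower())
    if u is None:
        return f"new device enrolled for account not present in AD: {event['username']}"
    if _is_dormant(u["last_logon"], now, dormant_days):
        return f"new device enrolled on dormant account {u['sam']} from {event['ip']}"
    return None


if __name__ == "__main__":
    for finding in reconcile(AD_USERS, MFA_USERS):
        print(finding)
    print(check_enrollment_event({"username": "jdoe", "ip": "203.0.113.50"}, AD_USERS))
```

Run the reconciliation on a schedule and treat every finding as a ticket: the fix for the first finding is to disable the account in AD, which also makes the second one moot. The enrollment check belongs in the SIEM, keyed on the MFA provider's enrollment events, so that the scenario in the CISA alert is visible at the moment it happens rather than at the next review.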
Another consideration with MFA is lost or stolen tokens, said Johannes Ullrich, Dean of Research at SANS Technology Institute.
“How are you dealing with lost, stolen, or broken second factor [tokens]? How are you recovering them?” Ullrich said.
Ullrich recommended purchasing multiple second factors per person, particularly where FIDO hardware authenticators are in use.
“Give people a chance to move from one hardware authenticator to another by allowing them to register multiple authenticators,” he said.
Backups are often the last line of defense for ransomware, but backup software can also have flaws, Ullrich said.
Several backup products, including Veeam, IBM Container Backup and NetApp, have had exploitable vulnerabilities disclosed over the past year. Because backups are a treasure trove of data for extortion, this is particularly problematic.
In a "ghost" backup attack, the attacker breaches the backup controller, adds a backup job of their own and points it at attacker-controlled storage, so that the backup software itself copies the data out.
Ullrich recommends inventorying backup jobs on a regular basis and using end-to-end encryption, including encryption at rest, for off-site backups.
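The inventory Ullrich recommends is only useful if it is compared with something. The following is an added example, not code from the panel or from any backup vendor: it audits a constructed export of current backup jobs against the inventory signed off at the last review and against an allowlist of approved repositories. It flags jobs that are not in the signed-off inventory (the "ghost" job), jobs whose definition has changed, jobs writing to an unapproved destination, and off-site repositories without encryption at rest. The job export format, repository names and job data are assumptions for the example.

```python
import json

# Approved repositories and their properties (assumed names; take these from your own platform).
APPROVED_REPOSITORIES = {
    "repo-onprem-01":   {"offsite": False, "encrypted": True},
    "repo-offsite-s3":  {"offsite": True,  "encrypted": True},
    "repo-offsite-tape": {"offsite": True, "encrypted": False},  # misconfigured: off-site but unencrypted
}

# Constructed inventory as signed off at the last review (not a real export).
PREVIOUS_INVENTORY = json.loads("""
[
  {"id": "job-001", "name": "Daily-FileServers", "repository": "repo-onprem-01",   "owner": "backup-admin"},
  {"id": "job-002", "name": "Weekly-Offsite",    "repository": "repo-offsite-s3",  "owner": "backup-admin"},
  {"id": "job-003", "name": "Monthly-Archive",   "repository": "repo-offsite-tape","owner": "backup-admin"}
]
""")

# Constructed current export. job-017 is the ghost job: a near-duplicate name (note the
# trailing space), a different owner, and a destination nobody approved.
CURRENT_INVENTORY = json.loads("""
[
  {"id": "job-001", "name": "Daily-FileServers", "repository": "repo-onprem-01",   "owner": "backup-admin"},
  {"id": "job-002", "name": "Weekly-Offsite",    "repository": "repo-offsite-s3",  "owner": "backup-admin"},
  {"id": "job-003", "name": "Monthly-Archive",   "repository": "repo-offsite-tape","owner": "backup-admin"},
  {"id": "job-017", "name": "Daily-FileServers ","repository": "s3://bkp-sync-7731","owner": "svc-monitor"}
]
""")


def audit(previous, current, approved):
    """Return (job id, finding) pairs describing drift from the signed-off inventory.

    Every current job is checked for presence and unchanged definition, and for an
    approved destination; approved off-site destinations are additionally required
    to encrypt data at rest. Jobs that disappeared are reported too, since deleting
    a job is one way to make a later restore fail.
    """
    prev = {j["id"]: j for j in previous}
    findings = []
    for j in current:
        jid = j["id"]
        if jid not in prev:
            findings.append((jid, "job_not_in_signed_off_inventory"))
        elif prev[jid] != j:
            findings.append((jid, "job_definition_changed"))
        repo = j["repository"]
        if repo not in approved:
            findings.append((jid, f"unapproved_destination:{repo}"))
        elif approved[repo]["offsite"] and not approved[repo]["encrypted"]:
            findings.append((jid, "offsite_repo_without_encryption_at_rest"))
    for jid in sorted(prev.keys() - {j["id"] for j in current}):
        findings.append((jid, "job_missing_from_current_inventory"))
    return findings


if __name__ == "__main__":
    for finding in audit(PREVIOUS_INVENTORY, CURRENT_INVENTORY, APPROVED_REPOSITORIES):
        print(finding)
```

Keep the signed-off inventory somewhere the backup controller cannot write to; if the attacker who adds the ghost job can also rewrite the baseline, the comparison proves nothing.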
Shiny new techniques are always interesting to learn about, but experts at RSA emphasized that old techniques are very much still in use.
“If you’re an attacker, you want access. Why not use what simply works already?” said Heather Mahalik, DFIR Curriculum Lead and Sr. Director of Digital Intelligence, SANS Institute and Cellebrite in the panel.
Stalkerware, for example, is software that lets someone remotely monitor a user's device without their consent. The distinction from spyware is mainly who deploys it: spyware is associated with government agencies and law enforcement, while stalkerware is used by individuals.
Threat actors gravitate towards stalkerware because it is relatively cheap and easy to obtain, said Mahalik.
Pegasus, developed by the Israeli company NSO Group and sold to government clients, is an example of "zero-click" spyware: it can infect iOS or Android devices without the user clicking on anything.
Worms are another older technique that still dominates the threat landscape; they were a top threat in Red Canary's 2020 Threat Detection Report, said Mahalik.
“It may not be the sexiest thing to be like, ‘I’m going to evaluate a worm,’” Mahalik said, “But WannaCry is still impacting security from 2017.”
“Don’t let the shiny APTs distract you,” she continued, reminding organizations to go “back to the basics” to ensure that their attack surface is protected.
Our recent research report, The State of Detection and Response, highlighted similar trends. There are only so many actions a threat actor can take to infiltrate an environment, and once threat actors find a method that works, they are likely to reuse it.
Blumira's first State of Detection and Response report is based on 33,911 findings across a sample of 230 organizations, collected over the course of 2021.
In this report, you’ll learn: