3 Key Takeaways
- Comparing the cyber intrusion path to a burglar breaking into a house helps any audience understand the technical concepts underlying such cybersecurity frameworks as MITRE ATT&CK and the Cyber Kill Chain.
- Organizations need to adopt a cybersecurity posture focused on recognizing threat actors’ behavior once they have entered so they can minimize the harm caused.
- Data exfiltration detection is one of the most important, yet commonly overlooked, measures organizations can take to combat intrusions.
Understanding Cyber Intrusion Paths and Key Frameworks
As cyber threats increase in frequency and complexity, organizations must understand the typical path cyber intrusions take. Doing so can help them conduct more thorough incident response planning and establish proactive cybersecurity measures.
Several frameworks exist to explain the path of cyber intrusion. The MITRE ATT&CK framework, for instance, is an extensive catalog of the tactics and techniques threat actors use. The Cyber Kill Chain is another leading model, developed by Lockheed Martin, focused mainly on Advanced Persistent Threats (APTs)—highly sophisticated attacks along multiple vectors over a long time.
Although these frameworks, among others, are valuable, they aren’t without limitations. Implementing MITRE ATT&CK framework-informed security, for instance, can be difficult because the knowledge base’s sheer volume of information can overwhelm users who lack a certain level of cybersecurity expertise. The Cyber Kill Chain’s focus on APTs is vital, but may limit its applicability to other threats. Neither framework is guaranteed to analyze novel threats effectively.
NetDiligence® President Mark Greisiger and Devon Ackerman, Global Head of Digital Forensics and Incident Response (DFIR) for Cybereason, recently discussed Cybereason’s unique approach to understanding the path of a cyber intrusion.
“There are other fantastic frameworks,” said Devon. “My analogy isn’t meant to replace them. It’s meant to help any audience understand [them]. . . . Whenever you have some type of unauthorized access event . . . you have these stages.”
Read this summary of Devon’s analogy, followed by edited highlights of Mark’s conversation with him, and watch the full interview above.
The Five Stages of a Cyber Intrusion
Cybereason’s intrusion story uses the analogy of a burglar breaking into a house. This analogy follows the intruder through five steps:
1. Finding the Door
Threat actors wanting to stage a network intrusion must find a way in. This way is the initial exploit. It may or may not involve advanced, long-term reconnaissance. Internet-facing third-party software can also introduce vulnerabilities that criminals already know about and scan for, choosing a victim only after the scan turns one up.
2. Crossing the Threshold
Having gained a foothold in the targeted network, threat actors experience a “Where am I?” moment, as does anyone who enters a house they’ve never been in before. Criminals must take time to orient themselves.
3. Shining the Flashlight
Before they can explore their surroundings, threat actors need certain tools, or access they didn’t initially have. These tools won’t always trigger a network’s intrusion detection systems. “We sometimes see threat actors bring in a very normal tool,” said Devon, “something free off the internet.”
4. Sneaking Around
“Just like a physical intruder,” Devon explained, “as the threat actor starts to explore, they map out the ‘house.’ They map out the network—the relationships between ‘rooms,’ like relationships between employees and an organization. They start to identify how to move through the house.”
5. Taking the Prize
Regardless of the threat actor’s identity, their cyber intrusion ends in a prize moment. Criminals sponsored by nation-states often want research to benefit the sponsoring government’s intelligence. Organized e-crime is financially motivated—for example, a ransomware payment or a redirected wire transfer in a business email compromise.
Adopting a New Cybersecurity Posture
Mark Greisiger: Why do you feel the reconnaissance stage is a pivotal point in the cyber intrusion path? What cybersecurity measures can an organization take to detect and disrupt attackers at this stage?
Devon Ackerman: A lot of clients focus on stopping an intrusion. I’ve tried to educate them—through tabletops, incident response planning, talking to boards—that it’s not about keeping intruders out. You’re not going to in all scenarios, with all exploits. Let’s adopt an understanding that they’re going to get in.
Whatever network security monitoring software or whatever security operations center (SOC) we have, we need to move away from a mindset of, “Here’s an event, here’s another, here’s another,” and treating those events as individual tickets. We need to adopt an investigator’s mindset. If this event pops up here and this particular failed login pops up there, it’s like a bad guy breaking into a house. They’re going to go try doorknobs. They’re going to “Shine the Flashlight” in certain places. They’re going to try to disable the security system.
When we’re monitoring that activity in near-real time, if we’re not putting the big picture of the cyber intrusion path together, we can miss the threat actor moving through the environment. I’ve seen clients miss it because they’re treating the events as individual incidents versus one large story.
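The investigator’s mindset Devon describes, treating failed logins, a new tool and a disabled security control on the same host as one story rather than three tickets, can be written down as correlation logic. The following is an added example, not code from the interview or from Cybereason; the event log, host names, the mapping of event types onto the burglar stages, and the one-hour window and three-stage threshold are all constructed assumptions for illustration.

```python
"""
Correlate individual security events into a single intrusion 'story' per
host, instead of treating each alert as its own ticket.
Added illustration: the events, hosts and stage mapping below are
constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, event_type, detail).
# ws-17 shows the pattern of one intruder moving through the 'house';
# ws-04 is a user who mistyped a password once and then logged in.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:05", "ws-17", "auth_failure", "user=jdoe src=10.0.3.9"),
    ("2024-05-01T09:00:07", "ws-17", "auth_failure", "user=admin src=10.0.3.9"),
    ("2024-05-01T09:00:09", "ws-17", "auth_failure", "user=backup src=10.0.3.9"),
    ("2024-05-01T09:14:30", "ws-17", "new_binary", "path=C:\\Users\\Public\\scan.exe"),
    ("2024-05-01T09:20:01", "ws-17", "av_disabled", "service=EndpointProtection"),
    ("2024-05-01T09:35:44", "ws-17", "smb_sweep", "targets=42 subnet=10.0.3.0/24"),
    ("2024-05-01T11:02:00", "ws-04", "auth_failure", "user=mlee src=10.0.3.21"),
    ("2024-05-01T11:02:15", "ws-04", "auth_success", "user=mlee src=10.0.3.21"),
]

# Assumed mapping of event types onto the stages of the burglar analogy
# ("trying doorknobs", "shining the flashlight", "sneaking around", ...).
STAGE_OF_EVENT = {
    "auth_failure": "Finding the Door",
    "new_binary": "Shining the Flashlight",
    "av_disabled": "Shining the Flashlight",
    "smb_sweep": "Sneaking Around",
    "large_egress": "Taking the Prize",
}


def build_stories(events, window=timedelta(hours=1), min_stages=3):
    """Group events by host and return, per host, the longest ordered list of
    distinct stages observed inside one `window`, plus whether that host has
    crossed enough stages to be escalated as a single intrusion story."""
    per_host = defaultdict(list)
    for ts, host, etype, detail in events:
        stage = STAGE_OF_EVENT.get(etype)
        if stage:  # events with no stage mapping are ignored for the story
            per_host[host].append((datetime.fromisoformat(ts), stage, detail))

    stories = {}
    for host, items in per_host.items():
        items.sort()
        best = []
        # Slide the window over the host's timeline and keep the richest
        # sequence of distinct stages seen within it.
        for i, (start, _, _) in enumerate(items):
            seen = []
            for t, stage, _ in items[i:]:
                if t - start > window:
                    break
                if stage not in seen:
                    seen.append(stage)
            if len(seen) > len(best):
                best = seen
        stories[host] = {"stages": best, "escalate": len(best) >= min_stages}
    return stories


def render(stories):
    """Human-readable narrative, one line per host."""
    return "\n".join(
        f"{host}: {' -> '.join(s['stages'])}{'  [ESCALATE]' if s['escalate'] else ''}"
        for host, s in sorted(stories.items())
    )


if __name__ == "__main__":
    print(render(build_stories(SAMPLE_EVENTS)))
```

Run stand-alone it prints one line per host; ws-17 escalates because three distinct stages occurred within an hour, while the single failed login on ws-04 stays a low-value event. The threshold and window are the tunable part: lowering either trades fewer missed intrusions for more escalations an analyst has to read.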
Why Data Exfiltration Detection Matters
MG: What can organizations learn from the “Taking the Prize” stage to improve incident response planning and recovery strategies going forward?
DA: Let’s talk about ransomware. One hallmark of organized crime or e-crime groups is they will do some data exfiltration out of the environment before, or in close proximity to, the encryption event. We call this a double extortion ransomware attack.
One thing I highlight for ransomware victims when we’re reviewing lessons learned, or proactively when we’re doing a tabletop, is roadmapping how an organization can detect volumes of data leaving their environment—from servers that shouldn’t be talking to the internet, or data going to internet locations where they’ve never sent data before.
Organizations can build detection processes with whatever infrastructure, whatever ecosystem of technologies, causes those alerts to fire. This scenario assumes bad actors get to that “Taking the Prize” step, which would be unfortunate. But if they have, one item I see the least is proper traffic monitoring to detect data leaving the environment.
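The detection roadmap Devon outlines, volumes of data leaving from servers that should never talk to the internet and data going to destinations the organization has never sent to before, can be expressed over ordinary flow or proxy records. Below is an added example that is not part of the interview and is not Cybereason's product logic; the allow-list of internet-facing hosts, the learned baseline of known destinations and daily byte counts, the flow records, and the thresholds are all constructed assumptions.

```python
"""
Detect bulk data leaving the environment using three checks:
  1. an internal-only server talking to an external address at all,
  2. a large transfer from an allowed host to a destination never seen before,
  3. a host's daily egress volume far above its learned baseline.
Added illustration: policy, baseline and flow records are constructed.
"""
import ipaddress
from collections import defaultdict

# Address space treated as 'inside'. Anything else is 'the internet'.
# (Explicit list rather than ipaddress.is_global so the documentation
# ranges used as constructed external destinations below count as external.)
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed policy: hosts permitted to reach the internet directly.
INTERNET_ALLOWED = {"web-01", "proxy-01"}

# Constructed baseline learned from prior weeks: (host, destination) pairs
# seen before, and typical bytes sent per host per day.
KNOWN_DESTINATIONS = {("web-01", "203.0.113.10"), ("proxy-01", "198.51.100.7")}
DAILY_BASELINE_BYTES = {"web-01": 2_000_000_000, "proxy-01": 50_000_000_000}

# Constructed flow records for one day: (host, dst_ip, bytes_out).
FLOWS = [
    ("web-01", "203.0.113.10", 1_500_000_000),
    ("web-01", "203.0.113.10", 8_000_000_000),     # known peer, but far above baseline
    ("proxy-01", "198.51.100.7", 40_000_000_000),
    ("db-02", "10.0.5.20", 800_000_000),           # internal replication, fine
    ("db-02", "198.51.100.23", 35_000_000_000),    # database server pushing 35 GB out
    ("fileshare-01", "203.0.113.77", 120_000_000_000),
    ("proxy-01", "192.0.2.44", 9_000_000_000),     # allowed host, never-seen destination
]


def is_external(ip):
    """True when the address is outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_exfiltration(flows, min_new_dest_bytes=1_000_000_000, baseline_factor=3):
    """Return findings as (host, dst, reason, bytes) tuples."""
    findings = []
    egress_by_host = defaultdict(int)
    for host, dst, nbytes in flows:
        if not is_external(dst):
            continue  # only traffic leaving the environment matters here
        egress_by_host[host] += nbytes
        if host not in INTERNET_ALLOWED:
            findings.append((host, dst, "internal-only server talking to the internet", nbytes))
        elif (host, dst) not in KNOWN_DESTINATIONS and nbytes >= min_new_dest_bytes:
            findings.append((host, dst, "large transfer to never-seen destination", nbytes))
    # Volume check runs per host over the whole day, so many modest flows
    # to a known peer still add up to a finding.
    for host, total in egress_by_host.items():
        baseline = DAILY_BASELINE_BYTES.get(host, 0)
        if baseline and total > baseline_factor * baseline:
            findings.append((host, "*", "egress volume exceeds baseline", total))
    return findings


if __name__ == "__main__":
    for host, dst, reason, nbytes in detect_exfiltration(FLOWS):
        print(f"{host:13} -> {dst:15} {nbytes / 1e9:8.1f} GB  {reason}")
```

The first rule needs no baseline at all, only an inventory of which servers have a business reason to reach the internet; it is usually the cheapest of the three to deploy and the one that catches the scenario Devon highlights, a server that should never talk out suddenly sending gigabytes. The other two rules depend on how good the learned baseline is, so the destination list and daily volumes should be rebuilt from known-clean periods rather than from the week of the incident.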
Learn more about Cybereason’s ransomware protection for businesses.
Read Our Full Response Playbooks On the Most Common Types of Cyber Incidents
Start your 30-day free trial of Breach Plan Connect®, our turnkey solution for cyber incident response planning, today. Get critical insights on responding to the most common types of cyber incidents that organizations face today, like business email compromise, malware and ransomware attacks, and more!