Computer Systems Security Planning for Success

Reconnaissance is the act of collecting information about a target. This typically involves vulnerability scanning, network mapping, and phishing. Attackers are generally looking for weak links and a way in to the company. Understanding how reconnaissance is performed can help a security team pick up on the precursors to an incident.

Resource development involves acquiring infrastructure from which to deploy an attack. This may involve impersonation or custom tailoring exploits based on the results of the previous reconnaissance. In the resource development phase, all the actions needed to set the stage for an attack are performed.

Initial access refers to the first breach of security. There are many ways for this to occur, but some common ones are phishing, someone clicks on a link in an email, or through a compromised accounts. Attackers may find it easier to exploit the underlying software a corporation uses as is the case in a supply chain attack. There are even instances of attackers leaving rogue flash drives in common areas or attacking WiFi networks from nearby cars.

However it is performed, initial access is the first real compromise in an attack.

Execution involves running the commands or scripts needed to perform the rest of the attack. Much of this may be automated through PowerShell or BASH scripts. These scripts will exploit vulnerability, setup tasks to run, download and install software, and possibly even give attackers a foothold for internal spearphishing.

Persistence is the act of setting up a system or systems to continue to run the malware that has been implanted. This may involve autostart execution of scripts, init scripts on a Linux system, creating new accounts, scheduling tasks to run, or even implanting the code within or in place of another executable or macro-enabled document. With persistence, the attacker can be sure that even if the machine is restarted or not fully wiped the malicious code will run again.

Once an attacker has a foothold on the internal network they will typically work to elevate privilege. This may be done locally, through an exploit, by tricking the user into elevating the privileges of a running script, by stealing credentials over-the-wire, or by leveraging running system processes.

The key in this phase is that the security of the machine has been breached, but if the attacker does not have an admin account on the machine the actual extend of the damage may not be that bad. By elevating the privilege to an admin the attacker can fully control the asset.

It is important to note that while this is occurring, malware scanners, endpoint management software, and possibly even members of the SOC will be actively working to detect and remove malware. An attacker will take steps, typically automated, to make it had to detect their presence. This may involve disabling malware scanners, clearing logs, deploying in a container, running within an already running process, and other methods of obfuscation. Defense evasion makes the job of the security team that much harder.

With malware running on at least one machine, an attacker may attempt to steal credentials. This could involve logging key strokes, performing MitM attacks n the local network, brute force programs, cracking locally stored hashes, or exploiting password managers. Credentials give an attacker a means to log in to other machines on the network and expand their assets.

A malicious actor will try to collect as much information as possible about the environment in which they are operating. Knowing about available accounts, types of network traffic, running services, stored passwords, and security countermeasures help them make informed decisions regarding next steps. Internal policies can also be helpful, it’s much easier to guess passwords when you know the company password policy. Expect that at some point after initial access, an attacker will try to gain more information.

Lateral movement refers to moving across internal systems without any major change in privilege. This may refer to a compromised user account being used to compromise other user accounts. The more accounts an attacker has access to, the more effectively they can learn about the environment. Having access to multiple accounts also gives the attacker more options for persistence, credential access, and internal spearphishing.

Data can be collected from workstation keyboards, as well as laptop cameras and microphones. Local system data, shared drive data, and removable media data can all be harvested as well. Emails can be skimmed and stored and in some instances screen recordings may also be employed. Much like in Discovery an attacker is often after as much data as they can possibly collect.

Command and Control (C2 or C&C) refers to the process of setting up a channel between the compromised internal systems and an external system. This channel can be used to get data off the compromised machines and/or for putting malware on the machines. A C2 channel allows the operator to send interact with the compromised machines and even automate much of the work.

C2 protocols may try to piggyback on regular network traffic, or make use of services that are hard to trace. You’ll see encrypted C2 traffic on web protocols, DNS queries, mail protocols, or even chat protocols such as Discord. Lower level protocols like ICMP and UDP can also be used to avoid detection. C2 systems may make use of multiple channels or different channels for uploads/downloads. The ultimate goal is to make the traffic hard to detect, trace, and stop.

Getting the data off of a machine can be difficult for an adversary as large transfers may trigger alarms. Web services that are already used, Google Drive, Dropbox, etc., may be employed to make exfiltration look like regular traffic. In the case of a physical breach, USB drives may be employed. Finally radio protocols like Bluetooth, cellular, or local WiFi may also be used if the attacker is in close proximity to the device.

The impact of the attack needs to be analyzed as well. The impact can include losing access to the asset, loss of data, data held for ransom, defacement, denial of service, or resource hijacking. All of these things can interrupt business continuity and ultimately cost a company money. The impact of an attack needs to be well understood to make security decisions in the future.