How to Manage Cyber Incidents in the Evolving Threat Landscape


Threat actors are evolving their techniques and tactics to evade detection by automated tools, steal data and target organizations of all sizes. Using a combination of freely available tools and utilities, plus some commercial software, attackers start by choosing their target. Users who are active on social media, or those with a higher likelihood of access to sensitive data or IT administrative functions, are just as likely to be targeted as poorly protected systems exposed directly to the Internet.

Once connected to the target system(s), attackers often take advantage of applications already present on devices. This is known as living off the land. Tools like PowerShell, Remote Desktop and low-level system utilities like Windows Management Instrumentation (WMI) – all legitimate tools – can be used to execute commands locally and remotely, obfuscate the real objectives of the attacker and evade detection from anti-malware scanners.

The rise of ransomware

For attackers, ransomware is often the final goal, but ransomware gangs have evolved their objectives, too. Many are now taking the time to manually move around a target network, discover the infrastructure, locate sensitive data and plan a mass deployment of the file-encrypting payload. Discovering a ransom note is not the end of the incident.

More attackers are taking the time to steal sensitive data and threatening their target with a second ransom demand, failing which the stolen data is released to the public. The amount of time attackers spend in compromised networks, known as dwell time, can be measured in days, if not weeks. This gives them ample time to move laterally, carry out network reconnaissance, discover unprotected assets and strengthen their persistence in the network.

How to catch a cyberattacker

To catch a human at a keyboard often demands a human at a keyboard. Detections by automated threat protection products can mark the initial stages of an attack, such as the actor attempting an initial breach against a device, or even the final stages as the attacker nears their objective, like testing their payload deployment mechanism or file encryption process on a subset of machines. But often the extensive middle stages, the dwell time, go undetected by automated systems.

This can be for several reasons, including: the attacker moving very slowly, taking days between actions to avoid detection; relying heavily on native tools, living off the land, hiding a small signal of their activity in the noise of day-to-day operations; disabling poorly configured security tools, blinding a cybersecurity team to their actions; or most simply, moving to unprotected machines.

Actions taken by the attackers during the dwell time and recorded in the forensic data collected are crucial to detecting the tactics, techniques and procedures (TTPs) in use and are the key to prompt detection of the incident. This data needs continual monitoring and evaluation by a skilled SOC analyst who knows not only when to act – but when not to act. Moving too quickly, before the full scope of an incident is understood, can be dangerous. Defenders must assume that adversaries have multiple points of access and persistence, legitimate administrator accounts are compromised, data has been exfiltrated and even that the attackers can monitor their communications channels such as email and corporate instant messaging. 
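The living-off-the-land behaviour described earlier (PowerShell, WMI and other built-in tools) and the detection problem described in this section (slow, low-signal actions spread over days of dwell time) can be illustrated with a small correlation routine. The following is an added example written for this page, not code from the article, Sophos or CDW. The telemetry records, host names, account names and technique labels are constructed; the fields are shaped loosely like Windows process-creation events (Sysmon Event ID 1 or Security 4688), and the three rules and the 14-day window are illustrative choices, not a product's rule set.

```python
"""
Detect living-off-the-land activity spread over a long dwell time.

Each individual event below is low-signal on its own. Rather than scoring
events one at a time, the detection accumulates distinct technique labels
per account across a multi-day window, so "slow" tradecraft that a
minutes-long correlation window would miss still surfaces.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical hosts and accounts).
# Timestamps deliberately span almost two weeks.
EVENTS = [
    {"ts": "2023-03-01T09:12:00", "host": "WS-014", "user": "CORP\\jsmith",
     "parent": "explorer.exe", "image": "winword.exe",
     "cmdline": "winword.exe /n report.docx"},
    {"ts": "2023-03-01T09:13:10", "host": "WS-014", "user": "CORP\\jsmith",
     "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"ts": "2023-03-04T22:41:00", "host": "SRV-DB01", "user": "CORP\\svc_backup",
     "parent": "WmiPrvSE.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami /all"},
    {"ts": "2023-03-09T03:05:00", "host": "SRV-FS02", "user": "CORP\\svc_backup",
     "parent": "wsmprovhost.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -c Get-ChildItem"},
    {"ts": "2023-03-02T10:00:00", "host": "WS-022", "user": "CORP\\itadmin",
     "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Service"},  # routine admin use, no hit
]

SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


def classify(ev):
    """Return the set of technique labels a single event matches (may be empty)."""
    hits = set()
    image = ev["image"].lower()
    parent = ev["parent"].lower()
    cmd = ev["cmdline"].lower()
    # Native tool used with evasion-style switches (encoded or hidden window).
    if image == "powershell.exe" and ("-enc" in cmd or "-w hidden" in cmd):
        hits.add("powershell_encoded_or_hidden")
    # A shell spawned by the WMI provider host: typical of remote WMI execution.
    if parent == "wmiprvse.exe" and image in SHELLS:
        hits.add("wmi_spawned_shell")
    # An Office application launching a scripting host.
    if parent in OFFICE and image in SHELLS:
        hits.add("office_spawned_shell")
    return hits


def correlate(events, window=timedelta(days=14), min_techniques=2):
    """Alert per account when distinct techniques within `window` reach
    `min_techniques`, no matter how many days separate the events."""
    by_user = defaultdict(list)
    for ev in events:
        hits = classify(ev)
        if hits:
            by_user[ev["user"]].append(
                (datetime.fromisoformat(ev["ts"]), hits, ev["host"]))

    alerts = {}
    for user, items in by_user.items():
        items.sort(key=lambda item: item[0])
        # Slide the window start across the account's suspicious events.
        for i, (t0, _, _) in enumerate(items):
            techs, hosts, last = set(), set(), t0
            for t, hits, host in items[i:]:
                if t - t0 > window:
                    break
                techs |= hits
                hosts.add(host)
                last = t
            if len(techs) >= min_techniques:
                alerts[user] = {"techniques": sorted(techs),
                                "hosts": sorted(hosts),
                                "span_days": (last - t0).days}
                break
    return alerts


if __name__ == "__main__":
    for user, detail in correlate(EVENTS).items():
        print(user, detail)
```

Run with the default window and both the phishing-style chain (Office spawning encoded PowerShell on one workstation) and the service account's WMI-then-PowerShell activity four days apart are reported; shrink the window to an hour and only the first remains, which is the gap the text describes. In a real SOC the same idea is applied to the forensic data stream rather than a static list, and the labels would map onto TTPs such as those in ATT&CK.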

Why managed detection and response is the easiest way to protect yourself from cybercriminals

Organizations of all sizes and verticals are at risk from cybercriminals attempting to breach their networks, steal data and affect business operations to extort money. Businesses, governments and non-profit institutions must all engage with proactive threat hunting to detect activities by attackers before they reach their final goal, to fully understand the impact of any data theft and to continually adjust the security posture of the organization with the changing threat landscape. The experience and expertise of a human-led threat hunting and remediation program is a critical part of the security infrastructure. 

A managed detection and response (MDR) service can be the simplest way for organizations of all sizes to benefit from human-led threat detection and response. Providing full 24/7/365 coverage with skilled threat hunters, incident responders and malware experts, these services can respond more quickly than in-house teams. MDR providers can aggregate data across their portfolio of clients, ensuring that threat intelligence is shared rapidly, proactive detections are created more effectively and response actions are coordinated to completely neutralize a threat without the risk of alerting the attacker.

Sophos MTR (Managed Threat Response) is available as an addition to CDW customers’ endpoint and server protection from Sophos, as well as Sophos Firewall and Sophos Cloud Optix (cloud security posture management) products. These existing tools share their forensic data with the Sophos MTR team in real time without the need for other applications or devices. 

To learn more about how Sophos MTR can detect and respond to threats for your organization, contact your CDW account team or visit