Inside A Cyber Security Breach

Intrusion Team
Oct 02, 2020

Most CIOs and network security specialists working in smaller to mid-sized companies in the US can be lulled into thinking a cyber attack is limited to well-known corporations—Marriott, eBay, Equifax, LinkedIn, Adobe and Yahoo. While those have been the most publicized and egregious breaches, they represent only a fraction of cybercrime incidents, which caused over $3 trillion in losses in 2019 alone.

While the giant companies that fall victim to cybercrime grab all the headlines, 43 percent of cyberattacks are aimed at SMBs. In fact, more than half of all small businesses suffered a breach in 2018.

Unfortunately, that number is rising. Cybercrime is projected to cost the world $6 trillion in 2021 – and that was an estimate made before COVID-19 hit and magnified vulnerabilities through an influx of remote workers.

If you still think that your company is too small, too unknown, or just doesn’t have anything that a cybercriminal wants, you’re dead wrong—and that mistaken belief could cost you your business as 60% of organizations hit by ransomware close their doors within six months.

There is a dangerous misperception that cybercriminals are simply individuals hacking from their mothers’ basements. This allows business owners and management to disqualify themselves as a point of interest. To be fair, if that was the only type of attacker you had to defend against, it would be relatively easy. However, the truth is that cybercrime has proliferated, not due to the number of human attackers, but as a result of the tactics – and machines – being used.

That’s right. It is far more likely that an AI (Artificial Intelligence)-enabled computer is attempting an attack than a person. These machines can deploy multiple attacks on multiple organizations simultaneously – and they never get tired. They don’t eat. They don’t sleep. They don’t even take bathroom breaks.

This is important, because for you to successfully defend against the enemy, you must know them. You have to know what you are up against. Here is a breakdown of the tactics frequently used in cyberwar.

The Anatomy of a Cyberattack

The Launch: After performing their initial reconnaissance, a rogue agent (using an AI-enabled machine as discussed above) gains as much information as possible about the target network. The next step is to attack the target network based on the found vulnerabilities.

Credential Sharing To Escalate Privileges: Chances are this adversary has gained access to your network with normal, low-level user privileges. Next, the adversary will try to escalate the user account to gain administrator-level privilege. This will be achieved by looking for password lists, and/or attempting multiple logins until the adversary lands on a winner.

Lateral Spread: Once inside the internal network, the adversary can gain access to other devices. Then begins the collection of additional information like applications running, operating systems, user IDs, passwords, etc. Stolen data will likely be exported in drips and drabs to some location or device that looks innocuous, in an attempt to not draw attention to the data theft.

Establish Back Doors: After compromising servers and collecting information, trade secrets and priceless intellectual property, the adversary will then try to install and configure back doors or remote-control hacking tools to gain access to the system in the future.

Hide the Tracks: Once an adversary gains control of a device (or had control of it all along since they manufactured it or wrote the code running on it) – a natural thing to do is to hide their tracks from the logs and disable or cripple defenses. They may perform many actions to accomplish this, for example, deleting the log files.

Leverage the compromised network: Finally, the adversary would start using the data or the network itself to inflict damage on your company. They can steal or destroy the target network data, bring servers down, interrupt customer service, ransom your company, or attack another organization using the target network’s systems.

A Big Problem with Existing Network Security

For too long, the industry has focused on keeping adversaries out. But once inside, devices have a lot of freedom to talk to other machines, look around for data, establish improved credentials and download critical information with little to no real-time oversight. There are also precious few, if any, solutions that are concerned with what is leaving your network. You can’t steal an article of clothing from a store if you don’t actually leave the store. The same is true of data, trade secrets, or any other information your organization is trying to protect.

Fighting Today’s Advanced Cybercriminals

These are the realities, the techniques and serious challenges facing today’s cybersecurity specialist. And to be honest, until now, there haven’t been all-in-one solutions, let alone affordable solutions, that address these cyberwar tactics. While there were possible mitigation approaches, the costs were exorbitant and the results often not effective. That was the inspiration behind Intrusion Shield. It is an affordable solution that uses real-time AI to address the majority of cyberattacks (conducted by enemy AI) at a cost companies can afford.

Launch Mitigation—Who Are You, Why Are You Here?

Spoofing is often the way a malicious attacker starts an assault: impersonating another device or user on a network. The most effective way to stop such activity is with an active monitor that maps source MAC address and source IP address, wrapped in a distinct tag for each computer, port, or Wi-Fi connected device. Every packet a device transmits must be decoded and logged, including the MAC address and IP address. For example, if a device spoofs the address of another network device, Shield removes the uncertainty about who did it.
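The binding monitor described above, as an added example that is not Intrusion Shield's code: it learns the first (MAC, port) pairing seen for each source IP and the first port seen for each MAC, logs every packet with both addresses, and flags a packet whose source IP arrives from a different MAC or port than the one it is bound to. Port names, MACs, IPs and the packet sequence are all constructed for the example.

```python
"""Added example (not Intrusion Shield's code): a per-port MAC/IP binding
monitor. It logs every packet and reports address conflicts so that a
spoofed address can be traced to the port and MAC that actually sent it.
All packets below are constructed records, not captured traffic."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    port: str      # switch port or Wi-Fi association the frame arrived on
    src_mac: str
    src_ip: str


@dataclass
class BindingMonitor:
    # src_ip -> (src_mac, port) learned on first sight
    ip_bindings: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    # src_mac -> port learned on first sight
    mac_ports: Dict[str, str] = field(default_factory=dict)
    # every packet, so a conflict can always be attributed to a sender
    packet_log: List[Tuple[int, str, str, str]] = field(default_factory=list)

    def observe(self, seq: int, pkt: Packet) -> List[str]:
        """Log the packet, learn bindings on first sight, return findings."""
        self.packet_log.append((seq, pkt.port, pkt.src_mac, pkt.src_ip))
        findings: List[str] = []

        bound = self.ip_bindings.get(pkt.src_ip)
        if bound is None:
            # Trust-on-first-use: learning must happen in a known-clean window,
            # and in a DHCP network bindings should expire with the lease.
            self.ip_bindings[pkt.src_ip] = (pkt.src_mac, pkt.port)
        elif bound != (pkt.src_mac, pkt.port):
            findings.append(
                f"IP_CONFLICT {pkt.src_ip} is bound to {bound[0]} on {bound[1]} "
                f"but was sent by {pkt.src_mac} on {pkt.port}"
            )

        home = self.mac_ports.get(pkt.src_mac)
        if home is None:
            self.mac_ports[pkt.src_mac] = pkt.port
        elif home != pkt.port:
            findings.append(
                f"MAC_MOVED {pkt.src_mac} learned on {home} now seen on {pkt.port}"
            )
        return findings


def audit(packets: List[Packet]) -> Tuple[List[Tuple[int, str]], BindingMonitor]:
    """Run the monitor over a packet sequence; return (alerts, monitor)."""
    mon = BindingMonitor()
    alerts: List[Tuple[int, str]] = []
    for seq, pkt in enumerate(packets):
        for finding in mon.observe(seq, pkt):
            alerts.append((seq, finding))
    return alerts, mon


# Constructed sample: two legitimate hosts, then a second host borrowing the
# first host's IP, then the first host's MAC appearing on a third port.
SAMPLE_PACKETS = [
    Packet("gi1/0/1", "aa:bb:cc:00:00:01", "10.0.0.10"),
    Packet("gi1/0/2", "aa:bb:cc:00:00:02", "10.0.0.11"),
    Packet("gi1/0/1", "aa:bb:cc:00:00:01", "10.0.0.10"),
    Packet("gi1/0/2", "aa:bb:cc:00:00:02", "10.0.0.10"),  # IP spoof from port 2
    Packet("gi1/0/3", "aa:bb:cc:00:00:01", "10.0.0.10"),  # MAC cloned on port 3
]

if __name__ == "__main__":
    found, monitor = audit(SAMPLE_PACKETS)
    for seq, text in found:
        print(f"packet {seq}: {text}")
    print(f"{len(monitor.packet_log)} packets logged")
```

Because every packet is logged with its port and MAC, an alert on packet 3 names port gi1/0/2 and its MAC as the sender of the borrowed address, which is the attribution the passage describes.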

Eliminate Credential Sharing

The default method for a corporation to detect credential sharing is to create enterprise certificates for all computers, which allow the network security staff to decode all messages. The problem is, if you decode usernames and passwords and start archiving them, that audit record set becomes the master set for an adversary to steal or purchase from an insider. With Shield, machine learning recognizes that a secure login occurs without decoding it. In many cases, successful logins vs. failed logins can be determined with simple traffic analysis, but with AI this process is automated. Mapping login attempts to device and time creates an independent source for detecting shared logins, because the user that successfully logged in wasn’t on the correct machine for that user. This independent audit source can also be compared with native login logs to discover which machines share the same logins to which resources.
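The login-to-device mapping described above, and the "attempting multiple logins until the adversary lands on a winner" stage from the attack anatomy, as one added example that is not Intrusion Shield's code. It parses a constructed auth log into (time, user, device, result) events, flags a success that follows a burst of failures on the same device, flags a success from a device the account is not registered to, and builds the map of which accounts have logged in from more than one machine. The log format, account names, device names, thresholds and the registry are all assumptions made for the example; the real Shield works from traffic rather than from a text log.

```python
"""Added example (not Intrusion Shield's code): map login attempts to device
and time, then detect credential guessing and off-device (shared) logins.
The log lines and device registry are constructed for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set

# Constructed sample auth log (assumed format, not from any real product).
SAMPLE_LOG = """\
2020-10-02T09:00:01 user=alice device=WS-ALICE result=fail
2020-10-02T09:00:05 user=alice device=WS-ALICE result=success
2020-10-02T09:10:00 user=bob device=WS-BOB result=success
2020-10-02T09:12:00 user=admin device=WS-BOB result=fail
2020-10-02T09:12:03 user=admin device=WS-BOB result=fail
2020-10-02T09:12:07 user=admin device=WS-BOB result=fail
2020-10-02T09:12:11 user=admin device=WS-BOB result=success
2020-10-02T09:30:00 user=alice device=WS-BOB result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<device>\S+) result=(?P<result>success|fail)$"
)

# Constructed registry: the devices each account is expected to log in from.
DEVICE_REGISTRY: Dict[str, Set[str]] = {
    "alice": {"WS-ALICE"},
    "bob": {"WS-BOB"},
    "admin": {"SRV-DC01"},
}


def parse(log_text: str) -> List[dict]:
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "device": m["device"],
            "result": m["result"],
        })
    return events


def detect(events: List[dict], registry: Dict[str, Set[str]] = DEVICE_REGISTRY,
           fail_threshold: int = 3, window: timedelta = timedelta(minutes=2)) -> List[str]:
    """Return alerts for guess-then-success bursts and off-device successes."""
    alerts: List[str] = []
    # device -> timestamps of failures inside the sliding window
    recent_fails: Dict[str, Deque[datetime]] = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent_fails[ev["device"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] == "fail":
            q.append(ev["ts"])
            continue
        # A success: was it preceded by a burst of failures on this device?
        if len(q) >= fail_threshold:
            alerts.append(
                f"GUESS_THEN_SUCCESS {ev['user']}@{ev['device']} after {len(q)} failures"
            )
        q.clear()
        # Is this account on a machine it is not registered to?
        if ev["device"] not in registry.get(ev["user"], set()):
            alerts.append(f"OFF_DEVICE {ev['user']} logged in from {ev['device']}")
    return alerts


def shared_login_map(events: List[dict]) -> Dict[str, List[str]]:
    """Accounts that have successfully logged in from more than one device."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if ev["result"] == "success":
            seen[ev["user"]].add(ev["device"])
    return {user: sorted(devs) for user, devs in seen.items() if len(devs) > 1}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for alert in detect(evs):
        print(alert)
    print("shared:", shared_login_map(evs))
```

The registry check is the "independent audit source" of the passage: it does not need the password, only the fact that a login succeeded and which device it came from, so the detector never stores credentials that an adversary could later steal.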

Stopping Lateral Spread

Intrusion has defined lateral spread as using any beachhead in a network as an attack vector to compromise additional nodes. Shield provides independent audit, monitoring, filtering, isolation, and other controls, including the insertion of deeper scrutiny where desired or required within a network rather than just at the edges of a network, mitigating lateral spread by securing every beachhead.

Preventing Back Door Attacks

Literally any protocol can be used as a Trojan backdoor for an adversary to use one of the devices on your network as a human-driven survey and penetration tool. As one example, in the Target breach, a vendor’s HVAC remote access VPN was intended only to allow the HVAC vendor to access Target’s HVAC systems and telemetry. That entry point allowed bad actors entrance, where they soon gained credentials to access secured customer data inside the network. With Shield, an active controller isolates these systems from the rest of the enterprise and also isolates the vendor’s remote access channel from the rest of the enterprise. The active filter leverages the learned behavior of all systems and locks them down so that non-enterprise IT services will not intermingle with non-IT devices by blocking them.
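The learned-behavior lockdown described above, as an added example that is not Intrusion Shield's code: a flow filter that records the flows seen during a clean learning period, adds a structural rule that a vendor remote-access channel may only reach the operational devices it exists to serve, and then blocks anything outside both. Host names, zones, ports and the baseline are constructed for the example; the HVAC/vendor naming only mirrors the scenario in the passage.

```python
"""Added example (not Intrusion Shield's code): a learned-baseline flow filter
that confines a vendor remote-access channel to the devices it serves.
Hosts, zones and flows are constructed for this example."""
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int]  # (src_host, dst_host, dst_port)

# Constructed zone map: "vendor" is the remote-access gateway, "ot" the
# building-control devices it maintains, "it" the enterprise network.
ZONES: Dict[str, str] = {
    "hvac-vpn-gw": "vendor",
    "hvac-ctl-01": "ot",
    "hvac-ctl-02": "ot",
    "hvac-hist-01": "ot",
    "ws-finance-07": "it",
    "fileserver-01": "it",
    "pos-db-01": "it",
}

# Constructed baseline: flows observed while only legitimate traffic was present.
LEARNED_FLOWS: List[Flow] = [
    ("hvac-vpn-gw", "hvac-ctl-01", 502),
    ("hvac-vpn-gw", "hvac-ctl-02", 502),
    ("hvac-ctl-01", "hvac-hist-01", 443),
    ("ws-finance-07", "fileserver-01", 445),
]


class LearnedFilter:
    def __init__(self, zones: Dict[str, str], learned: List[Flow]):
        self.zones = zones
        self.allowed: Set[Flow] = set(learned)

    def zone(self, host: str) -> str:
        return self.zones.get(host, "unknown")

    def decide(self, flow: Flow) -> Tuple[str, str]:
        """Return ("allow" | "block", reason) for one candidate flow."""
        src, dst, port = flow
        zs, zd = self.zone(src), self.zone(dst)
        # Structural rule first: the vendor channel talks to OT devices only,
        # whatever the learned baseline happens to contain.
        if "vendor" in (zs, zd) and "ot" not in (zs, zd):
            return ("block", f"zone policy: {zs} -> {zd}")
        # Then the learned baseline: anything not seen during learning is new.
        if flow in self.allowed:
            return ("allow", "learned baseline")
        return ("block", f"not in learned baseline: {src} -> {dst}:{port}")

    def audit(self, flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
        return [(f, *self.decide(f)) for f in flows]


# Constructed candidate flows: normal vendor traffic, a vendor reach into the
# IT zone, a new port to a known OT peer, normal IT traffic, OT into IT.
CANDIDATE_FLOWS: List[Flow] = [
    ("hvac-vpn-gw", "hvac-ctl-01", 502),
    ("hvac-vpn-gw", "pos-db-01", 1433),
    ("hvac-vpn-gw", "hvac-ctl-01", 3389),
    ("ws-finance-07", "fileserver-01", 445),
    ("hvac-ctl-02", "fileserver-01", 445),
]

if __name__ == "__main__":
    flt = LearnedFilter(ZONES, LEARNED_FLOWS)
    for flow, action, reason in flt.audit(CANDIDATE_FLOWS):
        print(f"{action:5s} {flow[0]} -> {flow[1]}:{flow[2]}  ({reason})")
```

The zone rule is kept separate from the baseline on purpose: a baseline learned while a vendor link was already being misused would contain the bad flow, so the structural isolation of the remote-access channel must not depend on what was learned.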

Leave Network Attackers With Nowhere To Hide

When an adversary gains control of a device (or had control of it all along since they manufactured it or wrote the code running on it) – a natural thing to do is to hide their tracks from the logs and disable or cripple defenses. Put simply, end point defenses can’t defend against compromises of themselves.

In order to make covert communications invisible, adversaries have used a great many covert communications methods over the years, which are designed to be impossible to detect using the tools and logging present on a network. The goal of a defender is, of course, to detect and mitigate them all.

Intrusion Shield provides independent audit, monitoring, filtering, isolation, and other controls including the insertion of deeper scrutiny where desired or required within a network rather than just at the edges of a network.

A Good Defense Never Rests

As soon as you write the book on Network Defenses, cybercriminals have already thought of new ways to disrupt your livelihood, steal your secrets and damage your credibility. Oftentimes, these attackers are well-trained, well-funded teams working on behalf of your competitors or agents from a rogue nation state. The only answer is to stay vigilant, learn from the past and use real-time AI. While it may seem daunting for SMBs or even the largest companies to defend against such high levels of cyber breaches, it is not impossible. Intrusion’s mission is to protect companies against such attacks and doing so at an affordable price. If you can’t trust your computers and your technology, then it is impossible to stay in business.
