“We’ve been hacked” is a phrase no executive or cybersecurity professional wants to hear, but unfortunately it happens and with cybercrime on the rise it’s something organisations need to take seriously.
Even with the best defences in place, threat actors are always finding new and innovative ways to infiltrate networks. So, what happens if an attacker slips through the cracks, is it really game over?
Well, firstly, it’s important to understand that gaining initial access doesn’t always equate to success. Typically, cyber threat actors don’t pounce immediately, which is why it’s important to understand their movements after they have gained access to your environment.
Being able to understand and anticipate an attacker’s next steps will help you implement strategies to cut them off at the pass. Just because they’ve gotten in, doesn’t mean it’s game over.
The more roadblocks you put in their way, the less likely they are to glide along their attack pathway and achieve their goal. If you’re a tough enough nut to crack, frustration may even push the attacker to quit early on.
But it’s important to note that the longer intruders remain undetected, the more time they have to learn about your network and how best to exploit it.
After gaining initial access attackers will often use a tactic called lateral movement to foray deeper into the compromised network seeking sensitive data or other high-value assets. Threat actors will prioritise gaining access to administrative accounts that will grant them greater reach and control within the company’s digital estate, either for data exfiltration or as a precursor to a ransomware attack. This will also enable them to escalate privileges and discreetly disable safety measures to ensure ongoing access and to avoid detection.
To evade detection and increase their dwell time, threat actors will seek to compromise an endpoint that doesn’t have monitoring or security controls in place. This means that even if the original infected endpoint is discovered, the attacker can hide away on another machine. This step can be repeated to ensure the attacker always has a bolt hole if detected.
Secluded in a new location, they can explore and map out the network, its users and devices. This will help the adversary identify operating systems, potential payloads, and gather intelligence to inform their next move. If undetected, the attacker can lurk for days or weeks in the network before launching an attack or stealing data.
From keylogging tools to social engineering techniques such as typo-squatting and phishing, attackers will use various means to illegally obtain the credentials that will allow them to bypass security controls and navigate freely through the network. Threat actors can use these purloined details to disable security controls such as anti-virus or EDR on compromised machines, to establish secondary access points or, in the case of ransomware groups, to prep for a scorched-earth scenario if access is lost.
It can be hard to detect these activities because they tend to mimic ‘normal’ network traffic. However, threat actors are human, and humans make mistakes. A robust security solution can detect these human slip-ups and raise alerts so they can be dealt with. However, if improperly triaged or investigated, there’s a risk the incident is misidentified as isolated and is not linked back to a bigger ongoing incident.
Update endpoint security – ensure that anti-virus software is rolled out and up to date on all endpoint devices. Outdated and unpatched systems are easy access points for attackers.
Be proactive in asset inventory and management – ensure you have full visibility and control of your attack surface. Identify and ensure that all potential access points from the internet across the network are secured and kept up to date.
Proactively hunt for advanced threats – over-alerting, too many false positives or alerts without context can lead to alert fatigue, which in turn can lead to threats being missed. Implementing a security solution that provides expert threat hunting, proactive monitoring and threat prioritisation will help alleviate this. An EDR solution can also help automate some of these processes and reduce the risk of alert fatigue.
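The two detection points above (a single slip-up looking like an isolated incident, and alerts without context feeding alert fatigue) are easier to see with a concrete correlation step. The following is an added example, not code from Adarma or from this article: it runs over a constructed, minimal set of normalised Windows logon events (the shape loosely follows Security event 4624) and a constructed list of standalone alerts. It flags an account that fans out over the network to several hosts within a short window, a common lateral-movement signature, and then attaches the standalone alerts that landed on those same hosts in the same time span, so an analyst sees one linked incident rather than three unrelated tickets. Host names, account names, timestamps and alert titles are all invented for the example; the threshold and window values are illustrative and would be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of normalised logon events. logon_type follows the Windows
# convention: 2 = local console, 3 = network logon, 10 = RemoteInteractive (RDP).
SAMPLE_LOGONS = [
    {"ts": "2024-03-01T09:00:05", "user": "jsmith", "src": "WS-17", "dst": "WS-17", "logon_type": 2},
    {"ts": "2024-03-01T09:12:40", "user": "jsmith", "src": "WS-17", "dst": "FS-01", "logon_type": 3},
    {"ts": "2024-03-01T09:13:02", "user": "jsmith", "src": "WS-17", "dst": "FS-02", "logon_type": 3},
    {"ts": "2024-03-01T09:13:30", "user": "jsmith", "src": "WS-17", "dst": "SQL-03", "logon_type": 3},
    {"ts": "2024-03-01T09:14:11", "user": "jsmith", "src": "WS-17", "dst": "DC-01", "logon_type": 10},
    {"ts": "2024-03-01T10:05:00", "user": "abrown", "src": "WS-22", "dst": "FS-01", "logon_type": 3},
    {"ts": "2024-03-01T14:40:00", "user": "abrown", "src": "WS-22", "dst": "PRINT-01", "logon_type": 3},
]

# Constructed sample of alerts that other tooling raised on its own; each looks
# minor when read in isolation.
SAMPLE_ALERTS = [
    {"ts": "2024-03-01T09:13:10", "host": "FS-02", "title": "Real-time protection disabled"},
    {"ts": "2024-03-01T09:14:30", "host": "DC-01", "title": "New scheduled task created"},
    {"ts": "2024-03-01T16:20:00", "host": "PRINT-01", "title": "Driver install failed"},
]


def _parse_ts(value):
    return datetime.fromisoformat(value)


def find_fan_out(logons, window=timedelta(minutes=10), threshold=3):
    """Return one finding per account that reaches `threshold` or more distinct
    remote hosts (network or RDP logons) inside any `window`-long span."""
    by_user = defaultdict(list)
    for event in sorted(logons, key=lambda e: e["ts"]):
        if event["logon_type"] in (3, 10) and event["src"] != event["dst"]:
            by_user[event["user"]].append(event)

    findings = []
    for user, events in by_user.items():
        for i, start in enumerate(events):
            t0 = _parse_ts(start["ts"])
            hosts, t_end = {start["dst"]}, t0
            for event in events[i + 1:]:
                t = _parse_ts(event["ts"])
                if t - t0 > window:
                    break
                hosts.add(event["dst"])
                t_end = t
            if len(hosts) >= threshold:
                findings.append({
                    "user": user,
                    "source": start["src"],
                    "hosts": sorted(hosts),
                    "start": t0,
                    "end": t_end,
                })
                break  # one finding per account is enough to open a triage
    return findings


def link_alerts(findings, alerts, slack=timedelta(minutes=5)):
    """Attach standalone alerts to a fan-out finding when they occurred on one of
    its target hosts within the finding's time span, widened by `slack`."""
    linked = []
    for finding in findings:
        related = [
            alert for alert in alerts
            if alert["host"] in finding["hosts"]
            and finding["start"] - slack <= _parse_ts(alert["ts"]) <= finding["end"] + slack
        ]
        linked.append({**finding, "related_alerts": related})
    return linked


if __name__ == "__main__":
    for incident in link_alerts(find_fan_out(SAMPLE_LOGONS), SAMPLE_ALERTS):
        print(f"{incident['user']} from {incident['source']} reached "
              f"{len(incident['hosts'])} hosts between {incident['start']:%H:%M:%S} "
              f"and {incident['end']:%H:%M:%S}: {', '.join(incident['hosts'])}")
        for alert in incident["related_alerts"]:
            print(f"  linked alert on {alert['host']}: {alert['title']}")
```

In the sample, `jsmith` reaches four hosts from one workstation in under two minutes, so the account is surfaced once, and the two alerts on FS-02 and DC-01 are folded into that finding, while the `abrown` logons, hours apart, and the unrelated PRINT-01 alert stay quiet. Grouping by account and time in this way is what turns a pile of low-context alerts into a single prioritised incident, and it is the kind of context a threat-hunting or EDR workflow adds on top of the raw signals.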
If you’d like to learn more about the current cyber threat landscape, why not check out our latest “Top 3 Cyber Threats Facing UK Businesses: And How to Defend Against Them”.
If you want to discuss any of the issues raised in this article, visit our Detection & Response page or contact us to find out how Adarma can support your cybersecurity journey.
To hear more from us, check out the latest issue of ‘Cyber Insiders’, our C-suite publication that explores the state of the threat landscape, emerging cyber threats and the most effective cybersecurity best practices.
You can also listen to our new podcast, which explores what it’s really like to work in cybersecurity in today’s threat landscape.
Stay up to date with the latest threat insights from Adarma by following us on Twitter and LinkedIn.