When we talk about the top threats that your organization needs to detect, we’re really talking about different techniques that can be combined to get to an attacker’s end objective – such as access to your systems and data.
This aligns with the techniques outlined in the MITRE ATT&CK Framework – a project initiated to document the common tactics, techniques and procedures used against Windows enterprise networks (mitre.org). Blumira’s team of security analysts uses this framework to help inform the detection rules they write for Blumira’s SIEM platform.
Some of the top techniques and indicators of a possible insider or external threat include data exfiltration, lateral movement, ransomware, anomalous (geo-impossible) user behavior and brute-force attacks. This is a brief summary defining each technique/attack with a few examples from Blumira’s real detections; in subsequent posts, I’ll highlight each one with more detail and discuss how Blumira can help you respond and remediate.
Data exfiltration refers to any technique an attacker employs to steal data from your network, applications or systems. Once collected, attackers might compress and encrypt the data to avoid detection while they transfer it out of your network, according to MITRE.
They might transfer it over command and control channels – a command and control server (also referred to as C&C or C2) is one that an attacker uses to send commands to a compromised system in order to receive stolen data.
In the example of Blumira’s finding below, our platform detected a user attempting to transfer at least 16GB of data – an anomalous event, as the user had never connected to that public IP address before, nor had anyone else in the organization. That indicates a potential incident of data theft.
Another example of potential data exfiltration is detecting Tor (anonymous network) traffic on your corporate network, through an integration with Carbon Black Response, an enterprise EDR (Endpoint Detection and Response) solution. Blumira can alert you that this traffic may be tunneling in from a malicious server, prompting further investigation and remediation.
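Detection logic of the kind described above, written here as an added example (not Blumira's code): a transfer is flagged when it goes to a public IP nobody in the organization has contacted before and the volume crosses a threshold. The 16 GB threshold, the internal address ranges and the flow records are assumptions.

```python
import ipaddress
from collections import defaultdict

# Internal ranges; anything else is treated as public. (Python's is_global would
# classify the RFC 5737 documentation addresses used below as special-purpose.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
GB = 1_000_000_000
THRESHOLD_BYTES = 16 * GB   # assumed threshold, taken from the 16 GB finding above

# Constructed flow records (user, destination IP, bytes sent); not real telemetry.
HISTORY = [                                  # what the org has talked to before
    ("alice", "203.0.113.10", 120_000_000),
    ("bob", "203.0.113.10", 45_000_000),
    ("carol", "198.51.100.7", 9_000_000),
]
NEW_FLOWS = [
    ("alice", "203.0.113.10", 17 * GB),   # large, but a known destination
    ("dave", "192.0.2.55", 17 * GB),      # never-seen public IP, over threshold
    ("erin", "10.20.30.40", 40 * GB),     # internal destination, out of scope
    ("frank", "192.0.2.99", 2 * GB),      # new public IP, but a small transfer
    ("grace", "192.0.2.77", 9 * GB),      # split transfer: two records that
    ("grace", "192.0.2.77", 9 * GB),      #   together exceed the threshold
]

def is_public(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def baseline_destinations(history):
    """Public destination IPs that anyone in the org has previously contacted."""
    return {dst for _user, dst, _nbytes in history if is_public(dst)}

def detect_exfiltration(flows, seen, threshold=THRESHOLD_BYTES):
    """Flag large outbound transfers to public IPs nobody in the org has used before.

    Bytes are summed per (user, destination) so a transfer split across records
    still trips the threshold. Returns sorted (user, dst, total_bytes) tuples.
    """
    totals = defaultdict(int)
    for user, dst, nbytes in flows:
        totals[(user, dst)] += nbytes
    return sorted((user, dst, total) for (user, dst), total in totals.items()
                  if is_public(dst) and dst not in seen and total >= threshold)

if __name__ == "__main__":
    for user, dst, total in detect_exfiltration(NEW_FLOWS, baseline_destinations(HISTORY)):
        print(f"possible exfiltration: {user} -> {dst} ({total / GB:.0f} GB to a never-seen public IP)")
```

The per-destination baseline is what turns a plain volume alert into the "never connected before" signal; in practice it is built from weeks of flow history rather than three records.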
Lateral movement refers to any series of techniques used by an attacker to move through your network. They might jump from one system to another, or compromise different accounts and escalate privileges to gain access to their objective. It’s important to detect this type of behavior early to avoid breaches or malware infection.
A few different types of detections that Blumira’s platform provides may be indicators of potential lateral movement, including:
Internal Port Scanning
Blumira can detect a source IP that’s running a port scanning tool against a destination IP – this can indicate that they’re in the early stages of an attack. Scanning can indicate an insider is researching your network for vulnerable areas to attack and move laterally.
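An added example (not Blumira's detection rule) of how a SIEM rule can surface internal port scanning from connection logs: one source touching many distinct ports on one destination in a short span. The 60-second window, the 15-port threshold and the sample events are assumptions.

```python
from collections import defaultdict

WINDOW_SECONDS = 60    # assumed detection window
PORT_THRESHOLD = 15    # assumed: distinct ports on one host within the window

# Constructed connection log (timestamp_seconds, src_ip, dst_ip, dst_port);
# not real Blumira telemetry.
EVENTS = (
    # a scanner sweeping ports 20-44 on one host within 25 seconds
    [(t, "10.0.5.23", "10.0.8.40", 20 + t) for t in range(25)]
    # a normal client hitting one service repeatedly
    + [(t * 10, "10.0.5.77", "10.0.8.40", 443) for t in range(30)]
    # a slow scan, one port every two minutes: evades a 60-second window
    + [(t * 120, "10.0.5.90", "10.0.8.41", 1000 + t) for t in range(25)]
)

def detect_port_scans(events, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Return (src, dst, distinct_ports) for each source that touched at least
    `threshold` distinct ports on one destination inside a `window`-second span.

    A sliding window runs over the time-sorted probes of each (src, dst) pair.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        by_pair[(src, dst)].append((ts, port))
    hits = {}
    for pair, probes in by_pair.items():
        start = 0
        for end in range(len(probes)):
            while probes[end][0] - probes[start][0] > window:
                start += 1
            distinct = {port for _ts, port in probes[start:end + 1]}
            if len(distinct) >= threshold:
                hits[pair] = max(hits.get(pair, 0), len(distinct))
    return sorted((src, dst, n) for (src, dst), n in hits.items())

if __name__ == "__main__":
    for src, dst, n in detect_port_scans(EVENTS):
        print(f"possible port scan: {src} probed {n} ports on {dst} within {WINDOW_SECONDS}s")
```

The slow-scan source is the caveat: a single fixed window misses low-and-slow scanning, so a production rule pairs it with a longer window or a cumulative per-source count.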
Remote Desktop Exploit
This detection refers to a specific vulnerability identified as BlueKeep (CVE-2019-0708) that affects Microsoft Windows OSs – an attacker can exploit this to perform remote code execution on an unprotected system. Blumira can detect if this exploit is being run against a destination IP from a certain source IP, over a destination port. That can indicate an attacker is leveraging BlueKeep to either gain a foothold into your environment or move laterally within it.
While not a technique, ransomware infection is what may happen after a series of certain detections go unnoticed or unaddressed (MITRE refers to this as ‘Data Encrypted for Impact’). Ransomware is a type of malware that can infect a system and either lock out users or encrypt the user or organization’s files. Attackers will ask the user to pay a ransom in exchange for regaining access to their system or files.
One detection that could lead to a ransomware infection is an SMB (Windows Server Message Block) connection originating from a public IP address. This type of connection shouldn’t be allowed, as it can open up organizations to risks from attackers – such as allowing attacks like EternalBlue to occur. With our Windows server integration, Blumira detects and alerts on these types of connections.
EternalBlue is the name for a vulnerability affecting Windows OSs, patched by Microsoft (MS17-010). In 2017, it was used to spread the wormlike WannaCry ransomware that remotely compromised unpatched systems and spread itself to other computers. Detecting an SMB connection early can allow you to respond quickly and deter a potential ransomware infection.
Anomalous User Behavior
If a user attempts to authenticate from New York City within four hours of their previous authentication attempt from Los Angeles, this could indicate that the user’s credentials have been stolen. This type of geo-impossible login attempt could mean an attacker is attempting to access your systems, which Blumira will alert on.
Other geo-specific behavior, such as authentication attempts from countries you don’t normally do business in, is another way to detect an external attacker that may be accessing your systems remotely.
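The geo-impossible login check above, carried through as an added example (not Blumira's implementation): consecutive logins per user are compared by great-circle distance and the speed a traveller would need. The 900 km/h plausibility ceiling (roughly airliner ground speed), the city coordinates and the sample events are assumptions.

```python
from collections import defaultdict
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumed ceiling: faster than this is not a real trip

# Constructed authentication events (user, unix_ts, city, lat, lon);
# approximate city-centre coordinates, not real Blumira data.
AUTH_EVENTS = [
    ("alice", 0,        "Los Angeles",   34.0522, -118.2437),
    ("alice", 4 * 3600, "New York",      40.7128,  -74.0060),  # LA -> NYC in 4 h
    ("bob",   0,        "Los Angeles",   34.0522, -118.2437),
    ("bob",   4 * 3600, "San Francisco", 37.7749, -122.4194),  # LA -> SF in 4 h
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def required_speed_kmh(prev, cur):
    """Speed the user would have needed to travel between two consecutive logins."""
    dist = haversine_km(prev[3], prev[4], cur[3], cur[4])
    hours = (cur[1] - prev[1]) / 3600
    if hours <= 0:                       # same second (or clock skew): only a
        return float("inf") if dist > 0 else 0.0   # different place is suspicious
    return dist / hours

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive logins per user whose implied speed exceeds max_kmh.
    Returns (user, from_city, to_city, speed_kmh) tuples."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: (e[0], e[1])):
        by_user[ev[0]].append(ev)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            speed = required_speed_kmh(prev, cur)
            if speed > max_kmh:
                findings.append((user, prev[2], cur[2], round(speed)))
    return findings

if __name__ == "__main__":
    for user, src, dst, speed in impossible_travel(AUTH_EVENTS):
        print(f"geo-impossible login: {user} {src} -> {dst} would need {speed} km/h")
```

Real geolocation carries city-level error and VPN egress points, so production rules usually add a minimum distance before the speed test applies.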
A brute-force attack is a technique attackers use to attempt to gain access to a user’s account, and subsequently, your organization’s systems. They may use automated software to generate password guesses, using a list of known or possible passwords.
Blumira can detect attempted unauthorized brute-force access originating from multiple external sources. Blumira can also detect connections to Remote Desktop Protocol (RDP) from public IPs, which attackers can find and target with brute-force attacks.
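An added example (not Blumira's code) serving two passages: the SMB-connection-from-a-public-IP detection in the ransomware section above, and the brute-force and RDP-exposure detections here. The exposed-port list, the 300-second window and failure thresholds, the internal address ranges and the sample records are all assumptions.

```python
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
EXPOSED_PORTS = {445: "SMB", 3389: "RDP"}   # services that should never face the internet

def is_public(ip):
    """Anything outside the internal ranges counts as public (incl. RFC 5737 test nets)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

# Constructed inbound connection records (src_ip, dst_ip, dst_port); not real telemetry.
CONNECTIONS = [
    ("10.0.1.5", "10.0.1.20", 445),       # internal SMB: expected
    ("198.51.100.23", "10.0.1.20", 445),  # SMB from a public IP
    ("203.0.113.8", "10.0.1.21", 3389),   # RDP reachable from the internet
    ("203.0.113.8", "10.0.1.22", 443),    # public HTTPS client: fine
]

def exposed_service_connections(conns):
    """Inbound SMB/RDP connections whose source is outside the internal ranges."""
    return [(src, dst, EXPOSED_PORTS[port]) for src, dst, port in conns
            if port in EXPOSED_PORTS and is_public(src)]

# Constructed failed-login events (unix_ts, src_ip, account).
FAILED_LOGINS = (
    [(t, f"203.0.113.{10 + t % 4}", "administrator") for t in range(40)]  # 4 rotating sources
    + [(t * 30, "10.0.1.5", "alice") for t in range(6)]                   # one user mistyping
)

def brute_force_accounts(events, window=300, min_failures=20, min_sources=2):
    """Accounts with >= min_failures failures from >= min_sources public IPs inside
    any window-second span. Returns (account, failures, distinct_sources) tuples."""
    by_account = defaultdict(list)
    for ts, src, account in sorted(events):
        if is_public(src):
            by_account[account].append((ts, src))
    hits = []
    for account, evs in by_account.items():
        start, best = 0, (0, 0)
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            sources = {src for _ts, src in span}
            if len(span) >= min_failures and len(sources) >= min_sources:
                best = max(best, (len(span), len(sources)))
        if best[0]:
            hits.append((account, best[0], best[1]))
    return hits
```

Requiring several distinct public sources is what separates a distributed guessing campaign from one locked-out user; internal failures are left to a separate, lower-priority rule.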
Effective Threat Detection & Response
There’s a variety of tools you likely have in your arsenal to help detect these attacker techniques. A SIEM can help aggregate logs from these tools and give you insight into threats as they occur.
But many organizations have failed or incomplete security information and event management (SIEM) implementations, due to complexity or lack of resources to properly configure and manage them. Or, they only use a SIEM to store logs and meet compliance requirements – without extracting any real security value when it comes to threat detection and incident response.
Replacing your legacy SIEM with a modern platform that comes with effective detection and response built-in can help automate the entire process so your team is spending less time putting out fires, and more time on strategic IT/security initiatives. Ideally, a modern SIEM gives you the basic log collection capabilities, plus:
- Advanced threat detection, data correlation and threat hunting capabilities in one easy-to-manage platform
- The ability to automate threat response through an integrated platform
- Step-by-step playbooks to walk you through remediation and give you security recommendations based on the type of detection
- Honeypots to help you detect attacker lateral movement in your environment
These are rolled into Blumira’s modern SIEM platform – our security analyst team proactively works behind the scenes to power the platform with relevant rules to detect attacker techniques, automating the threat hunting process for you. We make it easy for you to quickly pinpoint the issue and take action within the same platform to respond – this makes the entire threat response lifecycle more automated and less manual, and it takes less time overall for investigation and remediation.