Development and Operations: A Practical Guide



Joe Vest, James Tubberville, Red Team Development and Operations
Consider this scenario
After evaluating a target network, a threat-actor decides phishing is their chosen method to gain access. They send a phishing email to a small number of targeted individuals. The phish contains an Excel attachment with a DDE-based attack. One of the email recipients opens the attachment. This launches malicious code and establishes command and control (C2). The threat-actor then performs a series of steps that includes situational awareness of current access, enumeration of potential new targets, and identification of lateral movement options to those targets. In this case, the threat finds clear-text database credentials in an old test web application backup on a public share. The web application has no direct significance or critical data other than access to a test database with no critical data. It's just a test application. The credentials provide the means to move laterally to a test database server. Remember, the database doesn't have sensitive data but is part of the "server zone" in the network. Code execution on the database server provides elevated access. The situational awareness cycle repeats. The threat-actor discovers elevated credentials stored in memory on the database server. The threat extracts this credential material and uses it to communicate with a Windows domain controller, extracting an even more highly privileged credential using the dcsync [6] technique. The threat-actor repeats the situational awareness and enumeration cycle using the newly gained credentials from the domain controller. The intended target is identified and located on a sensitive file repository. The threat-actor prepositions themselves using the access and information gained and achieves their final objective by exfiltrating sensitive data from the network.
Answer the following questions as if you were part of the targeted organization.
Is this scenario reasonable?
Were opportunities presented to detect or prevent the threat?
Could your current security program prevent, detect or respond to this threat?
Are you sure?
Have you verified?
If so, how?
What techniques or indicators were left behind by this threat?
Organizations often blame the end-user who clicked the link. This scenario indicates an organization's entire security model may depend on users not clicking a link in an email. What about the actions the threat took after the initial click? Many organizations do not intend to hinge all security on a single user, but the steps taken to defend systems often say otherwise.
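Each step after the click leaves an indicator a defender can look for. The following added example (not code from the book or its authors) shows a minimal set of detection checks for the stages of this scenario, run over constructed sample telemetry. The Sysmon event ids, the 4662 event and the two DS-Replication rights GUIDs are standard Windows values; the "share_scan" record shape and all host, account and path names are assumptions.

```python
import re

# Sysmon event 1: an Office app spawning a shell, the footprint of a DDE attack
OFFICE = {"excel.exe", "winword.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "mshta.exe"}
# Replication control-access rights requested in event 4662 (DCSync)
DS_REPL = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcf2",   # DS-Replication-Get-Changes
           "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2"}   # DS-Replication-Get-Changes-All
CRED_RE = re.compile(r"\b(password|pwd)\s*=\s*\S+", re.I)

def office_spawned_shell(e):
    return (e.get("id") == 1 and e.get("parent", "").lower() in OFFICE
            and e.get("image", "").lower() in SHELLS)

def cleartext_creds(e):
    # Constructed "share_scan" record: content of a file found on a public share
    return e.get("id") == "share_scan" and bool(CRED_RE.search(e.get("content", "")))

def lsass_access(e):
    # Sysmon event 10: an unexpected process opening lsass memory
    return (e.get("id") == 10 and e.get("target", "").lower() == "lsass.exe"
            and e.get("source", "").lower() not in {"csrss.exe", "wininit.exe"})

def dcsync(e):
    # 4662 on a DC by a non-machine account (no trailing $) asking for replication
    # rights; tune for legitimate sync accounts (e.g. Azure AD Connect) in your estate
    return (e.get("id") == 4662 and not e.get("account", "").endswith("$")
            and bool(DS_REPL & set(e.get("properties", []))))

STAGES = [("dde_execution", office_spawned_shell),
          ("cleartext_credentials", cleartext_creds),
          ("lsass_credential_access", lsass_access),
          ("dcsync", dcsync)]

def detect(events):
    """Return the scenario stages for which at least one event matches."""
    return [name for name, rule in STAGES if any(rule(e) for e in events)]

SAMPLE_EVENTS = [  # constructed sample telemetry: one record per stage plus a benign one
    {"id": 1, "host": "ws01", "parent": "EXCEL.EXE", "image": "cmd.exe"},
    {"id": "share_scan", "path": r"\\fs01\public\webapp_old\web.config.bak",
     "content": "Server=testdb01;User Id=app;Password=changeme"},
    {"id": 10, "host": "testdb01", "source": "rundll32.exe", "target": "lsass.exe"},
    {"id": 4662, "host": "dc01", "account": "svc_backup",
     "properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcf2"]},
    {"id": 4662, "host": "dc01", "account": "DC02$",   # routine DC-to-DC replication
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcf2"]},
]

print(detect(SAMPLE_EVENTS))
```

The point of the exercise is the question above: every one of these stages, not only the click, is an opportunity to detect or stop the chain.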
