The primary reason for this is that existing enterprise security solutions do not provide visibility into malicious behavior once a user has gained access to the enterprise network. Successfully logging in to a resource with legitimate credentials is considered normal behavior. Gaining visibility becomes even more complex as the scale of the network and the volume of data grow.
In other words, the entire “kill chain” threat model is flawed. The kill chain model assumes attacks are linear; that is, they start at a certain preliminary step and progress through all phases until the attacker’s objectives are accomplished. However, the kill chain does not relate to what insiders are doing in general, and more specifically, what anyone operating with legitimate credentials is doing.
That’s why Fortscale is focusing on four core threat vectors as the primary business use cases, covering malicious actions that can be done with user credentials.
Internal reconnaissance
Attackers attempt to collect data to gain better information about the network through several means: attempts to identify other legitimate user accounts and validate multiple credentials; attempts to identify other devices or services; and attempts to collect and/or copy digital assets (files, certificates, database records, etc.). This behavior is typically characterized by:
Establish persistence
Attackers will attempt to maintain their existing footholds in your network, ensuring they can return and continue their operation until their goals are met. This can be achieved either by acquiring assets that enable repeated connections into the network or by planting backdoors on different assets.
For example, an attacker may create a new account on a target machine to make sure that even if the compromised account’s password is changed, he or she has the ability to reconnect. Another example: taking over a stale or unused account and accessing it using legitimate credentials from a new device, with the expectation of creating a new baseline of normal behavior.
Lateral movement
Attackers attempt to obtain higher privileges and change their posture within the network: after acting under one identity, as a specific user or from a specific device, the attacker now acts under a different one. This matters because malicious parties are limited to what their set of credentials allows them to do, and very often they must move around the network in order to proceed. This creates an opportunity for defenders to identify attackers in the specific timeframe when lateral movement occurs, which is key to detecting attacks against the enterprise.
Lateral movement would typically be characterized by making:
Data exfiltration and extraction
Once the attacker’s data-gathering goals are met, they have multiple options for extracting this information. Typically, the data will be extracted over the network to a remote site controlled by the attacker.
For example, attackers can upload the information to a Dropbox account, remotely connect to an FTP server, or send an email to an unfamiliar target. This behavior will be characterized by anomalous volumes of activity and access attempts to unfamiliar assets, across anomalous geographic locations.