Threat Vectors

See What Attackers Are Doing in Your Network
200

DAYS

According to many studies, attackers spend more than 200 days on average within the network.

The primary reason for this is because existing enterprise security solutions do not provide visibility into malicious behavior once a user has gained access to the enterprise network. Successfully using legitimate credentials to log into a resource is considered to be a normal behavior. Getting visibility becomes even more complex as the scale of network and the scale of data grows.

In other words, the entire “kill chain” threat model is flawed. The kill chain model assumes attacks are linear; that is, they start at a certain preliminary step and progress through all phases until the attacker’s objectives are accomplished. However, the kill chain does not relate to what insiders are doing in general, and more specifically, what anyone operating with legitimate credentials is doing.

That’s why Fortscale is focusing on four core threat vectors as the primary business use cases, covering malicious actions that can be done with user credentials.

Attacker’s Objective: Scan and gather information within the enterprise that can help promote the attack’s objectives

Internal reconnaissance

Attackers attempt to collect data to gain better information about the network through several means: attempts to identify other legitimate user accounts and validate multiple credentials; attempts to identify other devices or services; and attempts to collect and/or copy digital assets (files, certificates, database records, etc.). This behavior is typically characterized by:

  • Large volume of activity, especially unsuccessful login attempts;
  • Low and slow activity patterns (repetitive attempts to access the same or multiple resources until successful); or
  • Accessing unusual resources that were not previously accessed from a specific account or peer group

InternalReconnaissanceOnce the goals are met and the attacker holds the data gathered in the 1st scenario, there are multiple options of extracting this information. Typically, the data will be extracted over the network to a remote site controlled by the attacker. For example, by uploading the information to a Dropbox account, remotely connecting to an FTP server or sending an email to an unfamiliar target. This behavior will be characterized in anomalous volumes of activity and access attempts to unfamiliar assets, across anomalous geographic locations.

DOWNLOAD USE CASES OVERVIEW

Attacker’s Objective: Obtain privileges and set mechanisms to ensure the continuity of the attack campaign

Establish persistence

Attackers will make attempts to maintain their existing footholds in your network, ensuring they can return and continue their operation until their goals are met. This can be achieved either with acquiring assets that enable repeating connections into the network or by setting backdoors on different assets.

EnterprisePersistence

For example, an attacker may create a new account on a target machine to make sure that even if the compromised account’s password is changed, he or she has the ability to reconnect. Another example: taking over a stale or unused account and accessing it using legitimate credentials from a new device, with the expectation of creating a new baseline of normal behavior.

DOWNLOAD USE CASES OVERVIEW

Attacker’s Objective: Proceed inside and outside the network toward the target resources that enable accomplishing the attack objectives by changing identities, elevating privileges, and gaining access to different assets and resources

Lateral movement

Attackers attempt to get better privileges to change their postures within the network: After acting under one identity as a specific user or from a specific device, the attacker now acts under a different identity. This is important because malicious parties are limited to what their sets of credentials enable them to do, and very often they will need to move around the network in order to proceed. This creates an opportunity for defenders to identify attackers at that very specific timeframe when a lateral movement occurs, which is key for detecting attacks against the enterprise.

ImpossibleJourney

Impossible journey is an example of lateral movement.

Lateral movement would typically be characterized by making:

  • Multiple successful connections from the same set of privileges from the same device
  • Hops between different areas in the network (remote access -> on-premise data center -> corporate network)
  • Hops between different devices (for example, first time that machine A is connecting to machine B)
  • First-time access to a specific account from a different asset

DOWNLOAD USE CASES OVERVIEW

Attacker’s Objective: Extract the information gathered throughout the attack campaign outside the enterprise network

Data exfiltration and extraction

Once the attacker’s data-gathering goals are met, they have multiple options for extracting this information. Typically, the data will be extracted over the network to a remote site controlled by the attacker.

DataExfiltrationWithCopy

For example, attackers can upload the information to a Dropbox account, remotely connect to an FTP server, or send an email to an unfamiliar target. This behavior will be characterized by anomalous volumes of activity and access attempts to unfamiliar assets, across anomalous geographic locations.

DOWNLOAD USE CASES OVERVIEW
FS-icon-white

Get Started Fast

Let’s discuss your needs and show you how it can work for you.

SCHEDULE A DEMO