From what we’ve gathered, most of these attacks have the following major steps, which I have explained below:
1. Initial compromise
2. Privilege escalation
3. Lateral movement
4. Persistence
5. Data theft (Less Common)
6. Payload detonation
The Initial Compromise is where the attackers gain access into your network, and there could be many ways in which this could happen. It could be as easy as brute forcing a Remote Desktop (RDP) session you have opened to the Internet to help with your remote working or it could by exploiting any zero-day vulnerability (or a very recently discovered vulnerability which hasn’t been patched) of your Internet facing webserver. A few ways to reduce the risk of the initial compromise is to expose Remote Sessions via a secure remote access VPN (with multifactor authentication), make sure you regularly patch your Internet server and ensure you do not expose unwanted services to the Internet.
Once the attacker gains access to your network, they explore to understand what sort of activities can be performed on that network. In most cases, the attacker tends to perform what’s called Privilege Escalation – in simpler terms, this means they try to elevate their level of access. To do this, they would try out methods such as guessing the passwords (Yes, mycompany@123 can be a very common password) or look for passwords stored in text files (Yes, this sounds very trivial, but the truth is when administrators force you to maintain strong passwords we often resort to simple means of remembering them, i.e. text files) or more complex methods such as running exploitation tools like mimikatz to steal credentials. The higher the access the attacker gets, the more damage they can do to a network. As a preventive measure, you can always try to force users to use complex passwords and educate them on how to keep the passwords safe. You could also monitor your user activity to detect abuse and misuse.
The next step of the attack is the Lateral Movement. In other words, once the attacker gains higher privileges on your network, it starts spreading the payload to all possible victim devices to cause more harm than damaging a single machine. Many would ask what makes a ransomware attack so devastating? The answer is its behavior of launching attacks on multiple devices within a small timeframe. This is what makes them so devastating and enables them to bring down organizations within a few minutes or hours. Most attackers utilize vulnerabilities on your network (e.g. the eternalblue exploit) or they would abuse legitimate tools to spread the payload. The abuse of legitimate tools can be very hard to detect as in most cases since the activity is done in such a manner that it mimics legitimate user behavior. Therefore, it’s very difficult to differentiate if the entire activity is malicious or not without proper context. For example, consider an attacker gaining access to the server that you use to distribute software in your organization. They can use this same tool to distribute the malware as well. A few methods of detecting and preventing lateral movement would be to properly segment user privileges, make sure all your devices have UpToDate security patches, your network is properly segmented and firewalled (a common thing we see is that although you tend to protect your network from the external entities, you rarely practice segmentation internally. Hence, when a network gets compromised, it is easy for the attacker to travel within your network), monitor suspicious usage of privileged accounts and limit what privileged accounts could do in your network.
The next step of the attack would be to make themselves Persistent in your environment. Many attackers put in a lot of effort to gain access to your network and the effort is mostly proportional to the amount of security you maintain on the network. Once this is done, the attacker would hate to lose access via a reboot or change of credentials or other interruptions. Hence, they deploy methods such as using the group policy feature of windows environments, registering as a service, creating scheduled tasks, and creating new accounts to make sure they will not lose their control abruptly. A few methods of detecting and preventing such attempts would be to limit what actions user accounts can perform, monitoring suspicious user creations (e.g. users created during off hours) and monitoring group policy or other services related changes.
Before moving to the final stage of the attack, attackers may opt to steal your data – Data Theft. This isn’t a very common move, but we have witnessed some instances. If attackers sense that your data would have a substantial black-market value or that your brand image would be gravely damaged by certain information becoming public, then they would decide to exfiltrate your data. A common method of stealing data could be uploading the files to a file share site (it’s very common for administrators to allow file sharing sites to make their day-to-day work easy but keep in mind attackers too could exploit these same paths). The methods of preventing or minimizing such data loss would be to implement Rights Management Systems (this will help you to make sure that even if the data is exfiltrated the attacker cannot use it), implementing Data Loss Prevention Systems (will detect/prevent when data is been exfiltrated) and block file sharing sites that aren’t needed for work-related matters.
The final step of the attack would be Payload Detonation. Unfortunately, it’s at this stage most organizations learn that they have been attacked, and by the time the initial panic phase has passed, a lot of damage might have been done already.