This week, Verizon released its highly anticipated annual Data Breach Investigations Report (DBIR), now in its 13th year of publication. AttackIQ is honored to be an ongoing contributor and to help the cybersecurity industry make better decisions around a threat-informed defense strategy.
AttackIQ shares redacted intelligence about adversary tactics, techniques, and procedures and kill chain analysis with Verizon’s DBIR team. We gain this intelligence from running emulated attacks and measuring the response against real-world security controls. Our data provides unique insights for the Verizon Data Breach Investigations Report each year to better understand attack paths and effective mitigation controls.
The media and many other organizations will have a lot to say about the Verizon DBIR in the coming days and weeks. In this blog post, I will highlight relevant findings from the report to help you effectively test your detection logic against relevant threats and risks to your organization, and as a result, optimize your security controls.
Validating your security controls against malware should still be part of a continuous security validation practice, but the Verizon DBIR found that attackers have been able to rely more on stolen credentials and other non-malware techniques to gain access to an asset or persist within an environment, versus their earlier heavy reliance on malware for this purpose.
Verizon recognizes the importance of running malware and file-related scenarios, but highlights the increasing importance of non-file-based behavior (both as atomic actions and as an attack chain), such as the malicious use of accessibility features like Sticky Keys to gain persistence and escalate privileges.
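The Sticky Keys abuse mentioned above is a good illustration of a non-file-based persistence technique that a defender can audit directly. The most common form registers a "Debugger" value under the Image File Execution Options (IFEO) key for an accessibility binary such as sethc.exe, so that Windows launches the attacker's program with SYSTEM privileges from the logon screen. The following script is an added example, not AttackIQ's or Verizon's code: it parses the text of a `reg export` of the IFEO key (here a constructed sample so it runs offline) and reports any accessibility binary with a Debugger value set. The list of accessibility binaries is the set Windows exposes from the logon screen; the sample registry contents are constructed.

```python
"""Detect Image File Execution Options (IFEO) "Debugger" hijacks of Windows
accessibility binaries (ATT&CK T1546.008) in a text export of the registry.

Added illustrative example; not AttackIQ or Verizon code.  The input is the text
that `reg export` writes for the IFEO key (a .reg file); the sample below is
constructed so the script runs offline.
"""
import re

# Accessibility helpers Windows launches from the logon screen; a Debugger value
# under any of these keys makes Windows run the named program as SYSTEM instead.
ACCESSIBILITY_BINARIES = {
    "sethc.exe",         # Sticky Keys
    "utilman.exe",       # Ease of Access / Utility Manager
    "osk.exe",           # On-Screen Keyboard
    "narrator.exe",
    "magnify.exe",
    "displayswitch.exe",
    "atbroker.exe",
}

IFEO_PREFIX = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    r"\Image File Execution Options"
)

# Constructed sample of a .reg export: a benign notepad.exe entry, a sethc.exe
# entry with a Debugger hijack, and a utilman.exe entry with only GlobalFlag set.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"MitigationOptions"=hex:00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe]
"GlobalFlag"=dword:00000200
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_value}} parsed from .reg text."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def find_ifeo_hijacks(text):
    """Return [(binary, debugger_command)] for every accessibility binary that
    has a Debugger value under the IFEO key."""
    findings = []
    for key_path, values in parse_reg_export(text).items():
        if not key_path.lower().startswith(IFEO_PREFIX.lower()):
            continue
        binary = key_path.rsplit("\\", 1)[-1].lower()
        debugger = values.get("Debugger")
        if binary in ACCESSIBILITY_BINARIES and debugger is not None:
            # .reg files quote strings and double every backslash; undo both.
            findings.append((binary, debugger.strip('"').replace("\\\\", "\\")))
    return findings


if __name__ == "__main__":
    for binary, cmd in find_ifeo_hijacks(SAMPLE_REG_EXPORT):
        print(f"ALERT: {binary} has an IFEO Debugger pointing at {cmd}")
```

On a live host the same function can be fed the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`. The check covers only the IFEO variant; the older variant that overwrites sethc.exe itself leaves no registry trace and needs a file-hash or signature comparison of the binaries in System32.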
For years the security community has been focused on malware as the dominant threat concern. The Verizon report affirms that defenders can make significant headway by focusing first on known tactics, techniques, and procedures as flagged under MITRE ATT&CK.
How can AttackIQ help you to secure your enterprise? AttackIQ scenarios can be used to validate detection capabilities of security controls against malicious behavior that utilizes legitimate credentials (in both traditional environments and cloud environments). As an example, you can validate your security controls using an AttackIQ scenario that emulates mounting a shadow volume, attempting to dump credentials, or by creating an admin share on a remote machine to determine if a bad actor could move laterally from a vulnerable point in your network to a critical asset.
The DBIR highlights adversaries’ use of stolen credentials as a top-five Action variety for data breaches. Adversaries’ use of stolen credentials is a recurring data point within the entire report.
Why is this important? Within the attack kill-chain, security teams should run scenarios that emulate the adversary searching for credentials both externally and internally, as well as scenarios that use stolen credentials to escalate privileges or move laterally. AttackIQ has multiple examples of such scenarios in our scenario library, including atomic actions such as running tools like LaZagne to dump credentials on Windows, Linux, and OSX, as well as scenarios that use those credentials to attempt to create an admin share on a remote machine and move laterally within the data center.
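Both the preceding paragraphs and the earlier "How can AttackIQ help" paragraph describe lateral movement by reaching an admin share on a remote machine with stolen credentials. The detection side of that scenario is what a blue team should confirm fires when the emulation runs. The script below is an added example, not AttackIQ's or Verizon's code: it reads Windows Security event 5140 ("A network share object was accessed") records as a SIEM would forward them in JSON lines, flags administrative-share access (ADMIN$, C$, D$ and so on) from any source that is not an approved admin host, and separately flags one account touching admin shares on several hosts from a single source, the fan-out pattern of lateral movement. The log lines, the allowlist of admin hosts and the fan-out threshold are all constructed assumptions; the field names follow the Event 5140 schema.

```python
"""Flag administrative-share access that may indicate lateral movement with
stolen credentials, using Windows Security event 5140 ("A network share object
was accessed") forwarded to a SIEM as JSON lines.

Added illustrative example; not AttackIQ or Verizon code.  The log lines are
constructed; field names (SubjectUserName, IpAddress, ShareName, Computer)
follow the Event 5140 schema.  The allowlist and threshold are assumptions.
"""
import json
import re
from collections import defaultdict

# Hosts from which administrators legitimately open ADMIN$/C$ (assumed).
ALLOWED_ADMIN_SOURCES = {"10.0.5.10", "10.0.5.11"}

# Distinct hosts one (user, source) pair may reach before we call it fan-out
# rather than a one-off administrative task (assumed).
FANOUT_THRESHOLD = 3

# Default administrative shares are logged as \\*\ADMIN$ or \\*\C$ (any drive).
ADMIN_SHARE = re.compile(r"^\\\\\*\\(ADMIN\$|[A-Z]\$)$", re.IGNORECASE)

# Constructed sample: one Event 5140 per line, JSON-escaped as a SIEM would
# store it (each backslash doubled).  The last line is an unrelated logon event.
SAMPLE_LOG = r"""
{"EventID":5140,"Computer":"FS01","SubjectUserName":"jdoe","IpAddress":"10.0.5.10","ShareName":"\\\\*\\ADMIN$"}
{"EventID":5140,"Computer":"FS01","SubjectUserName":"jdoe","IpAddress":"10.0.22.7","ShareName":"\\\\*\\Projects"}
{"EventID":5140,"Computer":"WS17","SubjectUserName":"svc_backup","IpAddress":"10.0.22.7","ShareName":"\\\\*\\ADMIN$"}
{"EventID":5140,"Computer":"WS18","SubjectUserName":"svc_backup","IpAddress":"10.0.22.7","ShareName":"\\\\*\\C$"}
{"EventID":5140,"Computer":"WS19","SubjectUserName":"svc_backup","IpAddress":"10.0.22.7","ShareName":"\\\\*\\C$"}
{"EventID":4624,"Computer":"WS19","SubjectUserName":"svc_backup","IpAddress":"10.0.22.7"}
"""


def detect_admin_share_abuse(log_text):
    """Return a list of alert strings: one per admin-share access from a
    non-admin source, plus one per (user, source) pair whose fan-out reaches
    FANOUT_THRESHOLD distinct hosts."""
    alerts = []
    targets = defaultdict(set)  # (user, source_ip) -> hosts whose admin share was opened
    for line in log_text.strip().splitlines():
        evt = json.loads(line)
        if evt.get("EventID") != 5140:
            continue
        share = evt.get("ShareName", "")
        if not ADMIN_SHARE.match(share):
            continue  # ordinary file share, out of scope here
        user, src, host = evt["SubjectUserName"], evt["IpAddress"], evt["Computer"]
        if src not in ALLOWED_ADMIN_SOURCES:
            alerts.append(
                f"admin share {share} on {host} opened by {user} from non-admin host {src}"
            )
        targets[(user, src)].add(host)
    for (user, src), hosts in targets.items():
        if len(hosts) >= FANOUT_THRESHOLD:
            alerts.append(
                f"{user}@{src} reached admin shares on {len(hosts)} hosts: "
                + ", ".join(sorted(hosts))
            )
    return alerts


if __name__ == "__main__":
    for alert in detect_admin_share_abuse(SAMPLE_LOG):
        print("ALERT:", alert)
```

Event 5140 is only generated when "Audit File Share" is enabled in the advanced audit policy, so the first thing to verify when an emulated admin-share scenario produces no alert is whether the event exists at all on the target host. The fan-out rule is deliberately separate from the allowlist rule: a stolen credential used from an approved jump host still shows up when it starts touching many machines.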
In the vertical-specific section of the report, the DBIR goes on to say that the healthcare sector has the highest number of bad internal actors due to the greater number of users with credential access. The report details that many of the breaches and incidents within healthcare occur “when External and Internal actors combine forces to abscond with data that is then used for financial fraud.” Reading into this, you can imagine the numerous healthcare employees who have access to medical documents and personal information and who, either maliciously or inadvertently, send this information to external parties that should not have access to the data. The report also finds that within the financial and insurance sectors, external actors use stolen credentials to get access to sensitive data stored in the cloud.
How can AttackIQ help you secure your enterprise? Security teams should run AttackIQ scenarios to validate traditional and cloud security controls against two assumptions: (1) that the adversary is using credential dumping within a traditional environment, and (2) that the attacker already holds valid credentials. AttackIQ has numerous scenarios like this that leverage the MITRE ATT&CK Cloud Framework. One example emulates malicious behavior within Amazon Web Services (AWS) that tries to create new identity and access management (IAM) access keys, assuming the attacker already has a valid access key ID and secret access key.
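For the AWS scenario just described, the control to validate is whether your CloudTrail monitoring notices the new key. The script below is an added example, not AttackIQ's or Verizon's code: it walks CloudTrail records, keeps the `CreateAccessKey` calls against `iam.amazonaws.com`, and scores each one on two signals that separate an attacker minting a persistence key from an administrator rotating her own: the key is created for a different principal than the caller, and the call comes from outside the networks your administrators use. The records, key IDs and the trusted network range are constructed; the record field names (`eventSource`, `eventName`, `userIdentity`, `requestParameters`, `sourceIPAddress`) are the standard CloudTrail ones.

```python
"""Triage CloudTrail records for IAM access-key creation, the persistence step
an attacker takes once a stolen access key ID and secret are confirmed to work.

Added illustrative example; not AttackIQ or Verizon code.  The records below
are constructed in CloudTrail's record format; key IDs are placeholders and
TRUSTED_SOURCE_NETS is an assumed allowlist.
"""
import ipaddress
import json

# Networks from which administrators normally call the IAM API (assumed).
TRUSTED_SOURCE_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed trail: a self-rotation from the office, a key minted for a
# different user from an unknown address, and an unrelated read-only call.
SAMPLE_TRAIL = json.dumps({"Records": [
    {
        "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "accessKeyId": "AKIAEXAMPLE0000ALICE"},
        "requestParameters": {"userName": "alice"},
        "sourceIPAddress": "203.0.113.25", "userAgent": "aws-cli/2.x",
    },
    {
        "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
        "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                         "accessKeyId": "AKIAEXAMPLE00000CI01"},
        "requestParameters": {"userName": "backup-admin"},
        "sourceIPAddress": "198.51.100.77", "userAgent": "aws-cli/2.x",
    },
    {
        "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "accessKeyId": "AKIAEXAMPLE0000ALICE"},
        "requestParameters": None,
        "sourceIPAddress": "203.0.113.25", "userAgent": "console.amazonaws.com",
    },
]})


def from_trusted_network(source):
    """True when sourceIPAddress is an IP inside an allowed range.  CloudTrail
    puts a DNS name here for calls made by AWS services; those are treated as
    untrusted so they get a human look rather than a silent pass."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_SOURCE_NETS)


def triage_access_key_creation(trail_json):
    """Return one finding dict per CreateAccessKey record with a severity of
    info (no signal), medium (one signal) or high (both signals)."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") != "CreateAccessKey":
            continue
        identity = rec.get("userIdentity", {})
        caller = identity.get("userName") or identity.get("arn", "<unknown>")
        # requestParameters.userName is omitted when a user creates its own key.
        params = rec.get("requestParameters") or {}
        target = params.get("userName") or caller
        reasons = []
        if target != caller:
            reasons.append(f"key created for another principal ({target})")
        if not from_trusted_network(rec.get("sourceIPAddress", "")):
            reasons.append(f"call from untrusted source {rec.get('sourceIPAddress')}")
        severity = {0: "info", 1: "medium", 2: "high"}[len(reasons)]
        findings.append({
            "caller": caller,
            "caller_key": identity.get("accessKeyId"),
            "target": target,
            "severity": severity,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in triage_access_key_creation(SAMPLE_TRAIL):
        print(f"[{f['severity']}] {f['caller']} -> {f['target']}: {'; '.join(f['reasons']) or 'expected'}")
```

The `caller_key` field is worth keeping in the alert: when the scenario is run with a deliberately issued test key, that is the value you can search for to confirm the detection pipeline attributes the new key back to the credential that created it.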
Ransomware has been a topic and concern in the security community for many years now. The Verizon DBIR confirms that ransomware should be a priority and is amongst the top malware variants used in incidents and breaches.
How can AttackIQ help you secure your enterprise? AttackIQ’s research team has released scenarios related to relevant and timely ransomware variants. Our scenarios emulate enough of the behavior to test your defensive strategy at all stages of the kill-chain. AttackIQ’s platform has scenarios that emulate the downloading of ransomware to test your network security controls. Our scenario library has up-to-date, behavior-based scenarios that safely emulate the actions ransomware would take within your environment, to test endpoint and internal network security controls such as EDR, EPP, AV, and web filtering. As ransomware continues to be a major malware variant and a threat to organizations, it’s crucial to validate your security controls against it.
The report states that, “While successful exploitation of vulnerabilities does still occur (particularly for low-hanging fruit ...), if your organization has a reasonable patch process in place, and you do not have a state-aligned adversary targeting you, then your time might be better spent attending to other threat varieties.... In our security information and event management (SIEM) dataset, most organizations had 2.5% or less of alerts involving exploitation of a vulnerability.”
The security industry worries a lot about exploitation, but Verizon argues that you need to go further. If you have a good vulnerability management program for your network, you need to focus on defending against the other attack methods an adversary will use once inside your network. US-CERT confirmed this view in a recent post, saying, "Today our security teams are highly focused on external vulnerability scanning and dumping all resources and efforts into only one tactic within the kill-chain.” This leaves organizations susceptible to other methods of attack.
How can AttackIQ help you secure your enterprise? We see attackers using tactics other than exploits to gain access and maintain persistence within the environment, including the use of stolen credentials or phishing. Attackers always seek out low-hanging fruit. If you assume breach, you need to plan for all the methods that attackers will use to move throughout your network after initial access.
We operationalize MITRE ATT&CK to focus your security teams and technologies on known threats. Security teams can use AttackIQ to validate security controls against the following tactics, among others: “Execution,” “Persistence,” “Privilege Escalation,” “Defense Evasion,” “Credential Access,” “Discovery,” “Lateral Movement,” “Collection,” “Command and Control,” “Exfiltration,” and “Impact.” All of these tactics can be tested both atomically and across the kill-chain to validate your security controls.
Organizations need to drive down initial access by focusing on vulnerability management, but you also need to plan for what the attacker will do next. That’s what we do. As a cybersecurity optimization platform, AttackIQ tests your organization’s defenses against well-defined threats, measures the effectiveness of those defenses, and helps you execute improvements continuously. The end result: an overall improvement in your cybersecurity posture and increased efficiency in your business operations.