It's possible to prevent serious consequences.
If you don’t know how long your network was compromised, how can you fight threats effectively and properly?
Persistence detections are one of the most common investigations done by incident response teams, and you must know what to do in the critical 72 hours following discovery. In this situation, the attacker has been in the network for months (or even years) and established a foothold within the network.
With automated malware, compromises can occur in minutes. Once achieved, second stage actions aim to establish a foothold. If the attackers did their recon well enough—and assume that they have—then they’ll move quickly to find other devices to either move to or put their tools on. They may also start capturing credentials and inevitably be rewarded by recovering a domain administrator who may have inadvertently or improperly managed a device and did not properly log off.
Once the attacker has a domain admin account, they can cause catastrophic damage but likely will not. They’ll try to remain low-key and create extra user accounts in Active Directory. They may then also start to “administer” other devices, just like domain admins who do this routinely. They may also create persistence mechanisms by taking advantage of scheduled tasks. Because most users don’t have permissions, they would never see this. Most domain admins would not see this either, as they’re often overtasked, and a remote desktop connection to a file server doesn’t usually prompt further investigation, unless the number of domain admin accounts is very small and well monitored.
Attackers that achieve this level of persistence will be well-versed in your network and may know it better than you. They know how to remain inconspicuous and take advantage of your data, either by monetizing it or stealing intellectual property. They remain active in your environment until such time as they have nothing left to take or, perhaps, fall victim to the same issue which gave them their opportunity: complacency.
The First 24: Inspect and Validate Your Tools
Alerts may be a sign of a new or previous attack. Trust but verify what your tools are reporting to you.
Whether you enlist the help of an experienced external incident response team or decide to tackle the issue internally, your security team’s first step should be to determine the scope of the incident. Once you have a comprehensive map of your cyber terrain, you can respond appropriately.
Security teams should prioritize identifying both the security tools that detected the attack and those that failed in detecting it, as well as malware in the network. In this critical first day, you should be able to answer the questions: Where are the attackers? Which systems can they access? Then set alerts for the involved IP addresses, user accounts and malware to track them in real time.
Hours 24-48: Map Your Terrain
Attackers hope to gain and retain elevated privileges. A domain admin account is highly sought after because with it they can likely go anywhere and do anything, and their activities may go overlooked for quite some time. Attackers with a domain admin account will make efforts to spread out as wide as possible to avoid any single point of failure. You should already know just how wide and deep your terrain is so you will be prepared to hunt.
Once the extent of the attack is understood, security teams should treat it as a persistence detection. They will spend the bulk of these hours performing SIEM lookups on known-good IP addresses, known-bad IP addresses, malware and user accounts, both to determine whether any breach activity occurred before the incident was detected and to track additional movement afterward.
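As an added illustration (not code from the article or from Fidelis), the lookups described here and the persistence mechanisms described earlier (extra Active Directory accounts and scheduled tasks) can be combined into a timeline that answers the opening question of how long the network was compromised. The Windows Security event records, account names, hosts and business hours below are constructed for the example.

```python
from datetime import datetime

# Constructed Windows Security log records (not from the article). Event IDs used:
# 4720 = user account created, 4728 = member added to a security-enabled global group,
# 4698 = scheduled task created, 4624 = successful logon.
EVENTS = [
    {"time": "2023-01-04 02:13", "id": 4720, "actor": "DA-jsmith", "subject": "svc_backup2"},
    {"time": "2023-01-04 02:15", "id": 4728, "actor": "DA-jsmith", "subject": "svc_backup2",
     "group": "Domain Admins"},
    {"time": "2023-01-09 03:40", "id": 4698, "actor": "svc_backup2", "host": "FS01",
     "subject": "\\Microsoft\\Windows\\UpdateCheck"},
    {"time": "2023-02-20 09:05", "id": 4624, "actor": "DA-jsmith", "host": "FS01"},
    {"time": "2023-03-02 01:58", "id": 4698, "actor": "svc_backup2", "host": "DC02",
     "subject": "\\Maint\\Cleanup"},
]
PERSISTENCE = {4720: "account created", 4728: "added to group", 4698: "scheduled task created"}
BUSINESS_HOURS = range(7, 19)  # assumed 07:00-18:59; anything else is flagged as off-hours

def persistence_indicators(events):
    """Persistence-related events, oldest first, naming the account that gained the foothold."""
    rows = []
    for e in events:
        if e["id"] not in PERSISTENCE:
            continue
        ts = datetime.strptime(e["time"], "%Y-%m-%d %H:%M")
        # 4720/4728: the account acted upon matters; 4698: the account that registered the task.
        account = e["subject"] if e["id"] in (4720, 4728) else e["actor"]
        rows.append({"time": ts, "id": e["id"], "what": PERSISTENCE[e["id"]], "account": account,
                     # directory events are logged on the domain controller, assumed DC01 here
                     "host": e.get("host", "DC01"), "off_hours": ts.hour not in BUSINESS_HOURS})
    return sorted(rows, key=lambda r: r["time"])

def scope_report(events, detected_at):
    """Dwell time back to the earliest persistence indicator, plus accounts and hosts to watch."""
    rows = persistence_indicators(events)
    if not rows:
        return None
    detected = datetime.strptime(detected_at, "%Y-%m-%d %H:%M")
    # Watch both the accounts that received persistence and the ones that granted it.
    accounts = {r["account"] for r in rows} | {e["actor"] for e in events if e["id"] in PERSISTENCE}
    return {"earliest": rows[0]["time"], "dwell_days": (detected - rows[0]["time"]).days,
            "accounts": sorted(accounts), "hosts": sorted({r["host"] for r in rows}),
            "off_hours_events": sum(r["off_hours"] for r in rows)}

if __name__ == "__main__":
    for r in persistence_indicators(EVENTS):
        print(r["time"], r["id"], r["what"], r["account"], r["host"], "off-hours" if r["off_hours"] else "")
    print(scope_report(EVENTS, "2023-03-12 10:00"))
```

The accounts and hosts in the report are the ones to put on real-time alerting during the first day; the dwell figure sets how far back the SIEM lookups must reach.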
It is also imperative that teams determine why the attack succeeded and wasn’t detected or prevented beforehand to ensure this doesn’t happen again.
The Final Hours: Extinguish the Blaze
As the critical 72 hours come to an end, expand the scope of your investigation. It’s time to eradicate attackers by planning and coordinating an event that will turn out the lights on the attacker. This will likely be a tightly orchestrated ballet of removing web access, resetting user accounts, removing malware, remediating affected systems, blocking known bad IP addresses and implementing custom signatures for endpoint active defense tools.
Afterward, security teams should also establish formal reporting procedures with the security operations center about indicators of compromise directly related to this incident. Outline what worked and what didn’t to smooth operations moving forward.
Although there’s often limited information and visibility, if you act quickly and efficiently in the first 72 hours, you can prevent serious consequences. Ultimately, you must identify the scope of the incident and then launch the eradication event, noting missteps and activity along the way to ensure the attacker(s) are gone for good.
Chuck Twardowski is an operational lead for incident response at Fidelis Cybersecurity. He is a retired law enforcement officer and has taught to government agencies at the Defense Cyber Investigations Training Academy.