by Stephen Burgio, on Aug 15, 2022
The MITRE ATT&CK Frameworks highlights Privilege Escalation and Lateral Movement as the 2 of the top 5 attach techniques. We will use the Cisco breach as the most current example of how a "standard attack" plays out by a (likely) human adversary. The steps taken were straightforward (though a bit noisier than some of the advanced threat groups) and accomplished a number of noteworthy objectives. For those unfamiliar with the attack, please see the step-by-step walkthrough in the following Talos post (https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html ).
Upon initially compromising the target user's account, the attacker proceeded to escalate their local privileges and obtain local administrative access. This access was then used to move laterally to other systems and achieve subsequent malicious objectives, ultimately claiming data from Cisco's network to the tune of 2.8GB.
Upon initially compromising the target user's account, the attacker proceeded to escalate their local privileges and obtain local administrative access. This access was then used to move laterally to other systems and achieve subsequent malicious objectives, ultimately claiming data from Cisco's network to the tune of 2.8GB.
While the impact was notable, the attackers approach is relatively straightforward (in terms of sophistication) and we can easily align each step to the Mitre ATT&CK Framework, from Reconnaissance through Exfiltration, and Impact phases respectively. Within each phase, specific tactics were used to move deeper into the environment and privilege access was a core element in this process. It's worth stating that there were several defenses in place that prevented further damage to the environment and it's customers/consumers.
I'd like to share how Remediant's SecureONE solution could have minimized the blast radius of the attack and kept Cisco in a more preventative and less responsive position.
Remediant SecureONE offers mitigations against 71 techniques in the Mitre ATT&CK framework across 9 of the 13 total attack phases. In the case of the Cisco incident, SecureONE would have combatted the attacker as follows:
- Escalation of Privileges - With reference to the escalation to administrator on initial victim system: In a SecureONE, Zero Standing Privilege environment, the attacker would not have had an admin account to escalate to on the initial foothold system, making subsequent efforts more difficult.
- Credential Reuse on Subsequent Systems - The attacker used previously-compromised credentials to log into new systems within the environment as a privileged user: In a SecureONE environment, our solution would have stopped this administrative sprawl from endpoint to endpoint using our Zero Standing Privilege approach. If there are no standing admin on any endpoint, the attacker would have been isolated to that endpoint.
- Creation & Removal of New Local Admin Accounts - The attacker created new Admin accounts ("Z") on compromised endpoints to establish persistence. SecureONE is always-on and always-scanning. This means any new administrator would have been removed as it's not in the known inventory.
- Malicious Tools (Needing Admin) - Several tools utilized by the attacker would have been deemed inert without admin privileges needed to run. These include: Dumping NTDS, secretsdump, MiniDump, custom and other noted, publicly powershell and command-line scripts.
Given the nature of this attack, Remediant's SecureONE would have drastically reduced Cisco's attack surface and limited the impact and effectiveness of the attackers efforts. An environment with no standing administrators is measurably more resilient to compromises like this.
If you enjoyed this write-up and would like to learn more about how SecureONE can protect your organization today from attacks like this, contact us!