Sunday, December 24, 2017

"Sophisticated" Attacks

I ran across an interesting article recently, which described a "highly sophisticated" email scam, but didn't go into a great deal of detail (or any level of detail, for that matter) as to how the scam was "sophisticated".

To be honest, I'm curious...not morbidly so, but more in an intellectual sense.  What is "sophisticated"?  I've been in meetings where attacks were described as sophisticated, and then conducted the actual incident response or root cause investigation, and found out that the attack was perpetrated via a system running the IIS web server and Terminal Services.  Web shells were found in the web content folder, and the Windows Event Logs showed lengthy history of failed login attempts via RDP.

Very often what is said to be "sophisticated" is often framed as such due to a dearth of actual data, which occurred for a number of reasons, most of which are traced back to a simple lack of preparedness on the part of the organization.  For example, were any attempts made to prevent the attack from succeeding?  I've seen a DNS server, per the client's description, running IIS and Terminal Services, with the web server logs chock full of scan attempts, and the Windows Event Logs full of failed login attempts...yet nothing was done, such as to say, "yeah, hey, this is a DNS server, we shouldn't be running these other services...", etc.  The system lacked any sort of configuration modifications "out of the box" to allow for things like increased logging, increased detail in logging, or instrumentation to provide visibility.  As such, in investigating the system, there was scant little we could determine with respect to things like lateral movement, or other "actions on the objective".

At this point, my report is shaping up to include words such as "dearth of available data due to a lack of instrumentation and visibility...", where the messaging at the client level is "this was a highly sophisticated attack". 

I've also seen ransomware attacks described as "highly sophisticated", as they apparently bypassed email protections.  In such cases, the data that illustrated the method of access and propagation of the ransomware itself was available, but apparently, it's easier to just say that the attack was "highly sophisticated", and leave it at that.  After all, who's really going to ask for anything beyond that?

After reading that first article, I then ran a quick Google search, and two of the six hits on the first page, without scrolling down, included the term "myth" in the URL title.  In fact, this Security Magazine article from April 2017 is more inline with my own experience in two decades of cybersecurity consulting.  Several years ago, I was working with a client and during the first few minutes of the first meeting, one of the IT staff made a point of emphasizing the fact that they did NOT use communal admin accounts.  I noted this, but also noted the emphasis...because later in the investigation, we found that the adversary had left a little "treat".  At one point, the adversary had pushed out RAT installers to less than a dozens systems via at.exe, and about a week later, pushed out a close variant of that same RAT installer to one other system; however, this installer had a different C2 configuration, so the low-level indicators (C2 IP address, file hash) that the client was looking for were obviated.  This installer was pushed out to the StartUp folder for the...wait for it..."admin" account.  Yes, that is the name of the account..."admin".  It turned out that this was likely pushed out in case the other RATs were discovered, and would provide a means of access back into the infrastructure at a later date.  After all, the "admin" profile already existed on a number of systems, meaning that the account had been set up in the domain, and then used to log into several systems.  The RAT installer was pushed out to one system, in the "admin" profile's StartUp folder, as a means of providing the adversary with access back into the infrastructure, in the advent of IR activities. 

As in the above described instance, a great many of the incidents I (and others) have responded to are not terribly sophisticated at all.  In fact, the simple elegance of some of these incidents are impressive, given the fact that the adversary knows more about the function of, say, Windows networking, beyond what you achieve through the GUI. 

For example, if an adversary modifies the "hosts" file on a Windows system, is that "highly sophisticated"?  Here is a MS article on host name resolution order; it was updated just shy of a year ago (as of this writing), but take a close look at the OS versions reference in the article.  So, are you not seeing suspicious domain queries in your DNS logs because there is no malware on your infrastructure, or is it because someone took advantage of Microsoft capabilities that go back over 20 yrs? 

Speaking of archaic capabilities, anyone remember this one?

My point is, what is truly a "highly sophisticated" attack?

3 comments:

Anonymous said...

The most likely interpretation of 'sophisticated attack' seems to be "an attack that doesn't rely on brute force or trial and error or isn't the result of blind luck".

It has probably become a frozen expression: those two word go together in news reporting, and so the need to add 'highly' in order to make it different from yesterday's sophisticated attack as well as those of last week.

I'm reminded of snooker players, who usually apologize if they 'fluke' a shot: that's sometimes the only way a non-expert bystander of a match to tell a difference between skill or luck. But not all players do so apologize ... and few attackers seem likely to admit to luck in any form.



ark console commands said...

"More Sophisticated Attacks?" They can't even answer the simplest of questions... They show up wearing bicycle helmets... (Retard Head Gear) and they swing sticks at people... How "sophisticated" can they get? LMAO!!!

H. Carvey said...

Word choice aside, can you elaborate a bit?