Here are the key parts of the BeyondTrust Cyber-Attack Chain model, along with tactics to disrupt the attack at each phase. That's more than 9 months that an attacker could be sitting on your network planning their coup de grâce. Eliminate shared accounts and password sharing. And don't forget about the role of multifactor authentication (MFA): it could be the difference between stopping an attack and becoming another breach statistic. Other, complementary techniques should also be applied at this stage, including anti-exploit technology to prevent credential theft, privilege escalation and application abuse.

In this blog, the first in the Inside Microsoft Threat Protection series, we will show how MTP provides unparalleled end-to-end visibility into the activities of nation-state level attacks like HOLMIUM. Successful exploitation automatically triggered remote code execution of a script when an Outlook client synced with a mailbox and rendered the profile Home Page URL. This initial foothold allowed HOLMIUM to run their custom PowerShell backdoor (known as POWERTON) directly from an Outlook process and to install additional payloads on the endpoint with different persistence mechanisms, such as WMI subscription (T1084) or registry autorun keys (T1060). Without the victim changing the stolen credentials, the attacker could likely have re-initiated the attack at will. Understanding the full attack chain enables MTP to automatically intervene to block the attack and remediate assets holistically across domains.

Figure 11.

EDR examines the chain of attack

Take the massive Norsk Hydro ransomware attack as an example: the initial infection occurred three months prior to the attacker executing the ransomware and locking down much of the manufacturer's computer systems.
Microsoft is a leader in cybersecurity, and we embrace our responsibility to make the world a safer place. Every day, we see attackers mount an offensive against target organizations through the cloud and various other attack vectors with the goal of finding the path of least resistance, quickly expanding their foothold, and gaining control of valuable information and assets. As customers face attacks across endpoints, cloud, applications and identities, MTP looks across these domains to understand the entire chain of events, identifies affected assets, like users, endpoints, mailboxes, and applications, and auto-heals them back to a safe state. MTP sees the full attack chain across domains, beyond simply blocking on endpoints or zapping emails, putting organizations in a superior position to fight the threat. In HOLMIUM attacks, MTP not only stops the PowerShell activity on endpoints but also contains the impact of stolen user accounts by marking them as compromised in Azure AD.

How do they make their way onto the endpoint undetected? In the case of malware phishes, attackers (or at least the successful ones) have largely stopped attaching malware executables to emails. For credential phishes, threat actors have most recently been leveraging customizable subdomains of well-known cloud services to host legitimate-looking authentication forms.

Figure 6.

This post outlines why endpoint telemetry is now fundamental to reducing the time taken to identify and remediate security incidents.

The study found that there were nearly 300 cybersecurity incidents impacting supply chain entities last year, with the most common attack coming in the form of company-crippling ransomware.

Entities like individuals, businesses, and governments believe that the relevant information that can be mined from the data set can be used to improve their operations and processes, and thus their customer engagement.
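The cloud-subdomain credential phish described above can be triaged mechanically: on such a host the attacker controls only the tenant-chosen label to the left of the service suffix and the URL path, so that is where impersonated brand names and login wording show up, while the suffix itself is legitimate and has a valid certificate. The following is an added example written for this page, not WatchGuard Threat Lab's or Microsoft's tooling; the suffix, brand and hint lists and the sample links are constructed for illustration.

```python
from urllib.parse import urlparse

# Hosting services on which any tenant can register the left-most label(s) (constructed list).
CLOUD_HOSTING_SUFFIXES = (
    "blob.core.windows.net",   # Azure Blob static websites
    "azurewebsites.net",       # Azure App Service
    "web.app",                 # Firebase Hosting
    "firebaseapp.com",
    "s3.amazonaws.com",        # S3 virtual-hosted-style buckets
    "github.io",
    "netlify.app",
)
# Brands commonly impersonated by a credential form (constructed list).
BRAND_TOKENS = ("office365", "o365", "microsoft", "outlook", "sharepoint", "onedrive", "docusign", "dropbox")
# Wording that suggests a credential prompt (constructed list).
LOGIN_HINTS = ("login", "logon", "signin", "sign-in", "auth", "verify", "password", "sso")


def cloud_suffix(host):
    """Return the hosting suffix a host sits under, or None if it is not on such a service."""
    host = host.lower()
    for suffix in CLOUD_HOSTING_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def classify_url(url):
    """Score one URL. Only the tenant label and the path are attacker-chosen, so brand names
    and login wording are looked for there rather than in the (legitimate) service suffix."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    suffix = cloud_suffix(host)
    if suffix is None:
        return {"verdict": "not_cloud_hosted", "score": 0, "label": None, "reasons": []}
    label = host[: -len(suffix)].rstrip(".")   # tenant-chosen part, e.g. "office365-login-secure"
    score, reasons = 0, []
    if any(b in label for b in BRAND_TOKENS):
        score += 2
        reasons.append("impersonated brand in tenant label")
    if any(b in path for b in BRAND_TOKENS):
        score += 1
        reasons.append("impersonated brand in path")
    if any(h in label or h in path for h in LOGIN_HINTS):
        score += 1
        reasons.append("login wording")
    verdict = ("likely_credential_phish" if score >= 2
               else "cloud_hosted_review" if score == 1
               else "cloud_hosted")
    return {"verdict": verdict, "score": score, "label": label, "reasons": reasons}


def triage(urls):
    """Map each URL to its verdict, for bulk review of links extracted from reported mail."""
    return {u: classify_url(u)["verdict"] for u in urls}


# Constructed sample links, not real phishing infrastructure.
SAMPLE_LINKS = [
    "https://office365-login-secure.blob.core.windows.net/$web/index.html",
    "https://docs.example.netlify.app/signin",
    "https://mycompany-docs.web.app/report.pdf",
    "https://www.microsoft.com/en-us/",
]

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:24} {link}")
```

The substring matching is deliberately loose ("auth" also matches "author"), so the output is a triage score for routing links to review, not a block decision; a production version would also fetch and inspect the page for a credential form and check how recently the tenant label was created.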
Privileged password management solutions enable organizations to enforce password security best practices while identifying and eliminating shared accounts and default passwords. This stage begins with the attackers gaining a foothold in an environment by delivering their weapons and sending instructions to them, telling them what to do.

The increasing pervasiveness of cloud services in today's work environments, accelerated by a crisis that forced companies around the globe to shift to remote work, is significantly changing how defenders must monitor and protect organizations. This resulted in gaps in visibility and, subsequently, incomplete remediation.

It usually starts with a phish. The screenshot above is from a recent phish WatchGuard Threat Lab encountered. The JavaScript method is a more recently popular method that leverages Windows' built-in scripting engine to initiate the attack. In either case, the dropper file's only job is to identify the operating system and then call home and grab a secondary payload. These fileless malware attacks can range from difficult to impossible to detect with traditional endpoint anti-malware engines that rely on scanning files to identify threats. The infection isn't usually limited to the single endpoint for long after this. This is why studying the attack chain, or cyber kill chain, to understand the different steps attackers take, is so crucial.

Figure 2.
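The two execution paths described on this page, HOLMIUM's POWERTON PowerShell backdoor launched from an Outlook process with WMI-subscription (T1084) or Run-key (T1060) persistence, and the JavaScript dropper that runs under Windows' built-in scripting engine before calling home, leave the same shape in endpoint telemetry: an Office process spawning a script host, then a persistence artefact on the same machine. Since the payload itself may never touch disk, the process lineage and the persistence writes are what a file-scanning engine misses and what EDR telemetry captures. The following detection is an added example, not code from Microsoft, WatchGuard or BeyondTrust: it correlates Sysmon-style events (ID 1 process create, ID 13 registry value set, IDs 19/20/21 WMI filter, consumer and binding) per computer. The event records are constructed; the field names follow Sysmon's schema; the technique IDs are the ones this page uses (pre-sub-technique ATT&CK numbering); and watching the local Outlook WebView registry value for the home-page exploitation step is an assumption of this example rather than something the page states.

```python
import ntpath
import re
from collections import defaultdict

# Office processes that should not normally launch a script interpreter.
OFFICE_APPS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
# Script hosts seen in the chains above (PowerShell for POWERTON, wscript/cscript for JavaScript droppers).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Registry autorun keys (T1060 in the numbering used on this page).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Local registry value holding an Outlook folder home page URL. Treating a write here as the
# exploitation step is an assumption of this example, not a claim made by the page.
HOMEPAGE_RE = re.compile(r"\\Office\\[\d.]+\\Outlook\\WebView\\.*\\URL$", re.IGNORECASE)

PERSISTENCE_RULES = {"registry_run_key_set", "wmi_subscription_component_created"}


def basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path or "").lower()


def evaluate(event):
    """Return (rule, technique, severity) for one Sysmon-style event, or None if nothing matches."""
    eid = event.get("EventID")
    if eid == 1:  # process creation: Office parent, script-host child
        if basename(event.get("ParentImage")) in OFFICE_APPS and basename(event.get("Image")) in SCRIPT_HOSTS:
            return ("office_spawns_script_host", "initial execution", "high")
    elif eid == 13:  # registry value set
        target = event.get("TargetObject", "")
        if HOMEPAGE_RE.search(target):
            return ("outlook_homepage_url_set", "Outlook home page", "high")
        if RUN_KEY_RE.search(target):
            return ("registry_run_key_set", "T1060", "medium")
    elif eid in (19, 20, 21) and event.get("Operation", "").lower() == "created":
        # 19 WmiEventFilter, 20 WmiEventConsumer, 21 WmiEventConsumerToFilter binding
        return ("wmi_subscription_component_created", "T1084", "medium")
    return None


def correlate(events):
    """Group rule hits per computer. A host that shows an Office-spawned script host plus any
    persistence component is reported as a full chain; isolated hits stay low priority."""
    hits = defaultdict(list)
    for ev in events:
        result = evaluate(ev)
        if result:
            hits[ev.get("Computer", "unknown")].append((ev.get("UtcTime", ""), *result))
    findings = []
    for computer, rows in hits.items():
        rules = {row[1] for row in rows}
        chain = "office_spawns_script_host" in rules and bool(rules & PERSISTENCE_RULES)
        findings.append({"computer": computer, "chain": chain, "hits": sorted(rows)})
    return findings


# Constructed sample telemetry: WS01 shows the full chain, WS02 only a vendor installer's Run key.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS01", "UtcTime": "2020-06-01 09:11:50.000",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox\URL",
     "Details": "http://attacker.example/home.html"},
    {"EventID": 1, "Computer": "WS01", "UtcTime": "2020-06-01 09:12:03.100",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc QQBBAEEAQQA="},
    {"EventID": 20, "Computer": "WS01", "UtcTime": "2020-06-01 09:12:40.512", "Operation": "Created",
     "Name": "Updater", "Type": "CommandLine",
     "Destination": r"powershell.exe -NoP -W Hidden -File C:\Users\Public\u.ps1"},
    {"EventID": 13, "Computer": "WS01", "UtcTime": "2020-06-01 09:13:05.004",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"powershell.exe -NoP -W Hidden -File C:\Users\Public\u.ps1"},
    {"EventID": 1, "Computer": "WS02", "UtcTime": "2020-06-01 10:00:00.000",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "CommandLine": "chrome.exe"},
    {"EventID": 13, "Computer": "WS02", "UtcTime": "2020-06-01 10:05:00.000",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding["computer"], "CHAIN" if finding["chain"] else "isolated", len(finding["hits"]), "hit(s)")
```

The per-host correlation is the point: a Run key written by msiexec on WS02 is routine and stays a medium, single-event hit, whereas WS01 combines the Office-to-PowerShell lineage with both persistence mechanisms and is escalated as one incident, which is the unit the response (kill the PowerShell process, remove the subscription and key, reset the user's credentials) should act on.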
Lockheed Martin's cyber kill chain breaks down an external-originating cyberattack into 7 distinct steps:

1. Reconnaissance: the intruder picks a target, researches it, and looks for vulnerabilities.
2. Weaponization: the intruder develops malware designed to exploit the vulnerability.
3. Delivery: the intruder transmits the malware via a phishing email or another medium.
4. Exploitation: the malware begins executing on the target system.
5. Installation: the malware installs a backdoor or other ingress accessible to the attacker.
6. Command and Control: the intruder gains persistent access to the victim's systems/network.
7. Actions on Objectives: the intruder initiates end-goal actions, such as data theft, data corruption, or data destruction.

How to dismantle or contain an attack at this phase: identify and remediate vulnerabilities. This step calls on the full integration of privileged access management (PAM) and vulnerability management (VM).

Weaponized home page and initial PowerShell payload.

Figure 9.

The Threat Analytics report provides an exposure view and recommends prevention measures relevant to the threat. These systems work in unison to prevent attacks or detect, block, and remediate malicious activities.

What has changed is how attackers compromise endpoints.

Supply Chain Attack: A cyberattack that attempts to inflict damage to a company by exploiting vulnerabilities in its supply chain network. A Supply Chain Attack … Once one member's security protocols are found to be weak, the member's vulnerabilities become the target company's risk.