.svg)
.svg)
By Sıla Özeren • January 02, 2023
Introduction
Considering the devastating financial and reputational outcomes and its prevalent use among cyber threat actors, organizations cannot ignore the benefits of being prepared against lateral movement attacks. Since techniques used for moving laterally in a network are hard to detect, organizations must adopt a proactive defense approach and identify their security gaps beforehand with lateral movement attack simulations. These simulations must mimic how cyber threat actors operate in the wild. As a result, lateral movement attack simulations must meet specific requirements.
In this blog post, we explained the requirements for lateral movement attack simulations that mimic real-life APT actors.
Reveal Attack Paths Before Attackers with Picus Attack Path Validation (APV)
How to Simulate Lateral Movement Attacks Like an APT Group?
Sophisticated adversaries such as APT actors and state-sponsored threat groups launch cyber attack campaigns against organizations with a specific objective. They also utilize evasive and stealthy techniques to avoid detection by organizations' defenses. Therefore, lateral movement attack simulations should represent the cyber threat landscape and follow the footsteps of real-world threat actors.
After thorough research and analysis, Picus Labs came up with four main criteria for lateral movement attack simulations to comprehensively assess organizations' security posture.
1. Attackers Utilize Stealthy Attacks Techniques
Attackers cannot risk being detected by security controls before reaching their goals. Adversaries' success is highly correlated with their ability to stay hidden in the compromised network.
Sophisticated attackers often avoid performing traditional attacks like downloading additional tools or binaries on the victim's disks because any additional tool transferred to the victim's network poses a significant risk of being detected by security controls. As a result, adversaries rely more and more on fileless malware. Research conducted by WatchGuard (2021) shows that fileless malware attacks surged by 900% [1]. Thus, organizations must include and prioritize fileless malware attacks in their lateral movement attack simulations on top of traditional malware attacks.
Adversaries also abuse native system utilities and built-in tools for their objectives, as security controls often have difficulty differentiating between benign and malicious use of these tools. Almost any administrative tool can be turned into a hacking tool in malicious hands, which makes it especially hard for SIEM tools to detect abnormal user behaviors and malicious network traffic. For instance, PsExec is a common tool that administrators use to launch interactive command prompts and execute processes on remote systems. However, PsExec is also known to be abused by sophisticated attackers like Hive [2], BlackCat [3], LockBit [4], Conti [5], and Vice Society [6] ransomware groups in their high-profile cyberattacks. Hence, organizations include malicious use of built-in tools and functions in their lateral movement attack simulations due to their prevalent use in real-world cyber attacks.
Note that skilled threat actors often avoid using high-volume and noisy spray-and-pray attacks as they have a high chance of being detected and/or generating a significant amount of logs on the security controls. Thus, the spray-and-pray approach should not be included in a lateral movement attack simulation because this approach does not reflect the behavior of sophisticated adversaries.
2. Attackers Run Objective-Based Attack Campaigns
In real life, attackers act on their objectives. The motivation behind these objectives can vary from financial gain, harming organizations' or even governments' reputations, disrupting production lines, to political reasons. However, in most scenarios, threat actors perform financially-oriented attack campaigns like cyber espionage, sensitive data exfiltration, and ransomware attacks.
Sophisticated adversaries carefully choose their malicious actions and prefer the fastest, stealthiest, and most effective technique to accomplish their goals. Otherwise, their actions may be blocked or detected by security controls before they achieve their goals. Therefore, lateral movement attack simulations should be designed with a specific objective to reflect real-life scenarios. This approach allows security teams to identify critical attack paths that are likely to be abused by adversaries.
3. Attackers Don't Request Exceptions in Security Controls
When planning an adversary emulation, attack simulation tools or offensive security professionals often require access to the network or exceptions like reconfiguring a rule on the firewall. However, real-life threat actors are not bound to such exceptions or scope limitations. Adversaries do not kindly ask organizations to change their firewall configurations or whitelisting specific IP addresses for data exfiltration.
Lateral movement attack simulations should also mimic this aspect and assess organizations' security posture as it is.
4. Attackers Use Evasive Command and Control Communication
Adversaries use Command & Control (C2) servers to establish communication between the compromised machine and the attacker's server.
.png?width=754&height=362&name=Screenshot%202023-01-03%20at%2013.11.11%20(1).png)
Figure 1: Adversary Use of C2 Servers
Attackers mainly use C2 servers to
- transfer malicious payloads to the compromised host,
- pivot from the compromised host to other hosts in the network,
- enumerate the other vulnerable endpoints or services to jump on,
- maintain a command center for malware,
- exfiltrate and store sensitive organizational data
- create a botnet, etc.
In real-life scenarios, the communication between the C2 and the compromised host is encrypted, and binaries used in the attack are almost always obfuscated. For instance,
- MuddyWater, a cyber-espionage group, establishes a connection to the PowGoop C2 server using a modified base64 encoding mechanism [8].
- Zeppelin ransomware, which targets various industries such as defense, education, and manufacturing, communicates with its command and control server via shortened URLs addressing its C2 server [9].
- BlackMatter ransomware, a ransomware-as-a-service (RaaS) affiliate program, uses a C2 server to exfiltrate data [10].
Considering the various use of C2 servers in the threat landscape, lateral movement attack simulations must emulate the malicious use of C2 servers and communication between compromised hosts and adversary-controlled C2 servers.
What Is Next?
In this blog, we explained the four main criteria that organizations should include and look for in lateral movement attack simulations to assess their security controls in a meaningful way.
Stay tuned! In the upcoming blog, we will discuss Picus' lateral movement attack simulation approach.
[1] WatchGuard Technologies and Inc, "New Research: Fileless Malware Attacks Surge by 900% and Cryptominers Make a Comeback, While Ransomware Attacks Decline," WatchGuard Technologies, Inc, Mar. 30, 2021. [Online]. Available: https://www.globenewswire.com/news-release/2021/03/30/2201173/0/en/New-Research-Fileless-Malware-Attacks-Surge-by-900-and-Cryptominers-Make-a-Comeback-While-Ransomware-Attacks-Decline.html. [Accessed: Sep. 22, 2022]
[2] S. Ozarslan, "Hive Ransomware Group," Aug. 22, 2022. [Online]. Available: https://www.picussecurity.com/resource/hive-ransomware-group. [Accessed: Sep. 01, 2022]
[3] H. C. Yuceel, "BlackCat Ransomware Gang," Aug. 22, 2022. [Online]. Available: https://www.picussecurity.com/resource/black-cat-ransomware-gang. [Accessed: Sep. 01, 2022]
[4] S. Ozarslan, "LockBit Ransomware Gang," Aug. 22, 2022. [Online]. Available: https://www.picussecurity.com/resource/lock-bit-ransomware-gang. [Accessed: Sep. 01, 2022]
[5] H. C. Yuceel, "Conti Ransomware Group," Aug. 22, 2022. [Online]. Available: https://www.picussecurity.com/resource/conti-ransomware-group. [Accessed: Sep. 01, 2022]
[6] S. Ozarslan, "Vice Society Ransomware Group," Aug. 22, 2022. [Online]. Available: https://www.picussecurity.com/resource/vice-society-ransomware-group. [Accessed: Sep. 01, 2022]
[7] F. AdepojuSeptember, "DNSFilter: How to Prevent a Command and Control Attack." [Online]. Available: https://www.dnsfilter.com/blog/c2-server-command-and-control-attack. [Accessed: Sep. 01, 2022]
[8] S. Ozarslan, "TTPs and IOCs Used by MuddyWater APT Group in Latest Attack Campaign," Jan. 12, 2022. [Online]. Available: https://www.picussecurity.com/resource/blog/ttp-ioc-used-by-muddywater-apt-group-attacks. [Accessed: Sep. 01, 2022]
[9] H. C. Yuceel, "Zeppelin Ransomware Analysis, Simulation, and Mitigation," Aug. 13, 2022. [Online]. Available: https://www.picussecurity.com/resource/zeppelin-ransomware-analysis-simulation-and-mitigation. [Accessed: Sep. 01, 2022]
[10] S. Ozarslan, "BlackMatter Ransomware Analysis, TTPs and IOCs," Oct. 21, 2021. [Online]. Available: https://www.picussecurity.com/resource/blog/blackmatter-ransomware-analysis-ttps-and-iocs. [Accessed: Sep. 01, 2022]
