Three Proven Techniques for Detecting Targeted Attacks

by Carl Manion, Managing Principal

Thanks to extensive media coverage of the numerous cyber security breaches over the past several years, most organizations are generally aware of the risk they face from advanced persistent threats (APTs) and highly skilled cyber criminals. They understand that well-coordinated APT campaigns do, in fact, exist and can result in significant adverse impacts on their business through theft of data or intellectual property; damage to their business reputation or image; and/or sabotage of their critical business systems and networks. As a result, many have invested in implementing multiple layers of defense, including expensive Intrusion Detection and Prevention Systems (IDS/IPS) and Security Information and Event Management (SIEM) solutions. But they’re still getting breached, and their signature-based defensive stacks are bypassed time and time again.

So, why aren’t their security controls investments paying off? What is it that they’re missing?

Well, one of the main reasons why organizations are still failing to detect and stop cyber-attacks - especially those focused on stealing confidential information and intellectual property (IP) - is that they’re not thinking like modern-day, sophisticated threat actors. Their security controls and related security services are targeting the detection of obsolete offensive techniques. They’re not considering the fact that the most sophisticated data/IP theft attacks that are launched on an organization are not random; they’re very deliberate, targeted, planned attacks.

In such cases, the threat actors generally know either (1) the general type of information they want or (2) the exact type of data or information they want to steal. They also often have general knowledge of the technology that exists within the targeted organization. However, the main thing they don’t know is where the targeted data/information resides within the targeted organization’s network.

In some cases, the threat actor may have a good idea of where the desired data/information most likely resides, based on their preliminary reconnaissance of the targeted organization and/or inside information they’ve been able to obtain. But ultimately, they still have to figure out how to get to it. That’s the part of their campaign that takes the most time and effort and, because of that, it’s also the part where they’re most likely to be detected and stopped.

With that in mind, two of the main questions organizations should be asking as part of their cyber defense strategies are: (1) how do threat actors go about locating the data/information they’re interested in stealing from within my network, and (2) how can I detect that type of activity?

The answer to both questions rests on the fact that threat actors need to sustain persistent access across the network to be able to find what they’re looking for within the targeted environment. To do so, they have to move laterally within the network and gain privileged access to key systems through the use of various tools. This, in turn, enables them to reach the servers that contain the valuable data/information they’re after (i.e., the organization’s “crown jewels”). The three best, proven methods for detecting lateral movement are:

  • Implementing Windows log collection rules and policies that are specifically designed to detect indicators of lateral movement
  • Conducting red teaming activities to gain a better understanding of the techniques attackers are most likely to use
  • Conducting proactive threat hunting for telltale signs of lateral movement and/or other suspicious or malicious activity within your network.
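As an added illustration of the first method (example code written for this post, not from the original article or any product), the detection below runs over a handful of constructed, flattened Windows Security event records and flags an account that completes network logons to many distinct hosts within a short window, one of the classic indicators of lateral movement. The field names (EventID, LogonType, TargetUserName, IpAddress, Computer) follow the Windows event schema; the line format, the 10-minute window and the three-host threshold are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data): one flattened line per Windows
# Security event, carrying the fields a central log collector would forward.
SAMPLE_LOG = """\
2024-05-01T09:00:01 EventID=4624 LogonType=3 TargetUserName=jdoe IpAddress=10.0.1.15 Computer=FS01
2024-05-01T09:00:07 EventID=4624 LogonType=3 TargetUserName=jdoe IpAddress=10.0.1.15 Computer=HR-WS04
2024-05-01T09:00:09 EventID=4624 LogonType=3 TargetUserName=jdoe IpAddress=10.0.1.15 Computer=FIN-WS02
2024-05-01T09:00:15 EventID=4624 LogonType=3 TargetUserName=jdoe IpAddress=10.0.1.15 Computer=DC01
2024-05-01T09:01:00 EventID=4624 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.0.5 Computer=FS01
2024-05-01T09:02:00 EventID=4624 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.0.5 Computer=FS01
2024-05-01T09:03:00 EventID=4624 LogonType=2 TargetUserName=asmith IpAddress=- Computer=HR-WS04
2024-05-01T09:04:00 EventID=4624 LogonType=3 TargetUserName=asmith IpAddress=10.0.2.30 Computer=FS01
2024-05-01T09:30:00 EventID=4624 LogonType=3 TargetUserName=asmith IpAddress=10.0.2.30 Computer=PRINT01
2024-05-01T09:31:00 EventID=4625 LogonType=3 TargetUserName=asmith IpAddress=10.0.2.30 Computer=DC01
"""

def parse(log_text):
    """Yield one dict per non-empty line; the leading timestamp becomes 'ts'."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        yield rec

def find_fan_out(log_text, window=timedelta(minutes=10), threshold=3):
    """Return {(user, source_ip): sorted destination hosts} for every actor that
    completed network logons (4624 with LogonType 3) to at least `threshold`
    distinct hosts inside any `window`-long span. Failed logons (4625) and
    interactive logons (LogonType 2) are deliberately left out of the count."""
    events = [r for r in parse(log_text)
              if r.get("EventID") == "4624" and r.get("LogonType") == "3"]
    events.sort(key=lambda r: r["ts"])
    by_actor = defaultdict(list)
    for r in events:
        by_actor[(r["TargetUserName"], r["IpAddress"])].append(r)
    hits = {}
    for actor, recs in by_actor.items():
        for i, first in enumerate(recs):  # slide the window over this actor's logons
            hosts = {r["Computer"] for r in recs[i:] if r["ts"] - first["ts"] <= window}
            if len(hosts) >= threshold:
                hits[actor] = sorted(hosts)
                break
    return hits

if __name__ == "__main__":
    for (user, src), hosts in find_fan_out(SAMPLE_LOG).items():
        print(f"{user} from {src} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

In the sample, the repeated backup-service logons to a single file server and the two interactive/failed events are ignored, while the burst of logons from one workstation to four hosts is surfaced.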

In summary, one of the main points that many organizations are missing from their cyber defense strategies is effective lateral movement detection and mitigation. Threat actors carrying out targeted attacks typically have a mission focused on obtaining sensitive data. To find that data, they have to move laterally within the target network to figure out where it is. By implementing proactive threat hunting, red teaming and the correct set of Windows log collection rules and policies, an organization can significantly improve its ability to detect lateral movement within its network and stop cyber criminals in their tracks before they are able to cause any significant damage.

Learn more about how to understand and identify the attackers and defend against targeted attacks. Download our new white paper, “Targeted Attacks: Why are we still missing them?” today.