Attack Surface Management: Learning from a Real-world Cyber Attack

In order to understand the magnitude of an organization's attack surface, let's walk through a real-life attack scenario and see how Attack Surface Management (ASM) could have protected the organization from getting hit with ransomware.

What is it?

When we look at an organization's attack surface, we typically look at it from the viewpoint of a cyber-attacker. An organization's attack surface is the interconnected network of IT assets that can be the target of an attack. It is comprised of IT assets that are accessible from the internet, from within your organization, and through your supply chain partners’ infrastructure.  

Managing an attack

In order to understand the magnitude of an organization's attack surface, let's walk through a real-life attack scenario and see how Attack Surface Management (ASM) could have protected the organization from getting hit with ransomware.

Undercover and no one knows

Two hundred twelve days prior to the cyber-attackers deploying ransomware, there was a phishing attack against a subset of users to capture user-level credentials. One user happened to click on the link in the phishing email. Malware was deployed on the machine, and the cyber-attacker gained access to the machine, unbeknownst to anyone in the organization.

Over the next seven months, the cyber-attacker moved laterally throughout the environment performing reconnaissance, covertly discovering and collecting information about each system, and then executing a Pass-the-Hash (PtH) attack to gain access to administrative credentials. Essentially, they captured a password hash, meaning they did not have to crack the password characters. The hash simply passes through authentication.

Boom day

After about seven months of moving freely around the organization's environment, collecting information, and gaining credentials to systems, at 5 am, the cyber-attacker destroyed their backups before deploying ransomware across the enterprise. Employees started getting alerts that applications were down or not working and panic started to set in.

At 5:00 pm that same day, the company executives realized that they couldn't combat the attack themselves, and that is when they contacted Solutions II for help. Time is of the essence to prevent additional losses. After an initial 30-minute conversation, contracts had to be executed within hours, and an Incident Response (IR) Commander deployed shortly after. The Client lost twelve critical hours because they did not have an incident response plan in place.

The damage

Because the attacker had access to their systems for over seven months, the attacker did a significant amount of damage in that amount of time. Immediately, the response team began enterprise application architecture discovery techniques, searching for recoverable data, prioritizing resources, and recovery operations.

It took approximately another 45 days for recovery operations to complete. Eventually, top cybersecurity specialists found data that they could use to restore operations, albeit it was several months old. It took 12-15-hour rotating shifts during that 45-day period to achieve operational status. The company continues to have ongoing legal and regulatory issues because of the attack, not to mention their data recovery effort continued well past operations resuming. It was a painful experience.

Lessons learned

Several things went wrong in this scenario that caused such a devastating attack:

• In this case, a single employee who was not adequately trained clicked on a link in an email, and a bad actor gained access to company applications. Organizations need to better understand who their employees are via level and responsibility, what devices they are using, what resources they are accessing, where they are accessing resources from, and when they are accessing them.
• They didn’t have a cyber asset management process in place to help monitor what external and internal assets needed to be protected.
• They weren’t scanning for vulnerabilities on their systems, and they didn't know how exposed those systems were.
• The endpoint security tool did not alert the IT department that there was lateral movement out of that single employee’s system. Devices were not kept up-to-date and patched, which allowed the attacker to exploit a vulnerability allowing them to elevate privileges and deploy the ransomware.
• They were not logging and monitoring security events to a SIEM for investigation, making it difficult to retrace the attacker’s steps to see what was comprised and what still needed to be cleaned up.
• They did not have the ability to detect the threat that was living in their systems for seven months.
• They did not have an Incident Response retainer, let alone an IR plan that would have helped them immediately respond to this incident.
• Finally, the client lacked immutable backups (their last line of defense.)

If you want to prevent a breach or ransomware attack against your organization, then the appropriate security controls must be in place. However, having the capabilities to detect the bad actors when they get in is crucial, and your response to the breach will determine whether or not you are able to resume operations in hours, days, weeks, months, or even years.

Key Takeaways - Attack Surface Management

Prevention

• Discover your assets
• Assess them for vulnerabilities
• Remediate the vulnerabilities based on risk to Operations

Detection

• Monitor the attack surface 24/7/365
• Investigate 100% of all alerts
• Reduce dwell time

Response

• Document your Incident Response Plan
• Test the Plan
• Test the Plan, again
• Test the Plan, again
• Execute the Plan

How vulnerable is your attack surface?

Solutions-II, Inc

You might like this article by Jacob Haynes: Attack Surface Management: Designing a Robust Program in Seven Steps