Tim Simons, UK Security Product Manager at Proact
We often get asked what cyber attacks really look like and it’s often hard to answer. The reality is the motivations and methods of cyber criminals can vary dramatically. That said, it’s a lot easier to demonstrate just how simple it can be to infiltrate an organisation’s systems and get hold of their critical data. Here’s a quick example.
In this instance it all starts with a well-targeted email. This email is crafted and sent to an employee at a company that collates medical research data. This was not random: the attacker did their research and selected this user specifically. A lot of data was publicly available via the company’s website, LinkedIn, Facebook and Twitter accounts, as well as on employees’ own social media channels. It didn’t take long to work out who to target. After all, the attacker didn’t need an important stakeholder or member of senior management, just somebody in the organisation to open the door.
Human resources seemed like a good bet because the company’s Twitter profile was proudly promoting a charity run in a couple of weeks’ time. Perhaps a spoofed email from the charity itself, containing a letter of thanks and expressing their gratitude, would do the trick. The attacker takes a punt that the HR manager won’t notice a slight misspelling in the charity name in the email sender domain, and puts the name of the charity director at the bottom of the email while using the charity’s branding. The email is then opened and so is the attached document which looks like a thank you statement…
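The lookalike sender domain described above is something mail filtering can catch before the user has to. The following is an added example, not code from the original post or from Proact: it flags inbound sender domains that are a small edit or a digit-for-letter swap away from a known partner domain. The trusted domain and the addresses are constructed placeholders.

```python
# Added example (not from the original post): flag sender domains that are
# near-misses of a trusted partner domain, the trick used in the spoofed
# charity email. All domains and addresses below are constructed placeholders.
import re

# Common digit/letter swaps used to make a spoofed domain look genuine.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the lowercase domain from 'Name <user@host>' or 'user@host'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address.strip())
    return m.group(1).lower() if m else ""


def normalise(domain: str) -> str:
    """Undo the usual homoglyph substitutions so '0rg' compares as 'org'."""
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain


def classify_sender(address: str, trusted: set, max_distance: int = 2) -> str:
    """Return 'trusted' for an exact partner domain, 'lookalike' when the
    domain is a homoglyph variant or within max_distance edits of one, and
    'unknown' otherwise (no verdict on domains unrelated to the partner list)."""
    domain = sender_domain(address)
    if not domain:
        return "unknown"
    if domain in trusted:
        return "trusted"
    if normalise(domain) in trusted:
        return "lookalike"
    for partner in trusted:
        if levenshtein(domain, partner) <= max_distance:
            return "lookalike"
    return "unknown"
```

With very short partner domains a distance of 2 will over-match, so tune `max_distance` per domain length rather than globally.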
… Now the attack begins
Although the document looks to be completely legitimate, it has a hidden and dangerous secret. The file contains hidden code that can take advantage of a vulnerability in a lesser-known sub-component of Microsoft Office. The HR manager’s endpoint doesn’t have the latest patches installed, which means the embedded malware is free to work its deadly curse.
The malware creates a basic communications channel to the attacker’s control platform, which is hidden out on the internet. By bypassing the organisation’s network security controls, using seemingly legitimate traffic channels, the malware establishes a direct connection from the attacker’s system straight into the company’s network. This happens without any need to authenticate and bypasses all security controls.
Using this back door the attacker starts installing their tools on the endpoint. They can be used to explore the environment and to footprint the network and resources, thus learning the structure and layout of the organisation’s defences. This method leverages precompiled tools that elevate their privileges as they roam seemingly unnoticed, searching for the prize they’re looking for.
Soon they find the desktop of the company’s web developer and install a keylogger using their newly obtained administrator privileges. Patiently they wait and capture everything she types until eventually they capture her credentials to the web server.
Now the attacker can log in to the web server and explore the configuration. They find credentials stored in a configuration file that is used to connect to the medical records database. With these credentials they are able to take a copy of the database and exfiltrate it out of the organisation using their previously established communications channel.
It is clear that this was not an especially sophisticated attack and didn’t require the expertise of a technical genius or the resources of a nation-state-backed hacker group. It could have been carried out by anybody capable of running a set of publicly available tools, coupled with enough knowledge to know how to use them. This is what the threat landscape really looks like today.
Cyber criminals vary in skill level and motivation. Whether it’s targeted data theft, a person with an axe to grind, or simply an opportunist who chose an organisation purely by chance, it is clear that businesses need to be taking a proactive approach to cyber security.
That’s where we can help. Proact has a mature security operations centre (SOC) that can hunt down threats on your behalf to help you mitigate potential security breaches as early as possible. Our SOC can act as a virtual extension of your existing IT, providing 24/7 threat detection and remediation advice.
Running security logging and analysis in-house can be prohibitively expensive, and not having access to the right security skills can cost your business even more thanks to data leakages, reputational damage and legal consequences.
We’ve been keeping our customer data safe via our managed services for more than a decade and our SOC has naturally evolved from an internal-only security function. We’ve scaled this out to help organisations conduct cyber security surveillance round-the-clock on their own platforms, using the experience, knowledge and expertise of our analysts to help detect potential threats while offering guidance on how to proactively respond to them.
Want to know what this cyber attack looked like from the attacker’s perspective? Read this blog post to find out more.