Andrea Danti - Fotolia

Attackers turn the tables on incident response strategies

Attackers expect incident response strategies and have a plan for when they encounter them. Find out how to take IR to the next level against attacker incident response counterstrategies.

If you're looking at cybersecurity as a matter of detecting threats and squashing them, you're missing the point. The opposition -- cyberattackers -- treats defenders' incident response strategies as avoidable obstacles rather than impermeable blockades, and successful defenders will always be on the alert for malicious actors who have developed their own cybersecurity incident response strategies.

Rick McElroy, head of security strategy at Carbon Black Inc., explained how attackers develop their own incident response strategies when they attack well-prepared targets. Instead of simply moving on to the next target, attackers have well-planned roadmaps for achieving their goals, even if the target is able to detect and respond to their attacks.

As threat actors of all skill levels and sophistication increasingly have access to extensive toolkits of effective tactics, techniques and procedures, defenders must acknowledge that their incident response strategies must continue to monitor and police persistent attackers.

Editor's note: This interview has been edited for length and clarity.

What do you mean by 'counter-incident response strategies?'

Rick McElroy: It's fairly typical that, at some point, someone notices attack activity; at which point, the incident response team is going to move on that issue with the hypothesis that you have a breach.

Rick McElroyRick McElroy

What's happening on the attacker side is they understand that we've gotten better with incident response; they understand that the technology to defend against some of this stuff is better. So, what you see them doing is very manual, iterative changes on their side.

A typical scenario could look like this: I'm an adversary, I get a user to click on a thing, that thing then enables PowerShell to start running around all these systems, doing all kinds of stuff. It's noticed by the team, the team calls in incident responders and they start to shut that activity down.

Well, I just notified adversaries on the other side that I have a team that's responsive and that is actually disrupting their activity. So, what's going to happen is they'll iterate: They're either going to iterate their code to do something, like better defensive evasion techniques, or you'll see them start to do things like log destruction or destruction of certain events that occur on certain systems. In the most disturbing cases, you'll see them use destructive attacks against the organizations that are battling them.

What does such an attack look like?

McElroy: At each point in the kill chain, if they're disrupted in their activity, they'll go back and iterate to get to the next step. As an example, I landed on an endpoint because a user clicked on a thing, but I want to get their credentials. I have to do a certain set of techniques, tactics and procedures on that box to then obtain the credentials that exist on that box. We have tooling for that activity now -- we can see into it, and so we're better tooled on the defender side. This means, if we stopped two of the most prevalent techniques to do credential harvesting, they're going to iterate through that and push code or interact again with that system because their goal is to get a shell on it, interact with it and then be able to do any number of things. You see this played out even in normal commodity malware where a lot of this activity will be automated.

Cyber kill chain
Attackers understand how the kill chain works and defend against incident responders who use the kill chain to map response.

People think attacks are a point in time and that, once we kicked that behavior out, the attackers stop and move on to someone else. We're finding that's not true; what happens is the attackers absolutely want to remain persistent and then have humans on their side interact with your systems. It's really human on human out there, not machine prevention or detection code against what the attackers are doing.

What types of defenders' incident response strategies are most susceptible to attackers' counterstrategies?

McElroy: One of the areas that we've been keenly interested in is what we refer to as 'hunting with less noise.' Threat hunting is the proactive activity of a security team going out into their big log sources and looking for patterns of compromise -- these techniques, tactics and procedures that the bad guys do because lots of times technology can't detect it.

People think attacks are a point in time and that, once we kicked that behavior out, they stop and the attackers move on to someone else. We're finding that's not true; what happens is the attackers absolutely want to remain persistent and then have humans on their side interact with your systems.
Rick McElroyHead of security strategy, Carbon Black

You'll see teams go out to do this activity, and what they start to do over time is automate the responses to that activity. As an example, if Adobe Flash injects a dynamic link library into memory, that's probably always bad in my environment, and I should do something about it. Well, teams don't have the scale to be able to do that individually; they have to do it with automation, and so they'll take automated steps. Those steps are going to alert the attackers; the attackers are going to change what they're doing, and so a lot of times, the defenders are going to think they've stopped that access -- and we really haven't.

The other issue that's coupled with it is what we refer to as 'command-and-control [C2] channel' -- how the attackers are interacting with systems that they have access to. So, what will happen in environments is the incident response team notices an activity and they start killing the attacker's access -- they shut down the C2 channel, they go out to a thousand-plus endpoints, they clean up that infection and they close the incident: 'Hey, we're good; I don't have to report a breach.'

Well, the attackers know we're doing that, and they'll have one system inside the environment that is set up differently. That system is set up to monitor all these other channels, and so, when that C2 channel goes down -- which is critical for the attackers -- they'll spin up another one.

So, we think we've booted the attackers, and we were really loud about it that we had defensive measures in our environment, and we missed a different type of infection that was then the vector to continue to repersist in the environment.

What type of threat actor is using these counter-incident response tactics?

McElroy: Years ago, the specialization of those kind of skills were generally going to be in large cybercrime rings and nation-states. But, subsequent to 2018, what you start to see is that a number of these techniques, tactics and procedures -- whether they're caught in the wild or there's a leak -- you start winding up with all of these really extensive tools that took a lot of time to develop that make their way into everyone's hands.

So, now, you see this proliferation of, for example, ransomware. Ransomware's goal is to extort someone to get them to pay money. Well, the last big versions have had maybe two or three pieces of nation-state-developed tools in there. It's what I like to refer to as the 'trickle-down cybereconomy' -- where someone invents a thing, it's seen in the wild and then everybody replicates and starts using it -- and the cycles are becoming smaller and smaller.

Are there particular verticals or industries that are targeted with this type of tactic?

McElroy: We're seeing it everywhere, regardless of vertical. There are certain actors and nation-states that develop these tools; those are then seen out in small and medium businesses.

I had a recent discussion with federal law enforcement where this is seen in small retail shops, places you probably wouldn't expect to see hit with stuff like this.

What should companies do to defend against attackers' counter-incident response strategies?

McElroy: First, they need visibility. Consider that the attackers are inside your house. The first thing you're going to do if you were sleeping is turn your lights on. So, you're going to need technology to enable you to actually see what the bad guys are doing; we need to do a better job planning how we react.

I would also tell everyone out there not to fully automate their incident response playbooks. That's going to be a balance for defenders out there -- how much automation they actually put into this – because, again, they have to keep up with the rising number of events that are occurring.

The term we like to use is 'hunt silently.' It used to be we wanted people to know that we have tools and don't come into my environment again. But, now, I think a better understanding of all of the vectors of infection before you actually start to react and clean your environment up is a better way to go.

What else should people know about attackers using countermeasures to incident response?

McElroy: The really disturbing trend is how many people out there are getting infected through partners -- supply channel attacks, island hopping attacks and watering hole attacks. So, a little bit better rise in sophistication from bad actors, but when you start to put that picture together, a lot of the teams out there are overwhelmed. Don't automate too much, but there is a level of automation you'll need to achieve to keep up with the scale.

Island hopping is super prevalent. We've talked to folks that send notifications out to partners on a daily basis. So, the bad guys know that the large upstream providers are probably spending a bunch more money on security, and they probably have a team, but that group that brings food into your organization to feed everybody probably doesn't.

Next Steps

Update incident response runbooks to meet new requirements

Dig Deeper on Security operations and management

Enterprise Desktop
Cloud Computing