In recent weeks we have discussed the first and second phases of the hacker lifecycle: Phase 1, Reconnaissance and How IncMan SOAR Playbooks Enable Protection, and Phase 2, Scanning, Penetration Testing and IncMan SOAR’s Protective Mechanisms. In this blog we will discuss Phase 3.
Let's now explore one of the most exciting phases of the hacker lifecycle: ‘Gaining Access’ to the system. With the second phase, ‘Scanning and Enumeration’, and all of the ‘Reconnaissance’ work from phase one complete, the hacker now attempts to gain access to the system or asset. This is only possible if a vulnerability has been discovered that can be exploited to grant access to the system. Once access has been achieved, the hacker can in principle accomplish any task they desire; however, security solutions like IncMan SOAR integrate with third-party tools and automate processes that make it extremely difficult for the hacker to reach that goal.
Gaining access is considered to be one of the most detrimental phases within the hacker lifecycle. It is during this stage that the threat actor has the capacity to perform the most amount of damage possible. Any number of attack types could occur at this point such as ransomware attacks, deploying viruses and worms, installing spyware and keystroke loggers, and installing rootkits. There are numerous ways in which the threat actor could have gained access into the system. A few of the methods that may have been used might include exploiting a vulnerability found in an application or network asset, some form of social engineering, or even through the means of an insider threat.
Additionally, once inside the network, they will carry out lateral movement, traversing between different systems to determine where the most valuable intelligence is located. However, depending on the privileges of the hacker's user profile, specific capabilities may be restricted, preventing the hacker from achieving their end goal. This is why privilege escalation plays such a vital role in this phase.
Escalating from a normal user account to an administrative account grants the hacker access to systems and areas unobtainable through standard user profiles. Therefore, the actor will try to find a user within the system that has administrative capabilities and impersonate that profile. The hacker can then traverse anywhere within the network and deploy certain types of malware, such as rootkits, which can only be installed with administrative rights. Additionally, if applications with exploitable vulnerabilities have been found, it will be possible to manipulate these applications into performing functions outside of their intended purpose.
IncMan’s SOAR automated Playbooks are designed to provide a step-by-step, linear approach to assist in the Incident Response lifecycle. In the case of ‘Gaining Access and Privilege Escalation’, a number of actions can be defined within each phase of the Incident Response process, and each task can be tailored to the needs of the organization. For example, a few of the tasks or actions that could be included in this specific scenario are:
Formal validation of firewall rules to include updated black/white listings of IP, Domain Name, and URL Reputation
Periodic auditing of user accounts to verify their privileges and administrative capabilities
Continuous scanning to ensure that all network systems, applications, and assets are hardened and patched with no available vulnerabilities to exploit
Assuring that all network assets are devoid of any default login credentials
Ensuring that the alerts produced by the security tools in the network environment are regularly monitored and validated for false positives or potential compromises
These are just a few examples of the actions that should be included in a specially crafted IncMan Playbook designed to help prevent a hacker from gaining access and escalating privileges.
This summarizes the third phase of the hacker lifecycle, known as ‘Gaining Access & Privilege Escalation’. We illustrated how IncMan’s proprietary Playbook workflows provide users and their organizations with a step-by-step process to combat this attack. This Playbook will not only reduce the probability of an attacker gaining access but, if access has already been gained, will supply the necessary actions for breach remediation. Stay tuned for our next blog, which will cover the second-to-last phase of the hacker lifecycle, known as ‘Maintaining Access.’
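The account-auditing action in the list above is the kind of playbook step that can be automated end to end. The following is an added example written for this post, not IncMan's own code or playbook: it takes a constructed account inventory, an approved-administrator baseline and a set of privileged group names (all of which are assumptions, as is the 90-day dormancy threshold) and returns findings that an analyst or a subsequent playbook step could act on. It flags accounts holding privileged group membership that are not on the approved list, approved administrators that have gone dormant, disabled accounts that still carry privileges, and accounts whose password has never been changed since creation, a common indicator of a default or initial credential that was never rotated.

```python
from dataclasses import dataclass
from datetime import date

# Assumed privileged group names; adjust to the directory or OS in use.
ADMIN_GROUPS = {"Domain Admins", "Administrators", "sudo"}

# Assumed baseline of accounts that are permitted to hold admin privileges.
APPROVED_ADMINS = {"alice", "svc-backup"}


@dataclass(frozen=True)
class Account:
    username: str
    groups: tuple          # group memberships reported by the directory
    last_login: date       # most recent successful login
    created: date          # account creation date
    pw_last_set: date      # last password change
    enabled: bool


# Constructed sample inventory (not real data), as an export from a
# directory service might look once normalised into a playbook input.
SAMPLE_ACCOUNTS = [
    Account("alice", ("Domain Admins",), date(2019, 1, 30), date(2017, 1, 1), date(2018, 12, 1), True),
    Account("bob", ("Users",), date(2019, 1, 29), date(2018, 6, 1), date(2018, 6, 1), True),
    Account("carol", ("Users", "Administrators"), date(2019, 1, 28), date(2018, 3, 1), date(2018, 9, 1), True),
    Account("svc-backup", ("Domain Admins",), date(2018, 9, 1), date(2016, 1, 1), date(2018, 1, 1), True),
    Account("dave", ("Administrators",), date(2018, 1, 1), date(2015, 5, 5), date(2017, 2, 2), False),
]


def audit_privileges(accounts, approved_admins=APPROVED_ADMINS,
                     admin_groups=ADMIN_GROUPS, today=None, dormant_days=90):
    """Return a list of (finding_type, username) tuples for a privilege audit.

    Finding types:
      UNAPPROVED_ADMIN            privileged group membership not in the baseline
      DORMANT_ADMIN               enabled privileged account unused for > dormant_days
      DISABLED_STILL_PRIVILEGED   disabled account that still holds privileged groups
      INITIAL_PASSWORD_UNCHANGED  password never changed since the account was created
    """
    today = today or date.today()
    findings = []
    for acct in accounts:
        is_admin = bool(set(acct.groups) & admin_groups)
        if is_admin and acct.username not in approved_admins:
            findings.append(("UNAPPROVED_ADMIN", acct.username))
        if is_admin and acct.enabled and (today - acct.last_login).days > dormant_days:
            findings.append(("DORMANT_ADMIN", acct.username))
        if is_admin and not acct.enabled:
            findings.append(("DISABLED_STILL_PRIVILEGED", acct.username))
        # Heuristic: a password set at creation time and never rotated is a
        # likely default or initial credential. Treated here as an assumption.
        if acct.pw_last_set <= acct.created:
            findings.append(("INITIAL_PASSWORD_UNCHANGED", acct.username))
    return findings


if __name__ == "__main__":
    # Fixed audit date so the constructed sample gives repeatable results.
    for finding, user in audit_privileges(SAMPLE_ACCOUNTS, today=date(2019, 1, 31)):
        print(f"{finding:28s} {user}")
```

In a real deployment the inventory would come from the directory service via an integration rather than a hard-coded list, and each finding type would map to a follow-up playbook action such as opening a ticket, disabling the account, or notifying the account owner; keeping the decision logic in a pure function, as above, makes the audit easy to re-run and to test against known-good and known-bad fixtures.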
Cody Mercer / 8 Jan 2019