5 ways attackers counter incident response, and how to stop them

Last month, the UK’s National Cyber Security Centre reported that one organization paid nearly $9 million to attackers for a decryption key after falling victim to a ransomware attack. The organization recovered its files, but it did not identify the root cause of the attack.

Then the same attacker victimized the organization’s network again, using the same mechanism as before to re-deploy its ransomware. “The victim felt they had no other option but to pay the ransom again,” said the report’s authors.

Evading detection is a key strategy for attackers of all kinds. Cybercriminals who can survive a company’s incident response and stay in its systems after a successful attack can strike again or resell their access to other attackers. Corporate spies or nation-state attackers in particular have the resources and will to linger in corporate systems even after detection and remediation.

Here are some techniques attackers are using to evade incident response teams—and how to counter them.

1. Re-exploit the exploit

If the incident response team can’t find the original attack vector, then the attackers can waltz right back in again, says Tony Harris, director of global incident response capability at Booz Allen Hamilton. This is why enterprises need to first ensure that they get snapshots of systems, network logs, and any other potential evidence before systems get wiped and restored. After an incident is also a good time to ensure that everything is patched and up to date.

What if the attackers originally came through a system that wasn’t on the corporate radar? “In quite a few cases we’ve responded to, the vulnerabilities have been the result of shadow IT,” says Harris. “Companies were patching, but some system or environment wasn’t in their inventory.” This is the time to do a complete inventory, he says, including using network analysis tools to identify traffic to systems that shouldn’t exist.

If a company doesn’t already have an endpoint detection and response (EDR) system in place, this is a good time to get it installed, to spot any suspicious behaviors or network traffic that could indicate that an attacker still has a foothold. “It’s important for those tools to be deployed as thoroughly as possible across the environment,” Harris says.

The fact that an attack has taken place will give security teams additional leverage to get the technology they need. “It’s the one time your CISO has ultimate authority to fix issues in the environment,” says Harris. “Never let a good incident go to waste.”

2. Ghost credentials

Once attackers are in a system, they will often try to create new user accounts for themselves, or hijack those of existing or former employees. “If they’re in the environment long enough to get credentials, first step they’re going to use the credentials they’ve extracted to get back into your environment,” says Harris.

If those accounts are not protected by multi-factor authentication (MFA), or if the attackers are able to bypass or reset the MFA credentials, then they might be able to get back in after a company-wide password reset.

However, if those accounts belong to shadow IT or shadow cloud systems that the security team doesn’t know about, there might not even be a password reset for the attackers to worry about. Companies need to do a credential inventory, too, he says. That includes turning off unnecessary accounts that employees haven’t used in the past or reducing privileges if employees don’t need all those capabilities to do their jobs. It will be painful—implementing least privilege always is—but security teams will have extra leverage because of the attack.

Incident responders should also survey all systems, including newly identified shadow IT, for recently created accounts or accounts where privileges were recently escalated or reactivated. “A lot of times organizations will disable accounts instead of deleting them,” says Harris. “Do I have accounts that are enabled that were supposed to be disabled?”

That includes non-human credentials as well. “Attackers will gain access to service accounts, such as those used by backup solutions or internal communications within the network,” says Harris. “Those credentials all have to be changed as well.”

What about systems that IT doesn’t even know about because they’re in the cloud? “Unfortunately, that’s happening quite often,” says Harris. For known cloud infrastructure and SaaS subscriptions, companies will usually have some controls over access rights and administrator-level accounts. When that isn’t available, they will have to work with individual providers to get passwords reset.

In the case of shadow cloud deployments, the first job is to track them down. “Use network monitoring tools to understand what activity you’re seeing,” Harris says. “Putting a cloud management layer within your network environment helps eliminate some of the shadow cloud and you can understand who’s using it and where you stand.”

Attackers can use rogue cloud accounts to connect with company employees or otherwise weasel their way back into the system. More critically, they can also continue to carry on their actual attack. “A lot of threat actors are using cloud environments to extract data and to connect to command and control servers,” says Harris. “This is the time to get all of these issues resolved.”

3. Password resets

One best practice of incidence response is to reset all passwords after a breach has been detected. “Companies are getting smart,” says Harris. “They’re putting multi-factor authentication solutions in place and making it harder for criminals to get back into the network.”

MFA can also make it harder for legitimate employees to get back into the network, and, for large companies, this can result in a flood of calls to the help desk asking for help. “Depending on the size of the organization, it could be tens of thousands of employees changing their passwords and calling the help desk,” Harris says. “We’ve seen criminal actors take advantage of this. They’ll call the help desk and try to get back in by emulating an employee or another person and ask to get a one-time password sent to their device—at their new phone number. In some cases they’ve been successful.”

To defend against this tactic, help desks need to have phishing awareness training, Harris says. “They need to understand the nuances of what folks are asking,” he says. “Ideally, they should be asking for some factor that a threat actor shouldn’t know.”

Some help desks are also using voice print analysis, which can help a help desk confirm an employee’s identity. “Anytime someone tries to get through MFA, if they’re asking for a change, it should raise a flag,” Harris adds. “Let’s ask a few more questions to check that we have an appropriate person on the line.”

User behavior analytics can also help detect if a user account has been compromised, Harris says. “If a user lives in Sandusky, Ohio, and logs in an hour later from California, we probably have an issue. There’s no way they can get from Ohio to California in an hour.”

Security awareness training can also help here. If an employee logs in and sees that their previous login was at a time they were offline, they should recognize and report the problem. If a company has been hit, employees will be more receptive to this kind of education.

4. Hiding out in IoT devices

One common attacker tactic is to use IoT devices as an entry point or as a place to hide out until the coast is clear, says Derek Manky, chief of security insights at FortiGuard Labs. “IoT devices are typically not inspected or segmented like they should be,” he says. “They’re prime targets to attackers to infect — and to stay resident on.”

To identify potentially infected devices, companies can take lessons from pandemic response. “Quarantine them,” says Manky. “Like with COVID-19, you have to contain the spread and contain the threat. There’s no reason that this IoT device that’s just been introduced should be on the same network and have access to a database of customers.”

Zero trust is a good approach to do this, or you can use a security information and event management (SIEM) system to identify suspicious traffic and then isolate the offending devices, Manky says. “Why is my printer making a connection to a rogue server overseas?”

User behavior analytics, where artificial intelligence and machine learning are used to spot unusual behaviors, is also becoming a powerful tool to defend against this threat, especially if the systems can automatically add policies to block malicious behaviors. “Humans are slow at things sometimes,” says Manky.

5. Hiding out in trusted software

The SolarWinds attack is turning out to be worse than we thought. This month, Trustwave researchers reported this month the discovery of three new security issues in SolarWinds products—all critical bugs, with one even allowing remote code execution with high privileges.

Security teams often don’t pay attention to the communication channels of trusted software systems, other than to check that the software itself is patched and up to date. SolarWinds proved that this can be a big mistake, and those attackers were able to stay undetected in systems for months—including in systems belonging to thesecurity firm FireEye and to systems owned by the Department of Defense and other government agencies.

When the compromised software is a network management tool or a software development tool, the results can be disastrous, says Joe McMann, CSO and cyber strategy lead at Capgemini North America. Attackers can access the servers on which that software executes, as well as to other systems attached to the same network, he says, and spread from there.

“You want to look for things that the software shouldn’t be doing,” says Jerry Bessette, head of Booz Allen Hamilton’s Cyber Incident Response program. Bessette was previously chief of the FBI cyber division’s technical operations section, where he managed the national cyber incident response team.

If resources allow, companies may even have to get third-party reviews done of software that they suspect of being involved in an intrusion or ask vendors about how the software is supposed to communicate with its makers to find out whether the connections its making are legitimate.

Nobody seems to be vetting partner communication channels, says Bryan Sartin, chief services officer at eSentire, a cybersecurity firm. “I would like to tell you that all kinds of scanning happens,” he says. “But very few—and very few big enterprises—practice that.”

In addition, if the security team suspects that a problem may lie in a third-party software product, and zero trust or network segmentation isn’t currently in place, it’s time to change that. “If it’s not fully turned on, you should absolutely turn it on,” Sartin says.  “You can limit the threat actor’s ability to move within your network. It’s the open, unfettered communications that allows stuff to propagate.”

That includes limiting outbound communications to third parties. Before the SolarWinds hack, security teams would often overlook that, Sartin says. At least for now this issue is getting some visibility. With time, however, those lessons may be forgotten. “That idea of really scrutinizing outbound traffic—I worry that’s going to get lost,” he says.