So What Should the Outcome of Controls Look Like?: An Attack Lifecycle View

Introduction

The cybersecurity landscape is constantly evolving, with adversaries employing sophisticated tactics to breach defenses. By understanding common attack methods and implementing effective controls, organizations can better protect their assets and data. Sometimes it can be easy to forget exactly why we recommend and implement certain controls. We all know the common cast of control characters: Patching, Traffic Inspection, MFA, DLP, Configuration Hardening, Anti-Malware. We push hard for effectiveness in these areas. And we should! This article highlights prevalent attacks in the order they typically occur during an attack lifecycle and outlines controls to mitigate these risks, including references to the CIS Controls and examples of industry-leading third-party solutions. Towards the end, we also look at an example use case. I hope you find this useful in how you think and reason about Cybersecurity risks and defenses, as well as helping you to rationalize and prioritize you cybersecurity investments.

1. Initial Access

Attack Methods:

• Phishing (T1566): Deceptive emails trick users into revealing credentials or downloading malware.

• Drive-by Compromise (T1189): Visiting compromised websites leads to unintended malware downloads.

• Exploit Public-Facing Applications (T1190): Attackers exploit vulnerabilities in internet-facing applications to gain access.

Effective Controls with Examples:

• Email Security Solutions: Deploy advanced email filtering to detect and block phishing attempts.

  • Examples: Proofpoint Email Protection, Mimecast Secure Email Gateway, Microsoft Defender for Office 365.

  • Relevant CIS Controls:

    • CIS Control 9: Email and Web Browser Protections

    • CIS Control 13: Network Monitoring and Defense

• Security Awareness Training: Educate employees on recognizing and reporting suspicious emails.

  • Examples: KnowBe4 Security Awareness Training, SANS Security Awareness, Cofense PhishMe.

  • Relevant CIS Control:

    • CIS Control 14: Security Awareness and Skills Training

• Regular Patching: Keep systems and applications updated to fix known vulnerabilities.

  • Examples: Qualys Patch Management, Ivanti Patch Management, Microsoft WSUS.

  • Relevant CIS Controls:

    • CIS Control 7: Continuous Vulnerability Management

    • CIS Control 4: Secure Configuration of Enterprise Assets and Software

• Web Content Filtering: Use secure web gateways to block access to malicious sites.

  • Examples: Cisco Umbrella, Zscaler Internet Access, Symantec Web Security Service.

  • Relevant CIS Control:

    • CIS Control 9: Email and Web Browser Protections

2. Execution

Attack Methods:

• Scripting (T1059): Use of scripts like PowerShell to execute malicious code.

• Malicious Macros (T1137): Embedding harmful code within documents to execute upon opening.

Effective Controls with Examples:

• Application Whitelisting: Restrict systems to run only approved applications and scripts.

  • Examples: Carbon Black App Control, Microsoft AppLocker, Symantec Endpoint Application Control.

  • Relevant CIS Controls:

    • CIS Control 2: Inventory and Control of Software Assets

    • CIS Control 10: Malware Defenses

• Macro Security Settings: Disable macros by default and enable them only when necessary.

  • Examples: Microsoft Office Group Policy settings, CrowdStrike Falcon Prevent.

  • Relevant CIS Controls:

    • CIS Control 4: Secure Configuration of Enterprise Assets and Software

    • CIS Control 10: Malware Defenses

• Endpoint Protection Platforms (EPP): Utilize solutions that detect and prevent malicious code execution.

  • Examples: Symantec Endpoint Protection, McAfee Endpoint Security, Trend Micro Apex One.

  • Relevant CIS Control:

    • CIS Control 10: Malware Defenses

3. Command and Control

Attack Methods:

• Standard Application Layer Protocol (T1071): Using common protocols to blend in with normal traffic.

• Web Service (T1102): Leveraging legitimate web services for malicious communications.

Effective Controls with Examples:

• Network Anomaly Detection: Monitor for irregular communication patterns.

  • Examples: Darktrace, Vectra AI Cognito, Cisco Stealthwatch.

  • Relevant CIS Controls:

    • CIS Control 13: Network Monitoring and Defense

    • CIS Control 12: Network Infrastructure Management

• Threat Intelligence Integration: Use up-to-date threat feeds to block known malicious IPs and domains.

  • Examples: FireEye Threat Intelligence, Recorded Future, Anomali ThreatStream.

  • Relevant CIS Control:

    • CIS Control 17: Incident Response Management

• Protocol Inspection: Deep packet inspection to identify and block malicious use of standard protocols.

  • Examples: Palo Alto Networks Next-Generation Firewalls, Fortinet FortiGate, Check Point NGFW.

  • Relevant CIS Controls:

    • CIS Control 13: Network Monitoring and Defense

    • CIS Control 12: Network Infrastructure Management

4. Persistence

Attack Methods:

• Startup Items (T1547): Adding programs to startup folders or registry keys to run upon boot.

• Scheduled Tasks (T1053): Creating tasks that execute malicious code at set times.

Effective Controls with Examples:

• System Hardening: Configure systems to limit unauthorized changes to startup items and scheduled tasks.

  • Examples: CIS Benchmarks, Microsoft Security Compliance Toolkit, Red Hat Ansible.

  • Relevant CIS Controls:

    • CIS Control 4: Secure Configuration of Enterprise Assets and Software

    • CIS Control 5: Account Management

• Monitoring Tools: Implement solutions that detect changes to critical system configurations.

  • Examples: Tripwire Enterprise, Splunk Enterprise Security, SolarWinds Server & Application Monitor.

  • Relevant CIS Controls:

    • CIS Control 8: Audit Log Management

    • CIS Control 6: Access Control Management

• Least Privilege Access: Ensure users have only the necessary permissions to perform their roles.

  • Examples: BeyondTrust Privileged Access Management, CyberArk Endpoint Privilege Manager, Thycotic Privilege Manager.

  • Relevant CIS Control:

    • CIS Control 6: Access Control Management

5. Privilege Escalation

Attack Methods:

• Exploitation for Privilege Escalation (T1068): Leveraging system vulnerabilities to gain higher access levels.

• Valid Accounts (T1078): Using compromised credentials to access privileged accounts.

Effective Controls with Examples:

• Vulnerability Management: Regularly scan and patch systems to address security flaws.

  • Examples: Tenable.sc, Rapid7 InsightVM, Qualys Vulnerability Management.

  • Relevant CIS Control:

    • CIS Control 7: Continuous Vulnerability Management

• Multi-Factor Authentication (MFA): Implement MFA for all privileged accounts.

  • Examples: Duo Security, Okta Adaptive MFA, RSA SecurID.

  • Relevant CIS Controls:

    • CIS Control 6: Access Control Management

    • CIS Control 5: Account Management

• Privileged Access Management (PAM): Monitor and control the use of administrative accounts.

  • Examples: CyberArk Privileged Access Security, Thycotic Secret Server, BeyondTrust Password Safe.

  • Relevant CIS Control:

    • CIS Control 6: Access Control Management

6. Credential Access

Attack Methods:

• Keylogging (T1056): Recording keystrokes to capture sensitive information.

• Credential Dumping (T1003): Extracting passwords and hashes from system memory.

Effective Controls with Examples:

• Credential Guard Technologies: Use tools that protect against credential dumping.

  • Examples: Microsoft Windows Defender Credential Guard, Dell Safeguard and Response.

  • Relevant CIS Controls:

    • CIS Control 3: Data Protection

    • CIS Control 10: Malware Defenses

• Password Policies: Enforce strong, unique passwords and regular password changes.

  • Examples: ManageEngine ADSelfService Plus, LastPass Enterprise, Thycotic Password Policy Manager.

  • Relevant CIS Controls:

    • CIS Control 5: Account Management

    • CIS Control 6: Access Control Management

• Security Monitoring: Detect and respond to unauthorized access attempts promptly.

  • Examples: Splunk Enterprise Security, IBM QRadar SIEM, LogRhythm NextGen SIEM.

  • Relevant CIS Controls:

    • CIS Control 8: Audit Log Management

    • CIS Control 17: Incident Response Management

7. Discovery

Attack Methods:

• Network Service Scanning (T1046): Identifying open ports and services for exploitation.

• System Information Discovery (T1082): Gathering details about system configurations.

Effective Controls with Examples:

• Network Segmentation: Divide the network to limit access and reduce attack surfaces.

  • Examples: VMware NSX, Cisco TrustSec, Juniper Networks SDN.

  • Relevant CIS Controls:

    • CIS Control 12: Network Infrastructure Management

    • CIS Control 13: Network Monitoring and Defense

• Access Controls: Implement strict permissions to limit information accessible to users.

  • Examples: Okta Identity Management, Microsoft Active Directory Group Policies, SailPoint IdentityIQ.

  • Relevant CIS Controls:

    • CIS Control 6: Access Control Management

    • CIS Control 5: Account Management

• Intrusion Detection Systems (IDS): Monitor for reconnaissance activities within the network.

  • Examples: Snort, Suricata, Cisco Secure IDS.

  • Relevant CIS Control:

    • CIS Control 13: Network Monitoring and Defense

8. Lateral Movement

Attack Methods:

• Remote Services (T1021): Exploiting protocols like RDP or SMB to move between systems.

• Pass the Hash (T1550): Using hashed credentials to authenticate without knowing the password.

Effective Controls with Examples:

• Network Monitoring: Use tools to detect unusual internal network traffic.

  • Examples: ExtraHop Reveal(x), NetWitness Network, SolarWinds Network Performance Monitor.

  • Relevant CIS Controls:

    • CIS Control 13: Network Monitoring and Defense

    • CIS Control 12: Network Infrastructure Management

• Credential Hygiene: Limit the use of high-privilege accounts and clear cached credentials.

  • Examples: CyberArk Endpoint Privilege Manager, Microsoft Local Administrator Password Solution (LAPS), BeyondTrust Endpoint Privilege Management.

  • Relevant CIS Controls:

    • CIS Control 6: Access Control Management

    • CIS Control 5: Account Management

• Host-Based Firewalls: Configure firewalls to restrict unnecessary lateral communications.

  • Examples: Windows Defender Firewall, Symantec Endpoint Protection Firewall, McAfee Host Intrusion Prevention.

  • Relevant CIS Control:

    • CIS Control 12: Network Infrastructure Management

9. Collection

Attack Methods:

• Data Staging (T1074): Aggregating data in preparation for exfiltration.

• Input Capture (T1056): Capturing user input to obtain sensitive data.

Effective Controls with Examples:

• Data Loss Prevention (DLP): Monitor and control data transfers within and outside the organization.

  • Examples: Symantec Data Loss Prevention, Forcepoint DLP, McAfee Total Protection for DLP.

  • Relevant CIS Control:

    • CIS Control 3: Data Protection

• Encrypt Sensitive Data: Protect data at rest and in transit with strong encryption.

  • Examples: BitLocker Drive Encryption, Vera Encryption, Vormetric Data Security Platform.

  • Relevant CIS Controls:

    • CIS Control 3: Data Protection

    • CIS Control 11: Data Recovery

• Access Monitoring: Track access to critical files and systems.

  • Examples: Varonis Data Security Platform, Netwrix Auditor, Imperva File Security.

  • Relevant CIS Controls:

    • CIS Control 8: Audit Log Management

    • CIS Control 6: Access Control Management

10. Exfiltration

Attack Methods:

• Exfiltration Over Web Protocol (T1041): Using HTTP/HTTPS to transfer data unnoticed.

• Automated Exfiltration (T1020): Scheduled or scripted data transfers to external locations.

Effective Controls with Examples:

• Outbound Traffic Filtering: Restrict and monitor outbound connections to unauthorized destinations.

  • Examples: Palo Alto Networks NGFW, Cisco ASA Firewall, Check Point Firewall.

  • Relevant CIS Controls:

    • CIS Control 12: Network Infrastructure Management

    • CIS Control 13: Network Monitoring and Defense

• Anomaly Detection: Identify unusual data transfer patterns indicative of exfiltration.

  • Examples: Exabeam Advanced Analytics, Splunk User Behavior Analytics, Securonix UEBA.

  • Relevant CIS Controls:

    • CIS Control 13: Network Monitoring and Defense

    • CIS Control 8: Audit Log Management

• Encryption Controls: Prevent unauthorized encryption of data that could hide exfiltration activities.

  • Examples: McAfee DLP Endpoint, Symantec Endpoint Encryption, Trend Micro Endpoint Encryption.

  • Relevant CIS Controls:

    • CIS Control 3: Data Protection

11. Defense Evasion

Attack Methods:

• Obfuscated Files or Information (T1027): Hiding malicious code through encryption or compression.

• Disabling Security Tools (T1562): Turning off antivirus or firewall protections.

Effective Controls with Examples:

• Advanced Threat Detection: Use security solutions capable of detecting obfuscated malware.

  • Examples: FireEye Endpoint Security, CrowdStrike Falcon Insight, SentinelOne Singularity.

  • Relevant CIS Control:

    • CIS Control 10: Malware Defenses

• Tamper Protection: Enable features that prevent unauthorized modification of security tools.

  • Examples: Symantec Tamper Protection, McAfee Self-Protection, Microsoft Defender Tamper Protection.

  • Relevant CIS Controls:

    • CIS Control 4: Secure Configuration of Enterprise Assets and Software

    • CIS Control 10: Malware Defenses

• Behavioral Monitoring: Detect unusual activities indicative of defense evasion attempts.

  • Examples: Microsoft Defender for Endpoint, Cisco Secure Endpoint, Sophos Intercept X.

  • Relevant CIS Controls:

    • CIS Control 8: Audit Log Management

    • CIS Control 13: Network Monitoring and Defense

Conclusion

By mapping common attack methods to the attack lifecycle, organizations can better anticipate adversary behaviors and strengthen their defenses accordingly. Implementing the outlined controls, along with industry-leading solutions and alignment with the CIS Controls, not only mitigates risks at each stage of the attack lifecycle but also enhances overall cybersecurity resilience. Regularly updating security strategies to align with emerging threats is essential in maintaining robust protection against cyber attacks.

Note: Always refer to the latest MITRE ATT&CK framework and CIS Controls for the most current tactics, techniques, and recommended practices, as attackers continuously evolve their methods.

Case Study: How Controls Could Have Mitigated the WannaCry Ransomware Attack

To illustrate how implementing these controls can prevent or mitigate cyber attacks, let's examine the WannaCry ransomware attack that occurred in May 2017.

Overview of the WannaCry Attack

WannaCry was a global ransomware attack that infected over 230,000 computers across more than 150 countries. The ransomware encrypted data on infected computers and demanded ransom payments in Bitcoin. It exploited a vulnerability in Microsoft Windows SMB protocol (CVE-2017-0144) using an exploit known as EternalBlue, which was developed by the NSA and leaked by the Shadow Brokers hacking group.

Attack Lifecycle Mapping

1. Initial Access

   • Attack Method: Exploit Public-Facing Applications (T1190)

     • Details: WannaCry spread by exploiting the SMB vulnerability in unpatched Windows systems, allowing attackers to gain initial access without user interaction.

   • Effective Controls:

     • Regular Patching

       • Applying Microsoft's patch MS17-010 would have closed the SMB vulnerability.

       • Examples: Microsoft WSUS, Qualys Patch Management.

       • CIS Controls:

         • CIS Control 7: Continuous Vulnerability Management

2. Execution

   • Attack Method: Scripting (T1059)

     • Details: The malware executed code to encrypt files and propagate to other systems.

   • Effective Controls:

     • Endpoint Protection Platforms (EPP)

       • Advanced EPP solutions could detect and block ransomware behavior.

       • Examples: Trend Micro Apex One, Symantec Endpoint Protection.

       • CIS Control 10: Malware Defenses

3. Credential Access

   • Attack Method: Credential Dumping (T1003)

     • Details: WannaCry attempted to access credentials to facilitate lateral movement.

   • Effective Controls:

     • Credential Guard Technologies

       • Prevents unauthorized access to credentials stored in memory.

       • Examples: Microsoft Windows Defender Credential Guard.

       • CIS Control 3: Data Protection

4. Lateral Movement

   • Attack Method: Remote Services (T1021)

     • Details: The worm used SMB to spread to other vulnerable machines on the network.

   • Effective Controls:

     • Network Segmentation

       • Limiting network access can prevent the spread to critical systems.

       • Examples: Cisco TrustSec, VMware NSX.

       • CIS Control 12: Network Infrastructure Management

     • Host-Based Firewalls

       • Blocking unnecessary ports (like SMB port 445) can prevent propagation.

       • Examples: Windows Defender Firewall.

       • CIS Control 12: Network Infrastructure Management

5. Impact

   • Attack Method: Data Encrypted for Impact (T1486)

     • Details: Files were encrypted, and a ransom note was displayed demanding payment.

   • Effective Controls:

     • Data Backup and Recovery

       • Regular, tested backups ensure data can be restored without paying ransom.

       • Examples: Veeam Backup & Replication, Veritas NetBackup.

       • CIS Control 11: Data Recovery

     • Anti-Malware Solutions

       • Behavioral analysis can detect and stop ransomware encryption processes.

       • Examples: CrowdStrike Falcon Prevent, SentinelOne Singularity.

       • CIS Control 10: Malware Defenses

How Controls Could Have Mitigated the Attack

• Regular Patching (CIS Control 7): Timely application of security patches would have closed the SMB vulnerability exploited by WannaCry, preventing initial access.

• Endpoint Protection (CIS Control 10): Advanced EPP solutions with ransomware protection could have detected and blocked the execution and encryption activities.

• Network Segmentation and Firewalls (CIS Control 12): Proper segmentation and strict firewall rules would have limited the worm's ability to move laterally across the network.

• Credential Protection (CIS Control 3): Implementing credential guard technologies would have minimized the risk of credential theft, hindering lateral movement.

• Data Backup and Recovery (CIS Control 11): Regular backups would allow organizations to recover data without succumbing to ransom demands, mitigating the attack's impact.

• User Awareness (CIS Control 14): While WannaCry did not rely on phishing, general security awareness can help users recognize and report unusual system behavior promptly.

Conclusion of the Case Study

The WannaCry ransomware attack highlights the critical importance of basic cybersecurity hygiene and adherence to established controls. By implementing the recommended controls aligned with the CIS Controls and the MITRE ATT&CK framework, organizations could have significantly reduced the attack's effectiveness. Regular patch management, advanced endpoint security, network segmentation, and robust backup strategies form a multi-layered defense that can thwart similar attacks.

By studying real-world attacks like WannaCry, organizations can understand the practical applications of cybersecurity controls and the necessity of a proactive, defense-in-depth strategy. Implementing these controls not only defends against known threats but also strengthens the organization's posture against emerging cyber risks.