Revisiting Traditional Security Advice for Modern Threats
Modern attacks targeting supply chains, using zero-day exploits, and exploiting vulnerabilities in security appliances have been flooding newsrooms, boardrooms and threat reports in recent months. Some examples have been unique and interesting, including the 3CX software supply chain compromise, which was itself linked to a supply chain compromise of Trading Technologies software, and the supply chain compromise of JumpCloud that was made possible by a sophisticated spear phishing campaign. Other examples have been slightly more traditional, such as exploitation of vulnerabilities in security appliances such as Barracuda Email Security Gateway, network security devices, foundational IT platforms and application software. The modern-day nuance is the frequency and widespread use of these techniques against a wide variety of targeted technologies, especially those used for security, with cascading impact that potentially allows access into numerous user networks.
Today's compromises are challenging for even the most security-mature organizations. Many vulnerabilities and exploits do not reveal themselves out of the box; some surface only after installation or with software updates. This means point-in-time detection would have to be really lucky, even for the best of security teams. Overall, we feel most blue teams would struggle to prevent or detect the initial compromise, and endpoint detection likely won’t catch early signs of compromise given the way many new attacks target firewalls, software, and other security applications that fall outside of currently popular endpoint detections.
Security teams need to be ready to react to situations that unfold following these modern-day compromises. The purpose of this blog post is to highlight how we must revisit secondary detections and post-compromise detections if we want to enhance our defense in depth and increase visibility in those “hard-to-detect” problem areas.
Let's start with a high-level example. An attacker has access to a pre-compromised firewall device. What type of actions would they have to take that can be detected (yes, we are back to examining the good old attack lifecycle)?
Mandiant’s data indicates that attackers of this sort still go after credentials. It is also very likely that some form of network communication would take place, be it the internal traffic, such as reconnaissance, data access and data staging, or actual extraction of stolen data. In M-Trends 2023, we identified that in 40% of intrusions in 2022, adversaries prioritized data theft.
Overall, recent attacks teach us that while the initial exploits vary dramatically, attackers’ post-exploit operations are much more consistent. This means that post-exploit and secondary-stage detection is a far more consistent problem to solve than initial-compromise detection.
The following are a few tricks that a detection and response team can have up their sleeve to simplify detection at this late stage:
- Credentials: Look for many types of credential abuse, theft, reuse, and scans. For many organizations, this could mean focusing on Active Directory or other identity management systems.
- Internal network traffic: Look for reconnaissance, data staging, sensitive repository access, and access to backups. Disable trust relationships between systems and alert when jumps occur. Use MFA everywhere you can and alert to anomalous access attempts (inside to inside). Look for unusual activity near holidays and weekends too.
- External network traffic: Naturally, we are talking about detecting the attacker’s command and control as well as data theft. Here, real-estate principles apply — location, location, location. Where should your connections and data go or never go?
- Sensitive data access: Think like attackers and protect beyond your crown jewels. Set alerts when data of interest to threat actors is accessed, including cyber insurance documents, configuration management databases, emails (bulk email compromise tools could be detected), financial statements, network maps, and client lists. In 2022, one in seven ransomware intrusions with data theft contained sensitive OT information. If you have this type of data, protect access to it and alert to access attempts, especially those that don't look like the others.
- Data theft: If the attacker is after the data, such data would likely cross your network perimeter. While there are many reasons this is often missed, there are anomalies, locations, and permissions that could help you detect potential theft. Attackers often access data from your backups (since attackers assume you back up the data most valuable to you), so build up security around your backups with encryption, detections, and auditing. In cases of various types of supply chain compromises and zero-day exploits, look for data leaving in unusual ways or to unusual places.
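The credential, external-traffic and sensitive-data checks above, as an added example run over constructed log events (this is not Mandiant's tooling; the event fields, destination allowlist, sensitive paths, approved accounts and thresholds are all assumptions):

```python
"""Post-compromise detection rules over constructed log events.
Added example; every field name, path, address and threshold is an assumption."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample events: (type, account, src_host, dst, bytes_out, path).
EVENTS = [
    ("auth", "svc-backup", "ws-01", "dc-01", 0, ""),
    ("auth", "svc-backup", "ws-02", "dc-01", 0, ""),
    ("auth", "svc-backup", "ws-03", "fs-01", 0, ""),
    ("auth", "svc-backup", "ws-04", "fs-02", 0, ""),          # 4th host: fan-out
    ("file", "svc-backup", "fs-01", "", 0, "/backups/ad.bak"),  # not approved
    ("file", "bkp-admin", "bkp-01", "", 0, "/backups/ad.bak"),  # approved
    ("conn", "", "fw-01", "203.0.113.9", 850_000_000, ""),      # unexpected place
    ("conn", "", "ws-01", "198.51.100.20", 4_000, ""),          # expected place
]

# Assumed policy: "location, location, location" - where data may go.
EXPECTED_DST = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]
SENSITIVE_PATHS = ("/backups/", "/cmdb/", "/finance/")   # data attackers want
APPROVED_FOR_SENSITIVE = {"bkp-admin"}
MAX_HOSTS_PER_ACCOUNT = 3          # one account on more hosts than this = abuse
EXFIL_BYTES = 100_000_000          # outbound volume worth a look

def run_rules(events):
    """Return a list of alert tuples in the order the events trigger them."""
    alerts = []
    hosts_by_account = defaultdict(set)
    for kind, acct, src, dst, out, path in events:
        if kind == "auth":
            hosts_by_account[acct].add(src)
            # Credential reuse: one account fanning out across many hosts.
            if len(hosts_by_account[acct]) == MAX_HOSTS_PER_ACCOUNT + 1:
                alerts.append(("cred_fanout", acct))
        elif kind == "conn":
            # External traffic: large transfer to a place data should never go.
            ip = ip_address(dst)
            if out >= EXFIL_BYTES and not any(ip in net for net in EXPECTED_DST):
                alerts.append(("unexpected_exfil", src, dst))
        elif kind == "file":
            # Sensitive data access by an account that is not approved for it.
            if path.startswith(SENSITIVE_PATHS) and acct not in APPROVED_FOR_SENSITIVE:
                alerts.append(("sensitive_access", acct, path))
    return alerts

if __name__ == "__main__":
    for alert in run_rules(EVENTS):
        print(alert)
```

Each rule fires once on the sample; in production the thresholds would be tuned per environment and the allowlist derived from known business flows.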
In recent breaches involving VMWare, Fortinet and Barracuda compromises, the attackers aggressively harvested credentials, mapped out the hosts and engaged in internal reconnaissance, disabled security controls (e.g. host firewall), accessed many types of data (e.g. asset repositories), connected to attacker infrastructure (such as via reverse shell) and of course, stole data via various methods. These activities present potential detection and response opportunities.
Here are more of the often-overlooked security fundamentals that security teams should shift from “good ideas” to “must-dos” in today’s world:
- Use technology for continual testing coupled with periodic third-party testing to identify your assets and their vulnerabilities. Technology can do this on an ongoing basis, while experts can reveal your blind spots and help you manage your attack surface, assets, and vulnerabilities.
- Use a risk-based approach for patching and vulnerability management. There are so many CVEs, you will deplete precious resources trying to patch them all. Instead, know your environment, and use threat intelligence to assess which ones are likely to cause you harm and prioritize those.
- Use technology for continual testing and periodic third-party testing to test your internal controls and their ability to detect, defend, or miss current threats.
- Harden systems, and leverage MFA everywhere possible. Use tokens (e.g. FIDO2 keys) and other modern methods to make it fast and manageable.
- Analyze and maintain logs for a year or more. Mandiant encourages security teams to collect, maintain, and review logs whenever possible, including in cloud, macOS, VMware, and PowerShell. Logs can help security teams identify actions an attacker has taken, and the longer they’re available for analysis, the more opportunities for an organization to have a successful remediation.
- Use deception such as honey tokens that, if used, would alert you to anomalous, potentially dangerous, activity related to the compromised assets.
- Focus on evolving your identity and access management, and network security following the zero trust ideas and principles to systematically reduce these risks.
To many readers, this list sounds like 25-year-old security advice. However, the current threat landscape makes some of the old “good idea” advice more of a “hard must-do” today. Saving logs for a year used to be about compliance; now it may be one of the few ways to detect a device that was compromised during manufacturing or through software updates.
Attackers are always finding new ways to evade tools, processes, and other forms of detection. Advancing your abilities to keep up while continuing to implement fundamentals sounds easy, but it isn’t. Despite hearing the “same old advice” for years, it’s as relevant now as it ever has been. In 2022, in 70% of the ransomware attacks Mandiant investigated, the victims were notified by an external source. To bring that number down, detection practices require continual attention and refinement.