Successful Network Attacks - Phase Four: Maintaining Access
by Daelphinux
After gaining access to a network, an attacker has a goal they need to accomplish. This goal will require them, usually, to be attached to the network long enough to copy/modify files, deliver a payload, or cause system instability. This part of the attack is the last that can be actively defended against during the event.
There are three things that have and are occurring during Phase Four. First, the attacker has successfully breached the network. Second, the attacker is attempting to achieve their goal. Third, less experienced attackers tend to get overly comfortable with their success at this point. An attacker is, arguably, most vulnerable during this phase of the attack. They have very few options at their disposal to actively offset the chance of getting caught, and they are performing their desired tasks. This means that they are, essentially, out in the open to be found. Much of this step is hope that their connection will not be terminated; although a skilled attacker will have taken precautions to avoid this. The key precaution they will take is to either cease, overwhelm, or otherwise take ownership of network monitoring strategies.
Networking monitoring will be crucial to detecting this attack. As such, it is the first thing an attacker will try to disable. For this reason it is necessary to have redundant network and system monitoring. This will allow an entity attempting to stop or defend against an attack to know if one of their monitors has gone down. When a network monitor goes down, the first response from any entity should immediately be to start looking at other monitors and metrics. Check everything from number of active connections to bandwidth utilization. While part of an IT team or incident response team is looking into other causes, there should always be a dedicated person or group looking at the event as an active incident. This healthy measure of paranoia can be the difference between a successful attack and an averted attack. Often, IT teams will become complacent with a system - such as a monitoring service - going down. This needs to never happen in any entity that wants to be able to defend against an attack.
Other indicators for this include network monitors pinging administrators regarding long network sessions, sessions being engaged on uncommon protocols, or activity that happens outside of normal hours. Generally, much as in the previous steps, this will require network monitoring solutions, an IDS, an IPS, or a Security Information and Event Management (SIEM) system.
A SIEM is a single point of collection for all security information and event logs from systems, networking, and endpoint monitoring solutions. This single location can be critical for an incident response team to instantly get all of the information they need to begin preparing for, and initiating, a strong defense. However, much like network monitoring solutions, SIEMs are often targets when an attacker hits a network. As such, it is suggested that multiple instances be utilized to prevent an unreported takedown.
It is of note that if an attacker knows to take down one SIEM or other monitoring solution, they would think to look for another one. This is a true statement, however, network attacks are rarely capable of simultaneously taking down two systems. As such, when the first monitor is taken down, ideally, the second monitor will trigger an alert to administrators who can go looking at the problem. In these instances, if one monitor goes down, it is likely valuable to dedicate resources, as mentioned above, to both treating the incident as an attack and treating it as a simple systems failure. This will allow a team to diagnose both ends and resolve the issue. However, if it is found that both monitors have been taken down simultaneously, or temporally close together, that incident should more heavily be treated as an attack.
Although maintaining access may seem unpreventable once access is gained, there are ways to prevent this phase of an attack from being successful. Most often, this will involve using network rules on networking hardware, and various rules on systems to immediately kill connections that fit certain criteria. This could be something as simple as killing any connection that goes on longer than 25 minutes to something as complex as killing any connection that attempts to access a file in a given location. Another solid option that can be used to actively disrupt the maintenance of action is to, quite simply, disconnect the network altogether. Given the impact this measure may have on productivity; a business case will need to be made for the implementation. Usually these preventative measures are reserved for the most sensitive systems.
Phase 1: Reconnaissance - Gathering as to much useful information about the target as possible.
Phase 2: Scanning - Gathering useful information about the target's networks and any possible exploits.
Phase 3: Gaining Access - Getting into the network to be able to accomplish the attack's goal.
Phase 4: Maintaining Access - Ensuring access to the network persists long enough to accomplish the attack's goal.
Phase 5: Covering Tracks - Obfuscating the attacker's presence on the network such that they cannot be traced.