Here at Graylog, we have recently had an increase in conversations with security teams from leading companies and were inspired by Rob Joyce’s presentation at the USENIX Enigma 2016 conference. We want to share our key findings with the Graylog community!
This will be a 3 part series covering specific ways log management can be used to tighten security. To kick off Part 1, we have an overview of the 5 phases of intrusion and how to best combat attackers that are trying to infiltrate your networks and computer systems.
In order to stay protected, one must think like an infiltrator. The good thing is that cyber criminals use a methodical approach when planning an attack. By understanding their process and knowing your network, you will be better prepared and able to stay one step ahead.
Stage 1 of Intrusion: Reconnaissance
Attacker's Focus: Analyzing the Target
In this stage, attackers act like detectives, gathering information to truly understand their target. Detail is everything! From examining email lists to open source information, their goal is to know the network better than the people who run and maintain it. They hone in on the security aspect of the technology, study the weaknesses, and use any vulnerability to their advantage.
The reconnaissance stage can be viewed as the most important because it takes patience and time, from weeks to several months. Any information the infiltrator can gather on the company, such as employee names, phone numbers, and email addresses, will be vital. Attackers will also start to poke the network to analyze what systems and hosts are there. They will note any changes in the system that can be used as an entrance point. For example, leaving your network open for a vendor to fix an issue can also allow the cyber criminal to plant himself inside.
By the end of this pre-attack phase, attackers will have created a detailed map of the network, highlighted the system’s weaknesses, and then continue on with their mission. Another point of focus during the reconnaissance stage is understanding the network's trust boundaries. With an increase in employees working from home or using their personal devices for work, there is an increase in areas of data breaches.
How to Combat: Know your network
It is important to fully inspect your network, know the technologies inside, and any possible cracks in your system. The best way to fully understand the network and have information readily available for research is to centrally collect the log messages from your network hardware. A tool like Graylog provides a visual of your network communications and path of connections using the one source of truth: log messages about established or rejected connections. In addition, hiring a red team is a great way to put your security to the test. The red team will test your system to identify vulnerabilities in the infrastructure. If they successfully breach your network, they'll show you which areas need more protection and how to correct the errors.
Stage 2: Initial Exploitation
Attacker’s Focus: Intrusion
Persistence is key and infiltrators use numerous methods in exploitation. Water-holing is used by an attacker to compromise a popular website that is visited by company employees. Once the employee visits the infected site, the cyber criminal can attack their computer in hopes of gaining credentials and access to the company network. Other examples of vectors used by attackers is by spear phishing, SQL injection, infecting emails, and tainting removable media.
How to Combat: Logs and Procedures
In order to protect your system, you need to focus on the most detailed information about the network, the logs! Logs are the key to spotting any anomalies or breaches in your system. Having an enterprise-ready log management system, such as Graylog, will make it more difficult for cyber criminals. You need to be constantly monitoring your network traffic and looking for anomalies and signs of attacks. Also, to make intrusion harder, among other measures, add two factor authentication to the services your users use or implement the principle of least privilege as extra security methods.
Stage 3: Establish Persistence
Attacker’s Focus: Digging into the System
At this point, cyber criminals are in your system and focused on gaining additional access to build up presence. In order to take over the network, they will need to obtain more control and dive deeper into the system. One method is through privilege escalation in which the attacker uses any error or flaw in the system to either vertically or horizontally obtain extra privileges or ones that were not intended for the user. Other points of entry could be through too open systems or finding SSH keys.
How to Combat: Monitor connection pathways
With the infiltrator in your network, most likely there will be a command and control channel from the outside into your infrastructure. Your task is to detect and disarm the control channel before the attacker can start to move laterally inside your network, causing more harm. You can use network and operating system logs to find connections from the outside that should not be there. Just like the detection of attackers who are poking on your perimeter security measures, this is also a constant task that should be partly automated or managed with an easy to access dashboard.
Stage 4: Move Laterally
Attacker’s Focus: Finding Key Pieces
Cyber criminals usually do not land in the exact spot of their target, thus, they need to move laterally in order to find their key pieces to complete their mission.
How to Combat: Protection Throughout Network
If an attacker has made it inside your system, it is imperative to halt their movement. The amount of protection around your network needs to have the same strength as inside. You can strengthen your defense through network segmentation, monitoring your logs, and limiting administrator privilege.
Stage 5: Collect, Exfil, and Exploit
Attacker’s Focus: Get in, Get Out
The attackers have succeeded. They compromised your network and your sensitive data is moved out. The attackers can now leak this information and the ultimate goal of their mission is complete.
How to Combat: Always Be Improving!
You need to be continually improving your defense systems, implementing policies and procedures, and always be analyzing your logs, because it is the first place to detect malicious activity.
How to monitor your network logs with Graylog
Our Graylog engineers are always helping the community with using log management to detect anomalies and hardening their infrastructure. Check back next Tuesday for Part 2 where we will discuss the use of log management for network security using Graylog examples.