[BreachExchange] 3 Steps to Disrupt Threat Actors Selling Access to Your Environment

Destry Winant destry at riskbasedsecurity.com
Thu May 6 10:35:18 EDT 2021


https://www.securityweek.com/3-steps-disrupt-threat-actors-selling-access-your-environment

Unmasking a threat actor at an individual level could help you to gain more
context, determine why the attack occurred, and quantify future risk

Imagine law enforcement reaches out to a security team to tell them a
threat actor is selling employee credentials or private access keys to a
sensitive business application. Even though there is no confirmation that
these threat actors accessed or stole data, it is very troubling. This type
of threat is growing increasingly common in today’s threat landscape. To
make sure these types of events don’t become full-blown breaches and damage
the company’s reputation, sophisticated enterprises know that they need to
take timely action and have visibility outside their perimeter. That action
typically consists of external threat hunting, forensics, and the unmasking
of the actors using open-source intelligence (OSINT). Successfully
attributing the actor goes a long way to determining if the company is the
victim of a targeted attack or just a target of opportunity.

There are, however, three steps that organizations can follow to help protect
the confidentiality, integrity, and availability of their data systems.

Step 1: Initial Internal and External Triage

The first step is making sure you have a coordinated response. This should
include the legal, human resources, information technology, and security
teams. The top priority should be ensuring the confidentiality, integrity,
and availability of your data systems. A prerequisite for that is determining
the origin of the leaked credentials. If law enforcement or a third-party
vendor initiates contact, they may hold those user credentials or private
keys while engaging directly with the threat actor(s).

Generally speaking, law enforcement will have the account names of the
forum users attempting to sell the credentials. Once you have this
information, you should research the threat actors to assess their
technical skills and how prolific they are in underground forums. For
example, the dark web sellers may not have the same technical acumen as the
actual malicious actor who obtained access into the environment. At this
stage of the investigation, the extent of the damage often remains unknown
and three paths should be pursued: 1) removing access, 2) determining the
extent of the damage, and 3) deciding if the threat justifies unmasking
the actors to understand the nature of the attack.

Step 2: Remove Unauthorized Access and Identify Damages


After confirming which credentials were exposed and what access they grant,
you need to determine the damage. This includes identifying evidence of
unauthorized access, lateral movement, the use of malicious tools, malware
deployment, and whether or not data was accessed and exfiltrated. A
combination of proper logging backed by a data acquisition strategy,
two-factor authentication (both at the edge and internally), endpoint and
network monitoring, some form of segmentation (even if only hardened access
control policies), and patch management is likely to keep the security event
or incident from turning into a full-blown breach.

Hopefully, the attacker’s time in your network only resulted in malicious
authentication and no further damage occurred. If you have not implemented
those proactive threat deterrents, it makes sense to reevaluate your
security stack or engage with an expert for an overall security assessment.


In response to a specific attack, it’s important to do external threat
monitoring and threat actor engagement to determine if the actors are
attempting to exploit or monetize the security event. During this stage, it
may not be necessary to unmask the individual responsible for the attack.
If an assessment determines that the attackers gained access using
credentials scraped from third-party repositories, by password spraying
until a valid password was found, or with a password reused from a previous
data breach, it is possible that no further malicious activity occurred
inside the environment.
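The two checks that the paragraphs above call for, evidence of unauthorized authentication and the password-spraying pattern, can be run over the authentication log once it has been collected. The following is an added example written for this post, not code from the SecurityWeek article; the log format, the field names, the thresholds, and every address, user name and timestamp are constructed assumptions. It flags sources that failed against many distinct accounts in a short window (spraying), any success from such a source, and any success from an address the user has never used before, which is how a reused or purchased password typically surfaces.

```python
"""Triage of authentication logs after a report of leaked credentials.

Added example for this post, not code from the SecurityWeek article. The log
format, field names, thresholds and every address, user name and timestamp
below are assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format per line:
#   <ISO 8601 timestamp> <source IP> <user name> <SUCCESS|FAIL>
# Lines 1-7 model one source working through many accounts with a guess
# each (password spraying) and finally succeeding against "grace".
SAMPLE_LOG = """\
2021-05-03T02:00:01 203.0.113.7 alice FAIL
2021-05-03T02:00:03 203.0.113.7 bob FAIL
2021-05-03T02:00:05 203.0.113.7 carol FAIL
2021-05-03T02:00:07 203.0.113.7 dave FAIL
2021-05-03T02:00:09 203.0.113.7 erin FAIL
2021-05-03T02:00:11 203.0.113.7 frank FAIL
2021-05-03T02:00:13 203.0.113.7 grace SUCCESS
2021-05-03T09:15:00 198.51.100.4 alice SUCCESS
2021-05-03T09:15:30 198.51.100.4 alice FAIL
2021-05-03T23:40:00 192.0.2.55 dave SUCCESS
"""

# Constructed baseline of source addresses each user has legitimately used
# before (in practice built from weeks of prior successful logins).
KNOWN_SOURCES = {
    "alice": {"198.51.100.4"},
    "dave": {"198.51.100.4"},
    "grace": {"198.51.100.4"},
}


def parse_log(text):
    """Parse the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "user": user, "result": result})
    return events


def find_password_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Sources that failed against at least `min_users` distinct accounts
    inside some `window`-long span. Returns {source: sorted user list}."""
    fails_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_src[e["src"]].append(e)
    sprayers = {}
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        best = set()
        for i, start in enumerate(fails):
            # All failures from this source within `window` of `start`.
            users = {e["user"] for e in fails[i:]
                     if e["ts"] - start["ts"] <= window}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            sprayers[src] = sorted(best)
    return sprayers


def successes_from_sprayers(events, sprayers):
    """Successful logins from a source already identified as spraying:
    the 'malicious authentication' the triage is looking for."""
    return [(e["ts"].isoformat(), e["src"], e["user"]) for e in events
            if e["result"] == "SUCCESS" and e["src"] in sprayers]


def successes_from_unknown_sources(events, known_sources):
    """Successful logins from a source the user has never used before;
    a reused or purchased password typically shows up this way."""
    return [(e["ts"].isoformat(), e["src"], e["user"]) for e in events
            if e["result"] == "SUCCESS"
            and e["src"] not in known_sources.get(e["user"], set())]


def triage(text=SAMPLE_LOG, known_sources=KNOWN_SOURCES):
    """Run the three checks and return the findings in one dict."""
    events = parse_log(text)
    sprayers = find_password_spraying(events)
    return {
        "spraying_sources": sprayers,
        "logins_from_sprayers": successes_from_sprayers(events, sprayers),
        "logins_from_new_sources": successes_from_unknown_sources(
            events, known_sources),
    }


if __name__ == "__main__":
    for name, finding in triage().items():
        print(name, finding)
```

On the constructed log this reports 203.0.113.7 as a spraying source, the success against "grace" from that source, and the late-night success for "dave" from an address he has never used. The thresholds (five accounts in ten minutes) are deliberately conservative; tune them against your own baseline, and treat every success from a spraying or previously unseen source as the starting point for the lateral-movement and exfiltration checks, not as the end of the investigation.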

If, on the other hand, the investigation leads you to suspect an insider
or former employee is responsible for the attack, unmasking and attribution
can provide critical context and help you avoid a breach, and possibly take
legal action.

Step 3: The Case for Unmasking Attribution

If you are a victim of a targeted attack and not merely a target of
opportunity, unmasking the threat actor at an individual level will help
you to gain more context, determine why the attack occurred, and quantify
future risk. Making the determination does not need to be a
resource-intensive effort. The intelligence, forensics, and execution cycle
of an event determined in the previous steps will indicate whether a
security incident rises to the level of a breach. If the investigation
determines one of the following, then unmasking may be warranted:

1. Sold credentials from an insider

2. Default credentials left in place

3. Account created by the former employee remains active

4. Credentials not rotated for more than six months, or intentionally or
accidentally shared
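Three of the four conditions above can be checked mechanically from an account inventory: a default credential still in place, an active account provisioned by someone who has since left, and a credential that has not been rotated in more than six months (whether a credential was shared is rarely visible in inventory data). The following audit is an added example written for this post, not code from the SecurityWeek article; the inventory fields, account names, creator names, dates and the leaver list are constructed assumptions, and the `default_credential` field stands in for an assumed check of the current secret against the vendor's documented default.

```python
"""Account audit for the conditions that make unmasking worth the effort.

Added example for this post, not code from the SecurityWeek article. The
inventory fields, names and dates are assumptions constructed for
illustration; a real run would read them from the directory or IAM export.
"""
from datetime import date

# Constructed account inventory (not real data). Assumed fields:
#   enabled            - the account can still authenticate
#   created_by         - user who provisioned the account
#   last_rotated       - ISO date the password/key was last changed
#   default_credential - result of an assumed check of the current secret
#                        against the vendor's documented default
ACCOUNTS = [
    {"name": "svc_backup", "enabled": True, "created_by": "jdoe",
     "last_rotated": "2020-09-01", "default_credential": False},
    {"name": "admin", "enabled": True, "created_by": "setup",
     "last_rotated": "2019-01-15", "default_credential": True},
    {"name": "asmith", "enabled": True, "created_by": "hr-onboarding",
     "last_rotated": "2021-04-20", "default_credential": False},
    {"name": "reporting_api", "enabled": True, "created_by": "jdoe",
     "last_rotated": "2021-03-01", "default_credential": False},
    {"name": "old_vendor", "enabled": False, "created_by": "jdoe",
     "last_rotated": "2018-05-05", "default_credential": False},
]

# Constructed list of departed staff, normally taken from HR's leaver feed.
FORMER_EMPLOYEES = {"jdoe"}

# Date of the audit; fixed here so the example is reproducible.
AUDIT_DATE = date(2021, 5, 6)

DEFAULT_CREDENTIAL = "default-credential"
FORMER_EMPLOYEE_CREATOR = "former-employee-creator"
STALE_CREDENTIAL = "stale-credential"


def credential_age_days(last_rotated, today):
    """Days since the credential was last changed."""
    return (today - date.fromisoformat(last_rotated)).days


def audit_accounts(accounts, former_employees, today, max_age_days=180):
    """Return sorted (account, reason) pairs for every active account that
    matches one of the article's unmasking conditions. Disabled accounts
    are skipped: they cannot be the foothold for a live intrusion."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        if acct["default_credential"]:
            findings.append((acct["name"], DEFAULT_CREDENTIAL))
        if acct["created_by"] in former_employees:
            findings.append((acct["name"], FORMER_EMPLOYEE_CREATOR))
        if credential_age_days(acct["last_rotated"], today) > max_age_days:
            findings.append((acct["name"], STALE_CREDENTIAL))
    return sorted(findings)


def unmasking_warranted(findings):
    """The article's test: any matching condition justifies attribution."""
    return len(findings) > 0


if __name__ == "__main__":
    results = audit_accounts(ACCOUNTS, FORMER_EMPLOYEES, AUDIT_DATE)
    for name, reason in results:
        print(f"{name}: {reason}")
    print("unmasking warranted:", unmasking_warranted(results))
```

On the constructed inventory the audit flags "admin" (default credential, never rotated), "svc_backup" (created by a leaver, not rotated in 247 days) and "reporting_api" (created by a leaver), and ignores the disabled "old_vendor" account. Any hit is a reason to pull the account's full authentication history before deciding whether the sale of access traces back to an insider or a former employee.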

Over the past decade, attribution was largely focused at a nation-state or
actor level, but depending on attack context, it is becoming increasingly
important to do attribution at an individual level. Remember, you can only
secure what you see. While it’s always important to ensure confidentiality,
integrity, and availability of your network through perimeter and internal
insight, it’s increasingly critical to have the same visibility outside
your firewalls.