April 13th marked the release of the FireEye Mandiant M-Trends 2021 report. M-Trends brings together the best of cybersecurity expertise and threat intelligence with statistics and insights from frontline Mandiant investigations around the globe. We all know how 2020 offered plenty of cyber activity.
Shrikant Shitole, Vice President & Country Head - India & SAARC, FireEye, tells us more. Excerpts from an interview.
DQ: How can you prevent the common man from cyberattacks?
Shrikant Shitole: The data and technology stored in your networks, and in the cloud are vulnerable. While the tactics, targets and technology of attacks are all important, your most powerful defense against cybercrime is to understand threat actors.
To effectively prevent and respond to cybercrimes, you need to establish the motivations and methodology of threat actors. Here are two ways advanced cyberattacks work:
Targeted: Malware, such as spear phishing, is used to reach a specific machine, individual, network, or organization. This malware tends to be signature-less, or otherwise evades antivirus and other traditional cyber security efforts using the criminal’s knowledge of the target.
Persistent: Advanced cyberattacks are initiated via a series of email, file, web, or network actions. These individual actions might remain undetected by antivirus or other traditional defenses, or be ignored as harmless or low-priority. However, the malware becomes entrenched and pervasive, and culminates in a devastating attack.
Malware that uses both of these methodologies simultaneously presents an advanced persistent threat, or APT. And any organization in any industry can be a target.
Defending against today’s sophisticated attackers requires a security solution that prevents and detects advanced threats by being aware of the top threat vectors and malicious activity across those vectors, spotting new threats, including never-before-seen (zero-day) attacks, and well known and commodity threats, identifying advanced multi-stage and multi-vector attacks, using cutting-edge intelligence to quickly recognize serious threats and threat actors.
Cyber security has never been more challenging. Almost daily, new threats expose companies’ vulnerabilities, forcing them to purchase more products and hire more talent. Such reactive approaches lead to escalating complexity — yet another vulnerability that the attackers can take advantage of.
Detection and prevention only solve half the problem. It is equally critical to analyze and respond to the technical, legal, financial and public relations impact of an unforeseen incident. FireEye strongly recommends establishing a response plan, ideally with a security partner. FireEye and its partners offer services for response plan development, managed security validation and incident investigation.
DQ: What is the latest on growing insider threats?
Shrikant Shitole: The number of incidents in which malicious insiders destroyed critical business systems, leaked confidential data, stalked employees and extorted employers is increasing every year.
To properly mitigate the frequency and impact of insider threats, security-conscious organizations must not only implement data loss prevention processes, but also deploy and establish dedicated staff, behavioural analytics and security information event management capabilities. Protecting your organization against insider threats requires more than a data loss prevention solution. To ensure your organization possesses a mature security posture against insider threats, it’s critical to assess your existing environment and implement effective, continuous security program capabilities.
Insider threat events impact organizational reputation, customer trust and investor confidence. In 2019 and 2020, Mandiant responded to numerous customers who experienced corporate and economic espionage, data and backup destruction, and intentional data theft and leakage.
Mandiant has also launched two new services to counter dynamic insider threats – “Insider Threat Security as a Service” and “Insider Threat Program Assessments” that offer customers protection from insider threats using unparalleled frontline incident response expertise and Mandiant Threat Intelligence.
Mandiant uses a “follow the data” security model to deliver actionable, organization-specific recommendations. This approach is designed to identify weaknesses and vulnerabilities across existing safeguards, improve program capabilities and reduce the overall risk of insider threats.
Insider Threat Program Assessment:
The Insider Threat Program Assessment is a purpose-built, point-in-time service to assess organizations with a nascent or existing insider threat security program. Designed to follow the data rooted in three core domains – people, processes and tools – Mandiant leads dedicated workshops to identify gaps and vulnerabilities in the client’s specific environment. Available in three tiers to meet situational client needs, the Insider Threat Program Assessment delivers detailed, organization-specific recommendations and actionable roadmaps for tailored program outcomes.
Insider Threat Security as a Service:
The Insider Threat Security as a Service is a holistic, subscription-based program that provides organizations with continuous, full-spectrum insider threat visibility, prevention, incident response, remediation and real-time threat intelligence. Powered by Mandiant Threat Intelligence, this service is imperative for organizations with a remote workforce and sensitive data that could be stolen or leaked. The Insider Threat Security as a Service provides delivery of regular executive briefings, insider threat activity case files and reporting, and threat intelligence specific to the client’s environment. Available in three tiers, this service has comprehensive coverage and expertise to accommodate program needs of all sizes, at scale.
DQ: Elaborate on the attacker techniques and malware.
Shrikant Shitole: When making security decisions, organizations must consider the likelihood of specific techniques being used during an intrusion. In 2020, Mandiant experts observed attackers use 63% of MITRE ATT&CK techniques and 24% of sub-techniques. However, only 37% of the techniques observed (23% of all techniques) were seen in more than 5% of intrusions.
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, government and the cyber security product and service community.
In more than half of the intrusions investigated in 2020, Mandiant observed that adversaries used obfuscation, such as encryption or encoding, on files or information to make detection and subsequent analysis more difficult (T1027). Adversaries regularly used a command or scripting interpreter to further intrusions (T1059) and 80% of those cases involved the use of PowerShell (T1059.001). System services (T1569) were also a popular execution method, represented in 31% of intrusions, all of which used Windows services (T1569.002). Adversaries also used Remote Services (T1021) to further intrusions, with 88% of those using the Remote Desktop Protocol (T1021.001). Adversaries often take advantage of what is available in a victim’s environment; this tendency is highlighted by how frequently adversaries used PowerShell, Windows services and Remote Desktop.
In 2020, significant changes were made to the MITRE ATT&CK framework with the introduction of sub-techniques and the incorporation of PRE-ATT&CK in Enterprise ATT&CK. Due in part to these changes and the continued refinement of its data model, Mandiant now has MITRE ATT&CK techniques mapped to more than 1,800 Mandiant techniques and subsequent findings.
DQ: There are growing ransomware and remediation techniques. How can we stop or check this?
Shrikant Shitole: Ransomware has evolved into multifaceted extortion where actors not only deploy ransomware encryptors across victim environments, but also employ a variety of other extortion tactics to coerce victims into complying with demands. A major factor contributing to the increased proportion of incidents with dwell times of 30 days or fewer is the continued surge in the proportion of investigations that involved ransomware, which rose to 25% in 2020 from 14% in 2019.
Traditional security solutions, including anti-virus software, next-generation firewalls, secure email and web gateways and intrusion prevention systems, rely on static analysis and signatures to detect and block known threats. An attacker can test those defenses and adjust their tactics to bypass them. More and more frequently, ransomware is being delivered by sophisticated persistent cyberattacks. To defend against ransomware attacks, organizations need a combination of technology and robust threat intelligence.
Most reported ransomware infections are introduced via email attachments or embedded links. Attackers often target key personnel and high-value computers with spear phishing to maximize their gains. They get the user to execute the file or click on the link through social engineering techniques.
Users should set up and tighten security controls to monitor email, IPS, network and endpoints to detect behaviour that can indicate ransomware activity. Many common-sense measures are still recommended as part of a complete security solution. For network security, these include appropriate network segmentation, access controls and regular backups, preferably offsite. For email security, include basic spam and antivirus filters.
For endpoint security, implement effective endpoint visibility that can help detect threats, enable analysts to determine the nature of a threat and take action. Organizations should also educate their employees about the latest ransomware campaigns and how to avoid them.
Cyber criminals are continually improving their tools and tactics; security solutions must provide real-time protection to prevent or interfere with the activation of ransomware. This includes actionable threat intelligence that’s updated as quickly as possible and continually looking for threats across all critical attack vectors.
Advanced detection and prevention supported by actionable threat intelligence is the best defense against ransomware and other advanced attacks. The FireEye solution defends against the growing and ever-changing ransomware threat. It provides real-time protection for multiple attack vectors to prevent or interfere with the activation of ransomware and protect you from financial losses and business disruption.
DQ: How can one prepare for expected UNC2452/SUNBURST copycat threat actors?
Shrikant Shitole: As organizations transitioned into the “new normal,” UNC2452, a suspected nation-state threat actor, conducted one of the most advanced cyber espionage campaigns in recent history.
On December 13, 2020, FireEye published a report which detailed a supply chain attack called SUNBURST, an implant in the SolarWinds Orion platform being used to compromise target environments. Mandiant has observed UNC2452 take advantage of areas in an environment that may be monitored less intensely than others, and remain within those areas as long as possible to reduce opportunities for detection.
The ability to tie specific indicators and methodologies to the Targeted Attack Lifecycle allowed Mandiant to apply a tiered approach to triage potential incidents. The UNC2452 campaign was extremely challenging to uncover and address. The attacker was sophisticated enough to implant SUNBURST in the widespread and broadly respected SolarWinds Orion platform.
While UNC2452’s knowledge of operational security was higher than most incident responders are likely to witness first-hand, it doesn’t change the mission: security professionals must work to guard against similar attacks from copycat threat actors. Well-designed environment monitoring practices and procedures, along with rigorous investigation methodologies, serve as consistent ways to shine a bright light on the actions of advanced attackers.
DQ: What are the other threat factors that one should look out for? Is there any protection?
Shrikant Shitole: We recently responded to multiple security incidents involving the exploitation of Pulse Secure VPN appliances. We examined a new zero-day vulnerability, multiple techniques for bypassing single and multifactor authentication, and malware that persists across upgrades and factory resets on Pulse Secure devices. These techniques are being used by at least two groups, including UNC2630 (a group with suspected ties to APT5). We have identified 12 families of malware specific to Pulse Secure appliances used in this campaign.
Three zero-day vulnerabilities have been discovered among SonicWall’s hosted and on-premises email security products.
Given that in at least one known case these vulnerabilities have been observed to be exploited ‘in the wild’, it’s imperative that SonicWall Email Security customers on Microsoft Windows Server immediately upgrade to the respective SonicWall Email Security version.