With Christmas around the corner, the shopping frenzy will begin as consumers find good deals and retailers increase their sales revenues, but they are not the only ones that benefit from the shopping craze, according to an expert.

Financial criminals are well aware that this is the best time of the year to steal credit cards and maximise their own earnings. Now is the most critical time for retailers and online businesses to be vigilant, said Lucas Zaichkowsky, enterprise defense architect, Resolution1 Security.

Although there are well-established phases of an attack in the data forensics and incident response world, a simplified version entails three: initial infiltration, lateral movement, and data exfiltration, he said.

Initial infiltration is the point of entry where an attacker gains unauthorised access to your network. Most legacy security investments attempt to prevent any and all systems from being compromised. Time has proven that preventative defenses amount to barriers with limitations.

Additionally, organisations can only secure what’s under their administrative control which makes things tough in an age of bring-ur-own-device (BYOD), remote workers, contractors, third party service providers, and connections to trusted partners.

Initial infiltration can be anything from a backdoor delivered by spear phishing to a web application exploit to compromised user credentials.

Lateral movement is what an attacker does once they have accomplished initial infiltration. If security today is failing miserably, this is the stage where it’s happening. Attackers perform reconnaissance inside the network. They steal passwords for users, administrators, and service accounts. They create their own accounts and access the network using VPN or another normal mode of access to blend in.

The attackers plant various backdoors on dozens or hundreds of systems to ensure persistent access. They snake their way to the data they’re after. Even in the most secure environments using two-factor authentication and tightly limited access, attackers will find overlooked paths, systems they can pivot from, and even modify network device configurations if they have to.

Meanwhile, companies secure and monitor servers housing sensitive data. They tend to forget that regular workstations and non-critical servers are a paradise for hackers to work from, avoiding detection. The data that attackers are after is accessible through means other than compromising specific servers.

There is always a data flow to and from servers with access mechanisms. Advanced attackers excel at uncovering and exploiting access to data flows. They often plant specialised software for RAM scraping, network sniffing, and keystroke recording. Other times, they modify production code to make copies of the data as it passes through.

Data exfiltration is what the attacker does to transport data from the point it’s being stolen from to a location outside the corporate environment.

Organisations can proactively hunt for attack into their networks with kill chain, intelligence and analytics, which are hot on the heels of Advanced Persistent Threats (APTs).

Kill chain analysis and attacking the kill chain are a part of intelligence-driven defense, popularised by Lockheed Martin. The kill chain is based on the core premise that attacks follow a lifecycle or sequence of progressive steps committed by the threat actor during an intrusion.

By cataloging and studying the tactics, techniques, and procedures of threat actors, you can effectively prioritise preventative defenses and detect an attack in progress. After all, attackers are human and predictable. They will reuse hacking tools and repeat what has worked for them in the past. Even personal habits such as naming conventions tend to get repeated.

In the case of targeted financial crimes, initial entry is usually accomplished by exploiting a web application or compromising the credentials of a vendor that has access into your environment. A firm can focus on those two points of entry for system hardening and access control while increasing additional monitoring mechanisms to be on the lookout for suspicious activity coming from those sources should they become compromised.

On gathering the threats, incident responders can analyse all these nasty binaries in a lab environment to identify key observable traits: what they look like in memory, network traffic patterns, endpoint changes, and logged activity.

Next, the data is taken and transformed into indicators of compromise, documented using standards like CybOX, Yara, or OpenIOC. Many endpoints are monitored, network traffic, log files and application data for matches against these indicators.

Follow the kill chain model by gathering intelligence on their attack methodology such as targeting domain controllers and servers where many users authenticate in order to harvest user credentials en masse. Attackers like to use scheduled tasks to execute commands against remote systems. They use well known staging directories like the Windows help folder and the root of Recycler.

During the process, the firm may identify places to harden its system and network configurations to slow an attacker down and frustrate them. Tripwires can be set up to detect attempted hacking activity that aligns with their methodology.

Whether its a retailer, online business or enterprise this holiday season, increasing proactive scans and hunts for suspicious activities will be the way to find an attack in progress, the expert concluded. - TradeArabia News Service