Blog | Jul 21, 2020

Gray War: Deterrence by Cyber Denial
Part Two

In part one of “Gray War” I looked at the threats posed by gray zones looking to destabilize our economy by attacking non-military targets such as small and medium businesses. I also introduced the Cold War notion of deterrence by denial. In part two, I will explore how our security operations teams identify these attacks and stop them before they become business disrupting.

In multiple instances, our security operations stood between our clients and the malicious intent of these gray zone actors. In one case, a law firm was targeted in retaliation for their representation of a client, deemed a dissident by their home nation. In another, a manufacturer in the 5G supply chain was infiltrated using remote access tools. It doesn’t take much of an imagination to link 5G to security concerns around vendors from suspicious “friendemy” countries.

In one case, a state court was targeted. This case is worth exploring to first highlight the risk, but then demonstrate how quick detection and response means the difference between minor infection and terminal metastasization.

In the first, eSentire Security Operations Center (SOC) received an alert from esENDPOINT that a computer on a client’s network was conducting suspicious activity. The computer belonged to a legal assistant at the state court system. They had received an email from an attacker posing as a student from a local university asking if they would be interested in participating in an interview for an assignment the student (attacker) was working on about the legal profession. The legal assistant agreed and the fake student (attacker) sent her a link to a document with the interview questions.

Embedded in that document was a malicious macro that installed malware on the victim’s laptop. Cyberattackers often leverage Microsoft Office macros as a means of installing malware undetected (often a few windows open and close before the user becomes concerned).

The victim downloaded the malicious document from Amazon storage via an encrypted HTTPS connection, providing no opportunity to sandbox it before the assistant triggered the macro on their machine.

What’s worse, and all too common, their anti-virus software failed to identify the malware as

malicious. The sophisticated attacker knew how to bypass all the usual prevention and detection mechanisms. Again, all too common.

In this case, the attacker knew that spawning the malware via a Command line in Microsoft Word would have triggered an alert by most endpoint defense products, so the malware was designed to inject itself into a legitimate Windows process to avoid detection. Total time from the victim’s click on the malicious hyperlink to the end of the initial infection activity was twelve minutes.

Approximately three hours after the initial infection, a flurry of follow-up activity was recorded by esENDPOINT. The attacker connected through the backdoor opened by the malware and was attempting to escalate network privileges through the compromised machine. Despite the attacker’s best attempt to cover their tracks, as soon as they used a PowerShell command in their attempt to gain admin privileges, eSentire’s proprietary and patented BlueSteel machine learning tool picked up on the suspicious activity and the SOC generated an alert via esENDPOINT.

While the eSentire SOC was investigating the initial attack, the attacker began lateral movement and compromised a second host on the network. Over the next two hours, the attacker continued lateral movement - infecting a third, fourth and fifth host. At that point, continued investigation by eSentire uncovered evidence of the lateral movement.

Using esENDPOINT, the SOC began isolating the compromised hosts. At the same time, the attacker continued spreading through the network and the chase was on. The SOC analysts caught up to the attacker at the seventh compromised host, isolating the host and terminating the attacker’s access to the network.

The attacker’s total dwell time on the network was approximately 7.5 hours, with lateral movement beyond the first infected device occuring five hours after initial compromise. Utilizing machine learning from BlueSteel that detected the malicious PowerShell command via esENDPOINT, eSentire was able to isolate the compromised hosts and stop the attacker in their tracks, before they achieved their objective. Read the full report.

Like my comparison of gray zone adversaries to the Cold War, Jacob Helberg made a similar comparison. He talked about employing the strategy of “deterrence by denial.” It’s a Cold War theory that stresses the criticality of using tactics to deter the enemy without escalating the threat, in order to avoid an all out war. He further stressed the need to understand how global events can affect your business, identify those that target you, understand their objectives, and build a strategy to prevent them from succeeding at your expense. They can be stopped. But it takes hands on keyboards to defend against their gray zone, sophisticated attacks.

In this gray war, you must be prepared to deter gray actors by denying them access to your assets and critical operations. Like NATO, you must be prepared to quickly respond to enemy state intrusions, and intercept and disrupt them before they cripple your business. We do this everyday to keep our customers safe from gray threats. We stand on guard for thee. So, ask yourself, David, are you prepared to deter a gray zone Goliath?

Mark Sangster

Mark Sangster

Vice President and Industry Security Strategist

Mark is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that legal firms integrate cybersecurity into their day-to-day operations.