The last few months have been dense in cyber news, with ransomware attacks and revelations of espionage cases.
Let’s use these increasingly frequent news stories to revisit how an attack unfolds, whether directly or through the outsourcing chain, and to recall good practices for securing your systems.
During an espionage attempt on a targeted network, the usual attack chain (“kill chain”) is composed of several steps:
- Everything starts with an initial compromise through vulnerabilities exploited in exposed services, followed by confirmation of access and elevation of privileges. The attacker is then able to move laterally across the network, from asset to asset, and ultimately to exfiltrate and/or encrypt the data.
- Your cybersecurity solutions, such as those in the TEHTRIS XDR Platform, detect the binary at runtime.
- They analyze it to identify whether it is a known or unknown threat and stop it at the first sign of trouble. The various modules also detect suspicious behavior, such as privilege escalation or lateral movement.
- The attacker is thus stopped before the malicious payload is set up. The action is halted immediately, before obfuscation and persistence techniques can be used to modify the production chain.
Why focus on the supply chain?
Supply Chain is the term used to describe the flows between subcontracted service providers and large companies. Subcontractors manufacture components or provide services used by end customers in various sectors of activity (industry, transport, retail, finance, etc.). These customers often receive just-in-time components and results, in order to avoid tied-up inventory and optimize their working capital requirements. Supply Chain experts usually work with high-tech companies with unique know-how.
In large-scale espionage operations, attackers take up positions on service providers’ networks in order to retrieve data or even access their customers’ networks.
Even when a large company’s information system is properly managed, some of the partners it outsources to prove to be a prime target for attackers. A successful and stealthy penetration within this chain offers attackers the opportunity to pivot to the parent company via intermediate subcontractors. The espionage is done remotely and exploits vulnerabilities in these supposedly trusted partners, where security rules and monitoring may sometimes be less operational.
How does TEHTRIS remedy cyber espionage attacks through the supply chain?
The fight against espionage is in the DNA of TEHTRIS. It is a permanent fight, and it is our commitment to bring you the best weapons to defend yourself.
TEHTRIS has already intervened many times with companies that were victims of large-scale espionage cases, and in particular defended a large French company, present on an international scale, that was a victim of espionage through its supply chain. Although the group was not protected by our solutions at the time of the attack, we were able to deploy the TEHTRIS XDR Platform within the infrastructure in record time in order to best combat the threats targeting the organization.
Data fed back to the unified console allowed us to locate the attackers in the estate via third-party IoC lookups and to learn more about the techniques they used. We were also able to quickly estimate the damage done, including Active Directory compromise and data theft. Once this information had been gathered, TEHTRIS EDR expelled the attacker from the network, working together with the company and the parties involved. The mission to save the organization’s infrastructure while significantly limiting the damage from the attack was thus successful.
What recommendations should be made?
The basic principles to be applied in a general way are the following:
- Securely administer information systems
- Monitor the vulnerabilities that can affect the information systems, so that they are kept in a secure state (MCS) through security updates
- Implement a security supervision capability
- Carry out an inventory of interconnections with your customers and partners and ensure they are supervised
- For service providers, set up a partition between the different customers
- For large entities using service providers, apply the principle of least privilege for access granted to providers (accounts, interconnections, approvals).
If you suspect that your organization, a client or a service provider may be affected, it is first critical to use known indicators of compromise and user activity logs to track lateral movement and determine whether or not the organization is truly affected.
Next, we recommend that you contact your security vendor to quickly learn about suggested updates and analysis workflows. A qualified incident response organization, such as TEHTRIS, can be engaged at the first sign of compromise.
You will also need to refresh or clean up your IT estate so that the hosts and credentials on it are secure. Afterwards, we recommend that you engage in more active monitoring of your networks for potential anomalies.
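As an added illustration of the first step above (this is example code, not TEHTRIS tooling), the following Python runs three simple checks over a constructed logon log: source addresses against a placeholder IoC list, provider accounts against the host scope granted to them (the least-privilege principle from the recommendations), and accounts fanning out to many hosts within a short window, the pattern lateral movement leaves in authentication logs. All accounts, addresses, hosts and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon log (not real data): timestamp, account, source address, target host.
SAMPLE_LOG = """\
2024-03-01T08:00:10 user=svc-vendor src=10.20.0.5 dst=hr-fileshare01
2024-03-01T08:00:42 user=svc-vendor src=10.20.0.5 dst=hr-fileshare02
2024-03-01T08:01:05 user=svc-vendor src=10.20.0.5 dst=dc01
2024-03-01T08:01:30 user=svc-vendor src=10.20.0.5 dst=finance-db01
2024-03-01T09:15:00 user=alice src=10.10.1.7 dst=hr-fileshare01
2024-03-01T09:40:00 user=bob src=203.0.113.9 dst=vpn-gw
"""
# Placeholder indicator list (documentation-range address, not a real IoC).
IOC_SOURCES = {"203.0.113.9"}
# Hosts each provider account is allowed to reach (constructed least-privilege scope).
PROVIDER_SCOPE = {"svc-vendor": {"hr-fileshare01", "hr-fileshare02"}}
LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)")

def parse_log(text):
    """Parse log lines into dicts with a datetime timestamp; malformed lines are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events

def ioc_hits(events, iocs=IOC_SOURCES):
    """Logons whose source address matches a known indicator of compromise."""
    return [e for e in events if e["src"] in iocs]

def out_of_scope(events, scope=PROVIDER_SCOPE):
    """Provider accounts reaching hosts outside the scope granted to them."""
    return [e for e in events if e["user"] in scope and e["dst"] not in scope[e["user"]]]

def lateral_fanout(events, max_hosts=2, window=timedelta(minutes=5)):
    """Accounts reaching more than max_hosts distinct hosts within any sliding window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            hosts = {e["dst"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) > max_hosts:
                flagged[user] = max(len(hosts), flagged.get(user, 0))
    return flagged
```

Running the three checks on `parse_log(SAMPLE_LOG)` flags the logon from the IoC address, the two provider logons outside the granted scope, and the provider account reaching four hosts in under two minutes.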
It is important to have a supply chain risk management function in place if possible; at a minimum, have a documented list of critical suppliers and vendors in case a breach is reported.
In the event of a cybersecurity crisis involving espionage, the priority is to deploy a solution such as an EDR combined with an EPP across your fleet. The objective is to obtain global visibility over your information system in order to detect, analyze and respond to threats by eliminating them. At the same time, our experts strongly recommend that you install a solution such as a SIEM to gain broader visibility over your peripheral devices (VPN, etc.). Finally, we recommend solutions such as a DNS Firewall to detect possible persistent contacts with the attackers’ “command and control” servers, or our Deceptive Response, which installs honeypots to deceive the attackers.
TEHTRIS, expert in cyber security, fights against cyber espionage.
At TEHTRIS, our experts work daily to analyze the health of our customers’ information systems. Our technologies are deployed throughout an entire organization and allow us to detect, analyze and neutralize a threat in a matter of seconds.
As soon as the perimeter is covered by our solutions, the organization is protected, from the service provider to the large international group, whether it is private or public. For several years, our solutions have been detecting stealthy, malware-free cyber espionage operations.
We regularly perform penetration tests on our technologies, on all integrations and perform audits to guarantee our customers the best possible protection.