Getty Images
How managed threat hunting helps bust malicious insiders
Managed threat hunting services can help take some of the pressure off security operations centres and help ensure potential breaches don’t escalate into something far worse. We explore one such case with a happy ending
Insider threats, defined as risk posed by people with access to a company’s physical or digital assets either acting maliciously or negligently, is a pervasive problem in the world of cyber security, and one that it is impossible to fully stamp out.
However, using a variety of techniques, it is possible to mitigate insider threats to some extent, as one unnamed EMEA-based consulting firm learned earlier in 2020, when through a combination of quick-thinking and collaboration with its technology suppliers, it successfully thwarted a cyber attack in real time, as it unfolded.
The incident took place back in March, and thanks to the support the target received from its supplier, Palo Alto Networks, and its Cortex XDR Managed Threat Hunting (MTH) service, was able to head off the malicious insider before they could do any lasting damage.
The firm concedes it could have easily become the next high-profile data breach victim and credits the help it received with keeping its name out of the news. So what is Cortex XDR? Bryan Lee, principal researcher at Palo Alto’s threat research arm, Unit 42, described it as an industry-first detection and response product that natively integrates endpoint, network and cloud data to stop sophisticated attacks.
It is used to detect attacks with “extreme accuracy”, backed by behavioural analytics and elements of machine learning. Lee said this can speed up investigations eightfold, while tight integration with enforcement points accelerates containment, enabling users to stop attacks before the damage is done.
“We recently announced Cortex XDR Managed Threat Hunting (MTH), a round-the-clock threat-hunting service powered by our internationally recognised Unit 42 threat research team. With Managed Threat Hunting, we can help our customers identify hidden attacks that would otherwise go undetected,” he explained.
“Our threat hunters use the unique data correlation and detection capabilities built natively into the Cortex XDR platform to help customers find the most advanced attacks. And like Cortex XDR, Managed Threat Hunting uniquely operates across integrated endpoint, network and cloud data for full visibility.”
Malicious activity
In this case, the insider attack was spotted by Alicia, one of the MTH team within Palo Alto, who was alerted to some of the telltale signs of malicious activity while investigating the client’s network. An expert in hunting and collecting threats, and reverse-engineering malware, Alicia’s core mission is to assist clients through offering context, explaining how attacks work, who is executing them, and why, all helping empower security operations centres (SOCs) to better defend their organisations.
Alicia first observed an employee apparently hacking their own laptop in order to obtain local admin credentials. This was done using a technique known as sticky keys, actually an accessibility feature built into Windows that can be launched with a specific key combination from the login screen.
“Although the technique is referred to as sticky keys, it is actually referring to exploiting the way certain versions of Windows will execute applications designed for accessibility features,” said Lee.
“In vulnerable versions of Windows, when these accessibility features are launched via a set of key combinations (shift five times for sticky keys, press ‘Windows+U’ for Windows Utility Manager, etc.), Windows will simply launch the associated application from a hardcoded path in a privileged state.
“The adversary exploiting this feature can simply replace the application binary with one of their choosing. As long as the filepath and filename are the specified ones for the shortcut key combination, Windows will execute it. This technique is fairly well-known as a way to recover Windows passwords and has been used by adversaries in the past.”
Lee added: “The combination of replacing one of the accessibility feature applications with something completely different, in addition to invoking the accessibility feature, should raise suspicion for any security specialist.”
Admin credentials
The endpoint agent logs within Cortex XDR signalled that by now the insider had already successfully given themselves local admin credentials and was continuing their attack. They first replaced the utilman.exe program on their machine with cmd.exe, the Windows command shell, which is what triggered the alert.
Alicia promptly notified the duty analyst at the customer’s SOC, who confirmed her analysis. The SOC analyst might have noticed this themselves eventually, but in this case had not, although this is not a reflection on their capabilities, said Lee.
“With the massive volume of network and endpoint activity that goes on in any organisation both due to automated, background behaviours as well as human driven behaviours, it can be extremely difficult to filter out the noise and look for the proverbial needle in the haystack,” he said.
“Using Cortex XDR, we are able to highlight these behaviours or combinations of behaviours to make sure they are prioritised and investigated further.”
Read more about insider threats
- Dealing with the human element in security is tough, but critical. This primer describes the types of insider threats and how to use a risk matrix to assess and rank them by importance.
- During these challenging times, organisations can't overlook the risk of insider threats as employees worry about layoffs, newly adopted remote working technology and more.
- Insider threat programmes may backfire if employees feel they are intrusive and violate privacy, Forrester Research warns. Making sure these programmes don't go too far should fall to HR.
Alicia then dug deeper into the Cortex XDR data and logs, and found that the employee had run commands to reset local admin passwords and list local user accounts that had previously logged into their laptop.
In the best-case scenario, the employee was only trying to level up their laptop to get their job done more easily, but more usually the enumeration of local accounts is a sign that someone is trying to gain access to other user accounts or even domain admin credentials.
User passwords could then be used to steal confidential information from users, while admin passwords could let the attacker shut the whole company network done with local admin rights.
Even so, the insider should not have been able to do this as a regular user – there are plentiful mechanisms within Windows to prevent such abuse, so Alicia kept digging into the logs to find more clues that might help the SOC analyst understand how the user had escalated their privileges.
She eventually found that they had physically attached a USB stick to their laptop, restarted the machine, launched a live Linux distribution from the stick, mounted the Windows partition, and then copied cmd.exe onto utilman.exe, overriding Windows security because Windows was not actually running.
They then restarted their system, removed the USB stick, booted back the Windows partition, pressed Windows+U on the login screen, and was faced with a blank command window running with elevated privileges, ready and waiting to execute their commands.
Preventative action
Armed with these insights, the SOC analyst was able to take quick, preventative action. They connected to the rogue laptop using the Cortex XDR Live Terminal, took it offline and disabled the employee’s accounts, before escalating to HR. What happened next can be reasonably inferred, and more importantly, the malicious actor was caught early enough in the attack that no lasting damage was done.
Besides managed services through third-party suppliers, there are a number of steps CISOs and their security teams can take to try to ensure that should they find themselves taking on a malicious insider they have an advantage. Begin by identifying and managing critical and sensitive assets, and implementing access management tools and policies, to ward off unauthorised access from within. Properly done, this can arrest an attacker’s progress before they even get started.
Security policies also need to be thoroughly documented and enforced. Sometimes, employees may become accidental insider threats if they don’t understand such policies. Take care to outline acceptable use of organisational assets, how privileged accounts are used, who owns intellectual property, and so on. These policies need to be justified to employees.
Finally, organisations can benefit from creating a response strategy for insider threats. While it’s not feasible to eliminate the possibility altogether, enabling security teams to swiftly respond to problems can help minimise damage to the business. One could also consider creating a working group across departments and functions for response management, or tasking dedicated personnel to take charge of insider incidents.