One Article Review

Source: ProofPoint
Identifier: 8456440
Publication date: 2024-02-28 06:00:52 (seen: 2024-02-28 14:07:31)
Title: Break the Attack Chain: Developing the Position to Detect Lateral Movement Attacks
Text:

In this three-part "Break the Attack Chain" blog series, we look at how threat actors compromise our defenses and move laterally within our networks to escalate privileges and prepare for their final endgame.

If one phrase could sum up the current state of the threat landscape, it is this: Threat actors don't break in. They log in.

Rather than spend time trying to circumnavigate or brute force their way through our defenses, today's cybercriminals set their sights firmly on our users. Or, to be more accurate, on their highly prized credentials and identities.

This remains true at almost every stage of the attack chain. Identities are not just an incredibly efficient way into our organizations; they also stand in the way of the most valuable and sensitive data. As a result, the cat-and-mouse game of cybersecurity is becoming increasingly like chess, with the traditional smash-and-grab approach making way for a more methodical M.O.

Cybercriminals are now adept at moving laterally through our networks, compromising additional users to escalate privileges and lay the necessary groundwork for the endgame.

While this more tactical gambit has the potential to do significant damage, it also gives security teams many more opportunities to spot and thwart attacks. If we understand the threat actor's playbook from the initial compromise to impact, we can follow suit and place protections along the length of the attack chain.

Understanding the opening repertoire

To continue our chess analogy, the more we understand our adversary's opening repertoire, the better equipped we are to counter it.

When it comes to lateral movement, we can be sure that the vast majority of threat actors will follow the line of least resistance. Why attempt to break through defenses and risk detection when it is much easier to search for credentials that are stored on the compromised endpoint?

This could be a search for password.txt files, stored Remote Desktop Protocol (RDP) credentials, and anything of value that could be sitting in the recycle bin. If it sounds scarily simple, that's because it is. This approach does not require admin privileges. It is unlikely to trigger any alarms. And, unfortunately, it's successful time and time again.

Proofpoint has found through our research that one in six endpoints contains an exploitable identity risk that allows threat actors to escalate privileges and move laterally using this data. (Learn more in our Analyzing Identity Risks report.)

When it comes to large-scale attacks, DCSync is also now the norm. Nation-states and many hacking groups use it. It is so ubiquitous that if it were a zero-day, security leaders would be crying out for a patch.

However, as there is general acceptance that Active Directory is so difficult to secure, there is also an acceptance that vulnerabilities like this will continue to exist.

In simple terms, a DCSync attack allows a threat actor to simulate the behavior of a domain controller and retrieve password data on privileged users from Active Directory. And, once again, it is incredibly easy to execute.

With a simple PowerShell command, threat actors can find users with the permissions they require. Add an off-the-shelf tool like Mimikatz into the mix, and within seconds, they can access every hash and every Active Directory privilege on the network.

Mastering our defense

With threat actors inside our organizations, it is too late for traditional perimeter protections. Instead, we must take steps to limit attackers' access to further privileges and encourage them to reveal their movements.

This starts with an assessment of our environment. Proofpoint Identity Threat Defense offers complete transparency, allowing security teams to see where they are most vulnerable.

With this information, we can shrink the potential attack surface by increasing protections around privileged users and cleaning up endpoints to make it harder for cybercriminals to access valuable identities.

With Proofpoin
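The DCSync technique described above works by asking Active Directory to replicate password data, and that request leaves a trace: a Windows Security Event 4662 in which the requesting account exercises the directory replication control-access rights. The detection below is an added illustration, not Proofpoint's code; the flattened event records, the account names and the domain-controller allow-list are constructed sample data, while the three replication-right GUIDs are the well-known Active Directory values that DCSync depends on.

```python
"""Flag DCSync-style replication requests (Security Event 4662) that come
from accounts which are not known domain controllers.  Added example; the
log format, accounts and DC allow-list are constructed for illustration."""
import re

# Well-known AD control-access rights that grant directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed allow-list: machine accounts of the legitimate domain controllers.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}

GUID_RE = re.compile(r"\{?([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})\}?", re.I)


def parse_event(line):
    """Parse a flattened 'Key=Value|Key=Value' record (constructed format)."""
    return dict(field.split("=", 1) for field in line.split("|"))


def dcsync_alerts(lines):
    """Return one alert per 4662 event where a non-DC account used a
    replication right; DC-to-DC replication is expected and is skipped."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        used = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        hits = sorted(REPLICATION_RIGHTS[g] for g in used & set(REPLICATION_RIGHTS))
        if not hits or ev.get("SubjectUserName", "").upper() in KNOWN_DC_ACCOUNTS:
            continue
        alerts.append({"account": ev["SubjectUserName"], "rights": hits,
                       "object": ev.get("ObjectName", "")})
    return alerts


# Constructed sample log: DC-to-DC replication (benign), a DCSync-style request
# from a compromised user account, and an unrelated 4662 with a made-up GUID.
SAMPLE_LOG = [
    "EventID=4662|SubjectUserName=DC02$|ObjectName=DC=corp,DC=example|Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662|SubjectUserName=jdoe|ObjectName=DC=corp,DC=example|Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662|SubjectUserName=jdoe|ObjectName=CN=Users,DC=corp,DC=example|Properties={deadbeef-0000-4000-8000-000000000001}",
]

if __name__ == "__main__":
    for a in dcsync_alerts(SAMPLE_LOG):
        print(f"ALERT: {a['account']} requested {', '.join(a['rights'])} on {a['object']}")
```

In a real deployment the allow-list should be derived from the Domain Controllers OU rather than hand-typed, and the alert should be enriched with the source host of the matching logon so that a DC account used from a workstation is not silently excused.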
Tags: Tool, Vulnerability, Threat