It should come as no surprise by now that attackers are doing their best ninja impressions when trying to monetize the data on your network, whether it be credit card data, intellectual property, health records, or something else entirely. The longer their presence remains unknown, the more reconnaissance they can perform and the more valuable data they can access. Rapid7's InsightIDR team is constantly looking to detect behaviors that expose someone taking the slow, methodical approach to expanding their reach within your network. I previously blogged about some of the lateral movement techniques, but here I want to cover two other examples: log deletion and rapid domain registrations, illustrated, as always, with 90's movies.
Log Deletion
The concept is simple: if you never want something you did to reach the Incident Response team in an organization, delete the system's logs that contain this information. You probably think that you know all possible movies this could draw to my mind: "Hackers" or "Sneakers" might make sense, but I think of the Keanu Reeves classic "Speed" (in which Keanu and Dennis Hopper simply play themselves). Remember how Keanu got everyone off the bus? Once he realized that Dennis had tapped into the bus's video feed to watch passengers, Keanu's team automagically looped the video feed for something like 90 seconds.
Well, log deletion is similar because it theoretically could keep an attacker's activity secret forever, unless InsightIDR is there to alert you when someone deletes event logs on any asset accessible by our endpoint monitor. Why doesn't this violate our "don't be noisy" motto? I have yet to hear a legitimate reason for deleting these logs, unless you consider "none of your business" or "penetration test" as legitimate reasons. You should be alerted every time this rare activity occurs.
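As an added illustration of the detection described above (example code written for this post, not InsightIDR's own logic), the following Python flags event-log clearing in a stream of forwarded Windows event records. The two Windows event IDs it keys on are real: 1102 is written to the Security log when that log is cleared, and 104 is written to the System log when a log is cleared, both from the provider Microsoft-Windows-Eventlog. The JSON record shape and the sample records themselves are constructed for the example; a forwarder's real field names will differ.

```python
"""Flag event-log clearing in a stream of Windows event records.

Added example, not InsightIDR's code. The record shape (field names) and
the sample records are constructed; only the event IDs and provider name
are real Windows values.
"""
import json
from dataclasses import dataclass

# Windows writes these when a log is cleared. The provider is part of the
# key on purpose: numeric event IDs are only meaningful per provider, so a
# 1102 from some other application must not trigger this rule.
LOG_CLEARED_EVENTS = {
    ("Microsoft-Windows-Eventlog", 1102): "Security log cleared",
    ("Microsoft-Windows-Eventlog", 104): "Event log cleared",
}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    channel: str
    reason: str


def parse_event(line):
    """One JSON object per line (constructed forwarder format)."""
    return json.loads(line)


def detect_log_clearing(lines):
    """Return one Alert per log-clearing event, with no suppression:
    as the post argues, this activity is rare enough to alert on every time."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        reason = LOG_CLEARED_EVENTS.get((ev.get("provider"), ev.get("event_id")))
        if reason is None:
            continue
        alerts.append(Alert(
            timestamp=ev["timestamp"],
            host=ev["host"],
            user=ev.get("user", "<unknown>"),
            channel=ev.get("channel", "<unknown>"),
            reason=reason,
        ))
    return alerts


# Constructed sample: a user clears Security and System on ws-017, then two
# unrelated records, one of which reuses ID 1102 under a different provider.
SAMPLE_EVENTS = r"""
{"timestamp": "2016-05-03T14:02:11Z", "host": "ws-017", "provider": "Microsoft-Windows-Eventlog", "event_id": 1102, "channel": "Security", "user": "CORP\\jdoe"}
{"timestamp": "2016-05-03T14:02:12Z", "host": "ws-017", "provider": "Microsoft-Windows-Eventlog", "event_id": 104, "channel": "System", "user": "CORP\\jdoe"}
{"timestamp": "2016-05-03T14:05:40Z", "host": "srv-fs01", "provider": "Microsoft-Windows-Security-Auditing", "event_id": 4624, "channel": "Security", "user": "CORP\\svc_backup"}
{"timestamp": "2016-05-03T14:06:01Z", "host": "srv-fs01", "provider": "Contoso-Backup", "event_id": 1102, "channel": "Application", "user": "CORP\\svc_backup"}
"""


def run_sample():
    return detect_log_clearing(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(f"{alert.timestamp} {alert.host} {alert.user}: {alert.reason} ({alert.channel})")
```

The rule deliberately has no allowlist: a clearing by a backup service account is as worth a ticket as one by an interactive user, and the host, user and channel in the alert are what an analyst needs to decide whether it was a penetration test or something else.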
Rapid Domain Registrations
This second technique is a bit more complex: in order to avoid triggering alerts you currently have in place around domain or URL blacklists, attackers use the ease of registering a new domain to their advantage. Basically, the attackers know that we are tracking the domains they use and adding to our blacklists on a daily basis (if not faster), so they just make up new ones to stay off the blacklists. For those die-hard Adam Sandler fans out there, this is similar to how the Fonz finally turned the tables against his evil protege: stop using the plays in the stolen playbook and make up a new one every time. Okay, it is the same in "Varsity Blues" and "Little Giants" (and, really, any sports movie): make up a new play whenever the game is of enough importance. Similarly, if really valuable data is being exfiltrated or a high value user is being spearphished, attackers simply register a new domain and only use it for that sole purpose to ensure it is unknown to blacklists.
Anyway, how does InsightIDR help? Thanks to the awesome Rapid7 Research team and their contributions to Project Sonar, we are constantly on top of domain registrations and will alert you when data is sent to newly registered ones. Is this a silver bullet? Of course not, but in combination with blacklists and other alerts, it makes it that much more challenging for the attackers to hide their activities... and we'll keep raising that bar, whether it is based on the experience of our research team, penetration testers, or elsewhere.
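To make the newly-registered-domain idea concrete, here is an added Python example (written for this post; not InsightIDR's or Project Sonar's code) that reads proxy log lines, maps each destination host to its registrable domain, looks up the domain's registration date, and alerts when a host has sent data to a domain registered within the last few days. The registration dates, the proxy log lines and the miniature suffix list are all constructed for the example; in a real deployment the dates would come from a registration or DNS dataset such as Project Sonar, and the suffix list would be the full Public Suffix List.

```python
"""Flag outbound traffic to recently registered domains.

Added example, not InsightIDR's or Project Sonar's code. Registration
dates, log lines and the suffix list below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Stand-in for the Public Suffix List: just enough to turn a hostname into
# its registrable domain (eTLD+1). A real deployment uses the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "co.uk"}


def registrable_domain(hostname):
    """'cdn.evil.co.uk' -> 'evil.co.uk'; names with no public suffix
    (intranet.local) return None so they are never looked up."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):          # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None


@dataclass(frozen=True)
class Alert:
    src_ip: str
    domain: str
    age_days: int
    bytes_out: int
    first_seen: str


def detect_new_domain_traffic(lines, registrations, max_age_days=7, min_bytes=0):
    """Aggregate bytes per (source, domain) so a slow trickle of small
    uploads is judged as a whole, then alert on domains no older than
    max_age_days at first contact. Returns (alerts, unknown_domains)."""
    totals = defaultdict(int)
    first_seen = {}
    unknown = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src_ip, host, bytes_out = line.split(",")
        domain = registrable_domain(host)
        if domain is None:
            continue                          # internal / non-public name
        if domain not in registrations:
            unknown.add(domain)               # no data: report, don't guess
            continue
        key = (src_ip, domain)
        totals[key] += int(bytes_out)
        first_seen.setdefault(key, ts)

    alerts = []
    for (src_ip, domain), total in totals.items():
        seen = first_seen[(src_ip, domain)]
        age = (date.fromisoformat(seen[:10]) - registrations[domain]).days
        # A negative age means the registration record postdates the
        # traffic, i.e. bad feed data, not a new domain; skip it.
        if 0 <= age <= max_age_days and total >= min_bytes:
            alerts.append(Alert(src_ip, domain, age, total, seen))
    alerts.sort(key=lambda a: a.first_seen)
    return alerts, sorted(unknown)


# Constructed registration feed (domain -> registration date).
REGISTRATION_DATES = {
    "acme-widgets.com": date(2004, 3, 12),
    "secure-doc-share.co.uk": date(2016, 4, 30),
    "invoice-portal-update.com": date(2016, 5, 2),
}

# Constructed proxy log: timestamp,src_ip,dest_host,bytes_out
SAMPLE_PROXY_LOG = """
# timestamp,src_ip,dest_host,bytes_out
2016-05-03T09:15:02Z,10.1.4.22,www.acme-widgets.com,1200
2016-05-03T09:16:10Z,10.1.4.22,cdn.secure-doc-share.co.uk,48000
2016-05-03T09:16:45Z,10.1.4.22,cdn.secure-doc-share.co.uk,52000
2016-05-03T09:20:00Z,10.1.4.31,intranet.local,900000
2016-05-03T09:21:13Z,10.1.4.31,invoice-portal-update.com,300
2016-05-03T09:25:00Z,10.1.4.31,unknown-thing.net,70000
"""


def run_sample(min_bytes=0):
    return detect_new_domain_traffic(SAMPLE_PROXY_LOG.splitlines(),
                                     REGISTRATION_DATES, min_bytes=min_bytes)


if __name__ == "__main__":
    alerts, unknown = run_sample()
    for a in alerts:
        print(f"{a.first_seen} {a.src_ip} -> {a.domain} (age {a.age_days}d, {a.bytes_out} bytes)")
    print("no registration data for:", unknown)
```

The two knobs are the detection trade-off the post describes: a short max_age_days keeps the alert rare, and min_bytes decides whether a single small request to a day-old domain (the spearphishing case) is worth a ticket on its own or only once a meaningful volume has gone out. Domains absent from the feed are reported separately rather than silently treated as old, since a missing record is exactly what a very fresh registration can look like.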
If you want to better detect and investigate stealthy attackers on your network, please start here and contact us as soon as possible.