The first signs of hacker penetration into the network, or how to understand that you have been hacked

This year I again visited the Positive Hack Days cyber festival. And, as usual, I conducted many interviews on various topics in the field of cybersecurity. One of them was a conversation with Kirill Shipulin, head of network expertise for the PT NAD (PT Network Attack Discovery) product at Positive Technologies, about how to determine that a corporate network is under attack, how anomalies in user behavior are detected, and much more. Enjoy reading!

What might be the first signs of a hacker's presence on the network?

The network is the face of the company. By analyzing the network requests and network activity of a specific person, you can reconstruct his day almost completely. And if you watch him for a long time, you can understand his usual behavior on the network and make a so-called snapshot of his activity: what resources he usually accesses and what he does during working hours. When the user begins to behave chaotically, making requests that he has never made or accessing systems he has never visited, it is worth taking a closer look at whether a hacker has penetrated his computer in order to develop the attack further. A classic example is when an HR employee begins to access websites for programmers, download some tools and visit the internal resources of developers. Suspicious!

Am I right in understanding that there is some technology to determine whether a hacker is present in the network, whether he has gained some initial access, whether the network is hacked or not? What is this technology?

Within the large segment of traffic analysis systems, there are different classes of solutions, such as NGFW (next-generation firewall) or NTA (network traffic analysis). At the heart of most of them is DPI (Deep Packet Inspection) technology.

This technology looks something like this: there are application protocols, for example, those that we use to make web requests on the Internet. And in a local network, for example, computers communicate using other protocols: SMB, LDAP and DCERPC. Devices use them to request and receive information about the services they need and about the entire network. Remote control tools (TeamViewer, AnyDesk, etc.) have their own protocols, by which they can also be reliably identified.

How does this happen? First, they communicate over the network with a certain list of "their" servers with known IP addresses and domain names; this is their network infrastructure. The names of these domains are transmitted even within secure TLS connections, and they are visible in the accompanying DNS requests even before TeamViewer has established a connection. As you can see, we have enough detection methods, and such utilities, by the way, are used not only by remote employees but also by hackers for persistence. By the way, they have their own trends and fashions in tools, so some tools sooner or later become obsolete.
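Added example, not from the interview and not PT NAD code: the two signals just described, the server name inside the TLS ClientHello (SNI) and the name in the preceding DNS query, matched against a list of remote-control tool domains. The domain list (teamviewer.com, anydesk.com) and the host names and IP addresses in the sample traffic are the editor's assumptions; the ClientHello is constructed inline so the parser can be exercised offline.

```python
import struct
from typing import List, Optional, Tuple

# Editor's assumption (not from the interview): registrable domains used by the
# infrastructure of two remote-control tools. A real list is longer and maintained.
REMOTE_TOOL_DOMAINS = {
    "teamviewer.com": "TeamViewer",
    "anydesk.com": "AnyDesk",
}


def classify_domain(name: str) -> Optional[str]:
    """Return the tool whose infrastructure a name belongs to (exact match or any subdomain)."""
    name = name.rstrip(".").lower()
    for base, tool in REMOTE_TOOL_DOMAINS.items():
        if name == base or name.endswith("." + base):
            return tool
    return None


def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension (test input only)."""
    host = sni.encode("ascii")
    server_name_list = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
    sni_data = struct.pack("!H", len(server_name_list)) + server_name_list
    extensions = (
        struct.pack("!HH", 0x0017, 0)                           # extended_master_secret, empty: must be skipped
        + struct.pack("!HH", 0x0000, len(sni_data)) + sni_data  # server_name extension
    )
    body = (
        b"\x03\x03" + b"\x11" * 32                # client_version, random
        + b"\x00"                                 # empty session_id
        + struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite
        + b"\x01\x00"                             # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a TLS record and return the host_name from a ClientHello's SNI extension, or None."""
    if len(record) < 9 or record[0] != 0x16:          # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                   # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 34                                           # skip client_version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # compression_methods
    if len(body) < pos + 2:
        return None                                    # no extensions block at all
    end = min(pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0], len(body))
    pos += 2
    while pos + 4 <= end:                              # iterate extensions, skipping unknown ones
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != 0x0000 or len(edata) < 5:
            continue
        name_type = edata[2]                           # list_len(2), name_type(1), name_len(2), name
        name_len = struct.unpack("!H", edata[3:5])[0]
        if name_type != 0 or len(edata) < 5 + name_len:
            return None
        return edata[5:5 + name_len].decode("ascii", errors="replace")
    return None


def detect_remote_tools(dns_events: List[Tuple[str, str]],
                        tls_events: List[Tuple[str, bytes]]) -> List[Tuple[str, str, str, str]]:
    """Combine DNS query names and SNI values into (src_ip, tool, evidence, name) findings."""
    findings = []
    for src, qname in dns_events:
        tool = classify_domain(qname)
        if tool:
            findings.append((src, tool, "dns", qname))
    for src, record in tls_events:
        host = extract_sni(record)
        tool = classify_domain(host) if host else None
        if tool:
            findings.append((src, tool, "sni", host))
    return findings


# Constructed sample traffic (host names and addresses are made up for the example).
SAMPLE_DNS = [
    ("10.0.5.21", "client.teamviewer.com."),
    ("10.0.5.21", "intranet.corp.example."),
    ("10.0.7.9", "relay.net.anydesk.com."),
]
SAMPLE_TLS = [
    ("10.0.5.21", build_client_hello("client.teamviewer.com")),
    ("10.0.3.4", build_client_hello("www.example.com")),
]

if __name__ == "__main__":
    for src, tool, evidence, name in detect_remote_tools(SAMPLE_DNS, SAMPLE_TLS):
        print(f"{src}: {tool} infrastructure seen via {evidence}: {name}")
```

The SNI check only sees the first ClientHello of each connection, so in practice it is fed from a capture filter rather than from every packet; the DNS match catches the name earlier and also works when the TLS session is resumed without SNI, which is why both signals are kept.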

But here's what's also interesting: hackers usually use Linux systems for their work, and they attack Windows. And there, in Windows-based networks, there are a bunch of special network protocols that Microsoft has been developing for decades and that a hacker needs to be able to speak in order to carry out attacks. Are these complex protocols? Yes, but to make their lives easier, the Impacket framework was developed. It is now very popular for attacks on corporate networks, but because the Impacket library implements only the set of functions needed for hacker purposes, there are small differences in behavior and network artifacts by which a hacker can be detected on the network.

It comes down to something simple: a popular method of lateral movement (moving from computer to computer in the network) is to create services on hosts, for which the Impacket toolkit mentioned above has a script called Smbexec. This script creates a service on the attacked machine, which then executes a specific hacker command. But the default name this service is created with is "DUMMY". Such an artifact is extremely difficult to ignore when developing network security tools. Of course, this name can be changed, and advanced attackers do so, but overall it is a perfectly workable trick.

There are other artifacts, too. For example, instead of the name of the Windows command interpreter CMD.EXE, which is used by both hackers and regular users, Impacket uses its alias “%COMSPEC%” – and this is another clear sign of hacker activity related to the nuances of operating systems. And there are plenty of such nuances.
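Added example, not from the interview and not PT NAD code: a small hunt over service-installation records that flags the two Impacket artifacts described above, the default service name and the interpreter being referenced as %COMSPEC%. The record fields follow Windows System Event ID 7045 ("A service was installed in the system"), which logs the same service creation the network sensor sees over SVCCTL. The sample events, host names and command lines are constructed; "BTOBTO" (the SERVICE_NAME constant in upstream Impacket's smbexec.py) and the loopback UNC check are the editor's additions, not claims from the interview.

```python
import re
from typing import Dict, List, Tuple

# Service names treated as Impacket defaults. "DUMMY" is the name given in the interview;
# "BTOBTO" is the SERVICE_NAME constant in upstream Impacket's smbexec.py (editor's addition).
# Both are trivially renamed by an attacker, so the name is only one signal among several.
DEFAULT_SERVICE_NAMES = {"DUMMY", "BTOBTO"}

# The command interpreter referenced through the %COMSPEC% variable instead of as cmd.exe.
COMSPEC_RE = re.compile(r"%COMSPEC%", re.IGNORECASE)
# A UNC path to the loopback address inside the service command: smbexec redirects command
# output to a share reached via \\127.0.0.1 (editor's addition, not from the interview).
LOOPBACK_UNC_RE = re.compile(r"\\\\127\.0\.0\.1\\")


def score_service_install(event: Dict[str, str]) -> Tuple[int, List[str]]:
    """Score one service-installation record (fields named as in Event ID 7045)."""
    reasons: List[str] = []
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "")
    if name.upper() in DEFAULT_SERVICE_NAMES:
        reasons.append(f"default Impacket service name {name!r}")
    if COMSPEC_RE.search(path):
        reasons.append("interpreter invoked as %COMSPEC% instead of cmd.exe")
    if LOOPBACK_UNC_RE.search(path):
        reasons.append("command output redirected to an SMB share on 127.0.0.1")
    return len(reasons), reasons


def hunt_service_installs(events: List[Dict[str, str]]) -> List[Tuple[str, str, int, List[str]]]:
    """Return (host, service name, score, reasons) for every event with at least one artifact."""
    findings = []
    for ev in events:
        score, reasons = score_service_install(ev)
        if score:
            findings.append((ev.get("Host", "?"), ev.get("ServiceName", ""), score, reasons))
    return findings


# Constructed sample events in the shape of Event ID 7045; hosts and paths are made up.
SAMPLE_EVENTS = [
    {"Host": "ws-hr-12", "ServiceName": "VendorAgent",                # benign installer
     "ImagePath": r"C:\Program Files\Vendor\agent.exe /svc"},
    {"Host": "ws-hr-12", "ServiceName": "BTOBTO",                     # stock smbexec shape
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat"
                  r" & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"Host": "srv-files-01", "ServiceName": "WinUpdateSvc",           # renamed, but still %COMSPEC%
     "ImagePath": r"%COMSPEC% /Q /c whoami > C:\Windows\Temp\o.txt"},
    {"Host": "srv-files-01", "ServiceName": "DUMMY",                  # default name, ordinary binary
     "ImagePath": r"C:\Windows\Temp\svc.exe"},
]

if __name__ == "__main__":
    for host, name, score, reasons in hunt_service_installs(SAMPLE_EVENTS):
        print(f"{host} service {name!r} score {score}: " + "; ".join(reasons))
```

Scoring several weak artifacts separately is the point: an attacker who renames the service still trips the %COMSPEC% check, and one who rewrites the command line still trips the default name, so a detection that requires all of them at once is easier to evade than one that reports any of them.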

As I understand it, such attributes are easy to find? Are there other attack tools?

Yes, the listed artifacts are very easy to attribute to an attack. And as easy as they are to detect, they are also easy to hide. But with skill, attention, and the help of such seemingly small mistakes, you can determine the hacker's presence and the beginning of an attack.

In addition to this framework, there are, of course, other hacker utilities, such as various DNS tunnels (a technique that allows arbitrary traffic to be transmitted over the DNS protocol). There are also other anomalies that indicate the presence of an attacker: spikes in traffic volumes or an increase in the number of unusual requests. A simple example: some strange connection to a remote desktop at night from an accountant's computer. This is clearly not overtime work.

What other systems are there for finding anomalies in user behavior?

NTA systems do not just look for attack artifacts in traffic, but also record and store it in its entirety: meta-information, source, protocol fields, and the network requests themselves in "raw" form. Moreover, this data can be stored for a week or two, for as long as the client's storage allows or as long as regulation requires. Then, using this data, you can train mechanisms to detect abnormal behavior. Deviation from the norm is also one of the ways to detect a threat, and this technology has a name: Behavioral Anomaly Detection; it is based on machine learning (ML).

Thanks to all these systems, once an attacker is spotted, the security operator can investigate the entire chain of his actions from the beginning to the end. This allows one to understand what systems he has taken over, what compromised account he used, and what other actions he has taken. Thus, gradually, as the tangle of events unravels, the operator comes to understand how the hacker penetrated the network, when the attack began, how long it has been going on, and what to do in the end.
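Added example, not from the interview and not PT NAD code: the simplest form of the per-user baseline described above (the "snapshot" of usual destinations and working hours) and the deviation check that catches the two scenarios the interview gives, an accountant's night-time remote desktop connection and an HR user reaching developer resources. The flow records, user names, host names and ports are constructed; a real system learns from far more than ten days of traffic and uses tolerances rather than exact sets.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    when: datetime
    user: str
    dst: str
    port: int


class Profile(NamedTuple):
    destinations: Set[Tuple[str, int]]   # (host, port) pairs seen during the baseline window
    hours: Set[int]                      # hours of the day with any activity


def build_profiles(flows: Iterable[Flow]) -> Dict[str, Profile]:
    """Learn, per user, the destinations and hours of day seen in the baseline window."""
    profiles: Dict[str, Profile] = defaultdict(lambda: Profile(set(), set()))
    for f in flows:
        profiles[f.user].destinations.add((f.dst, f.port))
        profiles[f.user].hours.add(f.when.hour)
    return dict(profiles)


def score_flow(profiles: Dict[str, Profile], flow: Flow) -> List[str]:
    """Return the reasons a single flow deviates from its user's profile (empty if none)."""
    prof = profiles.get(flow.user)
    if prof is None:
        return ["user has no baseline at all"]
    reasons = []
    if (flow.dst, flow.port) not in prof.destinations:
        reasons.append(f"never-before-seen destination {flow.dst}:{flow.port}")
    if flow.when.hour not in prof.hours:
        reasons.append(f"activity at {flow.when:%H:%M}, outside the user's usual hours")
    if flow.port == 3389 and reasons:
        reasons.append("and it is a remote desktop (RDP) connection")
    return reasons


def find_anomalies(profiles: Dict[str, Profile],
                   flows: Iterable[Flow]) -> List[Tuple[str, str, int, List[str]]]:
    """Run every flow against the profiles and keep those with at least one reason."""
    out = []
    for f in flows:
        reasons = score_flow(profiles, f)
        if reasons:
            out.append((f.user, f.dst, f.port, reasons))
    return out


# Constructed baseline: ten working days of routine activity for two users.
BASELINE = [
    Flow(datetime(2024, 6, day, hour), user, dst, port)
    for day in range(3, 13)
    for user, dst, port, hour in (
        ("accountant", "erp.corp.example", 443, 9),
        ("accountant", "erp.corp.example", 443, 14),
        ("accountant", "fileserver.corp.example", 445, 11),
        ("hr_user", "hris.corp.example", 443, 10),
        ("hr_user", "mail.corp.example", 443, 16),
    )
]

# Constructed flows from the day under review.
NEW_FLOWS = [
    Flow(datetime(2024, 6, 14, 2, 13), "accountant", "fileserver.corp.example", 3389),  # RDP at night
    Flow(datetime(2024, 6, 14, 10, 5), "hr_user", "gitlab.corp.example", 443),         # HR on a dev resource
    Flow(datetime(2024, 6, 14, 9, 30), "accountant", "erp.corp.example", 443),         # routine
]

if __name__ == "__main__":
    for user, dst, port, reasons in find_anomalies(build_profiles(BASELINE), NEW_FLOWS):
        print(f"{user} -> {dst}:{port}: " + "; ".join(reasons))
```

The same stored flow data answers the investigation questions that follow a hit: once the accountant's 02:13 RDP session is flagged, filtering the baseline store by that destination and time window shows which account authenticated, where it came from, and what it touched next.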

How do defenders know what legitimate tools hackers are using?

In general, if we are not talking about secret APT groups with unique and unrepeatable tools, there is no problem understanding how hackers operate. Their techniques are also known to everyone; they remain unchanged. But not everyone can afford to make, let's say, exclusive tools: this requires spending time, money and specialist resources. And as I have already said, attackers need to give themselves away just once, and their entire super-toolkit is immediately revealed: there are many such examples.

In addition, companies that deal with cybersecurity publish their research, reports on groups and investigations. These documents contain important and necessary sections with technical details. And the communities of white-hat hackers themselves are quite open: they also publish their research and share materials. It turns out that to stay up to date with the latest news from the world of cyberattacks, you do not need to analyze the dark web or have access to some closed Telegram channels.

Am I right in thinking that solutions based on the right technologies find some kind of anomalous activity using a database? And the program itself determines which group the attack belongs to? Or is it still done by one of the specialists?

This is the job of threat intelligence and incident response specialists. They research malware and participate in investigations. And these specialists can already guess which group is behind a particular attack based on the analysis of malicious addresses and hacker tools.

As I understood from our conversation, a hacker can be identified thanks to the markers placed: these are like bells on strings that start ringing if they are touched. It is interesting now to understand how a hacker can identify these markers in order to try to hide his presence on the network from information security tools and cybersecurity specialists. Well, for this I will go look for a hacker who will explain to me how to do this.
