Peer to Peer Magazine

Fall 2014: Security Is Everyone's Business

The quarterly publication of the International Legal Technology Association



are doing) to hacktivists to hacking groups and nation-state Advanced Persistent Threat (APT) actors. As we move into a more connected world, with more resources connected to the Internet, the surface area for external attacks grows and grows. It is important to be able to understand an external attack so you know where it is coming from. You also need to know the potential skill level of the attacker so you can better respond to events and reduce the harm to your environment.

HOW AN ATTACK HAPPENS

Each type of attacker uses different methods to compromise an IT asset to perform actions or steal data. Be familiar with the different steps an attacker will take so you know where to better identify vulnerabilities and be proactive about remediating weaknesses before they are exploited.

• Reconnaissance: Reconnaissance is the set of actions an attacker takes to "case the joint." This information gathering can be done by reviewing your own website, social media platforms, databases such as Public Access to Court Electronic Records (PACER), database lookups, domain name system (DNS) records, and advanced tools to mine and correlate data.

• Scanning: Scanning techniques use networks and networking technology to identify connected IT assets. The most common form of scanning uses tools to probe TCP/IP networks to map computers, routers and servers, identify the devices' operating systems and discover open ports and services. Because this method relies on the way networks and the Internet work at the most basic level, it is also used by system administrators for monitoring. In fact, network scanning is built into many free and commercial network vulnerability assessment tools. Another scanning technique involves wardriving, which scans for wireless networks and captures information about the wireless signal strength, channel and security. This again can be used for good or evil purposes, depending on who is doing the scanning.

• Exploitation: Exploitation is an active attempt by an attacker to get a toehold in a system or network. This can come in the form of a phishing email, a USB flash drive or a compromised host with a known vulnerability. The attacker may even try multiple methods on multiple systems or people in an organization to increase the likelihood of successful exploitation.

• Maintaining a Presence: Attackers who get in want to stay in and remain unnoticed. After a successful initial exploitation, an attacker scans the environment for new targets, harvests credentials, escalates privileges and pivots to new systems to exploit. Attackers try to blend in with regular user activity to maintain a low profile. They may also go to great lengths to obscure their actions by deleting files and logs, or hide in plain sight by placing malware in common operating system directories with file names that look like operating system files.

• Exfiltration: In most common breaches, attackers are attempting to remove data from the environment. This is called exfiltration. Exfiltration can be done by insider threats with USB flash drives, cloud platforms such as webmail or cloud storage, or even something as simple as printing confidential documents and walking out the door. External threats continue to use methods such as outbound email services, file transfer protocol (FTP), keystroke logging and channeling of traffic through the common Web service Internet ports 80 and 443 (SSL). The use of port 443 is especially difficult to detect because the traffic is encrypted.

About the Author

Douglas Brush is the Director of the Information Security and Governance practice in the New York office of Kraft Kennedy. Douglas is an expert in digital forensics and cyber-investigations. He leads investigations into hacking, data breaches, trade secret theft, employee malfeasance and financial fraud. In addition to advising on compliance, Douglas assists clients with information technology security assessments, digital forensic investigations, and incident response programs. Contact him at

4 Tips for Successful Incident Response

Have a plan. Make sure your organization has a documented set of policies and procedures.

Stay calm. Adding further anxiety to a stressful situation impedes response efforts.

Document. Include everything done in the response effort. It's easy to forget key details for a report.

Use outside advisors. Seek outside counsel to maintain privilege. Contact your business insurance broker to see which costs can be absorbed by your policies.
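The Exfiltration step above notes that traffic tunneled out over port 443 is hard to detect because its content is encrypted. One defensive check that does not need the content is to look at flow metadata instead: the following added example (not from the article or its author) sums outbound versus inbound bytes per internal host and destination on ports 80 and 443 from a constructed flow-summary log and flags upload-heavy pairs; the log format, addresses and thresholds are assumptions.

```python
"""Flag upload-heavy sessions on ports 80/443 from a flow-summary log.

Encryption on 443 hides the payload, but direction and volume stay visible:
normal browsing downloads far more than it uploads, so a host that pushes a
large volume out on a web port is worth a look. The log is a constructed
firewall/flow summary, not any vendor's format."""
from collections import defaultdict

# Constructed sample log: timestamp src dst dport bytes_out bytes_in
SAMPLE_LOG = """\
2014-10-01T09:00:12 10.1.2.15 203.0.113.10 443 15200 480100
2014-10-01T09:03:40 10.1.2.15 203.0.113.10 443 12800 610000
2014-10-01T09:10:05 10.1.2.15 198.51.100.7 80 9000 230000
2014-10-01T22:14:51 10.1.2.15 192.0.2.200 443 48200000 31000
2014-10-01T22:20:03 10.1.2.15 192.0.2.200 443 51500000 29000
2014-10-01T10:02:11 10.1.2.33 203.0.113.10 443 20100 700200
"""

WEB_PORTS = {80, 443}

def parse_flows(text):
    """Parse whitespace-separated flow records into dicts."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, out_b, in_b = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                      "out": int(out_b), "in": int(in_b)})
    return flows

def find_upload_heavy(flows, min_out=10_000_000, ratio=10.0):
    """Sum bytes each way per (src, dst) on a web port and flag pairs where the
    client sent at least min_out bytes and more than `ratio` times what it
    received. Thresholds are assumptions; tune them to your own baseline."""
    totals = defaultdict(lambda: {"out": 0, "in": 0, "flows": 0})
    for f in flows:
        if f["dport"] in WEB_PORTS:
            t = totals[(f["src"], f["dst"])]
            t["out"] += f["out"]
            t["in"] += f["in"]
            t["flows"] += 1
    alerts = []
    for (src, dst), t in totals.items():
        if t["out"] >= min_out and t["out"] > ratio * max(t["in"], 1):
            alerts.append({"src": src, "dst": dst, "bytes_out": t["out"],
                           "bytes_in": t["in"], "flows": t["flows"]})
    return sorted(alerts, key=lambda a: -a["bytes_out"])

if __name__ == "__main__":
    for a in find_upload_heavy(parse_flows(SAMPLE_LOG)):
        print(f"{a['src']} -> {a['dst']}: {a['bytes_out']} B out, "
              f"{a['bytes_in']} B in over {a['flows']} flows")
```

On the sample data only the late-evening pair 10.1.2.15 -> 192.0.2.200 is flagged; the daytime browsing to the other destinations is download-heavy and stays quiet.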
