While data breaches, ransomware, and supply chain attacks saturate news articles, the risk of identity-based threats is also on the rise. Threat actors are exploiting a common denominator across the current backdrop of remote workforces, IoT, and a global shift towards cloud services – the sheer number of digital identities needed per user, per technology, per organization. Each new identity is another attack vector exploitable by a threat actor and exposes a larger attack surface for many organizations.
In recent news, US networking giant Cisco confirmed that it was breached by a threat actor through a successful identity-based attack on an employee. This blog post explores the lessons learned from this incident, the need for identity threat detection and response (ITDR), and how SentinelOne’s Singularity™ Identity could have prevented the Cisco breach.
In Cisco’s analysis detailing the May attack, a threat actor identified as an initial access broker to both UNC2447 and Lapsus$ cyber gangs and the Yanluowang ransomware group gained initial access to the network company’s VPN after successfully gaining control of an employee’s personal Google account.
Cisco stated that the threat group obtained legitimate employee credentials synced in the employee’s browser. The threat actor then executed a combination of voice phishing attacks and repeated MFA push notifications (a technique also known as MFA fatigue) to gain VPN access in the context of the targeted employee. The threat actor escalated their administrative privileges, planted a variety of hacking tools such as Cobalt Strike and Mimikatz, and added backdoor accounts for future persistence efforts.
Cisco noted that while the threat actor exfiltrated the contents of a Box folder and the employee’s authentication data from Active Directory, no ransomware was deployed and there was no business or customer impact in this particular event. Cisco’s article did, however, report that after the group was removed from the environment, they tried to establish email communications with company executives and attempted to regain access in the weeks following the initial breach, though all subsequent attempts were unsuccessful.
According to Cisco, it did not identify losses to any of its products, sensitive customer data, IP, or supply chain operations. Even so, this successful identity-based attack is worth discussing from an educational perspective.
This particular type of attack is growing in number, and businesses mobilizing their remote workforces on cloud services must be properly equipped to detect when attacks exploit, misuse, or exfiltrate digital identities. The COVID-19 pandemic especially highlighted many organizations’ lack of knowledge when it comes to their attack surface. For example:
Businesses began or accelerated their migration from on-premises to cloud to support more remote workers than they had ever planned for. Cloud environments are particularly susceptible to identity-based threats such as phishing, credential stuffing, and password spraying.
Smart devices continue to become enmeshed in professional workflows and processes. In the early stage of the pandemic, some businesses loosened their bring-your-own-device policies in an attempt to get back to normal operation levels. Businesses that lack proper internet of things (IoT) security inherit the risks of additional points of access for threat actors, weak password hygiene, unencrypted connections, and more.
It is clear that identity-based attacks are severe and require our attention as more human and non-human identities continue to increase. Identity Threat Detection and Response (ITDR) seeks to address this issue amongst the various threat vectors that make up the greater cybersecurity landscape. The Cisco breach discussed in this post shows the possible impact that a single failure in identity security could have, even on large-scale corporations with robust security measures.
What sets ITDR apart from other detection and response solutions (EPP, MDR, EDR, and NDR) is its ability to detect credential theft and privilege misuse on Active Directory and other vulnerable entitlements that may create avenues for attack. The primary benefits of ITDR solutions are gaining visibility into credential misuse, and exposing poorly managed access entitlements and privilege escalations from the endpoint through to Active Directory and, finally, the cloud environment.
Based on analysis shared by the networking company’s threat intelligence team, Cisco Talos, we break down the specific tactics used by the threat actor and how Singularity™ Identity could have thwarted both the initial access and the subsequent persistence mechanisms.
Step: Initial access to the Cisco VPN was achieved after successfully compromising a Cisco employee’s personal Google account.
Singularity™ Identity hides credential storage from unauthorized application access to stop credential theft early in the attack cycle.
Singularity™ Identity prevents unauthorized access by binding credentials to critical applications across the network.
Singularity™ Identity deploys deceptive domain accounts on endpoints. Threat actors attempting to steal valid domain accounts from endpoints will get redirected to the decoys for engagement.
Step: The threat actor bypassed multi-factor authentication (MFA) using a variety of techniques, including voice phishing (aka “vishing”) and MFA fatigue. They enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN.
Singularity™ Identity detects bypassing attempts and privilege escalation and alerts on multiple failed attempts to perform a privileged operation by the same user.
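The MFA fatigue pattern described in this step is detectable from identity provider logs alone: a burst of denied or unanswered push prompts for one user, followed shortly by an approval or a new device enrollment. The following is an added example, not SentinelOne or Cisco code, that runs that logic over constructed sample events; the CSV field layout, the user names, and the event names (mfa_push, mfa_device_enrolled) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IdP events (not real Cisco telemetry): time, user, event, outcome
SAMPLE_EVENTS = """
2022-05-24T09:00:05Z,jdoe,mfa_push,denied
2022-05-24T09:00:41Z,jdoe,mfa_push,timeout
2022-05-24T09:01:10Z,jdoe,mfa_push,denied
2022-05-24T09:01:52Z,jdoe,mfa_push,denied
2022-05-24T09:02:30Z,jdoe,mfa_push,approved
2022-05-24T09:03:02Z,jdoe,mfa_device_enrolled,success
2022-05-24T09:05:00Z,asmith,mfa_push,approved
2022-05-24T10:15:00Z,jdoe,mfa_push,approved
"""

def parse_events(text):
    """Parse the CSV lines into (timestamp, user, event, outcome) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, outcome = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, outcome))
    return events

def detect_mfa_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Flag each user with >= threshold rejected/unanswered pushes inside `window`,
    and record whether an approval or a new-device enrollment followed the burst."""
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        rejected = [e for e in evs if e[2] == "mfa_push" and e[3] in ("denied", "timeout")]
        for i in range(len(rejected)):
            burst = [e for e in rejected[i:] if e[0] - rejected[i][0] <= window]
            if len(burst) >= threshold:
                burst_end = burst[-1][0]
                # Look at what the user did in the window right after the burst
                after = [e for e in evs if burst_end < e[0] <= burst_end + window]
                alerts.append({
                    "user": user,
                    "rejected_pushes": len(burst),
                    "approved_after_burst": any(e[2] == "mfa_push" and e[3] == "approved" for e in after),
                    "device_enrolled_after_burst": any(e[2] == "mfa_device_enrolled" for e in after),
                })
                break  # one alert per user is enough for triage
    return alerts
```

An approval or enrollment right after a burst of denials is the highest-priority variant, because it means the prompt bombing worked.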
Step: Once in the system, the threat actor began to enumerate the Active Directory (AD) environment, using common built-in Windows utilities to identify the user and group membership configuration of the system, hostname, and the user account context under which they were operating.
Singularity™ Identity detects user account enumerations against Active Directory. This coverage also extends to the targeted Active Directory objects a threat actor may query to understand privileges and group memberships.
Step: The threat actor laterally moved into the Citrix environment, compromising a series of Citrix servers, and eventually obtained privileged access to domain controllers (DC). After obtaining access to the DCs, the threat actor dumped NTDS using the “ntdsutil.exe” command.
Singularity™ Identity detects credential dumping tools. Once identified, it injects deceptive credentials across the enterprise at the actual endpoints. These credentials are strategically cached for threat actors to discover, leading them to decoys for engagement.
Singularity™ Identity scans and reports the credentials exposed on the endpoints. It can also remediate such exposure to address the risks of theft.
Step: The threat actor leveraged machine accounts for privileged authentication and lateral movement across the environment, created an administrative user called “z” on the system using the built-in Windows “net.exe” commands, and executed additional utilities such as ADfind or secretsdump. Additionally, the threat actor was observed attempting to extract registry information, including the SAM database, on compromised Windows endpoints.
Singularity™ Identity prevents the discovery of AD objects using tools like ADfind and stops the dump of credentials from different credential stores.
Singularity™ Ranger AD detects suspicious service creation on DCs and reports abuse of system services or daemons to execute commands or programs.
Step: On some victim’s endpoints, the threat actor used MiniDump from Mimikatz to dump LSASS. They also leveraged the “wevtutil.exe” utility to identify and clear event logs generated on the system.
Singularity™ Ranger AD Assessor detects the modification of authentication mechanisms on a domain controller, thwarting threat actors that attempt to patch the authentication process to bypass the authentication mechanisms.
Step: The threat actor leveraged Remote Desktop Protocol (RDP) and Citrix by modifying the host-based firewall configurations to enable RDP access to systems. They installed additional remote access tools, including TeamViewer, LogMeIn, Cobalt Strike, PowerSploit, Mimikatz, and Impacket. They also added custom backdoor accounts and persistence mechanisms.
Singularity™ Hologram deploys decoys hosting production applications (e.g., SSH, VNC, and RDP servers).
Singularity™ Identity distributes deceptive keys and credentials to these decoy servers to lure attackers away from production systems, including RDP and other remote access tools.
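The steps above, from AD enumeration through the NTDS dump, the “z” account creation, event log clearing, and the firewall change for RDP, all leave process-creation telemetry that a SOC can match without any identity product at all. The following is an added example, not SentinelOne or Cisco Talos code, that runs a small rule set over constructed process-creation events; the host names, user names, command lines, and rule labels are assumptions, and the sample rows mirror the page’s steps rather than reproducing real Cisco telemetry.

```python
import re

# Constructed process-creation events (not Cisco Talos telemetry): host, user, image, command line
SAMPLE_PROCESSES = [
    ("ws01", "CORP\\jdoe", "whoami.exe", "whoami /all"),
    ("ws01", "CORP\\jdoe", "net.exe", 'net group "domain admins" /domain'),
    ("dc01", "CORP\\svc_backup", "ntdsutil.exe", 'ntdsutil.exe ifm "create full C:\\temp\\ntds" q q'),
    ("citrix02", "NT AUTHORITY\\SYSTEM", "net.exe", "net user z <redacted> /add"),
    ("citrix02", "NT AUTHORITY\\SYSTEM", "net.exe", "net localgroup administrators z /add"),
    ("ws01", "CORP\\jdoe", "wevtutil.exe", "wevtutil cl Security"),
    ("ws07", "CORP\\jdoe", "netsh.exe", 'netsh advfirewall firewall set rule group="remote desktop" new enable=yes'),
    ("ws01", "CORP\\jdoe", "notepad.exe", "notepad.exe C:\\Users\\jdoe\\notes.txt"),
]

# (label, regex on image name, regex on command line); each maps to a step in the Cisco timeline
RULES = [
    ("AD/account enumeration", r"^(whoami|net)\.exe$", r"(/all|group .*domain|user .*domain)"),
    ("NTDS.dit dump via ntdsutil", r"^ntdsutil\.exe$", r"\bifm\b"),
    ("Local admin account created", r"^net1?\.exe$", r"\buser\b .* /add"),
    ("Account added to administrators", r"^net1?\.exe$", r"localgroup administrators .* /add"),
    ("Event log cleared", r"^wevtutil\.exe$", r"\bcl\b"),
    ("Host firewall opened for RDP", r"^netsh\.exe$", r"advfirewall .*(remote desktop|3389).*enable=yes"),
]

def match_rules(events, rules=RULES):
    """Return one hit per (event, rule) pair whose image and command line both match."""
    hits = []
    for host, user, image, cmdline in events:
        for label, image_re, cmd_re in rules:
            if re.match(image_re, image, re.I) and re.search(cmd_re, cmdline, re.I):
                hits.append({"host": host, "user": user, "image": image, "rule": label})
    return hits

def summarize(hits):
    """Collapse hits per host so a responder sees which stages of the chain each host shows."""
    per_host = {}
    for h in hits:
        per_host.setdefault(h["host"], set()).add(h["rule"])
    return per_host

if __name__ == "__main__":
    for host, stages in summarize(match_rules(SAMPLE_PROCESSES)).items():
        print(host, sorted(stages))
```

Hosts that show several stages at once (ws01 here: enumeration plus log clearing) are the ones to isolate first, since log clearing on the same host signals that the actor is already cleaning up after themselves.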
Step: The threat actor dropped a series of payloads that take commands from a command and control (C2) server and execute them on the end system via the Windows Command Processor.
Singularity™ XDR agents detect dropped payloads using behavioral and static AI engines. Once detected, the connection is terminated, blocking the ability of an attacker to gain access to the remote system. SentinelOne autonomous agents would then remediate the entire chain of activities leading to remote execution attempts.
Step: The threat actor attempted to exfiltrate information from the environment. The data exfiltration during the attack included the contents of a Box folder on the compromised employee’s device and employee authentication data from Active Directory.
Singularity™ Identity DataCloak prevents unauthorized applications from reading and exfiltrating protected data and storage locations from endpoints.
The attack on Cisco discussed in this post shows that identity-based attacks are a leading threat vector used in data breaches. From the perspective of a threat actor, targeting identity and access management gaps through compromised credentials is the quickest path to reaching a target’s resources and critical data. Attackers are very aware that Active Directory is the crown jewel of a business, granting them the ability to exfiltrate sensitive information, install backdoors, alter security policies, and more.
With the rapid shift to remote working environments and the adoption of hybrid and cloud environments, identity has become the new perimeter, highlighting the importance of visibility. Businesses must be able to detect and respond effectively and protect all of their various digital identities through a comprehensive identity security solution. SentinelOne identifies Identity Threat Detection and Response (ITDR) as the missing link between holistic XDR and zero trust strategies in the mission to protect organizations from threats at every stage of the attack journey.
Leveraging our deep industry knowledge and experience fighting privilege escalation and lateral movement, SentinelOne delivers comprehensive identity security as part of Singularity™ XDR for autonomous protection, including:
Singularity™ Identity: End credential misuse through real-time infrastructure defense for Active Directory and deception-based endpoint protections. Singularity™ Identity defends Active Directory & Azure AD domain controllers and domain-joined assets from adversaries aiming to gain privilege and move covertly.
Singularity™ Ranger® Active Directory Assessor: Uncover vulnerabilities in Active Directory and Azure AD with a cloud-delivered, continuous identity assessment solution. Ranger® AD Assessor delivers prescriptive, actionable insight to reduce Active Directory and Azure AD attack surfaces, bringing them in line with security best practices.
Singularity™ Hologram: Lure network and insider threat actors into engaging and revealing themselves with network-based threat deception. Singularity™ Hologram decoys stand at the ready, waiting to be engaged by adversaries and insiders. The resulting telemetry supports investigations and contributes to adversary intelligence.
SentinelOne extends Singularity™ XDR capabilities to identity-based threats across endpoint, cloud workloads, IoT devices, mobile, and data wherever it resides, setting the standard for XDR and accelerating enterprise zero trust adoption. To learn more about SentinelOne’s identity and deception solutions, please request a demo.