Why monitoring monitors is the key to cyber threat resilience

Discover cybersecurity’s overlooked but critical aspect: monitoring the monitors. Learn why it’s vital to protect against cyber threats by monitoring human and technical monitors, says Yotam Meitar, director of incident response at Sygnia.

While responding to one of the most sophisticated attacks we’ve encountered in recent years, our team was repeatedly impressed with the level of stealth and detection evasion achieved by the attacker. The attacker could exfiltrate tens of gigabytes of susceptible data without triggering any alerts or suspicion. Masterfully deleting logs and replicating the behavior of internal applications and company employees, the attacker was so effective at covering their tracks that they seemed to know the organization better than most of their security people. As our investigation progressed, we were able to prove the unthinkable – the entire attack was perpetrated by a malicious insider, leveraging their intimate knowledge of company systems to plan and execute a highly stealthy and sophisticated cyberattack. 

Organizations constantly invest resources and time in procuring and managing a comprehensive security stack to detect and prevent cyber incidents in their environments. Despite this investment, relatively little attention is given to monitoring a key risk factor attackers leverage during attacks – the monitors themselves, both technical and human. Many attacks leverage privileged IT or security systems to distribute malicious payloads and operate under the radar, evading the most common detections by hiding in the standard “noise” created by these tools. In addition, malicious insiders or external attackers compromising privileged credentials will often go undetected because their accounts are expected to perform “loud” activities regularly. While this growing problem has led to some of the most devastating attacks we’ve seen in recent years, it has a sensible solution – monitoring the monitors.

See More: How to Tackle Cybersecurity Threats

Monitoring the human monitors

The scenario described above, a malicious security insider, maybe the ultimate nightmare scenario for any CISO. Protecting organizations from the very people charged with their protection may seem daunting, made even less appealing by the relative rarity of such attacks. However, the potential damage a compromised or skilled IT insider can do is so great that it mandates serious attention.

In a major cyber incident targeting a cryptocurrency exchange, we discovered that attackers spent months establishing relationships with a senior IT person, gaining their trust, and eventually socially engineering them into installing “research software” on their company laptops. Once attackers had access to this highly privileged laptop, they could stealthily leverage the IT person’s privileged credentials to establish a foothold in the environment and create transactions transferring millions of dollars in cryptocurrencies from the company’s wallet. When anyone noticed the missing funds, it was too late to recover them.

Security organizations must adapt and monitor the monitors to address this significant risk. Security and IT employees may need high privileges to perform their jobs effectively. However, establishing individual activity baselines and alerting can often prevent such attacks. When creating and maintaining such detections, the following two key principles prove most effective:

Enforcing dual human control on access to the most critical assets

When IT or security employees require access to the most privileged accounts or sensitive data, this access should be made possible only with the approval of at least two privileged users, each with their own enforced multi-factor authentication. Such Privileged Access Management practices may not apply to all data access as they could significantly slow operations. Still, they should be selectively enforced on the most critical assets to protect them from compromise and enable the detection of suspicious or irregular activity by more than one person.

See More: How to Get Identity & Access Management (IAM) Right

Creating tailored alerts on privileged account activity

Generic detection and security solutions will often need help differentiating between legitimate administrative activity performed by privileged users and malicious activity performed by the same users. This often leads to limited monitoring or quick dismissal of alerts for these activities and creates a major visibility gap. To address this problem, organizations should create tailored alerts to each privileged user and account based on their standard activity baselines and ensure they are continuously monitored and updated by members of other teams. This process enables the continuous fine-tuning of such alerts and immediate detection of rogue activity leveraging compromised privileged accounts, leading to a swift and effective response.

Monitoring the technical monitors

In addition to monitoring human users for suspicious activity, organizations must monitor their security and IT stack. In recent years, attackers have become more adept at leveraging security and IT tools to execute malicious payloads, evade detection, and exfiltrate data. The notorious SolarWinds supply chain attack made it abundantly clear that the risk of an attacker compromising a privileged IT tool within the environment cannot be overstated. 

Leverage multiple visibility sources

By employing multiple data sources to gain visibility and establish alerting, organizations can detect tool tampering or compromise through additional tools. For example, while it would not be advisable from a cost or security perspective to install multiple EDRs on a single endpoint, an EDR agent can be complemented by a SIEM forwarder collecting OS event logs. Such a configuration enables the early detection of malicious activity targeting or originating from one of these tools, leveraging the additional visibility to quickly respond and prevent the attack from progressing.

Tailor tamper alerting to environment baselines

While sophisticated security and IT tool tampering may go undetected by the tools’ built-in detection capabilities, they can be detected by environment-specific tailored alerting. By creating alerts to identify deviations from standard network and execution activities performed by these tools, we can detect many of the more sophisticated attacks. As tools are typically managed consistently within a given environment, simple alerts identifying irregular peaks in communication volume, traffic targeting irregular hosts, and execution of rarely seen commands enable the rapid detection of potential tampering. These alerts must be continuously maintained and updated to ensure a low rate of false positives.

Perform periodic proactive threat hunting

Effective proactive threat hunting is the most apparent mitigation to monitoring and visibility gaps, which should detect what continuous monitoring misses. A crucial point that enables the detection of security and IT tool tampering is threat hunting begins where automation ends. Automated analyses are helpful and should be incorporated into standard monitoring. However, only manual comprehensive threat hunting designed to hunt for sophisticated attacks missed by existing alerts will have a real chance of identifying them. 

Research from Cybersecurity at MIT Sloan (CAMS) has shown that despite investments of time and money, 65% of board directors  believe their organizations are at risk of a material cyberattack within the next year. The continuous improvements made to security tools and protections of critical data are leading more attackers to search for novel solutions, leading to more security improvements. This adversarial cycle incentivizes targeting privileged credentials and security stacks as a quick and effective method of bypassing evolving defenses. As attacks targeting both human and technical monitors continue to rise, implementing robust mechanisms to combat them by monitoring the monitors is becoming more crucial than ever.  

To learn more about Sygnia’s Velocity MXDR click here.

If you were impacted by this attack or are seeking guidance on how to prevent similar attacks, please contact us at contact@sygnia.co or our 24-hour hotline +1-877-686-8680.