Watching Hackers Getting to Your Data
This week we unveiled the first public version of the Cyber Attack Training System (CATS), which we developed to help professionals understand how network attacks progress and how to detect them quickly. 35% of the participants, who represented a variety of industries across 16 countries, won the CATS Hacker Challenge by exfiltrating data as instructed. Many others participated but lacked the time or experience to reach the target data.
The Hacker Challenge simulated the network of a small healthcare company complete with a database of 10,000 fake patient records. We provided each registered participant with access to a compromised computer on the fabricated network, giving them a head start in the contest.
In real life, most attacks start with a compromised host or credentials. An attacker gains access to a user account through spear phishing, social engineering or the use of malware. Once the attacker has this crucial foothold, they begin to explore the unfamiliar network (reconnaissance) and work to gain additional points of control, eventually positioning themselves to access target assets (lateral movement). The process, meant to be conducted in complete stealth, usually takes weeks or months in a fair-sized network. In the case of the Hacker Challenge, we allotted 12 hours for the participants to pull off a data breach. The fastest completed the challenge in two hours, while others never completed it at all.
During the event, the LightCyber team was able to watch each attack unfold, step by step. With our Magna active breach detection platform silently operating in each attacker's environment, we could clearly see each activity and identify whether it was successful or not. With that visibility, we could easily have curtailed each attack and prevented anyone from reaching the data.
Many of the participants used port scanning in the early stages of reconnaissance. While this is typically difficult for most legacy security infrastructure to identify as anomalous and malicious, the Magna platform caught it handily. Once reconnaissance had identified the database server, some contestants attempted brute force attacks, which Magna also detected. Similarly, Magna saw a great deal of Remote Code Execution used to improve and advance each attacker's position. Once they finally found the file server and the script containing credentials to the database of patient records, most figured out how to compromise that database for full command-line access. A few used remote access and others used Metasploit, but both approaches worked in getting the patients' records.
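The two early-stage behaviours called out above, a port sweep from one host and a burst of failed logins against the database server, are the kind of patterns a network-level detector looks for. The following is an added example written for this post, not LightCyber's or Magna's code: it runs two simple sliding-window detectors over constructed connection and authentication logs. The log format, field names (src, dst, dport, user, result) and the thresholds (10 distinct ports in 60 seconds, 5 failures in 5 minutes) are assumptions chosen for illustration.

```python
"""Toy detectors for a reconnaissance port scan and a brute-force login burst.
Example code added to this post; the log layout and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real captures). Connection records:
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <outcome>"
SCAN_PORTS = [21, 22, 23, 25, 80, 135, 139, 443, 445, 1433, 3306, 3389]
CONNECTION_LOG = "\n".join(
    f"2016-02-10T09:00:{i + 1:02d} 10.0.5.23 10.0.1.10 {port} refused"
    for i, port in enumerate(SCAN_PORTS)  # one host sweeping 12 ports in 12 s
) + """
2016-02-10T09:00:05 10.0.5.40 10.0.1.10 443 accepted
2016-02-10T09:00:09 10.0.5.40 10.0.1.10 443 accepted
2016-02-10T09:00:30 10.0.5.40 10.0.1.10 80 accepted
"""

# Authentication records: "<ISO timestamp> <src_ip> <dst_ip> <user> <result>"
AUTH_LOG = "\n".join(
    f"2016-02-10T09:05:{5 * i:02d} 10.0.5.23 10.0.1.20 sa fail"
    for i in range(8)  # eight failures in 35 s, then one success
) + """
2016-02-10T09:05:40 10.0.5.23 10.0.1.20 sa success
2016-02-10T09:10:00 10.0.5.40 10.0.1.20 alice fail
2016-02-10T09:10:05 10.0.5.40 10.0.1.20 alice success
"""


def parse_log(text, fields):
    """Split a whitespace-delimited log into dicts keyed by `fields`.
    Malformed lines are skipped rather than allowed to crash the detector."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(fields):
            continue
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def detect_port_scans(records, window=timedelta(seconds=60), min_ports=10):
    """Return {(src, dst): distinct_ports} for every pair that touched at
    least `min_ports` distinct destination ports inside one `window`."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append((r["ts"], int(r["dport"])))
    alerts = {}
    for pair, events in by_pair.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            distinct = {port for _, port in events[start:end + 1]}
            if len(distinct) >= min_ports:
                alerts[pair] = max(alerts.get(pair, 0), len(distinct))
    return alerts


def detect_brute_force(records, window=timedelta(minutes=5), min_failures=5):
    """Return {(src, dst, user): {...}} for sources with at least
    `min_failures` failed logins inside one `window`; a success after the
    burst is flagged because it usually means a guess landed."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["src"], r["dst"], r["user"])].append((r["ts"], r["result"]))
    alerts = {}
    for key, events in by_key.items():
        events.sort()
        failures = [t for t, res in events if res == "fail"]
        start = 0
        for end in range(len(failures)):
            while failures[end] - failures[start] > window:
                start += 1
            count = end - start + 1
            if count >= min_failures and count > alerts.get(key, {}).get("failures", 0):
                after = any(res == "success" and t >= failures[end] for t, res in events)
                alerts[key] = {"failures": count, "success_after_burst": after}
    return alerts


if __name__ == "__main__":
    conns = parse_log(CONNECTION_LOG, ("ts", "src", "dst", "dport", "outcome"))
    auths = parse_log(AUTH_LOG, ("ts", "src", "dst", "user", "result"))
    print("port scans:", detect_port_scans(conns))
    print("brute force:", detect_brute_force(auths))
```

The benign host 10.0.5.40 touches only two ports and fails once before logging in, so it produces no alert; the scanning host trips both detectors, and the success-after-burst flag is the signal that turns a brute-force alert into a likely compromised account worth pursuing first.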
Nearly everyone who participated remarked that it was a great exercise and simulation. Even to seasoned professionals it was eye-opening to varying degrees. Had they had the same vantage point we had through the Magna platform, their experience would have been all the more remarkable. Magna gives organizations a critical advantage in detecting network attackers, whether they are external or internal rogue employees, contractors or vendors.
We are happy to announce that we are partnering with the leader in IT security education, the SANS Institute, to provide a full debrief on the attack methods used by participants and to recap the events of this attack simulation. Please join us and John Pescatore of the SANS Institute for a webinar reviewing the mechanics of active attacks and how to spot the various activities quickly and accurately. We will recount other observations from the Hacker Challenge and provide further insights. To register for this webinar, please click here.