The First Blog in a Two-Blog Series on Persistent Binary Risks and Strategies.
By ‘getting your foot in the door’ you are getting a chance to do something more. It represents an opening, which is the first step on the path that can ultimately take you where you want to go. For cyber attackers, getting into the network is the first step to achieving their attack objectives. Once in, they can use other tactics to accomplish whatever it is they are trying to do.
If an attacker can establish a persistent foothold – a perennial foot in the door, so to speak – within your network, it greatly increases the risks to your organization and the likelihood they will succeed.
A persistent presence enables an attacker to operate in a target organization for a sustained period of time. A recent report by IBM found the average attack dwell time, from compromise to detection, in 2019 was 206 days, and the average lifecycle of a breach, from compromise to containment, was 314 days.
That gives an attacker plenty of time to operate in the network and figure out how best to succeed – if something doesn’t work, they can come back and start over. Ultimately, they can try again and again to reach their goal, which can be anything, from disrupting operations to stealing valuable IP and sensitive data. Damage related to cybercrime is projected to hit $6 trillion annually by 2021.
Given the payoff, attackers will do whatever they can to achieve persistence. Luckily for them, there are many different tactics they can use to bypass an organization’s defenses and establish a presence on a system, typically a server or endpoint, that will persist, even in the face of reboots, restarts, credential changes, etc.
MITRE ATT&CK® describes, “Techniques used for persistence include any access, action, or configuration changes that let [an attacker] maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.” MITRE lists 63 different known techniques attackers use to achieve persistence.
Interestingly, the majority of these techniques leverage a particular malicious binary to establish their foothold. Unfortunately, the sheer number of legitimate persistent binaries coupled with the wide variety of tactics attackers can use to compromise a system makes it nearly impossible to identify each and every persistent threat.
We developed this two blog series to help you determine how to spot persistent binaries and hone in on the ones that matter, so you can take steps to minimize the risks they pose to the privacy and integrity of your data and operations.
Before we can identify malicious binaries, we have to be able to detect persistent binaries in general. Persistent binaries don’t require any necessary user interaction – they are automatically launched when the system boots up. So, it follows that to detect a binary, we simply need to look for processes that launch right after the machine does, which can be implemented rather easily, as long as you have basic data processing capabilities.
This will allow you to catch every persistent binary because it works for:
Regardless of what you are using (EDR/HIDS/etc.), you likely have the visibility into your organization’s endpoints you need to identify the persistent binaries in your environment. Basically, you need to be able to identify:
The goal is to identify the specific boot time of a host and all the processes (by SHA-256) that were spawned in a 30 second time period after that boot time to detect all the binaries. Once detected, we can group the results together and analyze them to uncover the ones that are potentially malicious (which will be covered in the next blog).
For example, the image below shows the three steps we took, using SQL, to identify all persistent binaries and then hone in on the ones that are active on less than five hosts in our environment (which is a number we chose to represent a percentage of the hosts in our sample environment). We made the assumption that anything present on less than five hosts is anomalous and something we want to be aware of.
Input: Raw_event_table
Filter: Boot_time (event)
Output: Host_ID, Boot_time
Return_hash_in_boot_procedure:
Input: Raw_event_table , Host_ID, Boot_time
Filter: Process_creation_time > '30' from boot AND the total Amount of hosts with this persistent binary < 5
Output: host_ID, Hash256
After executing these queries, this is what the results looked like:
Even when we narrowed down the results to only those binaries present on less than five hosts, you can see there is a lot to go through. This list contains a number of legitimate auto run binaries and binaries that were quickly executed by users after boot, as well as malicious binaries.
The next blog will discuss how to separate the legitimate from the malicious. It will go into how to spot the interesting leads and how to accurately pinpoint the ones that matter, so you can take steps to get rid of those that have no business being in your network.
Stay tuned.