Five Things Every SOC Should Know About Today’s Hybrid Cyber Attackers

April 11, 2024
Jesse Kimbrel
Content Writer

I don’t know about you, but when I hear how today’s hybrid attackers (more on them in a minute) behave — my mind wanders straight over to the animal kingdom. Relentless tactics with room to run in a large domain. They are the honey badger. A snake bite or a few hundred bee stings might delay their attack for a moment, but they’ll find a way to take down the entire hive or wait until the venom wears off to satisfy their appetite.

Fortunately, you don’t have to tread too far into the Sub-Saharan region with me because we’ve been taking a close look at what cyber attackers actually do post compromise — how they move, what tactics they use to progress and what it takes to stop them once they’ve already gained access. Our published attack anatomies are an easy way to see what’s actually happening during a cyberattack — and they also keep me from discussing attack progressions without using images of grassland predators.

To stay the course, we recently took a close look at five hybrid attack examples in the eBook: A Breakdown of Emerging Attacker Methods to see how today’s attackers infiltrate, escalate privileges, move laterally and progress their attacks. You can use the attack details covered to get a good idea of what attackers are doing post compromise, as we’ve aligned their tactics to MITRE ATT&CK techniques, while also showing where each tactic can be detected and prioritized, with the opportunity to stop them earlier in the attack progression. For this blog, let’s jump into some of the key takeaways.

We empathize — defending against hybrid attacks is extremely difficult

First, let’s state what we mean by a hybrid attack.  

What is a hybrid attack?

The main factor is that enterprises are now hybrid, and attackers are using this to their advantage; as a result, all attacks are now hybrid attacks. You can read more about that concept from Vectra AI’s VP of Product, Mark Wojtasiak (aka Woj) in his recent post.

Some of the most common traits that make stopping hybrid attacks difficult are how they bypass prevention, compromise identities, elevate privileges and hide within them to move laterally across domains — often at high speed. In many cases, security tools are adding fuel to the fire. On average, SOC teams receive 4,484 alerts per day, and over two thirds (67%) of them are ignored, according to the 2023 State of Threat Detection report. As Mark puts it, it’s like trying to find “the needle” in a stack of needles.

Hybrid attacks are hard to find.

In fact, 97% of analysts from the same report said they worry about missing a relevant event because it’s buried in a flood of alerts. We’ve often referred to this as the “Spiral of More” — more attack surface, more exposure, more gaps, more blind spots driving more tools, more detections, more alerts and more false positives. The spiral creates an unmanageable volume of noise and work for SOC teams that hybrid attackers use to their advantage to hide, move laterally and progress their attacks. What does it matter how many detections or alerts you have if most of them can’t be addressed?

Hybrid attacks occur across multiple surfaces

Because environments are now hybrid, threat exposure exists everywhere you operate. Beyond just the data center, it may be your public cloud, SaaS, IaaS, PaaS, identity instances, endpoints, etc. that open ways for attackers to compromise. Each attack we highlighted in the eBook included multiple attack surfaces. For example, an attacker will be stopped trying to compromise an endpoint if you have EDR (endpoint detection and response), but that doesn’t mean they won’t try to honey badger their way in through a different route, or bypass endpoint protection altogether. It could be with stolen credentials, by gaining VPN access, maybe both or something entirely different — the key to stopping them will be how soon you are able to see them once they’re already inside.

Hybrid attacks are identity-based tactics

Similar to how each of the five evaluated attacks includes multiple attack surfaces, all five attacks also leveraged stolen admin credentials or passwords. Coincidentally, Google Cloud’s 2023 Threat Horizons Report found that “credential issues continue to be a consistent challenge, accounting for over 60% of compromise factors.” As we continue to learn more about identity-based attacks, the expanding hybrid enterprise is also impacting our ability as defenders to secure every identity. Even with MFA (multi-factor authentication), which is an effective way to help prevent unauthorized account access if a password has been compromised, attackers are finding other ways to expose identities — Scattered Spider being one that cracked this nut effectively. Regardless of how an identity is compromised, be it spear phishing or through newer AI-driven methods — stopping them will again come down to how soon identity compromise is detected and prioritized.

The diagram below shows a few different views of the documented cloud identity techniques. You can read more about this topic in Vectra AI’s recent Scattered Spider threat briefing blog.

Scattered Spider cloud techniques

Hybrid attackers hide to thrive post compromise

Woj, VP of Product at Vectra AI often says, “Security thinks in terms of individual attack surfaces, but attackers think one giant hybrid attack surface.” It’s been reported that 25% of all cyberattacks involve lateral movement. All that really means is that an attacker is moving throughout your hybrid environment. By that definition, the statistic is probably much higher than 25%. Most of the attacks we evaluate contain some form of lateral movement. In general, attackers figure out how to move from one attack surface to another, gain credentials to help blend in, live off the land or move where they can with whatever access they have so they can conduct recon and learn about the environment. Lateral movement is just one example, but the takeaway is that stopping hybrid attackers comes down to — you guessed it — the ability to detect, prioritize and stop them once they’re already inside regardless of where that is.  

Hybrid attacks can be stopped... early in their progression

We know why they’re hard to find, we know what they want to do (gain access, steal credentials, move laterally in order to progress and ultimately cause damage) and we know that adding more alerts to SOC analysts’ queues isn’t going to solve the problem — we already can’t address all the ones we have (who could forget the number 4,484?). Sometimes the tools we have make us feel confident that we’re covered, but that may not necessarily be true, given that 71% of SOC analysts admit that their organization may have been compromised and they don’t know about it yet. That doesn’t exactly scream confidence.

Interestingly though, if we take a look at the hybrid attack examples that have been broken down, you can see that while there are still detections alerting about various attacker methods — they are being prioritized so defenders have the right information to confidently respond with the right action at the right time. There’s a difference between having another detection and an attack signal that lets SOC defenders know how, when and where something is happening that needs urgent attention, time and talent.

For a deeper look into what hybrid attackers are doing, take a look at the free eBook or discover how to go beyond detections with an AI-driven attack signal.