Log and Load – post penetration detection

September 24, 2019 chris

Imagine discovering that you had been burgled 250 days ago. Unthinkable, right? Yet businesses across the world still take on average 250 days to identify a root admin breach, and with it the substantial damage to bottom line and brand that these professional hacks inflict.

Security gurus inform their audience that ‘it is not if but when’ you will be the target of malicious activity. At shows and seminars exhibitors paralyse attendees with fear before unveiling a mitigating solution, and yet despite years of technological development the average post-penetration detection period still hovers around 250 days.

Protection arrives in many forms, from DDoS proxies, through physical and virtual penetration tests, onward to version control, zero trust and good old virus checkers.
What brought the root admin problem home to me was the excellent service offered by Threat Status (https://www.threatstatus.com) and a demo of their Trillion digital risk monitoring platform, which illustrates data breach information sold on hacker forums or the dark web: combinations of potentially innocuous user IDs and passwords which could trigger detailed phishing events, or worse still.

In hacking terms, root admin access remains the holy grail. Once inside, the professional hacker attempts invisibility, utilising tools like Mimikatz (pass-the-hash abuse) and PowerShell. Privileges are escalated and credentials harvested, enabling the attacker to move laterally across the network undetected, building in persistence and the subsequent data breaches.

Real damage can occur within a 20-minute window, so what can be done to mitigate?

With each root/admin action come associated logs which, if correctly searched, can identify integrity indicator failure. But where do you start? Answer: blockchain.

Now I know what you are thinking. Currently blockchain is a battlefield of competing frameworks and associated services; why would anyone write their own code?

Well, at its core blockchain delivers immutability. So what if you take an abstraction layer that sits above the various frameworks and simply feed it data? Sure, you lose specialist options like smart contracts, but if all you need is to monitor changes, go with a simple solution.

If you utilise AWS managed Elasticsearch (ELK), then Pencil Data’s AWS Marketplace application with ELK plugins is ready to identify integrity indicator failures around user-selected logs. Pencil Data (https://chainkit.com/pencildata) takes the logs into a blockchain and verifies changes against defined criteria.

Outside of ELK, Pencil Data can be used to detect the illegal manipulation of centralised PowerShell scripts. In traditional systems the attacker needs to compromise only one device/element to successfully tamper with one or more scripts via their newly found administrator rights. If, however, the underlying framework is a blockchain onto which the various elements connect, attackers would need to compromise a distributed third-party service to avoid detection.
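The principle behind the two use cases above, as an added example that is not Pencil Data’s or Chainkit’s code: each log record is hashed together with the hash of the record before it, the final (tip) hash is anchored outside the host, and verification reports the first entry whose integrity indicator fails, whether a record was rewritten, removed from the middle, or truncated from the end. The sample records, field names and paths are constructed for the illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # prev-hash of the very first entry in the chain


def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash one log record together with the hash of the entry before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def build_chain(records: list) -> list:
    """Append each record to the chain; the last hash is the tip to anchor off-host."""
    chain, prev = [], GENESIS
    for rec in records:
        h = entry_hash(prev, rec)
        chain.append({"record": rec, "prev": prev, "hash": h})
        prev = h
    return chain


def tip(chain: list) -> str:
    return chain[-1]["hash"] if chain else GENESIS


def verify_chain(chain: list, anchored_tip: str) -> tuple:
    """Return (True, -1) if intact, else (False, index) of the first failing entry.
    anchored_tip is the tip hash written to the external ledger at build time."""
    prev = GENESIS
    for i, link in enumerate(chain):
        if link["prev"] != prev or entry_hash(prev, link["record"]) != link["hash"]:
            return False, i          # record rewritten or a predecessor removed
        prev = link["hash"]
    if prev != anchored_tip:         # entries appended or truncated at the end
        return False, len(chain)
    return True, -1


# Constructed sample: admin actions as a host might ship them to ELK.
SAMPLE_LOGS = [
    {"ts": "2019-09-24T10:00:01Z", "user": "svc_backup", "action": "logon", "host": "dc01"},
    {"ts": "2019-09-24T10:00:09Z", "user": "svc_backup", "action": "group_add", "group": "Domain Admins"},
    {"ts": "2019-09-24T10:00:15Z", "user": "svc_backup", "action": "script_modify", "path": "\\\\files\\scripts\\deploy.ps1"},
]


def demo_tamper() -> tuple:
    """Anchor the tip, then rewrite the group_add entry; verification flags index 1."""
    chain = build_chain(SAMPLE_LOGS)
    anchored = tip(chain)
    tampered = copy.deepcopy(chain)
    tampered[1]["record"]["group"] = "Backup Operators"   # hide the privilege escalation
    return verify_chain(chain, anchored), verify_chain(tampered, anchored)


if __name__ == "__main__":
    print(demo_tamper())   # ((True, -1), (False, 1))
```

Because the anchored tip lives outside the host, an attacker with local admin rights can rewrite the log or script store but cannot make the rewritten chain verify against it.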

Suddenly you have two simple, cost-effective services that can reduce those 250 days to potentially under 20 minutes!

