Incident Response Actions are Systematically Reversed by Hackers to Maintain Persistence
Analysis of attacks on two cellular carriers has resulted in the identification of threat actions designed to undo mitigations taken by security teams mid-attack.
We’d like to think that the attacker’s only move in a game of cyberattack chess is “attack,” and that once you begin to mitigate their intrusion, lateral movement, modification of user accounts, etc., the threat actor just gives up and you win. But new analysis of several attacks by security vendor CrowdStrike shows that while your team is busy trying to undo everything attackers have done to facilitate their access, they are equally busy either reversing your actions or setting up additional means of entry, privilege, and access.
According to the analysis, CrowdStrike observed the following activity mid-attack when response actions weren’t being taken swiftly:
- Setup of additional VPN access
- Setup of multiple RMM tools
- Re-enabling of accounts disabled by security teams
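One way to catch the third behaviour in your own telemetry, as an added example that is not from the original article or from CrowdStrike’s analysis: it correlates Windows Security events 4725 (user account disabled) and 4722 (user account enabled) over constructed sample records and flags any re-enable of an account a responder disabled that was not performed by a responder. The responder account list, the record field names and the sample events are assumptions.

```python
from datetime import datetime

# Constructed sample events (not real telemetry). Minimal fields from the
# Windows Security log: 4725 = user account disabled, 4722 = user account enabled.
# "actor" is the subject who made the change, "account" is the target account.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:00", "id": 4725, "account": "svc-backup", "actor": "ir-analyst"},
    {"time": "2024-01-10T09:03:00", "id": 4725, "account": "jdoe",       "actor": "ir-analyst"},
    {"time": "2024-01-10T09:20:00", "id": 4722, "account": "svc-backup", "actor": "helpdesk01"},
    {"time": "2024-01-10T11:00:00", "id": 4722, "account": "jdoe",       "actor": "ir-analyst"},
    {"time": "2024-01-10T11:30:00", "id": 4722, "account": "jdoe",       "actor": "helpdesk01"},
    {"time": "2024-01-10T12:00:00", "id": 4725, "account": "svc-backup", "actor": "ir-analyst"},
    {"time": "2024-01-10T12:10:00", "id": 4722, "account": "svc-backup", "actor": "helpdesk01"},
]

# Assumed: the set of accounts the incident response team acts from.
RESPONDERS = {"ir-analyst"}


def find_reversed_disables(events, responders):
    """Return the 4722 events that undo a responder's account disable.

    An account enters "contained" state when a responder disables it (4725)
    and leaves it only when a responder enables it again (4722). Any 4722
    for a contained account by a non-responder is a reversal of the
    containment action and is returned as a finding.
    """
    contained = {}  # account -> time the responder disabled it
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        acct, actor = ev["account"], ev["actor"]
        if ev["id"] == 4725 and actor in responders:
            contained[acct] = ev["time"]
        elif ev["id"] == 4722 and acct in contained:
            if actor in responders:
                contained.pop(acct)  # sanctioned lift of the containment
            else:
                findings.append(ev)  # someone else re-enabled a contained account
    return findings


if __name__ == "__main__":
    for f in find_reversed_disables(SAMPLE_EVENTS, RESPONDERS):
        print(f"{f['time']} {f['account']} re-enabled by {f['actor']} while contained")
```

On the sample data this reports the two helpdesk01 re-enables of svc-backup and stays quiet about jdoe, whose containment a responder lifted first.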
It’s just like chess; you make a move and your adversary makes another.
There are two takeaways from this story:
- Response actions need to be swift; you need to cut off attacker access quickly and effectively
- Because the initial attack vectors were mostly social engineering designed to harvest credentials, Security Awareness Training for every user is needed to keep users vigilant whether they’re using email, the phone, or the Internet.