Chronicle of an Identity-Based Attack | Singularity™ Identity vs. Cisco Breach
While data breaches, ransomware, and supply chain attacks saturate news articles, the risk of identity-based threats is also on the rise. Threat actors are exploiting a common denominator across the current backdrop of remote workforces, IoT, and a global shift towards cloud services – the sheer number of digital identities needed per user, per technology, per organization. Each new identity is another attack vector exploitable by a threat actor and exposes a larger attack surface for many organizations.
In recent news, US networking giant Cisco confirmed that it was breached by a threat actor through a successful identity-based attack on an employee. This blog post explores the lessons learned from this incident, the need for identity threat detection and response (ITDR), and how SentinelOne’s Singularity Identity could have prevented the Cisco breach.
Breach Overview | What Happened at Cisco
In Cisco’s analysis detailing the May attack, a threat actor identified as an initial access broker to both UNC2447 and Lapsus$ cyber gangs and the Yanluowang ransomware group gained initial access to the network company’s VPN after successfully gaining control of an employee’s personal Google account.
Cisco stated that the threat group obtained legitimate employee credentials synced in the employee’s browser. The threat actor then combined sophisticated voice phishing with repeated MFA push notifications (a technique also known as MFA fatigue) to gain VPN access in the context of the targeted employee. Once inside, the threat actor escalated to administrative privileges, planted a variety of hacking tools such as Cobalt Strike and Mimikatz, and added backdoor accounts for future persistence efforts.
Cisco noted that while the threat actor exfiltrated the contents of a Box folder and the employee’s authentication data from Active Directory, no ransomware was deployed and there was no business or customer impact in this particular event. Cisco’s article did, however, report that after the group was removed from the environment, they tried to establish email communications with company executives and attempted to regain access in the weeks following the initial breach, though all subsequent attempts were unsuccessful.
Lessons Learned from the Cisco Breach
According to Cisco, it did not identify any losses to its products, sensitive customer data, IP, or supply chain operations. Even so, this successful identity-based attack is worth discussing from an educational perspective.
This particular type of attack is growing in number, and businesses mobilizing their remote workforces on cloud services must be properly equipped to detect when attacks exploit, misuse, or exfiltrate digital identities. The COVID-19 pandemic especially highlighted many organizations’ lack of knowledge when it comes to their attack surface. For example:
- Businesses began or accelerated their migration from on-premises to cloud to support more remote workers than they had ever planned for. Cloud environments are particularly susceptible to identity-based threats such as phishing, credential stuffing, and password spraying.
- Smart devices continue to become enmeshed in professional workflows and processes. In the early stage of the pandemic, some businesses loosened their bring-your-own-device policies in an attempt to get back to normal operation levels. Businesses that lack proper Internet of Things (IoT) security inherit the risk of more points of access for threat actors, weak password hygiene, unencrypted connections, and more.
It is clear that identity-based attacks are severe and require our attention as the number of human and non-human identities continues to grow. Identity Threat Detection and Response (ITDR) seeks to address this issue amongst the various threat vectors that make up the greater cybersecurity landscape. The Cisco breach discussed in this post shows the possible impact that a single failure in identity security could have, even on large-scale corporations with robust security measures.
What sets ITDR apart from other detection and response solutions (EPP, MDR, EDR, and NDR) is its ability to detect credential theft and privilege misuse on Active Directory and other vulnerable entitlements that may create avenues for attack. The primary benefits of ITDR solutions are gaining visibility to credential misuse, and exposing poorly managed access entitlements and privilege escalations from the endpoint through to Active Directory and, finally, the cloud environment.
Based on analysis shared by the networking company’s threat intelligence team, Cisco Talos, we break down the specific tactics used by the threat actor and how Singularity Identity could have thwarted both the initial access and the subsequent persistence mechanisms.
Solution:
- Singularity Identity hides credential storage from unauthorized application access to stop credential theft early in the attack cycle.
- Singularity Identity prevents unauthorized access by binding credentials to critical applications across the network.
- Singularity Identity deploys deceptive domain accounts on endpoints. Threat actors attempting to steal valid domain accounts from endpoints will get redirected to the decoys for engagement.
Solution:
- Singularity Identity detects bypassing attempts and privilege escalation and alerts on multiple failed attempts to perform a privileged operation by the same user.
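Two of the behaviours described on this page (the burst of MFA push notifications that preceded the VPN access in the breach narrative, and the alert on multiple failed privileged operations by the same user) can be expressed as the same detection primitive: a sliding-window count per user and event type. The Python below is an added example for illustration only; it is not SentinelOne code and says nothing about how Singularity Identity implements its detections. The event tuple format, the rule thresholds and windows, and the sample events are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Detection rules keyed by event type. Thresholds and windows are assumptions
# chosen for illustration, not values taken from any product or log source.
RULES = {
    "mfa_push": {
        "title": "Possible MFA push fatigue",
        "outcomes": {"denied", "timeout"},   # prompts the user did not approve
        "threshold": 5,
        "window_s": 600,
    },
    "priv_op": {
        "title": "Repeated failed privileged operations",
        "outcomes": {"failure"},
        "threshold": 3,
        "window_s": 300,
    },
}

# Constructed sample events (not real logs): (timestamp, user, event type, outcome)
SAMPLE_EVENTS = [
    ("2022-05-24T08:30:00", "jdoe", "mfa_push", "denied"),    # old: falls out of the window
    ("2022-05-24T09:00:05", "jdoe", "mfa_push", "denied"),
    ("2022-05-24T09:01:10", "jdoe", "mfa_push", "denied"),
    ("2022-05-24T09:02:30", "jdoe", "mfa_push", "denied"),
    ("2022-05-24T09:04:00", "jdoe", "mfa_push", "timeout"),
    ("2022-05-24T09:05:45", "jdoe", "mfa_push", "denied"),
    ("2022-05-24T09:07:20", "jdoe", "mfa_push", "denied"),
    ("2022-05-24T09:08:00", "jdoe", "mfa_push", "approved"),  # approval after the burst
    ("2022-05-24T09:10:00", "asmith", "mfa_push", "denied"),  # two prompts: normal noise
    ("2022-05-24T09:12:00", "asmith", "mfa_push", "approved"),
    ("2022-05-24T10:00:00", "svc_backup", "priv_op", "failure"),
    ("2022-05-24T10:00:30", "svc_backup", "priv_op", "failure"),
    ("2022-05-24T10:01:00", "svc_backup", "priv_op", "failure"),
    ("2022-05-24T10:01:30", "svc_backup", "priv_op", "success"),
]


def detect(events, rules=RULES):
    """Sliding-window counter per (user, event type). Returns a list of alert dicts.

    Each (user, event type) pair raises at most one alert; later matching events
    update its count and last_seen instead of re-alerting.
    """
    windows = defaultdict(deque)   # (user, event) -> timestamps still inside the window
    alerts = {}                    # (user, event) -> alert dict
    for ts_str, user, event, outcome in sorted(events, key=lambda e: e[0]):
        rule = rules.get(event)
        if rule is None:
            continue
        ts = datetime.fromisoformat(ts_str)
        key = (user, event)
        window = timedelta(seconds=rule["window_s"])

        # An approval shortly after a burst of unanswered prompts is the case to
        # page on: it is the point at which push fatigue has actually succeeded.
        if event == "mfa_push" and outcome == "approved":
            alert = alerts.get(key)
            if alert and ts - datetime.fromisoformat(alert["last_seen"]) <= window:
                alert["approved_after_burst"] = True
                alert["severity"] = "critical"
            continue

        if outcome not in rule["outcomes"]:
            continue
        q = windows[key]
        q.append(ts)
        while q and q[0] < ts - window:   # drop events older than the window
            q.popleft()

        if key in alerts:
            alerts[key]["count"] += 1
            alerts[key]["last_seen"] = ts_str
        elif len(q) >= rule["threshold"]:
            alerts[key] = {
                "user": user,
                "rule": rule["title"],
                "severity": "high",
                "first_seen": q[0].isoformat(),
                "last_seen": ts_str,
                "count": len(q),
                "approved_after_burst": False,
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block on the constructed events produces two alerts: one for jdoe, escalated to critical because an approval followed six unanswered prompts inside the window, and one for svc_backup after three failed privileged operations. The user with only two denied prompts raises nothing, and the 08:30 event shows the window being pruned rather than counted forever.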
Solution:
- Singularity Identity detects user account enumeration against Active Directory. It also covers any targeted Active Directory objects a threat actor may query to understand privileges and group memberships.
Solution:
- Singularity Identity detects credential dumping tools. Once identified, it injects deceptive credentials across the enterprise at the actual endpoints. These credentials are strategically cached for threat actors to discover, leading them to decoys for engagement.
- Singularity Identity scans and reports the credentials exposed on the endpoints. It can also remediate such exposure to address the risks of theft.
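The second bullet describes scanning endpoints for exposed credentials and reporting them. As an added illustration (not the product’s scanner, and not a description of how it works), the Python below walks a few constructed file contents, matches common plaintext-credential shapes, skips values that are only placeholders such as `${VAR}`, and reports each hit with the secret masked so the report itself does not become a second exposure. File names, sample contents and patterns are all assumptions made for the example.

```python
import re

# Credential shapes to look for: (kind, compiled regex, index of the secret group or None).
# These are illustrative patterns, not an exhaustive secret-scanning ruleset.
CREDENTIAL_PATTERNS = [
    ("password-like assignment",
     re.compile(r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*[\"']?([^\"'\s;,]+)"), 2),
    ("URL with embedded credentials",
     re.compile(r"(?i)\b[a-z][a-z0-9+.\-]*://[^\s:/@]+:([^\s@/]+)@"), 1),
    ("private key block",
     re.compile(r"-----BEGIN (?:[A-Z ]+)?PRIVATE KEY-----"), None),
]

# Values that are references to a secret store or environment, not secrets themselves.
PLACEHOLDER = re.compile(r"\$\{[^}]*\}|\$[A-Z_][A-Z0-9_]*|%[^%]*%|<[^>]*>")

# Constructed sample "files" (name -> content); none of these values are real.
SAMPLE_FILES = {
    "app.properties": "db.host=sql01\ndb.user=appsvc\ndb.password=Wint3r2022!\n",
    "deploy.sh": "#!/bin/sh\nexport TOKEN=${CI_TOKEN}\ncurl https://svc:hunter2@api.internal/v1\n",
    "id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXkt...\n-----END OPENSSH PRIVATE KEY-----\n",
    "README.md": "Set DB_PASSWORD via the secrets store, never in this file.\n",
}


def mask(secret):
    """Keep only a two-character prefix so a finding can be triaged without copying the secret."""
    return secret[:2] + "***"


def scan_text(name, text):
    """Return a list of findings for one file's content; at most one finding per line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern, group in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            secret = match.group(group) if group else None
            # A placeholder like ${CI_TOKEN} is correct practice, not an exposure.
            if secret is not None and PLACEHOLDER.fullmatch(secret):
                continue
            findings.append({
                "file": name,
                "line": lineno,
                "kind": kind,
                "masked": mask(secret) if secret else None,
            })
            break
    return findings


def scan_files(files):
    """Scan a mapping of file name -> content and return all findings."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```

On the constructed inputs the scanner reports three exposures (a property-file password, a URL with an embedded password, and a private key) and correctly ignores both the `${CI_TOKEN}` reference and the README sentence that merely mentions a password variable. In a real deployment the interesting design questions are which locations to walk (browser profiles and credential caches, as the breach shows, not just config files) and how to route findings to remediation rather than just a report.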
Solution:
- Singularity Identity prevents the discovery of AD objects using tools like ADfind and stops the dump of credentials from different credential stores.
- Singularity Ranger AD detects suspicious service creation on DCs and reports abuse of system services or daemons to execute commands or programs.
Solution:
- Singularity Ranger AD Assessor detects the modification of authentication mechanisms on a domain controller, thwarting threat actors that attempt to patch the authentication process to bypass the authentication mechanisms.
Solution:
- Singularity Hologram deploys decoys that host production applications (e.g., SSH, VNC, and RDP servers).
- Singularity Identity distributes deceptive keys and credentials to these decoy servers to lure attackers away from production systems, including RDP and other remote access tools.
Solution:
- Singularity XDR agents detect dropped payloads using behavioral and static AI engines. Once detected, the connection is terminated, blocking the attacker’s ability to gain access to the remote system. SentinelOne autonomous agents would then remediate the entire chain of activities leading to the remote execution attempt.
Solution:
- Singularity Identity DataCloak prevents unauthorized applications from reading and exfiltrating protected data and storage locations from endpoints.
Learn More About Singularity Identity
The attack on Cisco discussed in this post shows that identity-based attacks are a leading threat vector used in data breaches. From the perspective of a threat actor, targeting identity and access management gaps through compromised credentials is the quickest path to reaching a target’s resources and critical data. Attackers are very aware that Active Directory is the crown jewel of a business, granting them the ability to exfiltrate sensitive information, install backdoors, alter security policies, and more.
With the rapid shift to remote working environments and the adoption of hybrid and cloud environments, identity has become the new perimeter, highlighting the importance of visibility. Businesses must be able to detect and respond effectively and protect all of their various digital identities through a comprehensive identity security solution. SentinelOne identifies Identity Threat Detection and Response (ITDR) as the missing link between holistic XDR and zero trust strategies in the mission to protect organizations from threats at every stage of the attack journey.
Leveraging our deep industry knowledge and experience with fighting back privileged escalation and lateral movement, SentinelOne delivers comprehensive identity security as part of Singularity XDR for autonomous protection including:
- Singularity Identity: End credential misuse through real-time infrastructure defense for Active Directory and deception-based endpoint protections. Singularity Identity defends Active Directory & Azure AD domain controllers and domain-joined assets from adversaries aiming to gain privilege and move covertly.
- Singularity Ranger® Active Directory Assessor: Uncover vulnerabilities in Active Directory and Azure AD with a cloud-delivered, continuous identity assessment solution. Ranger® AD Assessor delivers prescriptive, actionable insight to reduce Active Directory and Azure AD attack surfaces, bringing them in line with security best practices.
- Singularity Hologram: Lure network and insider threat actors into engaging and revealing themselves with network-based threat deception. Singularity Hologram decoys stand at the ready, waiting to be engaged by adversaries and insiders. The resulting telemetry supports investigations and contributes to adversary intelligence.
SentinelOne extends Singularity XDR capabilities to identity-based threats across endpoint, cloud workloads, IoT devices, mobile, and data wherever it resides, setting the standard for XDR and accelerating enterprise zero trust adoption. To learn more about SentinelOne’s identity and deception solutions, please request a demo.