Most security practitioners view compromise as an event in which a malicious actor successfully leverages an attack against a vulnerability. They are correct but only looking at one aspect of what a compromise is.
While the adversary must breach our defenses, it is just as crucial for them to maintain access once they do. They will not achieve their goals if an attack only gives them access but does not provide a persistent presence on our networks.
Breaking in provides a beachhead on the targeted network.
Long-term success requires other compromised systems, which will require the adversary to pivot from one system to another in our networks.
It is an infrequent occurrence where an adversary can achieve its overall objective without moving beyond the initially compromised system. If the target is our most critical intellectual properties, they must move deeper into the network with an eventual goal of gaining access to our internal databases and storage repositories.
Pivoting involves moving beyond the initially compromised system to another system and then another. Security practitioners refer to this movement as an internal compromise. It is a result of an attacker successfully leveraging vulnerabilities on one system after another.
Pivoting is also known as lateral movement. It enables the malicious actor to increase their scope of access to our systems. They will continue to target other systems until they achieve their overarching goal.
Persistent access will enable the insertion of code designed to provide command and control (C2). Breaking into a system is often called Stage 1. Unfortunately, it is often too easy for an adversary to achieve this. Stage 2 is usually where the adversary will experience the most significant challenge. Their success is entirely dependent on actions taken after the initial compromise. You might hear someone refer to these actions as “post-exploitation behaviors.”
Adversaries need our networks to achieve their goals. They will gain access to one system and then work to pivot to another and then another until reaching the data that they seek to exfiltrate from our organization. I mentioned earlier that they would rely on our network as much as we do and hope it becomes more evident to you why this is so as we continue our study.
Most of the network training offered today includes minimal discussions of security. Networks are the foundation of our operations and therefore must continue to be always available. In many organizations the operational capacity of a network trumps everything, including security. For this reason, it is common to find security baked in as an afterthought.
Fundamental to our security efforts is an updated network security diagram. Our teams should have the ability to detect any changes within their assigned operating environments at any given point in time. Unfortunately, most teams do not have this capability.
Historically, it has been the case that most organizations have been unable to maintain accurate network diagrams or asset inventories. Can you imagine any situation where it would be possible to successfully secure a network without a precise understanding of what should be allowed to operate in or connect to it?
Our adversaries hope to gain persistent access and hide their presence. They will use things like a rootkit to remain out of sight. Regardless, the one place that they cannot hide from us is on the network.
There is no way to hide on a network if we have visibility into its communications. The exception might be when an adversary successfully encrypts its communications. Encryption may hide the actual content but not the fact that unauthorized message traffic is occurring.