For many years, hackers and cybercriminals have used social engineering techniques to gain unauthorized access to confidential information. It is easy to predict that these attacks will continue to advance in sophistication and frequency. Whether they are using AI to create better lures or cyber criminals are just getting more adept at exploiting human nature, the success of these attacks proves the tactics are winning. For example, ransomware is booming, with 324,000 phishing attempts reported to the FBI in 2021.
2023 is also proving to be a successful year for cybercriminals. Recently, attacks against hospitality giants MGM Resorts and Caesars Entertainment successfully got the latter to pay upwards of $15M to regain access to their systems.
MGM formally announced on Wednesday, September 13, that a cyber incident “has significantly disrupted properties across the United States for the past three days,” but earlier reports indicate they started seeing issues on Sunday, the 10th. Caesars announced on Thursday, Sept. 14th, that they experienced a data breach on Sept. 7th. While cyber professionals are still piecing together the specifics, we know that threat actors known by different names, Scattered Spider / UNC3944 / Oktapus / Scatter Swine, utilized social engineering techniques to gain an initial foothold.
Social engineering attacks remain difficult to detect and defend against. Once successful, attackers have good credentials to use as insiders to the organization. Based on the information Mandiant shared, the attackers used social engineering techniques to gain an initial foothold. In the case of Caesars, it was confirmed that the bad actors called an IT Contractor pretending to be calling from Okta. Once given good credentials, the bad actors scanned their systems, found ways to elevate their privileges and completed a ransomware attack. While this attack didn't use a particularly novel technique, it reminds us of the importance of good training, hygiene, and the needed focus on security best practices.
Let's explore what organizations can do before and during an attack like this.
Ante-up before the attack
Prevention seems like the best option with sophisticated social engineering attacks. Maintaining your cybersecurity hygiene plus having an active disaster recovery/business continuity plan and accurate backups of your critical data can go a long way toward your recovery. An important aspect is your security awareness training for your users, admins, and helpdesk and having a plan to identify and combat social engineering attacks. But training alone is not enough, and organizations should adopt an “assume breach” mentality when threat modeling for these types of attacks.
In addition, there are other avenues available for organizations to cover should end-users fall victim to social engineering attacks:
- Review and monitor your firewall policies
Create a default deny outbound policy, explicitly allowing access to known and required destinations only on necessary ports. While this may not be possible for every system on your network, critical assets such as domain controllers or identity servers should have their traffic profiled with an appropriate firewall policy applied.
Create a default deny inbound policy, explicitly allow traffic inbound from the public IPs on the internet and only on the ports necessary (avoid all ports other than 443 if possible)
Configure firewall or proxy solutions to detect protocol abuse or DNS Tunneling
Configure network, micro or nano segmentation to minimize the blast radius
- Manage privileged user accounts and services
Create separate administrative accounts for individuals needing administrative rights to IAM or other critical infrastructure and systems
Remove administrative rights for all users on their workstations, use an endpoint privilege manager solution to elevate permissions for certain programs to run as “admin”
Enable user access control (UAC) for all administrative actions
Passwords vaults need to be treated as “Tier 0” assets - monitor who logs into these systems and what actions are performed
Systems that contain agents that provide hybrid identity/functionality ( Entra ID Connect / Okta Connect, etc.) should also be treated as “Tier 0” assets - only authorized administrators should be logging into these systems
- Conduct regular security hygiene
Defense against credential theft malware requires that customers audit their networks for where credentials are stored – file shares, cloud information repositories and other areas in networks contain sensitive credentials, the Sumo Logic Threat Labs team has covered defenses against these types of attacks in depth for both Windows and Linux operating systems
Monitor for installation of remote management tools like AnyDesk - command lines are a very valuable data source in this regard.
The threat actor has been known to deploy cloud resources - “basic” monitoring, such as when a new Azure Virtual Machine is deployed, is valuable here
- Perform active monitoring
Threat actors have been observed deploying drivers to vulnerable systems to circumvent security controls - Cloud SIEM provides UEBA functionality to monitor for “First Seen” driver installation/loads
Anomaly detection can also be applied to authentication scenarios, looking for odd or abnormal authentication patterns, such as user authenticating to a system from a new geolocation since an established baseline period
Monitor for changes in multi-factor authentication methods, correlate these changes back to their respective service desk tickets and if possible, create automations that confirm these sensitive actions with the user that performed the action, particularly for users with administrative access to identity systems
- Employ additional tactics
Practice tabletop authentication scenarios and flows to identify which systems handle what portion of the authentication flow, particularly in hybrid environments
Require photo ID and/or live video verification for all high-risk transactions and compare evidence against your trusted internal HR or badge systems.
The four cards played in any cyberattack
Even though I come with a bias, I truly believe the center of your SOC is your security information and event management (SIEM) solution. While many organizations can have over seventy security tools, your SIEM pulls your security posture together. Use this lens to give your security teams the focus they need during an attack.
System and user behavior analysis is a cornerstone to recognizing adversarial actions on endpoints and networks that are not known in advance. Logs incrementally produce textual data that reflect events and their impact on technical systems. Quick and efficient security log analysis is key for operational cybersecurity.
Ensure you’ve put in place the necessary tools and processes to aid you along the four stages of a cyberattack:
Detect - Logs from the endpoint, IAM, and network traffic collected and correlated in a single location to normalize and perform custom queries and advance behavioral analytics.
Contain - Use automation technology to respond and contain compromised endpoints or cloud workloads. Practice and test your playbooks to certify success.
Eradicate - Clean up infected malware and determine the attack's blast radius or full impact by reviewing connected systems and IP addresses.
Recover - Restore compromised devices or systems using recent data backups and conduct post-mortem analysis.
Dealing in Sumo Logic Cloud SIEM
Between preventative controls and active threat hunting, it's clear that social-based attacks and ransomware are some of the most difficult to contend with. Many organizations have told us they need a way to centralize their detection methods and monitor for unusual behaviors. No longer can they rely on a single flashlight in the dark, they need a lens that can focus their efforts. Sumo Logic Cloud SIEM is that lighthouse.
Sumo Logic Cloud SIEM automatically ingests, normalizes, correlates, analyzes and visualizes alerts across your cloud, hybrid cloud and on-prem environments with 900+ out-of-the-box rules. In particular, our Cloud SIEM’s Outlier and First Seen Rules can be used in the following ways:
Looking for password reset activities
Use of an API that someone has never accessed before
Looking for encryption keys being changed and making copies
Watching for additions to superuser/admin groups, especially across your Active Directory (e.g., Domain admins, Forest admins, Schema admins)
In addition, Sumo Logic Cloud SIEM provides security analysts and SOC managers with enhanced visibility across the enterprise to understand the scope and context of an attack thoroughly. Streamlined workflows automatically triage alerts to detect known and unknown threats faster.
Customers choose Sumo Logic for these differentiated SIEM features:
- Reduce the noise
Does your security team need to align regarding critical threats? Sumo Logic Cloud SIEM combines event management with an interactive heads-up display to deliver threat intelligence and analytics to prioritize alerts.
Cloud SIEM parses, maps and creates normalized records from your structured and unstructured data and correlates detected threats to reduce log events.
- Signals and Insights
Reduce alert fatigue with our Insight Engine, which aligns with the MITRE ATT&CK framework. Its adaptive Signal clustering algorithm automatically groups related Signals, accelerating alert triage. Once the aggregated risk surpasses a threshold, it automatically generates an Insight to help you focus on the threats that matter most.
- User and Entity Behavior Analytics (UEBA)
SIEM correlation rules aren’t enough. Identify a potential security threat based on user and Entity behavior. With Cloud SIEM’s UEBA features, you can report deviations from baseline user and Entity behavior, assign risk ranking and prioritize with smart Entity Timelines.
- Entity Relationship Graph
Investigating threats in isolation is hard. View and explore how Entities are connected via a panoramic visualization to see the full scope and breadth of a cyber breach. Reduce mean time to respond (MTTR) with visibility into related Signals and Insights.
- Built-in automation and playbooks
Choose from hundreds of out-of-the-box integrations and playbooks—or write your own. Sumo Logic Cloud SIEM Automation Service allows you to execute playbooks manually or automatically when an Insight is created or closed.
Going all in
Again, this is a good reminder to maintain your cybersecurity hygiene and have an active DR/BC plan, along with accurate backups of your critical data. Organizations of all sizes can benefit by having an active user security awareness program in place (and testing it often for gaps and identifying potential areas of improvement). But, it’s also clear that organizations dramatically benefit from improved threat visibility when they get all of their security data in one central location, which also helps teams collaborate better together. Organizations NEED advanced analytics to detect users' anomalous (and potentially malicious) behaviors to identify indicators of attack against the growing backdrop of false positive alerts.
Complete visibility for DevSecOps
Reduce downtime and move from reactive to proactive monitoring.