Post Perimeter Compromise

The World of "Post perimeter compromise"

Most organization today are aware of the cyber threats that they face on a daily bases.  They might not have the full picture but they have a sense of what is out there and the evolved capabilities of amateur hackers to the more sophisticated highly sponsored attacks by organized crime and governments.

Before we dig deeper, lets define what we mean by an attacker.  Attackers come in all sizes, colors and shapes.
- Young kids, upcoming technology gurus that are having fun they are creative and getting really good at maneuvering their way slashing through technology 
- Youth that are out to conquer the world and defy everything and everyone.  They are out to prove themselves
- blackhats, Grayhats and whitehats that are out there breaking stuff 
- Competitors that want to be better, bigger and richer 
- Funded Government agencies, cybercrime or organized syndicates that can employee any of the above or each other to get things done. 

So trying to stop attackers from getting into your organization is like living on the first floor in an apartment building and thinking that you will never find ants walking across the kitchen counter.  As Mr. Smith from the "Matrix" once said. It is inevitable.  It is not if an attack will succeed it is when and how bad will it be?

So the attacker is in now what.  What will they be doing and should i be afraid?

When the attacker is in they are in the phase of "post perimeter compromise" as i would like to call it as exploitation will be a continuous process across the infrastructure. So depending on what they are looking for and where they are right now their direction could be north, south, east or west. 

Motive is key here as it will govern the behavior of the attacker.  Staying stealthy, hidden or persistent.  They could have already compromised the system they are after and got what they wanted and now move north outside your organization deleting all records of their presence.  Or they still want to dig deeper so they will move south.  Once they have pinpointed the depth they want into your organization they will start exploring east and west until they get what they want. 

Dissecting the cyber kill chain we need to understand that attackers will work internally to extend their foothold and achieve their objectives after the initial compromise. 

The cyber kill chain stages such as information gathering, weaponization, delivery, exploitation, installation, Execution and target manipulation works as continuous cycle 

Information gathering

The attacker will start gathering information about the initial compromised system including; network configuration, network services, installed software, missing patches, username, passwords, private keys, cloud services, backups, file shares, browsing history, network traffic, screenshots, vpns, video conferencing, messaging paltforms, wireless keys, documents and confidential files, etc   


Depending on running OS, OS patch level, client side applications and missing patches, installed malware type and capabilities that attacker will develop their exploit to further sink his/her teeth into the system.  local escalation, specific vulnerable service or client side software.   


Once the venom is prepared the attacker will make sure to deliver the tools required to further extend his/her foot hold through a specific delivery mechanism.  A simple downloader, cloud service, or any other encrypted channel to reduce the risk of the exploit or malware being detected through sandboxing or intrusion detection mechanisms. 

Scanning (if needed) 

If the attacker wishes to move south, east or west then they will initiate further scans to identify firewall and segmentation configuration to reach other hosts with potential vulnerable services or remote access services if credentials already are compromised. 


The attacker will use weapons to further exploit vulnerable systems and devices to spread across the enterprise.  


Once the attacker has the required access and privileges and depending on their motives the attacker will install further tools and scripts that will ensure his/her success. 

Execution and Target Manipulation

The attacker will execute various actions and activities across the compromised systems and manipulate the systems and users environment  to ensure their stealth and persistence are not discovered by HIPS, Malware protection, SIEM correlation rules, FIM solutions and other security and monitoring controls. 

A Threat Hunting Team with a very strong understanding of ones environment and the attack techniques of hackers will help find the needle in the haystack and pinpoint anomalies and indicators of an attack across the enterprise 

Post a Comment