Hackers Systematically Reverse Incident Response Actions Mid-attack



We want to think that the attacker's only move in a game of cyberattack chess is "attack." Then, once you begin to mitigate their intrusion, lateral movement, modification of user accounts, etc., the threat actor gives up and you win. But a new analysis of several attacks by security vendor CrowdStrike shows that while your team is busy trying to undo everything attackers have done to facilitate their access, the hackers are equally busy either reversing your actions or setting up additional means of entry, privilege, and access.

According to the analysis, CrowdStrike observed the following activity mid-attack when response actions were not being taken swiftly:

  • Setup of additional VPN access
  • Setup of multiple RMM tools
  • Re-enabling accounts disabled by security teams
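The last item is one a defender can watch for directly. The following is an added example, not code from the original article or from CrowdStrike: it correlates Windows Security events 4725 (account disabled) and 4722 (account enabled) and flags any account that a named responder disabled and that someone else re-enabled within a time window. The event records, the account names and the responder name are constructed for the example.

```python
"""Flag accounts that an incident responder disabled and that were later
re-enabled by someone else, using Windows Security events 4725 (account
disabled) and 4722 (account enabled). All sample data below is constructed."""
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, target_account, actor).
# "ir-analyst" is the assumed incident responder; "helpdesk-admin" is an
# account used to undo one of the responder's disables 41 minutes later.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", 4725, "svc-backup", "ir-analyst"),
    ("2024-05-01T10:02:00", 4725, "j.doe", "ir-analyst"),
    ("2024-05-01T10:41:00", 4722, "svc-backup", "helpdesk-admin"),
    ("2024-05-01T11:05:00", 4722, "j.doe", "ir-analyst"),
    ("2024-05-02T09:00:00", 4722, "svc-backup", "ir-analyst"),
]


def find_reenabled(events, responders, window=timedelta(hours=24)):
    """Return (account, actor, minutes_since_disable) for every 4722 event
    that re-enables an account a responder disabled, when the enabling actor
    is not a responder and the re-enable happens within `window`."""
    disabled_at = {}   # account -> time a responder disabled it
    findings = []
    for ts, event_id, account, actor in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if event_id == 4725 and actor in responders:
            # A responder's containment action: remember when it happened.
            disabled_at[account] = when
        elif event_id == 4722 and account in disabled_at:
            age = when - disabled_at[account]
            if actor not in responders and age <= window:
                # Containment reversed by someone outside the response team.
                findings.append((account, actor, int(age.total_seconds() // 60)))
            # Whoever enabled it, the disable is no longer in effect.
            del disabled_at[account]
    return findings


if __name__ == "__main__":
    for account, actor, minutes in find_reenabled(SAMPLE_EVENTS, {"ir-analyst"}):
        print(f"ALERT: {account} re-enabled by {actor} {minutes} min after containment")
```

In a real deployment the events would come from a SIEM query on the Security log, and a responder account appearing as the enabling actor is not proof of a benign change if that account may itself be compromised.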

It’s like chess; you make a move, and your adversary makes another.

There are two takeaways from this story:

  • Response actions need to be swift; you need to cut off attacker access quickly and effectively
  • Because the initial attack vectors were mainly social engineering designed to harvest credentials, Security Awareness Training for every user is needed to keep users vigilant whether they're using email, the phone, or the Internet.

Want to learn more about improving your cybersecurity resilience? Visit Yeo & Yeo Technology’s website.

Information used in this article was provided by our partners at KnowBe4.
