Sergey Nivens - Fotolia
Most cyber security strategies and defence systems do not take into account the way that attackers really work, a report has revealed.
Most organisations focus on detecting malware, but attackers are going undetected because most of the tools they use are standard, legitimate software, according to LightCyber’s Cyber Weapons 2016 report.
The best attackers use sophisticated tools – or cyber weapons – to compromise machines, to “land and expand” inside a network, and to steal or destroy information.
But while malware is a part of their arsenal, the report said threat actors mainly use hacking, as well as admin and remote access tools, such as TeamViewer, Ammyy Adminn and LogMeIn, to expand across the network and exploit more machines to access sensitive data..
Attackers use common and well-known networking tools to map out the network, probe clients and monitor activity. Standard utilities such as NCrack, Mimikatz and Windows Credential Editor can be used to steal or crack user credentials.
Attackers also use a variety of command line shells to remotely administer machines, admin tools to move laterally and steal data, and ubiquitous apps such as web browsers and native operating system tools to carry out attacks.
“This approach is common among nation state actors, organised cyber crime groups at the forefront of data theft and malicious insiders,” said David Thompson, senior director of product management at LightCyber.
“Most security technology focuses on prevention at the perimeter of the network, but there is very little in place to detect automatically what happens once an attacker gets inside,” he told Computer Weekly.
Majority of tools used by attackers not malicious
Analysis of anonymised data collected from LightCyber customer installations of its behaviour anomaly detection technology, which links anomalous behaviour to specific processes and users, reveals that once attackers gain access to a network, most of the activity makes use of benign processes and tools, not malware.
“To my knowledge, this is the first report that catalogues what attackers are doing on a quantitive basis and the specific tools they are using to perform those actions,” said Thompson.
Research underlying the report identified 1,109 different tools used during attacks to find vulnerabilities, steal credentials and move laterally inside an organisation, but the majority of those tools were not malicious.
According to the report, 99% of internal reconnaissance and lateral movement did not originate from malware, but from legitimate applications or from riskware such as scanners.
Malware was detected in a wide variety of cases, but researchers found that while attackers often use malware as the initial exploit to gain access in targeted attacks, they often rely on admin tools and even native utilities and web browsers to expand their reach inside networks while avoiding detection.
Read more about behaviour analytics
- Behavioural analysis could have prevented Salesforce.com employee inadvertently handing over access to customer database.
- There is a growing trend in the industry towards merging big data and security.
- Many logs are generated and then ignored as resources to review and analyse them in a timely and useful manner are lacking.
- Deploying a successful network behavioural analysis project begins with co-operation and involvement from many teams in your organisation.
The malware that was detected did not match known malware or anti-virus signatures. Many of the malware strains were found only on a single site, re-confirming the rise of vast amounts of targeted malware, as well as polymorphic malware with seeming endless variants to bypass signature-based security systems.
This approach ensures the success of an attacker getting into a network undetected, but it is where the use of malware almost always ends.
The report also highlights how attackers use IT administration tools, network monitoring software and other non-malware to gain access to network resources and data.
By using these tools, attackers can remain undetected for months and quickly regain access despite the malware used to enter the network being identified and removed.
It is time for the industry to understand the scope of tools in play, the report said, and explore mechanisms for detection of such anomalous attack activity.
Reconnaissance most prevalent threat
Another key finding of the research is that reconnaissance is the most pervasive threat for organisations, topping the list at 50.75% of all identified threats.
Reconnaissance consists of more than ten types of non-destructive anomalous behaviour, including port scans, excessive failed logins and failed attempts to access network devices or ports.
“Although it would be best to stop attackers at the perimeter, if that fails, this part of the attack phase presents one of the best opportunities for spotting attackers,” said Thompson.
“This is because attackers typically do not know a lot about the IT environment and have to do a lot of exploration before they can do any real damage or steal data.
“Internal reconnaissance to map the network, find out what devices are connected, what vulnerabilities can be exploited, where data is stored and where stolen credentials can be used, is naturally rather noisy.
“Therefore, it is a good opportunity to catch attackers and kick them out before they can perform lateral movement or data exfiltration, even if you have not been able to prevent the intrusion,” he said.
According to the report, organisations can detect reconnaissance by monitoring internal network traffic and profiling normal host to-host communication. This behavioural monitoring can distinguish administrators from standard users, ensuring that administrative tasks do not raise alarms.
Then, organisations can spot anomalies in protocol, application and file share usage. This helps identify “low and slow” recon that might not be detected by threshold-based alarms.
Organisations must act beyond blocking malware
To mitigate threats, organisations must assess vulnerabilities and attempt to thwart intrusions, but their efforts should not stop at blocking malware.
“Threat actors use networking and hacking tools, admin utilities and remote desktop apps once inside the network, for activities such as reconnaissance and lateral movement. Such tools can only be found by detecting the anomalous behaviour they are used to create,” the report said.
According to Thompson, automatic data analysis tools, and specifically network traffic analytics and user behaviour analytics tools, enable organisations to detect anomalies that can be linked to malicious activity on their networks.
“Some form of detection tool that is anomaly-based, versus signature-based, is really what is needed in organisations today in the light of the way attackers actually work,” he said.