Attackers are increasingly able to avoid detection by adapting their techniques to the tools security defenders are using, according to Jibran Ilyas, vice-president of cyber resilience at Stroz Friedberg.
A classic example of this is that attackers are relying less on malware and using administrative tools built into operating systems such as Microsoft Windows instead, he told the Palo Alto Networks Ignite ’17 conference in Vancouver, Canada.
“Attackers are using tools like PowerShell to launch attacks rather than malware, and as a result they are going undetected because no security technology is going to block a legitimate administration tool.”
Similarly, to avoid detection by security tools that monitor for such traffic, fewer attackers are maintaining round-the-clock communications with their command and control servers.
“Because attackers are finding it relatively easy to get into networks, they are going in, moving laterally, finding the data they are interested in, exfiltrating it and then shutting down operations without using any malware at all,” said Ilyas.
Attackers are also developing anti-forensics techniques, he said, by determining which artefacts forensic tools rely on and then either avoiding creating them or making sure they wipe them as part of the attack.
Increasingly common ways of getting into organisations, said Ilyas, include carrying out phishing attacks through the compromised email accounts of the target’s friends, partners, clients and colleagues, and through subscribed mailing lists that tend to be trusted by recipients.
Stroz Friedberg is also seeing attackers use publicly available information from a variety of sources to reset account passwords and take control of those accounts, or to create subdomains of legitimate organisations to trick people into sharing their usernames and passwords.
“This is why it is becoming critical to use at least two-factor authentication to stop attackers from accessing accounts to send phishing emails or to hack domain registrars to manipulate subdomains,” said Ilyas.
Cyber defenders should also be aware that attackers are increasingly breaching branch or overseas office networks, from which they use various techniques to hop over to the main network, and exploiting undisclosed vulnerabilities in publicly available portals, such as password reset portals.
Stroz Friedberg is seeing attackers using a webshell on web servers to issue commands, using tools such as Mimikatz and Mimikittenz to extract passwords from computer memory, using task scheduler to execute commands, using tunnelling tools such as Tunna Webshell on a compromised webserver to hop around networks, and using signed binaries to run malicious code in dynamic link libraries (DLLs).
Steps to improve cyber security
In the face of these challenges, Ilyas said cyber defenders can prevent intrusions and minimise the impact in 10 key ways:
- There needs to be a mindset shift. Organisations need to understand that if they have any data of value, attackers will come after them. “Having a protection plan of highest risk assets is one thing, but organisations need to ask if they can detect unauthorised access to the assets,” said Ilyas.
- Know where there is a security risk. “We often hear that organisations are unaware of the existence of a server or that it contained sensitive data,” said Ilyas.
- Organisations need to understand that it is not enough to secure the data on servers because there is a lot of sensitive data on endpoints. According to Ilyas, organisations often overlook data in emails, spreadsheets, browser passwords and session cookies.
- Avoid single-factor authentication, not just for main VPN access but for whatever other public portals an organisation has, such as Outlook Web Access (OWA).
- Consider advanced threat detection systems to get more context on threats. “Remember, real attacks start when attackers get inside the environment and pose like insiders,” said Ilyas.
- Avoid burnout for cyber security administrators. “When you hire top talent for security innovations, don’t give them the day-to-day that consumes most of their time,” he said, adding that continuity in a security team is a good thing as it ensures defenders know as much or more than attackers about their IT environment, instead of the other way around.
- Pay attention to systems that have propagation capabilities. “This includes security tools like antivirus servers, Microsoft SCCM and file integrity management servers because attackers like to use a victim’s security tools against them,” said Ilyas.
- Whitelisting security systems are not enough. “Defenders need to understand what built-in Windows applications could cause them harm,” said Ilyas.
- Monitor logs like you mean it, not just for compliance. “Network metadata should be retained for monitoring and investigations. Tuning of SIEM [security information and event management] systems should be an ongoing project,” said Ilyas.
- Invest in a threat hunting programme to scan proactively for attackers’ techniques, tactics and procedures. “The goal should be to stop attackers before they complete the full attack,” said Ilyas.
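The techniques listed above (hidden or encoded PowerShell, webshells issuing commands, scheduled tasks, signed binaries loading DLLs) all leave process-creation records that a tuned SIEM or threat-hunting query can flag. The following triage logic is an added example written for this article, not code from Stroz Friedberg or the conference; the log records and their field names (`parent`, `image`, `cmdline`) are constructed and do not follow any real product's schema. The rules flag built-in Windows tools only in suspicious context, so routine administration is not alerted on.

```python
import re

# Constructed process-creation records (hypothetical field names, not a real
# product's log schema): parent image, child image and its command line.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Reports"},
    {"parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},  # constructed
    {"parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": "schtasks.exe /create /tn Updater /tr C:\\Users\\Public\\u.bat /sc minute"},
    {"parent": "explorer.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\Public\\x.dll,Start"},
    {"parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# Directories a standard user can write to; a built-in tool pointed at one of
# these is far more suspicious than the same tool used from Program Files.
USER_WRITABLE = re.compile(r"\\(Users\\Public|Temp|AppData)\\", re.I)
WEB_SERVERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe"}
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}

def is_hidden_or_encoded_powershell(e):
    """PowerShell started with a hidden window or a base64-encoded command."""
    return e["image"] == "powershell.exe" and bool(
        re.search(r"\s-(enc(odedcommand)?|w(indowstyle)?\s+hidden)\b", e["cmdline"], re.I))

def is_webserver_spawning_shell(e):
    """A web server worker launching a shell: the footprint of webshell use."""
    return e["parent"] in WEB_SERVERS and e["image"] in {"cmd.exe", "powershell.exe"}

def is_task_to_writable_path(e):
    """Scheduled task created whose action lives in a user-writable directory."""
    return (e["image"] == "schtasks.exe" and "/create" in e["cmdline"].lower()
            and bool(USER_WRITABLE.search(e["cmdline"])))

def is_signed_host_loading_user_dll(e):
    """Signed Windows DLL host asked to load a DLL from a user-writable directory."""
    return e["image"] in DLL_HOSTS and bool(USER_WRITABLE.search(e["cmdline"]))

RULES = [is_hidden_or_encoded_powershell, is_webserver_spawning_shell,
         is_task_to_writable_path, is_signed_host_loading_user_dll]

def triage(events):
    """Return (rule name, command line) for every record that a rule matches."""
    return [(rule.__name__, e["cmdline"]) for e in events for rule in RULES if rule(e)]
```

Running `triage(SAMPLE_EVENTS)` flags four of the six constructed records and leaves the plain PowerShell listing and the service host untouched, which is the balance a tuning exercise aims for.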