A reasonable question to ask is: with so much at stake, why is the failure rate so high? One answer may come from our recent Cyber Weapons Report [1]. The report shows that malware is not used in post-intrusion attack activity, such as reconnaissance, lateral movement, or data exfiltration. Once an attacker had a foothold in a network, 99% of attack activity involved the use of standard networking, IT administration and other tools that could be used by attackers on a directed or improvisational basis. No malware! To be sure, malware may often be part of the initial intrusion, but once that has occurred, we saw very little evidence of malware being used.
At the same time, most security groups are still primarily focused on malware. Almost all internal detection systems used by organisations revolve around identifying malicious software threats defined by a known technical artefact, such as a signature, a hash or a particular behaviour drawn from a pre-established list. Yet our research showed that virtually no post-intrusion attack activity involved such threats.
Malware, of course, may be involved in the creation of botnets or even advanced persistent threats that are significant security risks. Even the detrimental effects malware has on system performance pose an important issue. Detecting and removing malware is still important. Yet focusing on malware will not stop a data breach once an attacker has gained access to a network.
Attackers use common networking tools in order to conduct “low and slow” attack activities while avoiding detection. Sophisticated attackers using these tools—rather than known or unknown malware—can typically work undetected for an average of five months, according to multiple industry reports.
When an attacker lands in a new network, they have to quietly look around and gain an understanding of the unfamiliar environment. In particular, they need to know where valuable assets are located and how to gain access to them. They need to know how to create a path from their initial foothold of control to the assets. What are the other machines on the network? Where are they located? How are they configured? Are there any vulnerabilities? All of these things and more must be answered. To do this, an attacker relies on standard tools and utilities. Since these are in regular use in most networks, an attacker’s employment of them will not draw notice.
Attackers often rely on network scanners and even native operating system tools to perform reconnaissance. The 2016 Cyber Weapons Report reveals that SecureCRT, an integrated SSH and Telnet client, topped the list of admin tools used for lateral movement, accounting for 28.5 percent of the incidents attributed to the ten most prevalent admin tools. TeamViewer, a remote desktop and web conferencing solution, accounted for 37.2 percent of the security events attributed to the top ten remote desktop tools. TeamViewer was associated with command and control (tunnelling) behaviour, while other remote desktop tools, such as WinVNC, primarily aided lateral movement.
Clearly, it would be difficult to ban the use of these tools internally, as they all have a legitimate purpose. Even if they were banned, attackers would find other ways to conduct their business while staying undetected. A better approach would be to use behavioural profiling to establish a baseline of learned good behaviour for each user and device. From this vantage, it is possible to detect anomalous behaviour that may be indicative of an attack.
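The baseline-and-anomaly approach described above, as an added example that is not part of the report: it learns, per user, which destination hosts and which remote-access tools are normal, then flags a user who starts using a tool they never used before or fans out to several never-before-seen hosts. The log format, host names, user names and the fan-out threshold are constructed assumptions, not values from the report.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not the report's): "<ts> user=<u> src=<h> dst=<h> tool=<t>"
LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) dst=(\S+) tool=(\S+)$")

def parse(lines):
    """Parse constructed remote-access log lines into tuples; malformed lines are skipped."""
    return [m.groups() for m in (LINE_RE.match(line.strip()) for line in lines) if m]

def learn_baseline(events):
    """Per user: the destination hosts and admin tools seen during the learning window."""
    dsts, tools = defaultdict(set), defaultdict(set)
    for _, user, _, dst, tool in events:
        dsts[user].add(dst)
        tools[user].add(tool)
    return {"dsts": dsts, "tools": tools}

def detect(baseline, events, fanout_threshold=3):
    """Flag deviations from each user's baseline: a tool the user has never used,
    and a burst of connections to destinations outside the baseline (the
    reconnaissance / lateral-movement fan-out described in the text)."""
    alerts, new_dsts = [], defaultdict(set)
    for ts, user, src, dst, tool in events:
        if tool not in baseline["tools"].get(user, set()):
            alerts.append((ts, user, f"new tool {tool}: {src} -> {dst}"))
        if dst not in baseline["dsts"].get(user, set()):
            new_dsts[user].add(dst)
    for user, dsts in sorted(new_dsts.items()):
        if len(dsts) >= fanout_threshold:
            alerts.append(("-", user, f"{len(dsts)} new destinations: {sorted(dsts)}"))
    return alerts

# Constructed sample data: normal admin activity, then one night of suspect activity.
BASELINE_LOG = [
    "2016-06-01T09:00 user=alice src=ws-alice dst=db01 tool=SecureCRT",
    "2016-06-01T09:05 user=alice src=ws-alice dst=db02 tool=SecureCRT",
    "2016-06-02T10:00 user=bob src=ws-bob dst=fs01 tool=mstsc",
]
DETECT_LOG = [
    "2016-06-08T02:10 user=bob src=ws-bob dst=fs01 tool=mstsc",
    "2016-06-08T02:12 user=bob src=ws-bob dst=db01 tool=TeamViewer",
    "2016-06-08T02:14 user=bob src=ws-bob dst=db02 tool=TeamViewer",
    "2016-06-08T02:15 user=bob src=ws-bob dst=hr01 tool=TeamViewer",
    "2016-06-08T09:00 user=alice src=ws-alice dst=db02 tool=SecureCRT",
]

if __name__ == "__main__":
    for alert in detect(learn_baseline(parse(BASELINE_LOG)), parse(DETECT_LOG)):
        print(alert)
```

Alice's activity stays within her baseline and produces nothing; Bob's first-ever use of TeamViewer and his spread to three new hosts each raise an alert, even though every tool involved is legitimate.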
To find an active attacker and thwart a data breach, one needs to understand how an attacker operates. By detecting these operational activities, defenders can catch attackers early and curtail a breach or other significant damage.
[1] 2016 Cyber Weapons Report: http://lightcyber.com/wp-cyber-weapons-report-lp/