Sophisticated malware can make for sexy news headlines, but it is hardly the only challenge businesses need to worry about to defend against a data breach.
By living off the land and using minimal malware, hackers are able to reduce the risk of detection by masking their malicious activities with legitimate actions by trusted users and applications. For security defenders, perhaps now more than ever, the answer to thwarting this activity lies in understanding how criminal hackers operate once they are in the targeted environment.
This is where solutions such as Dell SecureWorks' AETD Red Cloak service can be brought to bear. Red Cloak focuses on endpoint monitoring, and uses a mix of behavioral analysis and threat intelligence to identify and flag attacker activity in the user's environment.
While many talk about the importance of stopping attackers from getting in and blocking data exfiltration, the middle step of detecting adversaries as they pivot around the network seems to get less attention. Once advanced adversaries have a foothold in the targeted network, malware is only used when necessary. Instead, attackers will use compromised credentials to move laterally using tools such as Windows Scheduled Tasks or mapped network drives.
In August, our researchers released a report about Threat Group-3390, a sophisticated attack group believed to be based out of China. These attackers did not use any zero-days, but managed to compromise organizations around the world. The adversaries used a mix of known malware such as PlugX and custom malware such as ASPXTool. They also sought to live off the land by using native Windows tools to execute code on remote systems.
Armed with the right technology, however, security defenders can still detect the maneuvers of these hackers. Red Cloak's monitoring and analysis capabilities offered several opportunities to disrupt the attack. For example, PlugX can be difficult to detect using traditional security controls because it is loaded by legitimate, digitally-signed software. However, the final payload is typically injected into another process on the system, creating an opportunity for Red Cloak, which can detect the process allocation where the code is injected. The technology is also capable of capturing activity such as Scheduled Task creation, explicit credential use, and psexec and wmiexec commands.
During the first six hours, Red Cloak could have detected the attack in six ways:
- A tactical rule to detect the group's httpbrowser tool running in memory
- The detection of a mapped network drive using explicit credentials
- A strategic rule to detect a web shell on an Exchange server
- Recording NetFlow data to detect horizontal network scanning against internal subnets
- Identifying the hash of a credential stealing tool run on the domain controller
- A suspicious parent-child process relationship indicative of China Chopper web shell usage
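The parent-child relationship check in the last bullet, together with the Scheduled Task, psexec and wmiexec activity mentioned above, can be expressed as a handful of rules over process-creation telemetry. The following is an added illustration and is not Red Cloak's logic or code from this post; the event records, field names and rule names are constructed for the example, and the mapping of w3wp.exe spawning cmd.exe to web-shell activity is a general assumption about how a China Chopper-style shell executes commands on an IIS/Exchange host.

```python
"""Toy rule engine flagging living-off-the-land process relationships (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]  # constructed process-creation record: parent, image, cmdline, user

def _img(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

SHELLS = {"cmd.exe", "powershell.exe"}

@dataclass(frozen=True)
class Rule:
    name: str                        # illustrative rule name, not Red Cloak's
    match: Callable[[Event], bool]

RULES: List[Rule] = [
    # IIS worker process spawning a shell: how a China Chopper-style web shell runs commands.
    Rule("webshell_parent_child",
         lambda e: _img(e["parent"]) == "w3wp.exe" and _img(e["image"]) in SHELLS),
    # WMI provider host spawning a shell: the footprint of wmiexec-style remote execution.
    Rule("wmiexec_parent_child",
         lambda e: _img(e["parent"]) == "wmiprvse.exe" and _img(e["image"]) in SHELLS),
    # PsExec's service binary started by the service control manager on the target host.
    Rule("psexec_service",
         lambda e: _img(e["parent"]) == "services.exe" and _img(e["image"]) == "psexesvc.exe"),
    # schtasks creating a task on a remote host (/S) with explicit credentials (/U).
    Rule("remote_schtask_create",
         lambda e: _img(e["image"]) == "schtasks.exe"
         and all(f" {flag} " in f" {e['cmdline'].lower()} " for flag in ("/create", "/s", "/u"))),
]

def evaluate(events: List[Event]) -> List[Tuple[str, Event]]:
    """Return (rule_name, event) for every event that matches a rule."""
    return [(r.name, e) for e in events for r in RULES if r.match(e)]

# Constructed sample telemetry: one benign interactive shell, then four suspicious events.
SAMPLE_EVENTS: List[Event] = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe", "user": r"CORP\alice"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami", "user": r"IIS APPPOOL\MSExchangeOWAAppPool"},
    {"parent": r"C:\Windows\System32\wbem\wmiprvse.exe", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /Q /c ipconfig", "user": r"CORP\svc_backup"},
    {"parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\PSEXESVC.exe", "cmdline": "PSEXESVC.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe", "cmdline": r"schtasks /Create /S host01 /U CORP\svc_backup /P <redacted> /TN Update /TR c:\temp\u.bat", "user": r"CORP\svc_backup"},
]

if __name__ == "__main__":
    for name, ev in evaluate(SAMPLE_EVENTS):
        print(f"{name:24} {ev['user']:32} {ev['cmdline']}")
```

Each rule fires on the parent-child pair or command-line shape alone, which is the point: no malware hash or network indicator is involved, only the relationship between otherwise legitimate Windows binaries.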
Using malware signatures and bad network addresses is no longer enough to thwart sophisticated attackers. The focus must be on disrupting the Actions on Objectives stage of the cyber kill chain, which requires high levels of visibility as well as an understanding of how attackers are moving laterally throughout a network and stealing data. Distinguishing the legitimate activity of trusted applications from malicious use of those same applications can be the difference between stopping an attack in its tracks and allowing that attack to linger on for months or years.
In the coming weeks, the Counter Threat Unit (CTU) research team will share real-world case studies in a "Tales from the Trenches" series.