Attackers go on malware-free diet

To avoid detection, some hackers are ditching malware and living "off the land"

To avoid detection, some hackers are ditching malware and living "off the land" -- using whatever tools are already available in the compromised systems, according to a new report from Dell SecureWorks.

In fact, this has been the case for nearly all the intrusions analyzed by the Dell SecureWorks’ Incident Response Team last year.

The cyber criminals typically start out with compromised credentials, said Phil Burdette, senior security researcher at Atlanta-based Dell SecureWorks, Inc.

"For example, they might use phishing attacks," he said. "They'll send an email purporting to be from the IT staff, asking users to log in and test their credentials because the IT staff has just created a new email server. Once a user logs in, those same credentials would then be used to access the company's virtual private network solutions."

In one recent case, for example, attackers used a manufacturing company's Citrix solution, which allows remote employees to connect to company systems. The company had not yet set up two-factor authentication for the remote employees, so the login and password were all the bad guys needed.

Then, to get to the intellectual property, industrial secrets, financial data or the other information they're looking for, they use the same tools as those used by a company's own employees.

Often, these are tools commonly used by systems administrators and help desk staff.

If they do use malware, they use it sparingly and briefly, and try to leave as few traces behind as possible, so that traditional malware-based detection techniques won't spot them.

For example, they might use a company's own administration tools to create scheduled tasks, but the tasks are used to steal credentials on other systems.

Or they might use a remote desktop tool, normally used by help desk staff to fix problems with employees' computers.

"It's native to the Windows operating system, and is often enabled by default," said Burdette. "Crooks use the same tool to connect to the system, but instead of troubleshooting problems, they can access files and compress them for extraction."

In the case of the manufacturing company intrusion that Dell SecureWorks investigated, the attackers gained access to a server responsible for sending out security updates to all the endpoints in the company. This was the company's endpoint management platform, Altiris.

"But instead of patching the systems, they used the update software to execute arbitrary commands on the systems, to obtain additional credentials," he said.

It can be a challenge to distinguish criminal behavior from that of legitimate users, he added.

Hackers used a similar approach at another company: after first capturing the domain administrator's credentials, they used the company's centralized security management server, normally used to deploy anti-virus software, to steal payment card data from the company's point-of-sale terminals. The hackers did use malware in this particular case, but told the security management server to white-list it.

Burdette recommends that companies mandate two-factor authentication for all remote access systems for all employees and business partners and anyone else accessing the networks.

In addition, users should not have local administrator rights, and administrator accounts and other privileged accounts should be audited and monitored.

"Use an account management system to limit the lifetime and usefulness of user credentials," Burdette added.

Where powerful system management tools are concerned, he suggested that companies study the behavior of typical users and learn to differentiate between legitimate and suspicious behaviors.

"It's not feasible to just disable this functionality," he said.
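The behavioral approach Burdette describes, baselining how administrators normally use scheduled tasks, remote desktop and the endpoint management agent, then flagging deviations, can be sketched as a small detector over Windows Security log events. The following Python is an added illustration, not code from the article or from Dell SecureWorks. The event IDs are real (4698 scheduled task created, 4624 with logon type 10 for RDP, 4688 process creation), but every log record, host name, account name, the `mgmt_agent.exe` process name and the fan-out threshold of two hosts are constructed assumptions for the example.

```python
"""
Baseline-based detection of "living off the land" activity in Windows
Security events. Added example; not the article's or Dell SecureWorks' code.
Event IDs 4698, 4624/type 10 and 4688 are real Windows event IDs; all
records, names and the thresholds below are constructed for illustration.
"""
from collections import defaultdict

# Constructed baseline window: admin-tool use observed during a quiet period.
BASELINE_EVENTS = [
    {"id": 4698, "account": "helpdesk01", "host": "ws-101", "task": "CleanupTemp"},
    {"id": 4698, "account": "helpdesk01", "host": "ws-102", "task": "CleanupTemp"},
    {"id": 4624, "type": 10, "account": "helpdesk01", "host": "ws-103"},
    {"id": 4624, "type": 10, "account": "helpdesk02", "host": "ws-104"},
    {"id": 4688, "account": "SYSTEM", "host": "ws-101",
     "parent": "mgmt_agent.exe", "image": "msiexec.exe"},
]

# Constructed events from the window under investigation.
NEW_EVENTS = [
    {"id": 4698, "account": "helpdesk01", "host": "ws-105", "task": "CleanupTemp"},
    {"id": 4698, "account": "jsmith", "host": "fileserver-01", "task": "Update"},
    {"id": 4698, "account": "jsmith", "host": "fileserver-02", "task": "Update"},
    {"id": 4698, "account": "jsmith", "host": "dc-01", "task": "Update"},
    {"id": 4624, "type": 10, "account": "jsmith", "host": "dc-01"},
    {"id": 4688, "account": "SYSTEM", "host": "ws-110",
     "parent": "mgmt_agent.exe", "image": "cmd.exe"},
    {"id": 4688, "account": "SYSTEM", "host": "ws-111",
     "parent": "mgmt_agent.exe", "image": "msiexec.exe"},
]

# Hypothetical name of the endpoint management agent's process.
MGMT_AGENT = "mgmt_agent.exe"


def event_kind(event):
    """Map a raw event to a coarse admin-tool activity kind, or None."""
    if event["id"] == 4698:
        return "sched_task"
    if event["id"] == 4624 and event.get("type") == 10:
        return "rdp_logon"
    if event["id"] == 4688 and event.get("parent", "").lower() == MGMT_AGENT:
        return "mgmt_spawn"
    return None


def build_baseline(events):
    """Learn which (account, kind) pairs are normal and on which hosts,
    plus the set of child images the management agent normally spawns."""
    known = defaultdict(set)      # (account, kind) -> hosts seen
    agent_children = set()
    for event in events:
        kind = event_kind(event)
        if kind == "mgmt_spawn":
            agent_children.add(event["image"].lower())
        elif kind:
            known[(event["account"], kind)].add(event["host"])
    return known, agent_children


def detect(events, baseline, fanout_threshold=2):
    """Return sorted (rule, subject, detail) alerts for deviations from baseline:
    - account_new_tool_use: an account using an admin tool it never used before
    - task_fanout: scheduled tasks created on many hosts new for that account
      (the pattern of using tasks to harvest credentials across systems)
    - agent_unusual_child: the management agent launching a child it never
      launched in the baseline (updates used to run arbitrary commands)"""
    known, agent_children = baseline
    alerts = set()
    new_hosts = defaultdict(set)  # (account, kind) -> hosts not in baseline
    for event in events:
        kind = event_kind(event)
        if kind is None:
            continue
        if kind == "mgmt_spawn":
            if event["image"].lower() not in agent_children:
                alerts.add(("agent_unusual_child", event["host"], event["image"]))
            continue
        key = (event["account"], kind)
        if key not in known:
            alerts.add(("account_new_tool_use", event["account"], kind))
        if event["host"] not in known.get(key, set()):
            new_hosts[key].add(event["host"])
    for (account, kind), hosts in new_hosts.items():
        if kind == "sched_task" and len(hosts) >= fanout_threshold:
            alerts.add(("task_fanout", account, f"{len(hosts)} new hosts"))
    return sorted(alerts)


def run():
    """Build the baseline from the quiet window and score the new window."""
    return detect(NEW_EVENTS, build_baseline(BASELINE_EVENTS))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The help desk account creating its usual task on one new workstation raises nothing, while the ordinary user account that suddenly creates tasks on three servers and logs on to a domain controller over RDP, and the management agent spawning a shell instead of an installer, each produce an alert. In practice the baseline would be built from weeks of real logs and the thresholds tuned per environment.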


Stories by Maria Korolov