To avoid detection, some hackers are ditching malware and living "off the land" -- using whatever tools are already available in the compromised systems, according to a new report from Dell SecureWorks.
In fact, this has been the case for nearly all the intrusions analyzed by Dell SecureWorks' Incident Response Team last year.
The cyber criminals typically start out with compromised credentials, said Phil Burdette, senior security researcher at Atlanta-based Dell SecureWorks, Inc.
"For example, they might use phishing attacks," he said. "They'll send an email purporting to be from the IT staff, asking users to log in and test their credentials because the IT staff has just created a new email server. Once a user logs in, those same credentials would then be used to access the company's virtual private network solutions."
In one recent case, for example, attackers used a manufacturing company's Citrix solution, which allows remote employees to connect to company systems. The company had not yet set up two-factor authentication for the remote employees, so the login and password were all the bad guys needed.
Then, to get to the intellectual property, industrial secrets, financial data or the other information they're looking for, they use the same tools as those used by a company's own employees.
Often, these are tools commonly used by systems administrators and help desk staff.
If they do use malware, they use it sparingly and briefly, and try to leave as few traces behind as possible, so that traditional malware-based detection techniques won't spot them.
For example, they might use a company's own administration tools to create scheduled tasks, but the tasks are set up to steal credentials on other systems.
Or they might use a remote desktop tool, normally used by help desk staff to help fix problems with employees' computers.
"It's native to the Windows operating system, and is often enabled by default," said Burdette. "Crooks use the same tool to connect to the system, but instead of troubleshooting problems, they can access files and compress them for extraction."
In the case of the manufacturing company intrusion that Dell SecureWorks investigated, the attackers gained access to a server responsible for sending out security updates to all the endpoints in the company. This was the company's endpoint management platform, Altiris.
"But instead of patching the systems, they used the update software to execute arbitrary commands on the systems, to obtain additional credentials," he said.
It can be a challenge to distinguish criminal behavior from that of legitimate users, he added.
Hackers used a similar approach at another company: after first capturing the domain administrator's credentials, they used the company's centralized security management server -- normally used to deploy anti-virus software -- to steal payment card data from the company's point-of-sale terminals. The hackers did use malware in this particular case, but told the security management server to white-list it.
Burdette recommends that companies mandate two-factor authentication for all remote access systems, covering employees, business partners and anyone else accessing the network.
In addition, users should not have local administrator rights, and administrator accounts and other privileged accounts should be audited and monitored.
"Use an account management system to limit the lifetime and usefulness of user credentials," Burdette added.
Where powerful system management tools are concerned, he suggested that companies study the behavior of typical users and learn to differentiate between legitimate and suspicious behaviors.
"It's not feasible to just disable this functionality," he said.
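One way to put Burdette's advice into practice is to baseline which accounts normally use which administrative tools, from which hosts and at which hours, and then flag departures from that baseline. The following is an added example, not code from Dell SecureWorks or the report; the log lines, account names, host names and tool names are constructed and deliberately simplified (they are not real Windows event records).

```python
# Added example (not from the Dell SecureWorks report): baseline which accounts
# normally use which admin tools from which hosts, then flag deviations.
# Log lines below are constructed and simplified: ts,user,source_host,tool,action
from collections import defaultdict

BASELINE_LOG = """\
2015-03-02T09:01:00,helpdesk1,HD-WS01,remote_desktop,connect
2015-03-02T10:00:00,sysadmin1,ADM-WS01,schtasks,create
2015-03-02T10:05:00,sysadmin1,ADM-WS01,altiris_console,push_job
2015-03-03T09:02:00,helpdesk1,HD-WS01,remote_desktop,connect
2015-03-03T11:00:00,sysadmin1,ADM-WS01,altiris_console,push_job
"""

NEW_LOG = """\
2015-03-04T02:13:00,helpdesk1,VPN-POOL-17,remote_desktop,connect
2015-03-04T02:20:00,jsmith,VPN-POOL-17,schtasks,create
2015-03-04T02:31:00,sysadmin1,VPN-POOL-17,altiris_console,push_job
2015-03-04T09:00:00,sysadmin1,ADM-WS01,altiris_console,push_job
"""

def parse(log):
    """Split the constructed CSV lines into event dicts."""
    keys = ("ts", "user", "host", "tool", "action")
    return [dict(zip(keys, line.split(","))) for line in log.splitlines()]

def build_baseline(events):
    """Record, per account, the admin tools and source hosts seen in a known-good period."""
    tools, hosts = defaultdict(set), defaultdict(set)
    for e in events:
        tools[e["user"]].add(e["tool"])
        hosts[e["user"]].add(e["host"])
    return {"tools": tools, "hosts": hosts}

def find_deviations(events, baseline, work_hours=(7, 19)):
    """Return (ts, user, tool, reasons) for each event that departs from the baseline."""
    findings = []
    for e in events:
        reasons = []
        if e["tool"] not in baseline["tools"].get(e["user"], set()):
            reasons.append("tool never used by this account in baseline")
        if e["host"] not in baseline["hosts"].get(e["user"], set()):
            reasons.append("new source host for this account")
        if not work_hours[0] <= int(e["ts"][11:13]) < work_hours[1]:
            reasons.append("outside normal hours")
        if reasons:
            findings.append((e["ts"], e["user"], e["tool"], reasons))
    return findings
```

Running `find_deviations(parse(NEW_LOG), build_baseline(parse(BASELINE_LOG)))` flags the three overnight events from the VPN pool (including the non-admin account creating a scheduled task) and leaves the routine daytime Altiris job alone; in practice the baseline would come from weeks of real logs rather than five lines.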