In the aftermath of a data breach, security teams typically go hunting for the malicious file the perpetrators used to break in and carry out their plans. But according to several recent studies, an increasing proportion of attackers are bypassing malware entirely and using social engineering and legitimate administration tools to craft their campaigns.
Everyone is focused on malware, but in fact, malware is used in less than half of all attacks, said George Kurtz, CEO of CrowdStrike. Malware-less intrusions are much more common, where attackers with credentials using common tools such as PowerShell move through the network. Security defenders are typically not good at detecting what they can’t see, he said.
Dell SecureWorks said that nearly all the incidents investigated by the Incident Response Team over the past year did not bother with malware for the initial intrusion. The Dell SecureWorks Counter Threat Unit called this method “living off the land.”
More attackers are using legitimate Windows system administration tools such as PowerShell and Remote Desktop Protocol to achieve their objective. Because they are using them with legitimate login credentials, their activities are not flagged by breach detection systems.
In one incident investigated by Dell SecureWorks, attackers phished an employee at a manufacturing company to obtain the login credentials for the company’s Citrix platform. The attackers were able to use the credentials to connect to internal corporate resources, then move laterally through the network and harvest intellectual property using the company’s Altiris platform, which remotely distributes new software and patches to all the endpoints.
In another incident investigated by Dell SecureWorks, the threat group targeted a pharmaceutical manufacturer using a combination of spear phishing and system administration tools. Employees received phishing emails purporting to be from IT testing a new webmail application. Within hours of an employee falling for the scam and entering the username and password, the attackers were able to connect to the network over a VPN connection. Once in the network, they captured system admin credentials and moved laterally through the network via RDP. They used FTP to transfer sensitive intellectual property out of the network.
“In this case, the threat group did not use one stitch of malware in their entire operation, no backdoors, no custom tools, nothing,” Dell SecureWorks said.
The social engineering part of the malware-free technique is fairly well-understood. Attackers employ tricks such as sending a message pretending to be from IT informing employees to visit a website to update their login credentials. But not a lot of people understand how easily attackers can use the company’s own applications and tools against them.
The fact that attackers are using legitimate tools -- FTP, RDP, PowerShell -- means they are not leaving much in the way of tracks behind them. With no easily found malware artifacts, it's harder for security teams to determine the initial penetration point. If the company has deployed breach-detection technologies that focus solely on malware and its artifacts, such as command-and-control IP addresses and domain names, then the defenders don’t get the alerts when the attackers are live in the network.
To combat “living off the land” attacks, Dell SecureWorks recommends focusing on threat actor behavior and assessing each activity to determine whether it is suspicious. Knowing what is considered normal behavior for a user or a system admin will expose the outliers, such as when an admin logs into a server at an unusual time or uses RDP from a different system.
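The baseline-and-outlier approach described above can be put into code. The following is an added example, not part of the article and not Dell SecureWorks' tooling: it learns, per user, which hours of the day and which source hosts an admin normally uses for RDP logons, then flags new logons that fall outside that baseline. The log lines are constructed for the example, loosely modelled on Windows Security event 4624 with logon type 10 (RemoteInteractive), and the usernames, hostnames and the pipe-delimited field layout are assumptions.

```python
"""Per-user RDP logon baseline and outlier detection (added example, not from the article)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample logon records (not real logs). Each line is
# "timestamp|user|source_host|target_host", a simplification of the fields
# found in Windows event 4624 / logon type 10 (RDP). All names are hypothetical.
BASELINE_LOG = """\
2015-03-02T09:12:00|admin.jsmith|WS-IT-01|SRV-FILE-01
2015-03-02T14:40:00|admin.jsmith|WS-IT-01|SRV-DB-02
2015-03-03T08:55:00|admin.jsmith|WS-IT-01|SRV-FILE-01
2015-03-03T16:05:00|admin.jsmith|WS-IT-02|SRV-APP-03
2015-03-04T10:20:00|admin.jsmith|WS-IT-01|SRV-DB-02
2015-03-04T11:30:00|admin.jsmith|WS-IT-02|SRV-FILE-01
2015-03-05T09:45:00|admin.jsmith|WS-IT-01|SRV-APP-03
2015-03-05T15:10:00|admin.jsmith|WS-IT-01|SRV-DB-02
"""

# Constructed "new" logons to evaluate against the learned baseline.
NEW_LOG = """\
2015-03-09T10:05:00|admin.jsmith|WS-IT-01|SRV-FILE-01
2015-03-09T02:47:00|admin.jsmith|WS-IT-01|SRV-DB-02
2015-03-09T11:15:00|admin.jsmith|WS-FIN-17|SRV-DB-02
2015-03-10T03:12:00|admin.jsmith|WS-FIN-17|SRV-FILE-01
2015-03-10T09:00:00|svc.backup|SRV-APP-03|SRV-FILE-01
"""


def parse(log):
    """Turn the pipe-delimited lines into event dicts with a parsed timestamp."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "user": user, "src": src, "dst": dst})
    return events


def build_baseline(events):
    """Per user: the hours of day and the source hosts seen in the learning window."""
    baseline = defaultdict(lambda: {"hours": set(), "sources": set()})
    for e in events:
        b = baseline[e["user"]]
        b["hours"].add(e["time"].hour)
        b["sources"].add(e["src"])
    return baseline


def score_events(events, baseline, hour_slack=1):
    """Return a finding for every event that deviates from its user's baseline.

    An event is flagged when its hour is more than `hour_slack` hours (wrapping
    around midnight) from every hour in the baseline, when it comes from a
    source host never seen for that user, or when the user has no baseline at all.
    """
    findings = []
    for e in events:
        b = baseline.get(e["user"])
        reasons = []
        if b is None:
            reasons.append("no baseline for user")
        else:
            hour = e["time"].hour
            usual_hour = any(min(abs(hour - h), 24 - abs(hour - h)) <= hour_slack for h in b["hours"])
            if not usual_hour:
                reasons.append(f"unusual hour {hour:02d}:00")
            if e["src"] not in b["sources"]:
                reasons.append(f"new source host {e['src']}")
        if reasons:
            findings.append({"time": e["time"].isoformat(), "user": e["user"],
                             "src": e["src"], "dst": e["dst"], "reasons": reasons})
    return findings


def run_demo():
    """Learn from BASELINE_LOG, then score NEW_LOG; returns the list of findings."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return score_events(parse(NEW_LOG), baseline)


if __name__ == "__main__":
    for f in run_demo():
        print(f["time"], f["user"], f["src"], "->", f["dst"], ";", ", ".join(f["reasons"]))
```

On the constructed input, the 10:05 logon from the admin's usual workstation produces nothing, while the 02:47 logon, the two logons from a finance workstation and the logon by an account with no history are each reported with the reason they deviate. In practice the baseline window should be long enough to cover legitimate shift and on-call patterns, and a new source host should be weighed together with other context (the target server, the account's privilege level) before it is escalated.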
Organizations also need to enforce dual-factor authentication for remote network and server access. In the case of the two incidents highlighted above, having dual-factor authentication on the Citrix platform or VPN would have hindered the attackers from getting in.
A lot of security defense relies heavily on network visibility at the expense of endpoint and application visibility, Kurtz said. “You need to see what’s happening on the endpoint. If the endpoint is compromised, then you know the application is, too,” Kurtz said.