Cybercriminals don't need fancy tools or tricks to carry out their attacks. Legitimate IT tools are just as effective.
Security company LightCyber found in a recent analysis of attack activity data gathered from customers that while attackers may use malware to gain a foothold on the network, they rely on stolen credentials and standard networking and IT administration tools, remote desktop applications, and penetration testing software to move laterally across the network. If anti-malware tools misses the initial infection, the attackers' subsequent activity is invisible to the organization.
Legitimate IT tools and features built into the operating system let attackers easily move around the network, gather necessary information, and transfer data out without triggering any alarms from security defenses focused on malware detection. Tools included Angry IP Scanner, PingInfoView, Nmap, Ping, NCrack, Mimikatz, Perl, Windows Credential Editor, Telnet, Private Shell SSH, VMware vSphere Client, TeamViewer, and WinVNC, LightCyber found.
Attackers used these tools the most during the reconnaissance phase of the attack, when they are looking for specific details about the network, the systems where valuable information is stored, and clues on how to get at those assets. Attackers often use host and port scans to map out network resources to get an inventory of relevant targets, such as file and application servers, LightCyber said.
IP address and port scanner Angry IP Scanner and network discovery and security auditing tool nmap were widely used for these purposes. Angry IP Scanner was the most popular networking tool used.
After learning the network topology, attackers may rely on "dual-use" admin and hacking tools to discover application and system vulnerabilities, monitor network traffic to steal user credentials and identify administrative users, and identify Active Directory and DNS servers. NCrack, Mimikatz, and Windows Credential Editor could be used to steal critical user credentials.
Organizations can detect these reconnaissance activities by monitoring internal network traffic and profiling normal host-to-host communication. Defenders need to be able to distinguish who can execute administrator-level tasks, and to spot anomalies in user behavior, protocol and application access, and file-share usage.
"A single attacker can easily trigger multiple reconnaissance alarms while exploring the network and searching for valuable assets," LightCyber noted.
Moving laterally through the network helps attackers find new assets to compromise and makes it harder for defenders to find them, even if the initial breach was discovered. Attackers gain control of administrator machines or move onto valuable systems, such as databases. Administration tools let attackers move laterally across the network, execute code, create new users, and open up a reverse shell with the targeted machine.
Defenders need to look for credential abuse and excessive failed logins. A single device logging into network resources from distinct accounts may indicate an attack, for example. SecureCRT, an integrated SSH and telnet client, was the most commonly used admin tool, with Putty a close second. LightCyber found that attackers were also using VMware vSphere Client, the management utility for VMware vSphere Server virtualization, and PowerShell, built-in and enabled on many Windows platforms.
Remote desktop software let attackers access new hosts and remotely control compromised devices, much the same way IT administrators rely on them to perform maintenance and support tasks like installing and upgrading software. Once attackers guess the user credentials, they can burrow deeper into the network while posing as legitimate users. This is what likely happened recently with TeamViewer, with users claiming attackers accessed their system via the remote desktop tool and drained PayPal accounts. TeamViewer was also implicated in attacks against TalkTalk customers where fraudulent tech support representatives tried to get access to their machines.
TeamViewer, Ammy Addminn, and LogMeIn, are typically used to control computers from outside the network, while VNC and Remote Desktop Connection are used from within the network. Defenders need to monitor all remote desktop connections and enforce strong authentication to prevent credential theft. TeamViewer, for example, supports two-factor authentication.
And it's not just third-party tools. Attackers can also use mundane applications like web browsers, file transfer clients and native system tools for their malicious purposes. Malicious plugins and toolbars let command-and-control servers communicate with the infected system.
"Web browsers and other 'good' apps, in the hands of malicious insiders and external attackers, can become weapons to carry out costly attacks," LightCyber said.
LightCyber's findings highlight that organizations can't just focus on malware activity to detect breaches. A few days typically pass between the time when attackers get into the network and when data exfiltration occurs, but if the defenders don't monitor the network for suspicious usage patterns from their normal IT tools, they can't stop the attackers in time. This explains why it takes organizations so long to detect breaches -- FireEye's Mandiant noted in its latest M-Trends report the average dwell time is 146 days.
While organizations must stay on top of vulnerabilities and block malware infections, that is just the beginning. They also need to understand how different software and applications are used within their network to identify potential red flags. When threat actors use networking tools, administration utilities, and remote desktop applications in the network for reconnaissance and lateral movement, then defenders can uncover them only by looking for anomalous behaviors.
"Despite these increasingly well understood realities, our industry still has an unshakable obsession with malware," said Jason Matlof, executive vice-president of LightCyber.