Security Teams Must Always Keep the Entire Attack Lifecycle in Perspective
Over the years, the topic of advanced persistent threats (APTs) has become virtually synonymous with malware. However, while malware is obviously a critically important tool in the attacker’s arsenal, it is just one of many that make sophisticated attacks successful.
To bring this into focus, Mandiant, the incident response arm of FireEye, found that 46% of all compromised devices were not infected with malware. Focusing exclusively on the malware ensures that you only see half the problem.
It’s an eye-opening statistic for an industry that has over-rotated to focus almost exclusively on malware when thinking of advanced threats. It may be symptomatic of the adage, “If all you have is a hammer, everything looks like a nail.”
APTs have been defined largely by companies that sold malware sandboxes, which of course focus on malware. This isn’t meant to diminish the importance of these products. They address very real problems of custom and polymorphic malware that ran amok over traditional antivirus controls.
However, it’s a mistake to equate the lifecycle of an advanced attack with malware. Remember, advanced threats are often under the control of intelligent, creative humans. Malware is one of many tools at their disposal. If we lose sight of the big picture, we’ll develop blind spots and unintentionally play into attackers’ hands.
Go beyond the malware
Instead of spreading malware, it’s more practical and inconspicuous for an attacker to steal passwords or credentials from a compromised machine, and then use those credentials to spread inside the network. To avoid suspicion, attackers can tweak allowed applications to suit their needs.
Furthermore, the trend of not using malware is likely to grow as more organizations deploy malware sandboxes. Attackers are already adept at sandbox evasion, and avoiding the use of malware when possible is a natural way to stay out of the crosshairs of the sandbox.
Steal the keys to the kingdom
Instead of breaking windows and kicking in doors, it’s easier to just steal a key when you have the chance. This is especially true of network intrusions, where attackers will go to great lengths to steal credentials before and during attacks.
Post-exploitation tools like Mimikatz let attackers steal passwords, hashes and keys from a compromised host. They’re key enablers of pass-the-hash techniques, which remains a tried and true ploy to move laterally inside a network. They don’t require malware but they can be observed using behavioral models.
Dig into the operating system
Modern operating systems are capable, complex, and designed to be easily managed by enterprise administrators. Unfortunately, more attackers are taking advantage of management features and using them to maintain persistence, spread laterally, and even automate local applications.
For example, Windows PowerShell provides enormous flexibility by providing access to both the Windows Component Object Model (COM) and well Windows Management Instrumentation (WMI).
Mandiant has observed attackers using PowerShell and WMI for lateral movement and ongoing management of the attack. By using PowerShell to access COM, attackers can control local applications and fully automate a browser for things like command-and-control.
This approach allows attackers to replicate the functionality of malware by orchestrating the local operating system and applications. Once again, the behavior remains consistent but there is no malware to find.
Hitch a ride on allowed applications
It’s also easy for attackers to hide in plain sight by using applications that are commonly allowed in the network environment. Remote access tools (RATs) are vital in sophisticated attacks, but attackers can replicate the same functionality using approved remote desktop protocol (RDP) applications.
Similarly, attackers can observe a compromised network to learn what file-sharing tools are used. This requires more than simple allow/deny rules for an application. It requires the ability to understand what transfer patterns are normal for a particular user and how transfers relate to key assets.
For instance a user may be allowed to use Dropbox, but it is another thing entirely if that user is attempting to use Dropbox after pulling a large amount of data from a critical database.
These are just a few examples. The important thing to remember is that attackers are always evolving. No single technique or approach will be a silver bullet, and this includes focusing on malware.
To keep up, we have to always keep the entire lifecycle of an attack in perspective and understand how to recognize the underlying phases of attacks, regardless of whether they use malware or not.