Malware’s use in prolonged and persistent cyber-attacks has been wildly overstated, according to a recent report.
LightCyber’s Cyber Weapons Report 2016 found that while malware is the go-to tool for the initial compromise of a network, almost all (99%) of post-intrusion cyberattack activities use standard networking, IT administration and other tools to get the job of exfiltration, snooping and sabotage done.
Attackers use common networking tools in order to conduct “low and slow” attack activities while avoiding detection; these could be used by attackers on a directed or improvisational basis. Sophisticated attackers using these tools—rather than known or unknown malware—can typically work undetected for an average of five months.
“The new Cyber Weapons Report uniquely reveals that malware is not the mechanism that network attackers use once they circumvent preventative security and compromise a network,” said Jason Matlof, executive vice president, LightCyber. “Despite these increasingly well understood realities, our industry still has an unshakable obsession with malware.”
The highest frequency attacker activity found in the study was reconnaissance. To carry that out, once inside a network, an attacker must learn about the network that they’ve compromised and map its resources and vulnerabilities. So it’s no wonder that Angry IP Scanner, an IP address and port scanner, accounted for 27.1% of incidents from the top 10 networking and hacking tools observed in the study, making it the most common tool associated with attack behavior. That’s followed closely by Nmap, a network discovery and security auditing tool that can also be used for recon.
The next most-common attack behavior is lateral movement across the network, which triggers anomalies such as new admin behavior, remote code execution and reverse connection (reverse shell), among others. In this bucket, the report found that hackers really like SecureCRT, an integrated SSH and Telnet client. This topped the list of admin tools employed in attacks, representing 28.5% of incidents from the 10 most prevalent admin tools.
Command-and-control communication is the third most common activity. To this end, TeamViewer, a remote desktop and web conferencing solution, accounted for 37.2% of security events from the top 10 remote desktop tools. TeamViewer was associated with CnC tunneling behavior, while other remote desktop tools, such as WinVNC, primarily triggered lateral movement violations.
In addition to the tools highlighted here, the report shows that attackers may leverage ordinary end-user programs such as web browsers, file transfer clients and native system tools for CnC and data exfiltration activity. It just goes to show that the most mundane applications, in the wrong hands, can be used for malicious purposes.
“With the increasing incidence of successful data breaches and theft of company secrets, it’s clear that the conventional malware-focused security infrastructure is insufficient, and we must develop new techniques to find active attackers using their operational activities,” Matlof said.
Interestingly, more than 70% of active malware used for the initial intrusion was detected only on one site, indicating that it was polymorphic or customized, targeted malware.
Photo © Profit–Image