Does your organization have best practices for how to use technology which include installing patches, computer based training and pushing out anti-virus updates? Does your firm have a threat detection strategy? Perhaps your firm utilizes a layered security approach and because you have never experienced a breach you are at peace with the security of your critical applications and data?
Attackers are forever adapting their tactics to evade traditional antivirus. One area in an environment that is often overlooked are Endpoints. Should your organization feel that securing Endpoints (including servers, desktops, and laptops) are unnecessary, the door may be left wide open for attackers to gain entry into your environment, your data, your credentials, and your entire business!
Imagine being able to bypass traditional antivirus software by hiding within authorized applications along with the Operating System itself? According to one recent study 77% of reported Endpoint compromises were made up of these “fileless attacks!” Read along to find out more about how these common attacks work and how you can enhance the current evolution of your firm’s threat detection strategy.
Cryptomining Malware
Cryptomining convert computing power into revenue! The CPU required to mine for cryptocurrencies happens to be very costly. The way it works is as follows; attackers create malware to siphon computing resources from victims for Cryptomining. Methods include “cryptojacking” browser based attacks that work while you are on a legitimate, yet compromised website. They also utilize “cryptomining malware” which is often delivered through phishing campaigns and consumes CPU through your endpoints. Without so much as a single virus alert, attackers turn compromised endpoints into armies of cryptocurrency miners. If your organization does not have an Advanced Threat Detection Tool or System in place (such as Barracuda ADT) which span your endpoints and public clouds you may never even notice that you have been compromised. Unless you run into a network performance hit or a skyrocketing AWS invoice, you are none the wiser.
Reverse Powershell Attacks
Have you heard of the saying fake it until you make it or act like you belong? These clichés follow the ideology that you are least likely to be noticed or detected if you blend in with the masses. In an effort to evade the traditional antivirus software, attackers follow the act like you belong approach by using PowerShell and other sanctioned services. Evading detection by gaining access to admin credentials and executing authorized admin actions, reduces attacker’s reliance on malware and exploit kits therefore making it easier to avoid detection. This is a way to employ a stealthy data theft operation!
RDP Session Jacking
Have you ever had your Service Desk utilize a Remote Desktop Protocol (aka RDP) to remotely connect to a Windows system so that they can remediate your issue and resolve your service ticket? Most of us have utilized this tool at some point in time. This session requires that you provide a password before you can gain session access. A known exploit to bypass this is to run tscon.exe (the RDP client process) as SYSTEM user, which does not prompt you for a password. Again, NO ANTIVIRUS ALARMS GO OFF! RED FLAG ALERT – Publicly available RDP services on your endpoints serve as an open invitation to attackers! (I have personally taken calls into our Headquarters where an attacker gained entry by this exact means, encrypting all 300 workstations.) Make sure your gateway firewall policy blocks these connections by default or will only allow connections from authorized IP addresses!
APTS/Bootkits
Blended threats, involve a series of steps. Advanced Persistent Threats (APTS) are designed to easily evade all of our known traditional methods of detection. Often these threats start with a phishing email so that they can capture credentials followed by the installation of malware such as rootkits. Rootkits embed themselves deep into the endpoint’s Operating System. Once access is gained at a kernel level, all bets are off!
Ransomware
Let me start off with an innovative ransomware example that easily evades antivirus (you know the traditional route) which is known as the ShurL0ckr ransomware. ShurL0ckr is what is commonly known as Ransomware-as-a-service. that is correct, hackers enable attackers to pay the author a percentage of ransom once the payload is generated and distributed. So, we have a Ponzi or pyramid scheme being played against our technology environments by the crafty creators of these voluminous attacks! ShurL0ckr targets cloud-based enterprise sharing platforms where they stand to gain the bigger dollars. Do not be fooled, in 2018 the small to midsize companies are the main focus and target of attackers because these companies are easier to breach due to a lack of education on what is needed for their protection in technology!
Critical Steps to Avoiding Detection
Delivery
The problem with modern attacks is that they operate without downloading malicious files on the hard drive. Modern attacks leverage phishing, exploitation of the operating system, and hide malicious looking code within normal looking files to avoid detection. Traditional antivirus was built to look for unusual looking files, PowerShell and other native processes run easily under the radar!
Evasion
What a genius way to evade detection; I will use what is already on an endpoint (e.g. tscon.exe, PowerShell, etc.) using the native components of a system against itself! This is getting too easy.
Lateral Movement
As mentioned, endpoints provide attackers with a necessary foothold into a victim’s infrastructure and network. Once compromised (any endpoint will do) they move laterally through the network to find desired assets and targets. The ultimate goal is to gain access to domain admin credentials. Once they have admin credentials they can move anywhere stealing whatever data they deem necessary without antivirus detection.
Cover Tracks
Most of histories best known thieves and malicious crime committers all have a knack for covering their tracks making it harder on law enforcement to get a leg up on them and finally catch them! If I were a cyber-attacker and I gained the ultimate admin credentials, I would definitely delete log files on each endpoint within a domain to avoid leaving any forensic evidence. With one PowerShell script, all digital traces of the theft are gone, they disappear and not one single antivirus tool is built to notice this.
EDR (Endpoint Detection and Response)
Three key strategies of effective, scalable and responsive endpoint defense
Prevention is necessary, but not sufficient
Layer Endpoint Detection and Response (EDR) with your antivirus. Detection requires looking at activities more holistically, as a series of steps or a chain of events rather than one off findings. For example, you may employ the “cover your tracks” scenario. As long as your firm is collecting and archiving endpoint event logs you will be able to capture key forensic data required for data breach investigations.
You must monitor everywhere – not just the endpoint
A comprehensive security monitoring system is most valuable when it is all encompassing! Monitoring must be of endpoints, the cloud applications they are connecting to, the authentication systems that gave them access, the firewalls that allowed the connections and the local domain controllers in your office (to name a few).
Make it scalable and manageable
Unification of your network, host, and cloud security monitoring capabilities will allow you to respond faster to incidents. Simplify your toolsets and automate wherever applicable and possible. This methodology will help you to have the full picture and with security automation and orchestration capabilities you will be able to stop attacks as they are detected.
If your firm is interested in a Free Network Assessment simply click here.