Are you prepared for 'living off the land' attacks?
Organisations, particularly those that are housing valuable or sensitive information, need to be on alert for threats that use little to no malware in their attacks, according to Dell SecureWorks Counter Threat Unit (CTU).
In nearly all of the intrusions in the past year responded to by the Dell SecureWorks' Incident Response Team, cyber criminals utilised the target's own system credentials and software administration tools to move freely throughout the company's networks, infecting and collecting valuable data, says the team.
The CTU describes this tactic as 'living off the land'.
Traditional security solutions, which focus solely on a threat group's malware and infrastructure (such as Command and Control IP addresses and domain names), are of little use when the hackers don't employ malware in their operation, or use it so sparingly and for such a short time that it leaves few traces behind, says the CTU.
The team says, to combat the increasing living off the land attacks organisations must implement endpoint security solutions which are designed to focus on threat actor behaviour and instrumented to determine if an activity in a network is suspicious or not.
Similar to how IPS/IDS, Firewall and anti-virus solutions have become 'must have' layers of security, endpoint security has become a 'must have' when it comes to defending against the ever-evolving cyber threat landscape.
Steps to combating cyber attacks using little or no malware
Dell SecureWorks advises any organisation housing valuable Intellectual Property, industrial secrets, financial data or sensitive government information, to take the following steps to help protect themselves from threat actors using little or no malware in their cyber attacks.
Also, if threat actors have been successful in compromising your organisation, it is important that these defensive improvements be implemented to ensure the successful eviction of the threat actors, says the CTU.
The Incident Response Team has seen multiple cases where victim organisations did not shut off the threat group's original entry point or other similar entry points, and the threat actors simply reentered the target's environment and began wreaking havoc all over again.
A target must ensure that they shut off all points of entry prior to kicking out the intruders, otherwise, resources put towards eviction are wasted, says the CTU.
- Mandate the use of two-factor authentication for all remote access solutions and for all company employees, business partners (anyone accessing your corporate network)
- Remove Local Administrator rights for users
- Audit privilege domain account usage, including administrator and service accounts
- Segment sensitive data on the network and closely monitor choke points
Dell SecureWorks also advises organisations with valuable data to not only implement IDS/IPS, Firewall, and Anti-Virus as key security layers, but also to implement an endpoint security solution across their environment which is focused on threat actor behavior and determining if an activity within one's network is malicious or not.
The solution should be able to:
- Assess the host for known and unknown threats
- Monitor for threats attempting to maintain persistence
- Monitor process creations and associated files
- Examine thread injection events looking for adversaries moving between processes
- Examine network connection data at the host level to identify suspicious communications being sent to and from the host
- Monitor DNS activity at the host level