
Are you prepared for 'living off the land' attacks?

09 Sep 2015

Organisations, particularly those that are housing valuable or sensitive information, need to be on alert for threats that use little to no malware in their attacks, according to Dell SecureWorks Counter Threat Unit (CTU).

In nearly all of the intrusions responded to by Dell SecureWorks’ Incident Response Team in the past year, cyber criminals used the target’s own system credentials and software administration tools to move freely through the company’s networks, infecting systems and collecting valuable data, says the team.

The CTU describes this tactic as ‘living off the land’. 

Traditional security solutions, which focus solely on a threat group’s malware and infrastructure (such as Command and Control IP addresses and domain names), are of little use when the hackers don’t employ malware in their operation, or use it so sparingly and for such a short time that it leaves few traces behind, says the CTU.

To combat the growing number of living off the land attacks, the team says, organisations must implement endpoint security solutions that are designed to focus on threat actor behaviour and are instrumented to determine whether an activity on a network is suspicious or not.

Similar to how IPS/IDS, Firewall and anti-virus solutions have become ‘must have’ layers of security, endpoint security has become a ‘must have’ when it comes to defending against the ever-evolving cyber threat landscape.

Steps to combating cyber attacks using little or no malware

Dell SecureWorks advises any organisation housing valuable Intellectual Property, industrial secrets, financial data or sensitive government information, to take the following steps to help protect themselves from threat actors using little or no malware in their cyber attacks. 

Also, if threat actors have been successful in compromising your organisation, it is important that these defensive improvements be implemented to ensure the successful eviction of the threat actors, says the CTU.

The Incident Response Team has seen multiple cases where victim organisations did not shut off the threat group’s original entry point or other similar entry points, and the threat actors simply re-entered the target’s environment and began wreaking havoc all over again.

A target must ensure that it shuts off all points of entry before kicking out the intruders; otherwise, the resources put towards eviction are wasted, says the CTU.

  • Mandate the use of two-factor authentication for all remote access solutions and for all company employees and business partners (anyone accessing your corporate network)
  • Remove Local Administrator rights for users
  • Audit privileged domain account usage, including administrator and service accounts
  • Segment sensitive data on the network and closely monitor choke points

Dell SecureWorks also advises organisations with valuable data not only to implement IDS/IPS, Firewall and Anti-Virus as key security layers, but also to deploy an endpoint security solution across their environment that is focused on threat actor behaviour and on determining whether an activity within one’s network is malicious or not.

The solution should be able to:

  • Assess the host for known and unknown threats
  • Monitor for threats attempting to maintain persistence
  • Monitor process creations and associated files
  • Examine thread injection events looking for adversaries moving between processes
  • Examine network connection data at the host level to identify suspicious communications being sent to and from the host
  • Monitor DNS activity at the host level
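As an added illustration of two of the controls above (auditing privileged domain account usage and monitoring process creation for the target’s own administration tools), the following script is not from the Dell SecureWorks advisory. It runs over constructed host telemetry, and the administration tool list and the `svc_` service-account naming prefix are assumptions to be tuned for a real environment.

```python
from collections import defaultdict

# Assumed set of built-in administration tools (an assumption for this
# example; adjust to the tooling actually sanctioned in your environment).
ADMIN_TOOLS = {"psexec.exe", "wmic.exe", "net.exe", "sc.exe", "powershell.exe"}

# Constructed sample host telemetry (hypothetical logon and process events).
EVENTS = [
    {"type": "logon", "ts": 100, "host": "WS01", "user": "CORP\\alice", "privileged": False},
    {"type": "logon", "ts": 200, "host": "WS02", "user": "CORP\\svc_backup", "privileged": True},
    {"type": "logon", "ts": 260, "host": "WS03", "user": "CORP\\svc_backup", "privileged": True},
    {"type": "logon", "ts": 330, "host": "FS01", "user": "CORP\\svc_backup", "privileged": True},
    {"type": "process", "ts": 340, "host": "WS03", "user": "CORP\\svc_backup", "image": "psexec.exe", "parent": "cmd.exe"},
    {"type": "process", "ts": 400, "host": "WS01", "user": "CORP\\alice", "image": "winword.exe", "parent": "explorer.exe"},
    {"type": "logon", "ts": 500, "host": "DC01", "user": "CORP\\bob_admin", "privileged": True},
]

def find_privileged_spread(events, max_hosts=2, window=3600):
    """Flag privileged accounts seen on more than max_hosts distinct hosts
    within `window` seconds: legitimate credentials moving laterally."""
    logons = defaultdict(list)
    for e in events:
        if e["type"] == "logon" and e["privileged"]:
            logons[e["user"]].append((e["ts"], e["host"]))
    findings = []
    for user, seq in logons.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            hosts = {h for t, h in seq[i:] if t - t0 <= window}
            if len(hosts) > max_hosts:
                findings.append((user, sorted(hosts)))
                break
    return findings

def find_service_account_admin_tools(events, service_prefix="svc_"):
    """Flag administration tools started under a service account, which
    should run its service rather than drive remote-administration tooling."""
    findings = []
    for e in events:
        if e["type"] != "process":
            continue
        account = e["user"].split("\\")[-1].lower()
        if account.startswith(service_prefix) and e["image"].lower() in ADMIN_TOOLS:
            findings.append((e["host"], e["user"], e["image"]))
    return findings

if __name__ == "__main__":
    print("privileged account spread:", find_privileged_spread(EVENTS))
    print("admin tools under service accounts:", find_service_account_admin_tools(EVENTS))
```

Both checks need only the host-level logon and process creation records the advisory asks an endpoint solution to collect; neither depends on a malware signature.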