
Are you prepared for 'living off the land' attacks?

09 Sep 15

Organisations, particularly those that are housing valuable or sensitive information, need to be on alert for threats that use little to no malware in their attacks, according to Dell SecureWorks Counter Threat Unit (CTU).

In nearly all of the intrusions handled by the Dell SecureWorks Incident Response Team in the past year, cyber criminals used the target’s own system credentials and software administration tools to move freely throughout the company’s networks, compromising systems and collecting valuable data, says the team.

The CTU describes this tactic as ‘living off the land’. 

Traditional security solutions, which focus solely on a threat group’s malware and infrastructure (such as Command and Control IP addresses and domain names), are of little use when the hackers don’t employ malware in their operation, or use it so sparingly and for such a short time that it leaves few traces behind, says the CTU.

The team says that, to combat the growing number of living off the land attacks, organisations must implement endpoint security solutions that are designed to focus on threat actor behaviour and are instrumented to determine whether an activity in a network is suspicious or not.

Similar to how IPS/IDS, Firewall and anti-virus solutions have become ‘must have’ layers of security, endpoint security has become a ‘must have’ when it comes to defending against the ever-evolving cyber threat landscape.

Steps to combating cyber attacks using little or no malware

Dell SecureWorks advises any organisation housing valuable intellectual property, industrial secrets, financial data or sensitive government information to take the following steps to help protect itself from threat actors using little or no malware in their cyber attacks.

Also, if threat actors have been successful in compromising your organisation, it is important that these defensive improvements be implemented to ensure the successful eviction of the threat actors, says the CTU.

The Incident Response Team has seen multiple cases where victim organisations did not shut off the threat group’s original entry point or other similar entry points, and the threat actors simply reentered the target’s environment and began wreaking havoc all over again. 

A target must shut off all points of entry before evicting the intruders; otherwise, the resources put towards eviction are wasted, says the CTU.

  • Mandate the use of two-factor authentication for all remote access solutions and for all company employees and business partners (anyone accessing your corporate network)
  • Remove Local Administrator rights for users
  • Audit privileged domain account usage, including administrator and service accounts
  • Segment sensitive data on the network and closely monitor choke points

Dell SecureWorks also advises organisations with valuable data not only to implement IDS/IPS, firewall and anti-virus as key security layers, but also to deploy an endpoint security solution across their environment that is focused on threat actor behaviour and on determining whether an activity within the network is malicious or not.

The solution should be able to:

  • Assess the host for known and unknown threats
  • Monitor for threats attempting to maintain persistence
  • Monitor process creations and associated files
  • Examine thread injection events looking for adversaries moving between processes
  • Examine network connection data at the host level to identify suspicious communications being sent to and from the host
  • Monitor DNS activity at the host level
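As an added example (not code from Dell SecureWorks or the article), the following Python audit implements two of the checks recommended above, auditing privileged and service account usage and flagging behaviour rather than malware, over a constructed set of Windows logon events. The account names, host names and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows security log logon events (4624-style fields); not real data.
# logon_type 2 = interactive, 3 = network, 10 = remote interactive (RDP).
SAMPLE_EVENTS = [
    {"time": "2015-09-08T02:01:00", "account": "CORP\\svc_backup", "host": "FS01", "logon_type": 10},
    {"time": "2015-09-08T02:02:00", "account": "CORP\\svc_backup", "host": "FS02", "logon_type": 3},
    {"time": "2015-09-08T02:03:00", "account": "CORP\\svc_backup", "host": "FS03", "logon_type": 3},
    {"time": "2015-09-08T09:00:00", "account": "CORP\\da_admin",   "host": "DC01", "logon_type": 3},
    {"time": "2015-09-08T09:05:00", "account": "CORP\\jsmith",     "host": "WS01", "logon_type": 2},
    {"time": "2015-09-08T09:06:00", "account": "CORP\\jsmith",     "host": "WS02", "logon_type": 3},
    {"time": "2015-09-08T09:07:00", "account": "CORP\\jsmith",     "host": "WS03", "logon_type": 3},
]

# Assumed inventory of high-value accounts; in practice this comes from AD group membership.
PRIVILEGED = {"CORP\\da_admin", "CORP\\svc_backup"}
SERVICE_ACCOUNTS = {"CORP\\svc_backup"}
INTERACTIVE_TYPES = {2, 10}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def audit_privileged_logons(events, window=timedelta(minutes=30), host_threshold=3):
    """Return (account, reason) findings: service accounts logging on interactively,
    and privileged accounts reaching many distinct hosts within a short window."""
    findings = []
    by_account = defaultdict(list)
    for ev in events:
        if ev["account"] in PRIVILEGED:          # ordinary users are out of scope here
            by_account[ev["account"]].append(ev)
    for account, evs in by_account.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        # A service account should never have an interactive session.
        if account in SERVICE_ACCOUNTS:
            for ev in evs:
                if ev["logon_type"] in INTERACTIVE_TYPES:
                    findings.append((account, f"interactive logon (type {ev['logon_type']}) on {ev['host']}"))
        # Sliding window over the account's logons: count distinct hosts reached.
        for i, start in enumerate(evs):
            t0, hosts = parse_time(start["time"]), set()
            for ev in evs[i:]:
                if parse_time(ev["time"]) - t0 > window:
                    break
                hosts.add(ev["host"])
            if len(hosts) >= host_threshold:
                findings.append((account, f"reached {len(hosts)} hosts within {window}: {sorted(hosts)}"))
                break                            # one fan-out finding per account is enough
    return findings
```

On the constructed sample this reports only the service account: one interactive logon and a fan-out across three file servers within minutes, while the unprivileged user touching three workstations is ignored.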