We’ve been lately hearing more about the trend in malware-free attacks. At RSA 2015, it was a topic of conversation by security pros. Ed Skoudis told us about it as well in our interview. And Dell SecureWorks has been on the case with what they refer to as hackers’ “living off the land”.
We like that phrase as well!
In our own pen testing series, I also discovered firsthand that scrounging around and working with on-site IT tools and utilities makes for effective hacking.
This new style of attack typically starts with a phish mail containing a payload that automatically establishes contact with the remote hacker — e.g., a remote access trojan or RAT. So with little effort, the cyber thieves are behind the firewall and have the ability to launch native apps, as well as navigate and search the file system.
SecureWorks has pointed out that Windows Remote Desk Protocol (RDP) is often used to help outsiders who become insiders move laterally. And then vanilla FTP can provide the means to exfiltrate data.
I might add that other utilities such as ncat, psexec, ssh, and PowerShell play an important role in reducing malware baggage. There’s not too much you can do about putting a ban on the aforementioned: they’re essential for IT admins, developers, and many other users.
But when hackers exploit on-site software, it means that they won’t leave much of a forensic trail. The new breed of attackers are going around firewalls (or using public ports), avoiding detection by enterprise-grade intrusion systems and evading virus scanners.
The New Defense: Monitor Behaviors
Of course, implementing two-factor authentication, limited networking for average users, and enforcing password policies are just some of the low-hanging fruit for making it more difficult for hackers to live off the land.
SecureWorks also recommends focusing on attacker behaviors, and then alerting when the hacked users account’s activities differ from normal. For example, an RDP connection that occurs at an unusual time for that user, files copied or viewed that are not typical for that user, or some other outlier that’s discovered.
Of course, at Varonis this is music to our ears!
Our solutions have been powered by user behavior analytics or UBA long before this has become a trendy topic. With hackers now more focused on using less malware or no malware at all, UBA becomes perhaps the only way to discover you’ve been breached!
That’s something to keep in mind as you plan your security strategies for next year and beyond.
Learn why UBA is unique in being able to spot both external and internal threats. Download our white paper today!