To break in unnoticed, hackers will use the same tools as administrators. You can catch them regardless.

When I see the mainstream press cover the latest bank hack or retailer data breach, I want to laugh. The headlines scream: “10 banks breached!!” They should really say: “Every bank and retailer in the world has been breached — here are 10 we’ll tell you about today!”

Yup, nearly every company is either actively compromised or could easily be compromised. That’s a fact and it’s been true for a while.

What’s changing is that the bad guys are becoming harder to detect, thanks to a new attack paradigm. It’s important to understand this new paradigm and take it into account as you develop your security defense plans.

Sneaky is as sneaky does

In a nutshell, attackers are spending even more of their efforts using legitimate tools that will not alert antimalware software. This attack method isn’t new, but in a contemporary twist, many malicious hackers are using these tools for most — if not all — of their nefarious activities.

Until recently, attackers who dealt in advanced persistent threat (APT) or other complex attack methods gained their first foothold in a company almost exclusively by tricking users into downloading and executing malicious software inside the corporate network. After they get access, they download more attack tools to the first compromised victim’s computer, capture logon credentials, and go to town, moving on to other workstations and servers. Within a short period of time, they usually have privileged access to a domain controller, use a password hash-dumping tool, retrieve all the hashes, then move on to other badness.

But currently, attackers are using far less malicious software. If they can work with a built-in tool, script, or programming language to do their misdeeds, they will.
I’ve seen a lot of new malicious scripts, including PowerShell, Perl, and PHP, used to copy files, download logon credentials, and even inject malicious code into already running processes (the last one is very difficult to detect). I’ve seen a rash of hackers using built-in Windows Management Instrumentation (WMI) commands. WMI is a lot more powerful than many admins realize. It can be used to query almost everything about a computer, modify operations, and yes, carry out lots of mischief. Some companies that have run into these WMI-toting criminals are turning off whatever legitimate WMI processes they have and detecting any WMI use as an early-warning system.

We of course can’t forget Bash and Shellshock. That’s a great example of a legitimate, built-in tool used for malicious purposes, which initially can be hard to detect. In the Windows world, attackers have long been using the shell commands built into Windows and the DOS command prompt. The only difference is I’m starting to see even more of it.

I’m also seeing (and hearing about) scripts that copy malicious code past firewall defenses as ASCII text files, compile the code in the files into an executable, and patch it into memory to be run by another installed, legitimate program. ASCII sneak-by attacks were fairly popular in the 1990s, and it looks like they’re making a comeback.

Less often, I see common hacking software programs and customized executables. Don’t get me wrong — I still find plenty of them, and my customers are dealing with them. The big difference is a lot of my customers thought they were safe and clean because they hadn’t detected malicious executables in a while. Sometimes absence shouldn’t be celebrated.

Defensive changes

What can you do?

If your main security plan relies on detecting malicious files, you need to supplement it fast. How? I’ve always been a big believer in honeypots as an early-warning system.
Take a few computers you’re getting ready to throw away or decommission and turn them into honeypots. It’s the best bang for the buck when you’re detecting the nearly undetectable.

Next, on high-value assets, consider enabling detection methods that will record every keystroke of an attacker’s movement. It’s no longer good enough to detect previously unknown software or use software that detects “newness” by executable file name alone. For example, if the attacker is running JavaScript or PHP, detecting the use of jscript.exe/jscript.dll or php.exe isn’t enough. You want to catch the entire script and the scripting commands executed.

Finally, make sure your tools can detect memory-only malware. I blew off memory-only malware as a big threat last year, but now it’s making a huge comeback. Many point-of-sale infections have been memory-only malware, and hackers have been watching their success and creating even more. Can your antimalware software catch memory-only malware or malicious scripts that inject or patch legitimate processes with enough badness to do what they need to do? If not, upgrade.

A friend recently said: “Attackers have always been attempting to manage computers the same as administrators. It’s always been a fight over who does it better.” True words, all around.
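The two detection ideas above (treat any WMI use as an early warning, and judge script hosts by the commands they were given rather than by the host's file name) can be turned into simple triage logic over process-creation telemetry. This is an added example, not code from the article or from any product it mentions; the Sysmon-style key=value event lines are constructed, and the signal patterns are an assumed, non-exhaustive starting list.

```python
import re

# Constructed Sysmon-style process-creation events flattened to key=value
# fields. Made-up sample lines, not telemetry from any real host.
SAMPLE_EVENTS = r'''
Image=C:\Windows\System32\wbem\WMIC.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="wmic /node:SRV01 process call create notepad.exe"
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe CommandLine="powershell -NoProfile -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine="notepad report.txt"
Image=C:\Windows\System32\cscript.exe ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe CommandLine="cscript //E:jscript payload.txt"
'''

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "php.exe", "perl.exe"}
WMI_IMAGES = {"wmic.exe", "wmiprvse.exe"}
# Command-line patterns tied to the article's examples; an assumed, non-exhaustive list.
CMDLINE_SIGNALS = {
    "encoded-powershell": re.compile(r"-(e|ec|enc|encodedcommand)(\s|$)", re.I),
    "script-from-text-file": re.compile(r"//E:\w+\s+\S+\.txt\b", re.I),  # ASCII file run as JScript/VBScript
    "wmi-remote-exec": re.compile(r"process\s+call\s+create", re.I),
}

def base_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyze_event(line):
    """Return the parsed event plus the reasons it deserves attention (empty list = nothing found)."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    image, parent = base_name(fields.get("Image", "")), base_name(fields.get("ParentImage", ""))
    cmdline = fields.get("CommandLine", "")
    reasons = []
    # Any WMI-driven activity is an early warning in its own right.
    if image in WMI_IMAGES or parent in WMI_IMAGES:
        reasons.append("wmi-activity")
    # Judge script hosts by what they were told to run, not by the host's file name.
    for name, pattern in CMDLINE_SIGNALS.items():
        if pattern.search(cmdline):
            reasons.append(name)
    # Always keep the full command line so the reviewer sees the script commands, not just "powershell.exe".
    return {"image": image, "parent": parent, "script_host": image in SCRIPT_HOSTS,
            "cmdline": cmdline, "reasons": reasons}

def triage(log_text):
    """Analyse every non-empty line and return only the events that raised a reason."""
    return [r for r in (analyze_event(ln) for ln in log_text.splitlines() if ln.strip()) if r["reasons"]]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['image']:<16} {', '.join(hit['reasons']):<40} {hit['cmdline']}")
```

On the sample, the WMI remote process creation, the encoded PowerShell command and the JScript run from a .txt file are flagged, while the plain notepad launch is not.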