Can enterprises do anything to mitigate the effects of remote administration toolkits (RATs) like Poison Ivy, which...
allow unsophisticated attackers to craft their own malware attacks?
Ask the expert!
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Enterprises have some options for mitigating the effects of remote administration toolkits (RATs) impact on their networks. But first, let's examine why these RATs, not unlike the actual rodent, are such a nuisance.
Remote administration toolkits are essentially malware packages created by attackers to plant on target machines and take control of them remotely under the guise of a legitimate remote support tool. Unsophisticated attackers crafting their own RATs, such as Poison Ivy RAT malware, are a relatively recent development, although RATs for Windows have been around since 1998. Probably the best-known early RAT is Back Orifice (BO) from the hacker group Cult of the Dead Cow. Back Orifice is a more general RAT and could be used for legitimate remote support, but many of the modern RATs have been designed solely to evade firewalls and other perimeter network defenses, and to circumvent the security of the local system.
However, there are legitimate RATs or remote support tools that are used regularly to support remote workers. The distinction between legitimate and malicious RATs is that a malicious RAT is designed to hide itself from detection, but legitimate RATs typically have notifications sent to the local user indicating usage and to ensure the end user knows it is installed.
Enterprises may want to assume that endpoints are at risk of compromised by RATs and implement network controls to compensate for compromised endpoints. The least appealing option for blocking RATs is to not allow Internet access, but this would most likely not be reasonable in most environments. Enterprises could force all Internet traffic through a proxy server, but a RAT could work through a proxy server depending on the functionality of the RAT. The RAT may look like legitimate HTTP traffic and not be detected, but using an IDS, SEIM, and analysis of the logs, you might be able to detect the traffic. An antimalware device may be implemented that includes RAT monitoring and management in the functionality. An enterprise could also just ensure that it has minimal detections in place through an existing IDS and updated signatures.
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
A revamped Poison Ivy RAT campaign has been using new evasion and distribution techniques. Expert Nick Lewis explains the new attack methods that ...continue reading
Fileless malware hidden in server memory led to attacks on many companies worldwide. Expert Nick Lewis explains how these attacks fit in with the ...continue reading
Vulnerabilities in Java and Python have opened them up to possible FTP injections. Expert Nick Lewis explains how enterprises can mitigate these ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.