Can enterprises do anything to mitigate the effects of remote administration toolkits (RATs) like Poison Ivy, which...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
allow unsophisticated attackers to craft their own malware attacks?
Ask the expert!
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Enterprises have some options for mitigating the effects of remote administration toolkits (RATs) impact on their networks. But first, let's examine why these RATs, not unlike the actual rodent, are such a nuisance.
Remote administration toolkits are essentially malware packages created by attackers to plant on target machines and take control of them remotely under the guise of a legitimate remote support tool. Unsophisticated attackers crafting their own RATs, such as Poison Ivy RAT malware, are a relatively recent development, although RATs for Windows have been around since 1998. Probably the best-known early RAT is Back Orifice (BO) from the hacker group Cult of the Dead Cow. Back Orifice is a more general RAT and could be used for legitimate remote support, but many of the modern RATs have been designed solely to evade firewalls and other perimeter network defenses, and to circumvent the security of the local system.
However, there are legitimate RATs or remote support tools that are used regularly to support remote workers. The distinction between legitimate and malicious RATs is that a malicious RAT is designed to hide itself from detection, but legitimate RATs typically have notifications sent to the local user indicating usage and to ensure the end user knows it is installed.
Enterprises may want to assume that endpoints are at risk of compromised by RATs and implement network controls to compensate for compromised endpoints. The least appealing option for blocking RATs is to not allow Internet access, but this would most likely not be reasonable in most environments. Enterprises could force all Internet traffic through a proxy server, but a RAT could work through a proxy server depending on the functionality of the RAT. The RAT may look like legitimate HTTP traffic and not be detected, but using an IDS, SEIM, and analysis of the logs, you might be able to detect the traffic. An antimalware device may be implemented that includes RAT monitoring and management in the functionality. An enterprise could also just ensure that it has minimal detections in place through an existing IDS and updated signatures.
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Can Structured Threat Information eXpression improve threat intelligence sharing? Nick Lewis breaks down the evolution of the STIX security framework.continue reading
A new type of WordPress malware, WP-Base-SEO, disguises itself as an SEO plug-in that opens backdoors. Nick Lewis explains how it works and how to ...continue reading
A new exploit of CLDAP servers can be used for a DDoS reflection attack that gives attackers a 70x boost. Nick Lewis explains how to defend against ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.