Malware and software vulnerabilities often get the biggest headlines, but according to a new report, attackers are increasingly using stolen or compromised credentials, together with whatever access management misconfigurations those credentials expose, to find and exfiltrate important data.
A media alert from Dell SecureWorks Inc.'s Counter Threat Unit (CTU) said that adversaries are increasingly choosing not to use malware in favor of "living off the land," as the CTU calls it, to gain the upper hand.
According to Phil Burdette, senior security researcher for Dell SecureWorks' CTU, based in Atlanta, these tactics allow attackers to avoid breach detection both while performing the malicious actions and in investigations afterwards.
"Without the necessary endpoint instrumentation and an understanding of the threat actors' behaviors, organizations are challenged to distinguish malicious activity from that of normal IT business operations," Burdette said. "The legitimate tools used by system administrators to troubleshoot issues and patch systems are also being used by adversaries to move laterally and exfiltrate data."
In the investigations described in the report, the CTU found attackers using endpoint management platforms and a centralized security-management server to move between systems and to steal intellectual property and credit card data.
"Threat actors were clever enough to take advantage of this trust relationship, in order to execute arbitrary commands on the target systems," Burdette said. "The key for security teams is to recognize that the same systems we use to protect our enterprise can be repurposed to support an adversary's mission. And thus, special attention needs to be paid to monitoring these high value solutions for malicious activity."
Ultimately, though, CTU said many of the issues could have been mitigated with better access management protections, including two-factor authentication, restricting user rights and auditing privileged domain account usage.
"We recommend that organizations apply the principle of least privilege to all accounts to ensure that only users who have a business need to access systems and data are granted permission," Burdette said. "A technology recommendation is for companies to leverage a privileged account management system to rotate high value credentials, thereby limiting their usefulness."
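The auditing of privileged domain account usage that the CTU recommends can be approximated with two checks over successful logon events: a privileged account authenticating from a host that is not an approved administrative source, and a privileged account reaching an unusual number of distinct hosts in a short window, which is what lateral movement through an endpoint management tool or admin shares looks like in the logs. The following is an added example written for this page, not code from the report or from Dell SecureWorks. It runs over a constructed set of logon records modelled on the fields of a Windows Security 4624 event; the account names, hostnames, the admin-host allow-list and the 10-minute, three-host fan-out threshold are all assumptions chosen for illustration.

```python
"""Audit privileged domain account usage over constructed logon events."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Logon = namedtuple("Logon", "time account source_host target_host logon_type")

# Constructed sample (not real data): the fields a Windows Security 4624
# successful-logon event carries, reduced to what this audit needs.
# Accounts and hostnames are invented for the example.
SAMPLE_LOGONS = [
    # (timestamp, account, source host, target host, logon type)
    ("2015-06-01T08:02:11", "CORP\\svc-sccm",      "SCCM01",  "WS-1042",   3),
    ("2015-06-01T08:02:15", "CORP\\svc-sccm",      "SCCM01",  "WS-1043",   3),
    ("2015-06-01T08:03:40", "CORP\\jsmith-adm",    "JUMP01",  "FS01",      10),
    ("2015-06-01T09:10:02", "CORP\\bob",           "WS-0123", "FS01",      3),
    ("2015-06-01T22:41:05", "CORP\\administrator", "WS-2210", "FS01",      3),
    ("2015-06-01T22:42:30", "CORP\\administrator", "WS-2210", "DB01",      3),
    ("2015-06-01T22:44:12", "CORP\\administrator", "WS-2210", "HR-SRV02",  3),
    ("2015-06-01T22:46:51", "CORP\\administrator", "WS-2210", "PAYMENT01", 3),
]

# Assumed policy for the example: the accounts treated as privileged, and the
# only hosts from which those accounts are expected to authenticate.
PRIVILEGED_ACCOUNTS = {"CORP\\svc-sccm", "CORP\\jsmith-adm", "CORP\\administrator"}
ADMIN_SOURCE_HOSTS = {"JUMP01", "SCCM01"}


def parse_logons(rows):
    """Turn the raw tuples into Logon records with real timestamps."""
    return [Logon(datetime.fromisoformat(t), acct, src, dst, lt)
            for t, acct, src, dst, lt in rows]


def privileged_from_unexpected_host(logons, privileged=PRIVILEGED_ACCOUNTS,
                                    admin_hosts=ADMIN_SOURCE_HOSTS):
    """Privileged account authenticating from outside the admin allow-list."""
    return [l for l in logons
            if l.account in privileged and l.source_host not in admin_hosts]


def privileged_fan_out(logons, privileged=PRIVILEGED_ACCOUNTS,
                       window=timedelta(minutes=10), threshold=3):
    """Privileged account reaching >= threshold distinct hosts within a sliding window.

    Returns {account: sorted list of hosts} for the first window that trips.
    """
    by_account = defaultdict(list)
    for l in logons:
        if l.account in privileged:
            by_account[l.account].append(l)

    hits = {}
    for account, events in by_account.items():
        events.sort(key=lambda l: l.time)
        for i, first in enumerate(events):
            # Every event from this one forward that falls inside the window.
            targets = {l.target_host for l in events[i:]
                       if l.time - first.time <= window}
            if len(targets) >= threshold:
                hits[account] = sorted(targets)
                break
    return hits


def audit(rows=SAMPLE_LOGONS):
    """Run both checks and return the findings as plain data."""
    logons = parse_logons(rows)
    unexpected = {(l.account, l.source_host)
                  for l in privileged_from_unexpected_host(logons)}
    return {
        "unexpected_source": sorted(unexpected),
        "fan_out": privileged_fan_out(logons),
    }


if __name__ == "__main__":
    for finding, detail in audit().items():
        print(finding, detail)
```

In the sample, the SCCM service account touching two workstations from the SCCM server is normal operations and is not flagged, while the built-in administrator account authenticating from an ordinary workstation to four servers in under six minutes trips both checks. In a real deployment the allow-list and thresholds would come from the organization's own tiering model, and the events from the domain controllers' security logs or a SIEM rather than an inline list.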
According to Burdette, too much focus in information security is placed on the specialized tools used by adversaries, such as malware, and more attention needs to be paid to how adversaries get in the position to perform the attack.
"Traditional security controls focus mostly on detecting backdoors and network traffic associated with backdoors," Burdette said. "However, backdoors are only a tool used to achieve an objective. A threat actor doesn't win once they've compromised a system, but when they've successfully exfiltrated data or completed their attack. Organizations need to focus on disrupting the adversaries' behaviors and not just the tools they use to complete their mission."