Attackers misuse legitimate tools in 30% of successful cyber-incidents

Almost a third (30%) of cyberattacks investigated by the
Kaspersky Global Emergency Response team in 2019
involved legitimate remote management and
administration tools. As a result, attackers can remain
undetected for a longer period of time. For instance,
continuous cyber-espionage attacks and theft of
confidential data had a median duration of 122 days. These
findings are from Kaspersky’s new Incident Response
Analytics Report.
 
Monitoring and management software helps IT and
network administrators perform their everyday tasks, such
as troubleshooting and providing employees with technical
support. However, cybercriminals can also leverage these
legitimate tools during cyberattacks on a company’s
infrastructure. This software allows them to run processes
on endpoints and to access and extract sensitive information,
bypassing security controls that are aimed at detecting malware.
 
In total, the analysis of anonymized data from incident
response (IR) cases showed that 18 different legitimate
tools were abused by attackers for malicious purposes. The
most widely used one was PowerShell (25% of cases). This
powerful administration tool can be used for many
purposes, from gathering information to running malware.
PsExec was leveraged in 22% of the attacks. This console
application is intended for launching processes on remote
endpoints. This was followed by SoftPerfect Network
Scanner (14%), which is intended to retrieve information
about network environments. 
 
It is more difficult for security solutions to detect attacks
conducted with legitimate tools because the same actions can
be either part of a planned cybercrime activity or a regular
system administrator task. For instance, in the segment of
attacks that lasted more than a month, the cyber-incidents
had a median duration of 122 days. As they were
undetected, cybercriminals could collect victims’ sensitive data.
 
However, Kaspersky experts note that sometimes malicious
actions with legitimate software reveal themselves rather
quickly. For example, such tools are often used in a ransomware
attack, where the damage is clearly visible. The median attack
duration for short attacks was a day.
 
“To avoid detection and stay invisible in a compromised
network for as long as possible, attackers widely use
software which is developed for normal user activity,
administrator tasks and system diagnostics. With these
tools, attackers can gather information about corporate
networks and then conduct lateral movement, change
software and hardware settings or even carry out some
form of malicious action. For example, they could use
legitimate software to encrypt customer data. Legitimate
software can also help attackers stay under the radar of
security analysts, as they often detect the attack only after
the damage has been done. It is not possible to exclude
these tools for many reasons; however, properly deployed
logging and monitoring systems will help to detect
suspicious activity in the network and complex attacks at
earlier stages,” comments Konstantin Sapronov, Head of
Global Emergency Response Team at Kaspersky.
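The ambiguity described above (a PowerShell, PsExec or network-scanner launch can be either routine admin work or an intrusion step) is exactly what logging and monitoring have to resolve. The following is an added example, not code from Kaspersky or from the report: it reads process-creation events and baselines the three tools the report names against the hosts and accounts expected to run them, flagging everything else for review. The Sysmon-style field names (Computer, User, Image, CommandLine), the baseline sets and the sample events are all assumptions.

```python
import json
import re

# Assumed baseline (not from the report): hosts and accounts expected to
# run admin tooling. Any other use of these tools is flagged for review.
ADMIN_HOSTS = {"ADM-WS01", "ADM-WS02"}
ADMIN_USERS = {"CORP\\j.admin", "CORP\\svc_deploy"}

# The three tools the report names, matched on the executable name.
TOOL_PATTERNS = {
    "powershell": re.compile(r"(?:^|\\)(?:powershell|pwsh)\.exe$", re.I),
    "psexec": re.compile(r"(?:^|\\)(?:psexec(?:64)?|psexesvc)\.exe$", re.I),
    "netscan": re.compile(r"(?:^|\\)netscan(?:64)?\.exe$", re.I),
}
# Simplified match for PowerShell's encoded-command switch.
ENCODED_PS = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s", re.I)


def classify(event):
    """Return a finding label for one process-creation event, or None."""
    image = event.get("Image", "")
    tool = next((t for t, p in TOOL_PATTERNS.items() if p.search(image)), None)
    if tool is None:
        return None
    if image.lower().endswith("psexesvc.exe"):
        # PSEXESVC is PsExec's service side: it appears on the *target* host,
        # so it is direct evidence that something was launched remotely.
        return "psexec-remote-exec"
    if tool == "powershell" and ENCODED_PS.search(f" {event.get('CommandLine', '')} "):
        return "powershell-encoded-command"
    if event.get("Computer") not in ADMIN_HOSTS or event.get("User") not in ADMIN_USERS:
        return f"{tool}-outside-admin-baseline"
    return None  # known admin, known host, plain invocation: routine


def triage(lines):
    """Parse JSON lines (Sysmon-like fields assumed) and collect findings."""
    findings = []
    for line in filter(None, (l.strip() for l in lines)):
        ev = json.loads(line)
        label = classify(ev)
        if label:
            findings.append((label, ev.get("Computer"), ev.get("Image")))
    return findings


# Constructed sample events; hosts, users and paths are invented.
SAMPLE_LOG = r"""
{"Computer":"ADM-WS01","User":"CORP\\j.admin","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -File C:\\scripts\\inventory.ps1"}
{"Computer":"FIN-WS17","User":"CORP\\a.clerk","Image":"C:\\Users\\a.clerk\\AppData\\Local\\Temp\\netscan.exe","CommandLine":"netscan.exe"}
{"Computer":"FILESRV02","User":"NT AUTHORITY\\SYSTEM","Image":"C:\\Windows\\PSEXESVC.exe","CommandLine":"C:\\Windows\\PSEXESVC.exe"}
{"Computer":"ADM-WS02","User":"CORP\\svc_deploy","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoP -enc <base64-placeholder>"}
""".splitlines()
```

Running `triage(SAMPLE_LOG)` leaves the admin's scripted inventory run alone and flags the scanner on a finance workstation, the PsExec service on the file server and the encoded PowerShell command.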
 
To detect and react to such attacks in a timely manner,
among other measures, organizations should consider
implementing an Endpoint Detection and Response solution
with an MDR service. MITRE ATT&CK® Round 2 Evaluation
— where various solutions, including Kaspersky EDR and
Kaspersky Managed Protection service were evaluated —
can help customers choose EDR products that match their
specific organization’s needs. The results of the ATT&CK
Evaluation prove the importance of a comprehensive
solution that combines a fully automated multi-layered
security product and a manual threat hunting service.
 
To minimize the chances of remote management software
being used to penetrate an infrastructure, Kaspersky also
recommends the following measures:
 
- Restrict access to remote management tools from external
  IP addresses. Ensure that remote control interfaces can
  only be accessed from a limited number of endpoints.
- Enforce a strict password policy for all IT systems and
  deploy multi-factor authentication.
- Follow the principle of least privilege: give staff limited
  rights and grant high-privileged accounts only to those who
  need them to fulfil their job.
 
To learn more about Kaspersky EDR, visit the official
website. The full Incident Response Analytics Report is
available via the link.
 