
Hiding in Plain Sight: Post-Breach

Gunter Ollmann

The majority of network breaches begin and end with the installation of malware upon a vulnerable device. For the rest, once that initial malware beachhead has been achieved, the story is only just beginning.

The breach disclosures that make the news are often confusing as they're frequently compiled from third-hand reports, opinions and technical assumptions. More often than not, they include a discussion about the malware — how advanced it was, etc. — and whether any 0-day vulnerabilities were likely used by the mysterious attacker. And then there's usually a description of the data the attacker may have been able to obtain, and how they could use it for various forms of evil in the future.

The bit that's missing — and it happens to be the really juicy bit — is how the attacker managed to navigate the victim's network, take command of the system that held the data, and extract their ill-gotten gains past all those protection systems. It's generally implied that the malware (which was so thoroughly analyzed in just two condensed paragraphs of the news article) was the secret source to the attack.

In response to such a breach disclosure (and subsequent media attention) anti-virus products will be updated and other vulnerable organizations will be encouraged to check for the malware. No malware, no breach. Pretty simple. Pretty naïve.

As skilled hackers navigate the internals of a breached network it's generally implied that, for each "hop" from one vulnerable system to the next, the hacker leaves behind a malware agent. After all, that malware agent is the thing that does all the work right? Without its ability to remotely connect to the hacker's command-and-control (C&C) server the attack would be unsuccessful.

Unfortunately that's almost never the case. If a hacker was to leave a piece of malware on any compromised host it's likely to be because of one of the following reasons:

  1. They don't care about the device. It's served its purpose and no longer holds any value. It wasn't even worth hiding the evidence.
  2. It's a red herring. The hacker has intentionally left it behind to throw off the hounds, or to serve as a canary for when the hounds are close, or to track the pace and sophistication of the victim's incident response team.
  3. Time ran out. They were unable to clean up the host and remove the evidence before they were discovered.

What many people fail to understand is that hackers don't need the malware. The malware merely serves as the beachhead into the victim's organization. Once that foothold is in place the hacker leap-frogs to other more interesting and useful systems. More often than not they won't even need to rely upon exploits or brute-forcing techniques to navigate the network. The user credentials hijacked (or passively observed) from the initially compromised device are likely enough to progress to the next system. For example, many corporations employ "gold images" that aid the rapid deployment and updating of their employee computer systems. Those cloned images will typically have the same local administrative accounts and passwords on every host.

The trick to the hacker's successful evasion of anti-virus detection technologies is to not install malware on any subsequently compromised device. Instead, the hacker simply has to reconfigure and turn on the remote access tools that are already included within the operating systems of their corporate victims. For example, the operating systems available from both Microsoft and Apple all have remote administration and help applications installed by default — most of which allow for full interactive control of the computer from an Internet-routable location.

The beauty of using the default OS remote access software includes:

  1. It's already present. The hacker doesn't need to download and install any alternative remote control agents.
  2. It's whitelisted. All of the anti-virus products and other protection technologies present upon the device will have whitelisted the application. No alerts will be raised.
  3. It's fully featured. The remote access applications present within modern operating systems are designed for remote administration and support. They can do everything the hacker requires.

What this effectively means is that hunting for malware post-breach may be an ineffective strategy if the objective is to shut down the existing entry points the hacker has into the network and prevent them from extracting further data.

Armed with a portfolio of malware and non-malware remote administrative agents, the hacker's Achilles heel is going to be the communication channel(s) they are reliant upon. The software agent will change, the protocol will change (it will probably be encrypted too) and, while the destination addresses may flux a little, the remote control infrastructure the hacker is reliant upon is much easier to track and identify — it even provides a level of attribution if you know what you're looking for.

Faced with an existing (or perceived) breach, corporate incident response teams should look to the network first if they're hoping to identify a comprehensive list of systems that have been compromised by the hacker. Host-based remediation strategies should be considered in the context of how sophisticated and deceitful the hacker may be — and whether those obviously malware-infected hosts are in fact the end of the trail or just the beginning.
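As an added illustration of the "look to the network first" approach (example code written for this page, not from the article or Vectra), the snippet below reconstructs the chain of hops from constructed flow records: it treats any internal session to a built-in remote-admin port as a possible hop, follows them forward in time from the known beachhead, and then lists the external hosts the suspected machines talked to. The port set and the jump-host address are assumptions.

```python
from collections import defaultdict

# Constructed flow records (not from the article): (time, src, dst, dst_port).
FLOWS = [
    (1, "10.0.5.23", "198.51.100.7", 443),   # beachhead talks out to the attacker's C&C
    (2, "10.0.5.23", "10.0.5.40", 3389),     # hop 1: RDP to a peer workstation
    (3, "10.0.5.40", "10.0.9.10", 5985),     # hop 2: WinRM to a server
    (4, "10.0.9.10", "10.0.9.12", 22),       # hop 3: SSH to another server
    (5, "10.0.1.2", "10.0.9.12", 3389),      # sanctioned admin session from the jump host
    (6, "10.0.9.12", "198.51.100.7", 443),   # data leaves via the same external host
]

# Remote-admin services that ship with the OS: SSH, RDP, VNC/ARD, WinRM (assumed list).
REMOTE_ADMIN_PORTS = {22, 3389, 5900, 5985, 5986}
JUMP_HOSTS = {"10.0.1.2"}  # assumption: the only sanctioned source of remote-admin sessions


def is_internal(ip):
    return ip.startswith("10.")


def admin_sessions(flows):
    """Internal remote-admin sessions that did not originate from a jump host."""
    return [(t, s, d, p) for t, s, d, p in flows
            if p in REMOTE_ADMIN_PORTS and is_internal(s) and is_internal(d)
            and s not in JUMP_HOSTS]


def hop_chain(flows, beachhead):
    """Follow remote-admin sessions forward in time from the beachhead.

    A host counts as reached only via a session whose source was already reached,
    so the result is the suspected compromised set in the order it was reached."""
    reached, order = {beachhead}, [beachhead]
    for _, src, dst, _ in sorted(admin_sessions(flows)):
        if src in reached and dst not in reached:
            reached.add(dst)
            order.append(dst)
    return order


def external_peers(flows, hosts):
    """External destinations contacted by the suspected hosts: the C&C and
    exfiltration channel that is the easier thing to track and block."""
    return sorted({d for _, s, d, _ in flows if s in hosts and not is_internal(d)})


if __name__ == "__main__":
    chain = hop_chain(FLOWS, "10.0.5.23")
    print("suspected hosts:", chain)
    print("external peers:", external_peers(FLOWS, set(chain)))
```

With the constructed records, the chain reaches all three hop targets while the jump-host session is ignored, and the single external peer is the address both ends of the chain talked to.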

By Gunter Ollmann, Chief Security Officer at Vectra
