Home / Blogs

Hiding in Plain Sight: Post-Breach

Gunter Ollmann

The majority of network breaches begin and end with the installation of malware upon a vulnerable device. For the rest, once that initial malware beachhead has been achieved, the story is only just beginning.

The breach disclosures that make the news are often confusing as they're frequently compiled from third-hand reports, opinions and technical assumptions. More often than not, they include a discussion about the malware — how advanced it was, etc. — and whether any 0-day vulnerabilities were likely used by the mysterious attacker. And then there's usually a description of the data the attacker may have been able to obtain, and how they could use it for various forms of evil in the future.

The bit that's missing — and it happens to be the really juicy bit — is how the attacker managed to navigate the victim's network, take command of the system that held the data, and extract their ill-gotten gains past all those protection systems. It's generally implied that the malware (which was so thoroughly analyzed in just two condensed paragraphs of the news article) was the secret source to the attack.

In response to such a breach disclosure (and subsequent media attention) anti-virus products will be updated and other vulnerable organizations will be encouraged to check for the malware. No malware, no breach. Pretty simple. Pretty naïve.

As skilled hackers navigate the internals of a breached network it's generally implied that, for each "hop" from one vulnerable system to the next, the hacker leaves behind a malware agent. After all, that malware agent is the thing that does all the work right? Without its ability to remotely connect to the hacker's command-and-control (C&C) server the attack would be unsuccessful.

Unfortunately that's almost never the case. If a hacker was to leave a piece of malware on any compromised host it's likely to be because of one of the following reasons:

  1. They don't care about the device. It's served its purpose and no longer holds any value. It wasn't even worth hiding the evidence.
  2. It's a red-herring. The hacker has intentionally left if behind to throw off the hounds, or to serve as a canary for when the hounds are close, or to track the pace and sophistication of the victims incident response team.
  3. Time ran out. They were unable to clean up the host and remove the evidence before they were discovered.

What many people fail to understand is that hackers don't need the malware. The malware merely serves as the beachhead into the victim's organization. Once that foothold is in place the hacker leap-frogs to other more interesting and useful systems. More often than not they won't even need to rely upon exploits or brute-forcing techniques to navigate the network. The user credential's hijacked (or passively observed) from the initial compromised device are likely enough to progress to the next system. For example, many corporations employ "gold images" that aid the rapid deployment and updating of their employee computer systems. Those cloned images will typically have the same local host administrative accounts and passwords.

The trick to the hacker's successful evasion of anti-virus detection technologies is to not install malware on any subsequently compromised device. Instead, the hacker simply has to reconfigure and turn-on the remote access tools that are already included within the operating systems of their corporate victims. For example, the operating systems available from both Microsoft and Apple all have remote administration and help applications installed by default — most of which allow for full interactive control of the computer from an Internet routable location.

The beauty of using the default OS remote access software includes:

  1. It's already present. The hacker doesn't need to download and install any alternative remote control agents.
  2. It's whitelisted. All of the anti-virus products and other protection technologies present upon the device will have whitelisted the application. No alerts will be raised.
  3. It's fully featured. The remote access applications present within modern operating systems are designed for remote administration and support. They can do everything the hacker requires.

What this effectively means is that hunting for malware post-breach may be an ineffective strategy if the objective is to shut down the existing entry points the hacker has into the network and prevent them from extracting further data.

Armed with a portfolio of malware and non-malware remote administrative agents, the hacker's Achilles heel is going to be the communication channel(s) they are reliant upon. The software agent will change, the protocol will change (it will probably be encrypted too) and, while the destination addresses may flux a little, the remote control infrastructure the hacker is reliant upon is much easier to track and identify — it even provides a level of attribution if you know what you're looking for.

Faced with an existing (or perceived) breach, corporate incident response teams should look to the network first if they're hoping to identify a comprehensive list of systems that have been compromised by the hacker. Host-based remediation strategies should be considered in the context of how sophisticated and deceitful the hacker may be — and whether those obviously malware-infected hosts are in-fact the end of the trail or just the beginning.

By Gunter Ollmann, CTO at NCC Group Domain Services. More blog posts from Gunter Ollmann can also be read here.

Related topics: Cyberattack, Cybercrime, Malware, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


To post comments, please login or create an account.

Related Blogs

Related News


Industry Updates – Sponsored Posts

Afilias Supports the CrypTech Project - Ambitious Hardware Encryption Effort to Protect User Privacy

Public Sector Experiences Largest Increase in DDoS Attacks (Verisign's Q4 2014 DDoS Trends)

Help Ensure the Availability and Security of Your Enterprise DNS with Verisign Recursive DNS

Verisign iDefense 2015 Cyber-Threats and Trends

What's in Your Attack Surface?

Q3 2014 DDoS Trends: Attacks Exceeding 10 Gbps on the Rise

3 Questions to Ask Your DNS Host About DDoS

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

Neustar to Build Multiple Tbps DDoS Mitigation Platform

The Latest Internet Plague: Random Subdomain Attacks

Digging Deep Into DNS Data Discloses Damaging Domains

New gTLDs and Best Practices for Domain Management Policies (Video)

Nominum Announces Future Ready DNS

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Continuing to Work in the Public Interest

Verisign Named to the OTA's 2014 Online Trust Honor Roll

Introducing the Verisign Quarterly DDoS Trends Report

4 Minutes Vs. 4 Hours: A Responder Explains Emergency DDoS Mitigation

Sponsored Topics



Sponsored by


Sponsored by
Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines

DNS Security

Sponsored by