Informing Your Security Posture: How Cybercriminals Blend into the Background

Maintaining protection over an enterprise’s critical data, systems and assets is a continual uphill battle. Not only are chances good that the business’s digital footprint is growing through new applications, but hackers are also constantly bolstering their capabilities to silently breach platforms and maintain a presence under the radar of the IT team.

In the past, hackers have utilized all types of tactics to cover their tracks and enable them to remain within legitimate systems and steal data for more extended periods of time. And, according to a new report from Trend Micro researchers, these tactics are only growing more sophisticated, advanced and dangerous.

One of the best ways to improve the company’s security posture is to inform proactive protection by learning about the enemy. Today, we’re taking a look at the different techniques cybercriminals use to blend in and prevent detection. With this knowledge, IT teams can keep a more watchful eye out for the types of activity that can point to a malicious breach.

How do hackers cover their tracks?

Just as hunters work hard to remain hidden from their prey, hackers do everything in their power to avoid detection by human users and by network- and application-level security solutions.

As Trend Micro researchers explained in the recent report, “Mapping the Future: Dealing with Pervasive and Persistent Threats,” the practice of blending into legitimate traffic within enterprise systems will only become more prevalent and threatening.

“In response to security vendor technologies, specifically the renewed interest in machine learning for cybersecurity, cybercriminals will use more malicious tactics to ‘blend in,’” researchers noted in the report. “New ways of using normal computing objects for purposes other than their intended use or design – a practice known as ‘living off the land’ – will continue to be discovered, documented and shared.”

So far, researchers have observed the rising use of a few key strategies in the current threat landscape, including:

  • Masking activity with unconventional file extensions. Much of today’s malicious code is no longer being delivered through the traditional executable file, as users have been trained to be suspicious of these types of programs. Now, hackers are packaging their malicious code in less recognizable formats, using extensions like .URL, .IQY, .PUB and .WIZ. This makes it easier for hackers to trick users into opening malicious files and launching a successful infection.
  • Minimal modification. Hackers quickly catch on to the types of activity that users and security programs classify as suspicious, including the modification of legitimate files to spur a breach or an infection. In response, cybercriminals are scaling back on their modifications and changing only the bare minimum needed to use a legitimate file or system as a launch pad for their attack.
  • New activation methods. Cyberattackers are also switching up their malware activation strategies, using signed Windows utilities such as Mshta, Rundll32, Regasm and Regsvr32 to launch their code.
  • Digitally signed malware. As Trend Micro researchers noted in the report, digitally signed malware is already a pervasive approach used by hackers, and it will only continue to pose a significant threat. The technique is highly effective: a code-signing certificate makes well-hidden malware appear even more legitimate and lets it bypass security platforms that trust signed code.
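The "living off the land" and unconventional-extension patterns above are exactly what endpoint telemetry can be checked for. The following detection logic is an added example written for this post, not code from the Trend Micro report: it scans constructed, simplified process-creation and file-open events (a pipe-delimited format assumed here, not any vendor's schema) for Office applications launching the utilities named above and for the listed file extensions.

```python
"""Flag blend-in activity from endpoint events: Office parents spawning the
signed utilities named in the post, and files with unconventional extensions.
Event format is constructed for this example: type|parent_image|image|target,
where target is the command line (process_create) or opened path (file_open)."""
import ntpath  # handles Windows paths regardless of the analysis host's OS

# Signed Windows utilities abused for activation (PowerShell from the fileless section)
LOLBINS = {"mshta.exe", "rundll32.exe", "regasm.exe", "regsvr32.exe", "powershell.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ODD_EXTENSIONS = {".url", ".iqy", ".pub", ".wiz"}

def parse_event(line):
    """Split one constructed log line into normalized fields."""
    kind, parent, image, target = line.strip().split("|", 3)
    return {"type": kind,
            "parent": ntpath.basename(parent).lower(),
            "image": ntpath.basename(image).lower(),
            "target": target}

def classify(event):
    """Return the reasons (possibly none) an event looks like blend-in activity."""
    reasons = []
    if event["type"] == "process_create":
        if event["image"] in LOLBINS and event["parent"] in OFFICE_PARENTS:
            reasons.append(f"{event['parent']} spawned {event['image']}")
    elif event["type"] == "file_open":
        ext = ntpath.splitext(event["target"])[1].lower()
        if ext in ODD_EXTENSIONS:
            reasons.append(f"unconventional extension {ext}")
    return reasons

def scan(lines):
    """Yield (image, reason) pairs for every event that matches a rule."""
    return [(e["image"], r) for e in map(parse_event, lines) for r in classify(e)]

# Constructed sample telemetry: two benign events, two that should be flagged.
SAMPLE_LOG = [
    r"process_create|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\mshta.exe|mshta.exe C:\Users\alice\AppData\Local\Temp\invoice.hta",
    r"process_create|C:\Windows\explorer.exe|C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL",
    r"file_open|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|C:\Users\alice\Downloads\report.IQY",
    r"file_open|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|C:\Users\alice\Downloads\report.xlsx",
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE_LOG):
        print(f"ALERT {image}: {reason}")
```

The rundll32 launch from Explorer is left unflagged on purpose: the signal is the parent-child pairing, not the utility name alone, which keeps the rule from drowning in normal Windows activity.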

“Hackers use compromised code signing certificates associated with trusted software vendors in order to sign their malicious code, reducing the possibility of their malware being detected on targeted enterprise networks and consumer devices,” The Hacker News contributor Swati Khandelwal explained.

Fileless malware

In addition to the tricky strategies described above, hackers are also increasing their use of fileless malware, which improves their chances of flying under the radar of traditional file scanning solutions. As noted in this Trend Micro Simply Security blog, fileless malware seeks to take advantage of software or system vulnerabilities while avoiding the attention of users and raising no security notifications.

One example of this type of advanced threat abuses the PowerShell utility or Microsoft Word macros to execute a hidden command against the victim system. These commands change depending on the hacker’s goal or the length of time they are attempting to remain within the breached system.

“Current security solutions detect an intrusion [using] a signature based on the malware file’s characteristics,” Trend Micro researchers explained. “However, because fileless malware doesn’t have a payload file to infect a system, security applications don’t know what to look for.”

This makes fileless malware samples particularly dangerous and especially difficult – but not impossible – to detect.

Hidden tunnels

In a report for The Wall Street Journal, contributor Adam Janofsky described the rising use of so-called “hidden tunnels,” which allow hackers to ride the coattails of legitimate business application traffic and protocols to make off with stolen data. Currently, this threat presents the most risk for financial organizations, where hackers can utilize tunnels to sneak past access control protections and intrusion detection solutions. However, the use of hidden tunnels can pose a threat to businesses in any industry.

“These tunnels work by blending in with legitimate applications that connect a company’s network to outside systems, such as third-party analytics tools, cloud-based financial applications and stock ticker feeds,” Janofsky wrote.

Once hackers enter a system, they can then steal considerable amounts of sensitive data and intellectual property, using additional tactics to cover their tracks. As opposed to stealing large files, hackers will break information down into smaller chunks that are less likely to set off alarms within an enterprise’s security solutions.

According to a report from Vectra Networks Inc., there are more hidden tunnels than one might expect. Researchers found that within the financial sector alone, approximately 23 tunnels, disguised through encryption, exist for every 10,000 devices. In other industries, there are only about 11 tunnels for every 10,000 devices.
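The behaviour described in the last few paragraphs, data broken into small chunks and sent inside otherwise legitimate encrypted application traffic, can be approached from flow records rather than payload inspection. The heuristic below is an added example for this post, not Vectra's or Trend Micro's detection logic: it groups outbound flows by connection and flags ones made of many similar-sized transfers at regular intervals. The flow tuple format and the thresholds are this example's assumptions, and the records are constructed.

```python
"""Flag chunked, paced outbound transfers hiding among legitimate TLS traffic.
Flow records are constructed tuples: (timestamp_s, src_ip, dst_ip, dst_port, bytes_out).
Thresholds are illustrative assumptions, to be tuned against real baseline traffic."""
from collections import defaultdict
from statistics import mean, pstdev

MIN_FLOWS = 10        # enough connections to judge regularity at all
MAX_SIZE_CV = 0.10    # chunk sizes nearly uniform (coefficient of variation)
MAX_JITTER_CV = 0.15  # inter-arrival times nearly uniform

def cv(values):
    """Coefficient of variation; 0.0 when the mean is zero."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0

def find_tunnels(flows):
    """Return (src, dst, port) keys whose flows look like chunked, paced exfiltration."""
    by_conn = defaultdict(list)
    for ts, src, dst, port, out in flows:
        by_conn[(src, dst, port)].append((ts, out))
    suspects = []
    for key, recs in by_conn.items():
        if len(recs) < MIN_FLOWS:
            continue
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        sizes = [out for _, out in recs]
        if cv(sizes) <= MAX_SIZE_CV and cv(gaps) <= MAX_JITTER_CV:
            suspects.append(key)
    return suspects

def sample_flows():
    """Constructed records from one workstation: a cloud analytics client with
    bursty, varied uploads, and a paced chunked transfer on the same TLS port."""
    flows, t = [], 0
    legit_gaps = [5, 90, 12, 300, 45, 8, 600, 30, 120, 15, 70, 200]
    legit_sizes = [480, 22000, 1300, 95000, 760, 310, 51000, 2400, 900, 180000, 640, 4100]
    for gap, size in zip(legit_gaps, legit_sizes):
        t += gap
        flows.append((t, "10.0.5.21", "203.0.113.10", 443, size))
    t = 17
    for i in range(24):                      # ~1,400-byte chunks roughly every 60 s
        t += 60 + (i % 3) - 1                # 59/60/61-second gaps: low jitter
        flows.append((t, "10.0.5.21", "198.51.100.7", 443, 1400 + (i % 4) * 8))
    return flows

if __name__ == "__main__":
    for src, dst, port in find_tunnels(sample_flows()):
        print(f"suspected hidden tunnel: {src} -> {dst}:{port}")
```

Both destinations use port 443 and both are encrypted, so the only thing separating them here is shape: the legitimate client's transfers vary by orders of magnitude and arrive in bursts, while the chunked transfer is metronomic.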

Avoiding detection to ramp up data theft and damage

One of the biggest motivations for avoiding detection using these types of cybercriminal tactics is to support a longer and more drawn-out data breach. As Janofsky explained, such was the case with the Equifax Inc. breach – hackers purposely avoided using specific tools and tactics which would draw the attention of internal security stakeholders and protection programs. This enabled attackers to remain within the company’s systems for over four months.

Hackers’ ability to cover their tracks poses a significant threat to organizations in every industry. The ideal response to this threat environment is to work proactively: become aware of and educated about the strategies hackers leverage, and guard against these activities specifically.

To find out more about informing your security posture with the latest security strategies, connect with the experts at Trend Micro today.
