Recently, the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) issued a Joint Analysis Report (JAR) on a number of recent, deliberate intrusions into U.S. organizations by Russian civilian and military intelligence services.
The report outlines the technical merits of the tools and infrastructure used in these attacks, describing the flow of individual threats and how they built upon each other. Though the report attributes malicious behavior to a specific set of actors (this is not a common practice), we at Carbon Black have taken special note of the techniques themselves (because they, too, are anything but common).
It Takes All Types of Attacks
For those who can appreciate what it takes to orchestrate an advanced operation like the ones described in this particular JAR, the first thing you’re likely to notice is the array of techniques used throughout the attacks. The first stage of these attacks leverages social engineering to get a foot in the door. This is a common vector to hit first, but what comes next is anything but typical.
While APT28 was found to install malware onto the targeted machines, APT29 invoked malicious PowerShell scripts and used Windows Management Instrumentation (WMI) to schedule tasks on the target systems to exfiltrate sensitive and valuable data out for analysis. This is right in line with what our own research is showing – a rapid rise in non-malware attacks that are designed to bypass traditional endpoint defenses.
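The PowerShell-plus-WMI tradecraft described above leaves artifacts on the host even when no file is dropped. The script below is an added hunting example written for this page; it is not Carbon Black code and contains no indicators from the JAR. It assumes an elevated Windows PowerShell 5.1 session on Windows 8/Server 2012 or later (for Get-ScheduledTask), and the regular expression used to flag suspicious command lines is an illustrative starting point, not a complete signature.

```powershell
# Added example: hunt for WMI persistence, PowerShell-driven scheduled tasks and
# suspicious script blocks on the local host. Run as Administrator.

function Get-WmiPersistence {
    # Permanent WMI event subscriptions live in root\subscription. A binding
    # ties a filter (the trigger, e.g. a timer or logon event) to a consumer
    # (the payload, e.g. a command line or script). They are rare on normal
    # workstations, so every binding is worth a look.
    $ns = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Filter/Consumer are CIM references; resolve them by key (Name).
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
        [pscustomobject]@{
            Filter   = $f.Name
            Trigger  = $f.Query
            Consumer = $c.Name
            Type     = $c.CimClass.CimClassName
            # CommandLineEventConsumer carries CommandLineTemplate,
            # ActiveScriptEventConsumer carries ScriptText.
            Payload  = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        }
    }
}

# Illustrative pattern (assumption): PowerShell launched hidden, with an encoded
# command, bypassing execution policy, or pulling code from the network.
$SuspiciousPattern = '(?i)powershell.*(-e(nc(odedcommand)?)?\s|-w(indowstyle)?\s+hidden|bypass|downloadstring|downloadfile|invoke-expression|\biex\b)'

function Get-SuspiciousScheduledTask {
    # Tasks are the other common "scheduling" mechanism; WMI can create them
    # remotely, so author/command line matter more than the task name.
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)".Trim()
            if ($cmd -match $SuspiciousPattern) {
                [pscustomobject]@{
                    Task    = $t.TaskPath + $t.TaskName
                    Author  = $t.Author
                    State   = $t.State
                    Command = $cmd
                }
            }
        }
    }
}

function Get-SuspiciousScriptBlock {
    # Requires PowerShell script block logging to be enabled; event 4104 then
    # holds the decoded script text, so -EncodedCommand payloads are readable.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents 1000 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $SuspiciousPattern } |
        Select-Object TimeCreated, @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } }
}

Write-Host '== WMI event subscriptions ==';    Get-WmiPersistence          | Format-List
Write-Host '== Suspicious scheduled tasks =='; Get-SuspiciousScheduledTask | Format-Table -AutoSize
Write-Host '== Suspicious script blocks ==';   Get-SuspiciousScriptBlock   | Format-Table -AutoSize -Wrap
```

Any WMI binding whose consumer runs powershell.exe, cmd.exe, or inline script text deserves a closer look, as does a task whose author is not a known administrator or deployment system. The third check only returns results where script block logging was already on before the activity occurred.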
Deploying the Proper Mitigations
The JAR presents the top seven mitigation strategies to help thwart the majority of attack techniques in use today. Among the measures are regular patching (which reduces the success of exploitation attempts), restricting privileges, and whitelisting applications (to reduce the overall attack surface and make infiltration attempts more difficult).
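Two of those mitigations, along with the logging that makes the non-malware techniques above visible, can be applied on a single Windows host from PowerShell. The script below is an added example written for this page, not code from Carbon Black or the JAR; it assumes an elevated Windows PowerShell 5.1 session on an edition that supports AppLocker (Enterprise/Server), and the file path it tests is a constructed placeholder.

```powershell
# Added example: turn on PowerShell logging, review local admin membership and
# stage an audit-mode AppLocker policy. Run as Administrator.

# --- Logging (off by default) ---------------------------------------------------
# With these policy keys set, every script block PowerShell compiles, including
# the decoded form of -EncodedCommand payloads, is recorded as event 4104, and
# module logging records the cmdlets each script actually invoked.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Type DWord -Value 1
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Type DWord -Value 1
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'

# --- Restricting privileges: who is a local administrator? ----------------------
# Phished users should not be in this group; anything unexpected here is the
# first thing to fix, since it turns a foothold into full control of the host.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource, ObjectClass

# --- Application whitelisting: build and stage an AppLocker policy --------------
# Generate publisher/hash rules from what is already installed, then switch the
# rule collections to AuditOnly so that blocks are logged (AppLocker event log,
# event 8003) without breaking users while the rule set is tuned.
$policyXml = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe, Script, Dll |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml
$policyXml = $policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyPath = "$env:TEMP\applocker-audit.xml"      # illustrative path
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: what would this policy do with a script dropped in a user-writable
# location? (Constructed path; the file need not exist for Test-AppLockerPolicy.)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path 'C:\Users\Public\update.ps1' -User Everyone

# Apply in audit mode and make sure the Application Identity service runs,
# otherwise AppLocker rules are never evaluated.
Set-AppLockerPolicy -XmlPolicy $policyPath
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
```

A script that is not signed by a trusted publisher and not hashed into the rule set comes back as Denied in the dry run; once the audit log shows only expected denials, the same XML with EnforcementMode="Enabled" turns the control from visibility into prevention.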
Unfortunately, many organizations do not have the in-house expertise to properly vet their security controls regularly and implement new practices beyond the basics. And every organization, regardless of skill level, is challenged by time. Sometimes, there just isn’t enough time in the day to implement and review practices as thoroughly as you’d like. What we need are automated controls with the intelligence to identify and stop attacks no matter what techniques are used.
Going Beyond the Basics
This is exactly where Cb Defense comes into play. Cb Defense is specifically engineered to combat the worst attackers can throw your way, no matter what techniques they use. This simple control goes a long way in rooting out the initial stages of an attack and keeps attackers from getting to your most valuable assets.
We’ll be examining this growing trend of non-malware attacks a lot this year, and we hope you’ll be an active participant in this discussion. Join us next week where we’ll be talking with a senior analyst from Forrester to better understand non-malware attacks and how endpoint security can keep up.