The Petya/NotPetya attacks shook the whole world in 2017. This was not just because of their severity and scope. It was also down to the consequences that the companies, institutions and organizations that fell victim to the attack had to deal with.
One factor was decisive in these cyberattacks, perhaps without anyone intending it: they weren’t carried out by installing malware; rather, they used supposedly secure programs. In this case, no one could have guessed that in Ukraine, one of the worst-hit countries, the problem would make its way in via one of the most widely-used pieces of accountancy software in that country. Once the infection was on a system, it was spread using PsExec or WMIC, tools that are normally used to execute applications remotely. Because these are legitimate administrator tools, their use allowed the attackers to spread the attack without drawing attention.
There are similar cases. Carbanak, one of the world’s most notorious cybercriminal groups, made its name carrying out numerous cyberattacks in which it managed to steal over $1 billion from several online banks. One of the tactics it used was to access the internal code of these entities without necessarily using malware.
The key: Living-off-the-Land attacks_
The cases of Petya/NotPetya and Carbanak have one thing in common: both were carried out using Living-off-the-Land (LotL) techniques, a method that is becoming increasingly frequent. LotL attacks, broadly speaking, make use of what already exists in the environment. In other words, there is no need to develop malicious files from scratch. Rather, they exploit points of entry that already exist in IT systems.
LotL attacks thus get onto organizations’ systems via trusted programs that aren’t going to arouse any suspicions, and then put those programs to malicious use. Several things can be achieved with this tactic: to begin with, the attackers are able to get around traditional protection systems, which will not be triggered by the unusual use of apparently secure software.
It also allows cybercriminals to get onto IT systems without being noticed, and even to spend several months inside without setting off any kind of alarm. Given the circumstances, it is also much harder to identify where the attack comes from than in attacks that rely on their own files. The reason for this is that the vast majority of cybersecurity solutions are unable to detect dangerous behavior when it is carried out using tools classified as legitimate.
Living-off-the-Land cyberattacks are therefore ideal for many cybercriminals. They get in through secure points of entry, they arouse no suspicions, they are hard to identify, and no malicious files need to be created.
How to avoid LotL attacks_
Living-off-the-Land cyberattacks can have serious consequences for the institutions they affect. Organizations must therefore do all they can to stop them from happening. For this reason, it is essential that they design a comprehensive protocol that leaves attackers absolutely no room to maneuver.
For starters, they must weigh up to what extent they need to use scripting languages such as PowerShell, which have proven to be a frequent vector for abuse. Where possible, they should be avoided. If they can’t do without these languages, alerting must be reinforced, since, as we have mentioned, LotL attacks can slip past many cybersecurity solutions.
To do so, the IT system must be monitored constantly, keeping track of absolutely every process being run there. This way, suspicious actions can be discovered, anomalous behaviors can be detected, and all of this can be resolved before it can endanger the company.
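The kind of process monitoring described above can be illustrated with a small triage script. This is an added example, not code from the original article or from Cytomic: it reads constructed, Sysmon-style process-creation records (a simplified `key="value"` format assumed for this example), and flags the legitimate tools the article names (PsExec, WMIC, PowerShell) when they appear in a context that should raise an alert: spawned by a business application (a hypothetical `AcctApp.exe` stands in for the accountancy software mentioned above), run with encoded or hidden PowerShell options, or used for remote execution from a host that is not on a hypothetical admin allow-list (`ADMIN_HOSTS`).

```python
"""Added example (not from the article): triage of process-creation logs
for Living-off-the-Land tool usage. Log format, host names, user names and
AcctApp.exe are all constructed for this example."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# One record per line, every field as key="value" (constructed format).
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Legitimate admin tools the article describes being abused in LotL attacks.
LOTL_BINARIES = {"psexec.exe", "psexec64.exe", "wmic.exe", "powershell.exe"}

# Hypothetical allow-list: hosts from which remote administration is expected.
ADMIN_HOSTS = {"IT-ADMIN01"}

# Business applications that should never spawn an admin tool (hypothetical
# AcctApp.exe stands in for the accountancy software mentioned in the text).
BUSINESS_APP_PARENTS = {"acctapp.exe", "winword.exe", "excel.exe", "outlook.exe"}

# Constructed sample events: a normal app start, two tools spawned by the
# business app, expected PsExec use from the admin host, and PsExec from a
# user workstation.
SAMPLE_LOG = r"""
ts="2017-06-27T09:58:03" host="FIN-PC01" user="CORP\jdoe" parent="C:\Windows\explorer.exe" image="C:\Program Files\AcctApp\AcctApp.exe" cmdline="AcctApp.exe"
ts="2017-06-27T09:59:12" host="FIN-PC01" user="CORP\jdoe" parent="C:\Program Files\AcctApp\AcctApp.exe" image="C:\Windows\System32\wbem\WMIC.exe" cmdline="WMIC.exe /node:FIN-PC02 process call create notepad.exe"
ts="2017-06-27T09:59:40" host="FIN-PC01" user="CORP\jdoe" parent="C:\Program Files\AcctApp\AcctApp.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -nop -w hidden -enc <base64-placeholder>"
ts="2017-06-27T10:05:02" host="IT-ADMIN01" user="CORP\adm.smith" parent="C:\Windows\System32\cmd.exe" image="C:\Tools\PsExec.exe" cmdline="PsExec.exe \\FIN-PC02 ipconfig /all"
ts="2017-06-27T10:07:33" host="FIN-PC01" user="CORP\jdoe" parent="C:\Windows\System32\cmd.exe" image="C:\Users\jdoe\Downloads\PsExec.exe" cmdline="PsExec.exe \\FIN-PC03 ipconfig /all"
"""


@dataclass
class Event:
    ts: str
    host: str
    user: str
    parent: str
    image: str
    cmdline: str

    @property
    def image_name(self) -> str:
        return PureWindowsPath(self.image).name.lower()

    @property
    def parent_name(self) -> str:
        return PureWindowsPath(self.parent).name.lower()


def parse_line(line: str) -> Event:
    """Parse one key="value" record into an Event (missing keys become "")."""
    fields = dict(FIELD_RE.findall(line))
    keys = ("ts", "host", "user", "parent", "image", "cmdline")
    return Event(**{k: fields.get(k, "") for k in keys})


def findings_for(ev: Event) -> list:
    """Return the names of every rule the event trips (empty list if none)."""
    rules = []
    cmd = ev.cmdline.lower()
    name = ev.image_name
    # A business application launching an admin tool is out of place.
    if name in LOTL_BINARIES and ev.parent_name in BUSINESS_APP_PARENTS:
        rules.append("lotl_tool_spawned_by_business_app")
    # Encoded or hidden-window PowerShell is rarely interactive admin work;
    # -e / -enc / -encodedcommand are accepted spellings of the same option.
    if name == "powershell.exe" and (
        re.search(r"(?:^|\s)-e(?:nc(?:odedcommand)?)?\s", cmd)
        or "-w hidden" in cmd
        or "-windowstyle hidden" in cmd
    ):
        rules.append("powershell_encoded_or_hidden")
    # WMIC targeting another host (/node:) from a non-admin machine.
    if name == "wmic.exe" and "/node:" in cmd and ev.host not in ADMIN_HOSTS:
        rules.append("wmic_remote_exec_from_workstation")
    # PsExec run from anywhere other than the allow-listed admin hosts.
    if name.startswith("psexec") and ev.host not in ADMIN_HOSTS:
        rules.append("psexec_from_workstation")
    return rules


def triage(log_text: str) -> list:
    """Return (ts, host, image_name, [rules]) for every event that trips a rule."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        hits = findings_for(ev)
        if hits:
            alerts.append((ev.ts, ev.host, ev.image_name, hits))
    return alerts


if __name__ == "__main__":
    for ts, host, image, hits in triage(SAMPLE_LOG):
        print(f"{ts} {host} {image}: {', '.join(hits)}")
```

Running the script prints three alerts: the WMIC and PowerShell launches spawned by the accounting application, and the PsExec run from the user workstation; the PsExec run from `IT-ADMIN01` is treated as expected administration and stays silent. The point of the allow-list and the parent-process check is that the binaries themselves are never the signal; it is the combination of who ran them, from where, and with which options that separates routine administration from a tool being "lived off".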
But this doesn’t mean that everything has to be done automatically. Companies must have Threat Hunting teams that, freed from the routine processes that can be handled automatically, can focus on the larger threats as part of their cybervigilance tasks. In this context, technology takes care of lower-level or routine alerts, while the professionals take care of the more delicate situations.
In any case, there is a concept that no company can forget: cyber-resilience. Bearing in mind that cybercriminal attack strategies are getting more and more sophisticated and complex, it is vital that any organization that wants to protect its corporate cybersecurity be vigilant and continually adapt to these new methods. This will allow them to mitigate or eliminate the risk that an attack can pose, even before it can happen.
And along such lines, the combination of Cytomic’s advanced cyber-security solutions and managed services is able to monitor all system processes in search of abnormal behavior or potential threats in order to render them harmless before they have even emerged. From that point, a behavior profile is generated to establish behavioral patterns. This is all done through the combination of advanced technologies for intelligent automation of processes and responses, and the human element of expert analysts investigating and drawing parallels between seemingly unrelated events in order to repel advanced attacks, such as those that use LotL techniques, before they pose a threat to the organization.
For a cyber-attack to be successful, there is no longer the need for a malicious file to enter; your own system may provide the perfect open door. That’s why it is essential that companies don’t just protect their perimeter against external threats, but also closely monitor what is happening inside, even the processes that are running on endpoint