Setting the Cyber Pace

By Nick Savvides, Chief Technology Officer, Symantec Asia Pacific


As well-known targeted attack groups continue to gain notoriety with daring attacks against critical infrastructure, others are rethinking their tools and tactics in the name of stealth. Stealthier techniques have become a staple of the threat landscape, presenting organisations with an increasingly difficult challenge to defend themselves. In malware alone, Symantec blocked over 148 million attacks against businesses in 2018.

In the face of any challenge, the key to meeting it is to first understand what you’re dealing with. In the case of cyber crime, there are two attack methods being favoured by today’s attackers: living off the land attacks and supply chain attacks.

Hiding in plain sight

“Living off the land” attacks allow bad actors to conceal their activity in an ocean of legitimate processes, and while this tactic has always been used, it is now being implemented more frequently. The idea behind a living off the land attack is that an attacker can use existing applications or management tools to run a simple script or shellcode directly in a computer’s memory, turning legitimate files and processes into a vehicle for malicious activity.

By using fewer files on a targeted computer, or going completely fileless, attackers are able to lower the chances of an attack being detected and blocked, taking advantage of traditional systems that are not geared to detect these latest methods of attack. One recently identified attack group, Gallmaker, relies exclusively on living off the land. The group has successfully used widely deployed tools, such as PowerShell, to carry out attacks on high-value, high-security and highly sensitive organisations, including government, military and defence.

To put the security challenge into perspective, the use of malicious PowerShell scripts increased by 1,000 percent last year. Hiding in plain sight, living off the land has fast become the first tool that an attacker will reach for.

Weakest link in the supply chain

Like living off the land, supply chain attacks have always been used but have gained prestige with attackers in recent years. In fact, supply chain attacks ballooned by 78 per cent last year. Traditionally favoured by militaries and nation-state actors, supply chain attacks are now easier than ever for attack groups to conduct against complex software supply chains. In a supply chain attack, the attacker exploits third-party services and software to compromise a final target. For online retailers that rely on a complex network of suppliers to source, stock and sell product, the supply chain can often prove to be the weak link. Two of the most common entry points are add-on services such as chatbots or customer review widgets.

In 2018, an attack group named Magecart compromised leading ticket sales company Ticketmaster via a chatbot supplied by technology company Inbenta. The compromised chatbot was used by Magecart to insert malicious JavaScript code in Ticketmaster, siphoning payment details of customers for close to a year.

Both living off the land and supply chain attacks have been the preferred mechanisms of highly skilled, well-resourced attackers, but today they have become more mainstream and are used by cyber criminals the world over. Whether it be through hiding among legitimate processes or exploiting the trust between a business and its supplier, attackers are now thinking creatively to outsmart defences.

Exploiting trust in software or channels that are widely used and depended on further complicates matters for defenders, who now have the unenviable task of hunting for and protecting against malicious activity without disrupting everyday business functions and new agile processes.

Fighting fire with fire

But organisations aren’t defenceless in the fight against cyber criminals. As attackers get smarter, so must our defences. Here, artificial intelligence (AI), machine learning and deep analytics play a unique role in filtering through trusted software and files and scanning for threats.

AI learns directly from security analysts who train the AI machine to identify the malicious activity they’re trying to detect. From there, the AI machine applies this knowledge across all processes, providing scale to a business’ security operations without disrupting normal business functions. Gallmaker was detected by deep analytics that pinpointed suspicious PowerShell commands.

Trusted, widely used software and supply chains present cyber criminals with almost irresistible attack avenues. As attack groups continue to evolve their tactics, defensive tactics must also evolve to meet this challenge. Understanding these attack avenues and how advanced technology can combat them is the key to staying one step ahead of the attackers.
