How Hackers Are Bypassing Intrusion Detection
Dell SecureWorks: More Attackers Exploit Legitimate Tools, Shun Malware

Breach investigators at Dell SecureWorks are warning organizations that far more hackers are breaching networks without using malware, leaving few, if any, tracks.
Because so many attackers are exploiting remote-access and network vulnerabilities, rather than installing malware, many conventional breach-detection tools aren't catching the intrusions, says Phil Burdette, senior security researcher at Dell SecureWorks' Counter Threat Unit Special Operations Team, which investigates breach incidents.
That's why it's more important than ever for organizations to enforce the use of dual-factor authentication for remote network and server access, implement privileged account management systems and provide separate network segments for network administrators, Burdette says in an interview with Information Security Media Group.
More attackers are "using native tools, or at least legitimate Windows system administration tools, to achieve their objective," Burdette says. And because these attackers are taking advantage of those tools, which they access after compromising a network administrator's username and password, their activities are not flagged by conventional breach-detection technologies, he says.
Burdette recommends organizations consider the use of privileged account management systems, which will limit the lifetime of a username and password. "What that does is it affects the usefulness of the credentials," he says. "So if an adversary obtains the username and password, and the lifetime of that account is very short-lived, because that account password changes, it disrupts the adversary's ability to use that credential or that set of credentials to achieve their objective."
Organizations also should make sure that those with administrative privileges operate from a segregated network or network segment so that any activity that appears to be coming from an administrator outside that network or segment is flagged, Burdette adds.
During this interview, Burdette also discusses:
- Three real-world examples of attacks that were waged with little or no use of malware;
- Why determining the actual point of entry an attacker uses is challenging; and
- Steps organizations can take to shore up remote-access security vulnerabilities.
Burdette leads targeted threat response engagements and performs intrusion analysis to augment threat group research at Dell SecureWorks. He is a former member of the malicious code team at the Community Emergency Response Team run by the Federal Emergency Management Agency, supporting the Department of Defense and U.S. Gypsum Corp.