Network compromises and security breaches continue to be a thorn in everyone's side. The recent Shellshock vulnerability in Bash and the USPS data breach are just two examples. Not only are these incidents inconvenient, they also require many man-hours and a great deal of money to mitigate and resolve.
In a recent InfoWorld article, security experts report that attackers are using a new approach to launch their exploits: they use the same tools as network administrators so that they can operate inside networks unnoticed. The article identifies the following attacker tactics to help security administrators spot malicious activity earlier and keep networks safe:
- Attackers are spending more time using legitimate tools that will not alert anti-malware software. If they can do their misdeeds with a built-in tool, script, or programming language, they will.
- Attackers are using built-in Windows Management Instrumentation (WMI) commands. WMI is far more powerful than many admins realize: it can be used to query almost everything about a computer, modify its operation, and, yes, carry out a great deal of mischief. Some companies are turning off whatever legitimate WMI processes they have and treating any remaining WMI use as an early-warning system.
- Attackers have long used the shell commands built into Windows and the DOS command prompt (e.g., Shellshock and Bash).
- Scripts are being used that copy malicious code past firewall defenses as ASCII text files, compile that code into an executable, and patch it into memory to be run by another installed, legitimate program.
- Dedicated hacking programs and custom-built executables are still used, although less often.
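The WMI tactic above pairs naturally with the "treat any WMI use as an early-warning signal" idea, so here is an added example of what that detection looks like in practice. It is not code from the InfoWorld article or from this page; it is a small Python detector run over a handful of constructed Windows event records. The records are simplified views of two real event types, Security event 4688 (process creation) and Microsoft-Windows-WMI-Activity/Operational event 5861 (permanent event consumer registered); the field names mirror those events, but the hosts, users and values are made up, and the allowlist of service accounts is an assumption standing in for whatever legitimate WMI use an organisation has decided to keep.

```python
"""Flag WMI use in Windows event records as an early-warning signal.

Added example: simplified event records (constructed, not real telemetry)
and a detector that raises an alert on three signs of WMI activity:
  * the WMI command-line client (wmic.exe) being launched,
  * a process spawned by the WMI provider host (WmiPrvSE.exe), which is how
    remotely issued WMI process-creation calls show up on the target,
  * a permanent WMI event consumer being registered (event 5861), a common
    persistence mechanism.
Accounts on the allowlist are the organisation's known legitimate WMI users.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Mapping

# Constructed sample records (hypothetical hosts and users).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\wbem\wmic.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4688, "Computer": "WS02", "SubjectUserName": "SYSTEM",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"EventID": 5861, "Computer": "WS03",
     "Namespace": "//./root/subscription",
     "Consumer": "CommandLineEventConsumer.Name=\"Updater\""},
    {"EventID": 4688, "Computer": "WS04", "SubjectUserName": "svc-inventory",
     "NewProcessName": r"C:\Windows\System32\wbem\wmic.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
]

WMI_CLIENT_BINARIES = {"wmic.exe"}
WMI_PROVIDER_HOST = "wmiprvse.exe"
WMI_PERSISTENCE_EVENT_IDS = {5861}


@dataclass(frozen=True)
class Alert:
    host: str
    event_id: int
    reason: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_wmi_activity(events: Iterable[Mapping],
                        allowed_accounts: FrozenSet[str] = frozenset()) -> List[Alert]:
    """Return one Alert per event that indicates WMI use.

    allowed_accounts: lower-cased account names whose WMI client use is
    expected (constructed allowlist; an assumption of this example).
    """
    alerts: List[Alert] = []
    for ev in events:
        eid = ev.get("EventID")
        host = ev.get("Computer", "?")
        user = ev.get("SubjectUserName", "").lower()
        if eid == 4688:
            if user in allowed_accounts:
                continue  # known legitimate WMI user, not an early-warning signal
            image = _basename(ev.get("NewProcessName", ""))
            parent = _basename(ev.get("ParentProcessName", ""))
            if image in WMI_CLIENT_BINARIES:
                alerts.append(Alert(host, eid, f"WMI client {image} launched by {user}"))
            elif parent == WMI_PROVIDER_HOST:
                alerts.append(Alert(host, eid, f"{image} spawned by the WMI provider host"))
        elif eid in WMI_PERSISTENCE_EVENT_IDS:
            alerts.append(Alert(host, eid, "permanent WMI event consumer registered"))
    return alerts


if __name__ == "__main__":
    for alert in detect_wmi_activity(SAMPLE_EVENTS, frozenset({"svc-inventory"})):
        print(f"{alert.host}: event {alert.event_id}: {alert.reason}")
```

Run as-is it prints three alerts (the wmic.exe launch on WS01, the process spawned by WmiPrvSE.exe on WS02, and the consumer registration on WS03) and stays quiet on the allowlisted service account. The allowlist is the point of the "turn off legitimate WMI processes first" advice: the fewer expected WMI users there are, the closer "any WMI use" gets to being a high-confidence signal rather than noise.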
In order to mitigate the tactics outlined above, the following defensive changes are suggested:
- Retain decommissioned workstations and turn them into honeypots that serve as an early-warning system.
- Implement detection methods that record every keystroke of an attacker's activity.
- Make sure your tools can detect memory-only malware.
For more information regarding hacker tactics, see the full InfoWorld article.