“To the defender, it looks just like a normal tool that’s valid, that’s good, being used to do things it’s supposed to do,” Ullrich told Government Technology.

Both criminally motivated and nation state perpetrators use living off the land techniques, Ullrich said, and it’s been deployed both for indiscriminate attacks and those targeting specific victims. Hackers often used the method for espionage or to extort money by threatening to leak data.

Victims may find it easier to discover malicious code deployed on their networks than detect when a legitimate tool is used for harmful purposes. Ullrich gave another example during an RSA Conference panel on new attack techniques: A malicious party might direct victims’ backup solutions to also make copies to a storage destination owned by the hacker.

Attackers also might use cloud services to host malware, and send phishing links from web domains that users trust.

For example, cybersecurity firm Palo Alto Networks announced this week that the criminal group behind the SolarWinds attack has been hosting malware on popular cloud storage services like Google Drive and Dropbox. The hackers then send phishing emails with URLs, which will download malware from the cloud hosting and onto victims’ systems if clicked.

“This is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide,” Palo Alto wrote.

Victims also can’t simply block domains or infrastructure from cloud services they still need for conducting business, said Katie Nickels, cybersecurity firm Red Canary’s director of intelligence, during the RSA panel.

Perpetrators may also find living off the land attacks to be easier and more cost-effective, states LogRhythm. Hackers can skip building their own tools if they just use victims’. And using software their targets expect to see spares bad actors from needing to design programs capable of avoiding detection.

“Attackers that use already existing tooling avoid the need to build, test, and QA tools. They don’t have to worry about compatibility, dependencies, and so forth,” states LogRhythm.

The approach also may give attackers some camouflage if they are detected. Cybersecurity firm CrowdStrike states that, “If everyone is using similar tools, it’s more difficult to distinguish one group from another,” making attacks difficult to attribute.

Defenders can monitor for unusual patterns of behavior to detect living off the land attacks, and Darktrace recommends using AI-powered tools to identify “subtle deviations” in activities. Ullrich said organizations would particularly want to examine patterns in data volume and files being sent to cloud services.

“But again, since pretty much anything is legitimately now using these cloud services, it can be very difficult to impossible to really distinguish the malicious use from the normal use of all these tools,” he said. Attackers can also learn to keep their data exfiltration below the thresholds that would trigger warnings.

Another complication: hackers may linger on systems long after compromising them, all the while quietly collecting victims’ data. Entities trying to establish what normal behavior looks like on their systems - and thus, what, in comparison, is abnormal - must find a time before the compromise occurred. But they may find it challenging to determine how far back they need to look.

According to CrowdStrike, “many sophisticated adversaries spend months and years in their victims’ networks without being detected.” Organizations thus must analyze past activities to identify if and when infiltrations may have occurred.

ENDPOINT DETECTION AND LIMITING OPPORTUNITIES

Endpoint monitoring can help detect misbehavior after something has gone wrong, but trends like the shift to remote work have caused the number of endpoints to balloon, and organizations often rely on their cloud providers for help seeing what’s happening. Those insights often aren’t detailed enough to easily distinguish legitimate and nefarious activity, Ullrich said.
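The detection approach the article describes, examining patterns in data volume sent to cloud services, measuring "normal" from a period before the compromise, and the attacker habit of staying under the thresholds that trigger warnings, as an added Python example. This is not code from the article or from any of the firms it quotes. The hostnames, destination domains, dates, byte counts, the 100 MB per-day threshold, the 7-day window and the z-score cutoff of 3 are all constructed assumptions for the example.

```python
# Added example: baseline-and-deviation check for uploads to cloud storage.
# All hosts, domains, dates and byte counts below are constructed sample data.
from collections import defaultdict
from datetime import date, timedelta
import statistics

MB = 1_000_000
# Destinations treated as cloud storage (assumed list for the example).
CLOUD_STORAGE_DOMAINS = {"drive.google.com", "dropbox.com", "onedrive.live.com"}
DAILY_ALERT_BYTES = 100 * MB     # constructed DLP-style per-day alert threshold
WINDOW_DAYS = 7                  # rolling window for the baseline comparison
Z_THRESHOLD = 3.0                # z-score cutoff for the rolling check

NORMAL_MB = [40, 44, 38, 47, 43, 41, 45, 39, 46, 42]   # May 1-10, every host


def build_sample_logs() -> str:
    """Constructed proxy-style log lines: '<date> <host> <dest> <bytes_out>'.

    ws-finance-07 is compromised on May 11: its daily uploads roughly double
    but stay under DAILY_ALERT_BYTES. ws-eng-12 has one large burst on May 12.
    ws-hr-03 stays normal throughout.
    """
    per_host = {
        "ws-finance-07": NORMAL_MB + [88, 90, 87, 91, 89, 86, 90],
        "ws-eng-12":     NORMAL_MB + [44, 150, 42, 41, 45, 43, 40],
        "ws-hr-03":      NORMAL_MB + [41, 45, 40, 43, 44, 42, 46],
    }
    lines = []
    for host, mbs in per_host.items():
        for i, mb in enumerate(mbs):
            day = date(2022, 5, 1) + timedelta(days=i)
            lines.append(f"{day} {host} drive.google.com {mb * MB}")
            # intranet traffic: present in the logs, ignored by the checks
            lines.append(f"{day} {host} intranet.corp.example {200 * MB}")
    return "\n".join(lines)


def parse_logs(text: str) -> list[tuple[date, str, str, int]]:
    """Parse log lines into (day, host, destination, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day_s, host, dest, nbytes = line.split()
        records.append((date.fromisoformat(day_s), host, dest, int(nbytes)))
    return records


def daily_cloud_uploads(records) -> dict[str, dict[date, int]]:
    """Sum bytes per host per day, counting only cloud storage destinations."""
    totals: dict[str, dict[date, int]] = defaultdict(lambda: defaultdict(int))
    for day, host, dest, nbytes in records:
        if dest in CLOUD_STORAGE_DOMAINS:
            totals[host][day] += nbytes
    return totals


def daily_threshold_alerts(daily) -> list[tuple[str, str, int]]:
    """Check 1: any single day over the fixed per-day threshold."""
    return sorted((host, day.isoformat(), n) for host, series in daily.items()
                  for day, n in series.items() if n > DAILY_ALERT_BYTES)


def baseline_stats(series: dict[date, int], baseline_end: date) -> tuple[float, float]:
    """Mean and population std-dev of daily uploads up to and including
    baseline_end, i.e. the pre-compromise period the article says must be found.
    The std-dev is floored at 1 byte to avoid dividing by zero on flat data."""
    values = [n for day, n in series.items() if day <= baseline_end]
    if len(values) < 2:
        raise ValueError("baseline window too short")
    return statistics.mean(values), max(statistics.pstdev(values), 1.0)


def rolling_deviation_alerts(daily, baseline_end: date,
                             window=WINDOW_DAYS, z_limit=Z_THRESHOLD):
    """Check 2: rolling-window mean of daily uploads compared, as a z-score,
    against the pre-compromise baseline. Catches sustained sub-threshold
    exfiltration that check 1 never sees."""
    alerts = []
    for host, series in daily.items():
        mean, std = baseline_stats(series, baseline_end)
        for day in sorted(d for d in series if d > baseline_end):
            window_days = [day - timedelta(days=k) for k in range(window)]
            window_mean = sum(series.get(d, 0) for d in window_days) / window
            z = (window_mean - mean) / std
            if z > z_limit:
                alerts.append((host, day.isoformat(), round(z, 1)))
    return sorted(alerts)


def run_checks(log_text: str, baseline_end_iso: str):
    """Run both checks; baseline_end_iso is the last day known to be clean."""
    daily = daily_cloud_uploads(parse_logs(log_text))
    baseline_end = date.fromisoformat(baseline_end_iso)
    return daily_threshold_alerts(daily), rolling_deviation_alerts(daily, baseline_end)


if __name__ == "__main__":
    threshold, rolling = run_checks(build_sample_logs(), "2022-05-10")
    print("per-day threshold alerts:", threshold)
    print("rolling baseline-deviation alerts:", rolling)
```

Run as a script: the compromised finance host never trips the fixed 100 MB threshold, but the rolling check flags it from the second day of exfiltration onward. The engineering host's single 150 MB burst trips both checks, and stays in the rolling alerts for as long as that day sits inside the 7-day window. The choice of `baseline_end` is the point the article makes about finding a time before the compromise: move it to May 17 and the attacker's traffic is folded into "normal", so the finance host is never flagged.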