Cybercriminals don't need fancy tools or tricks to carry out their attacks. Legitimate IT tools are just as effective.
Security company LightCyber found in a recent analysis of attack activity data gathered from customers that while attackers may use malware to gain a foothold on the network, they rely on stolen credentials and standard networking and IT administration tools, remote desktop applications, and penetration testing software to move laterally across the network. If anti-malware tools misses the initial infection, the attackers' subsequent activity is invisible to the organization.
Legitimate IT tools and features built into the operating system let attackers easily move around the network, gather necessary information, and transfer data out without triggering any alarms from security defenses focused on malware detection.
Tools included Angry IP Scanner, PingInfoView, Nmap, Ping, NCrack, Mimikatz, Perl, Windows Credential Editor, Telnet, Private Shell SSH, VMware vSphere Client, TeamViewer, and WinVNC, LightCyber found.
Attackers used these tools the most during the reconnaissance phase of the attack, when they are looking for specific details about the network, the systems where valuable information is stored, and clues on how to get at those assets. Attackers often use host and port scans to map out network resources to get an inventory of relevant targets, such as file and application servers, LightCyber said.
IP address and port scanner Angry IP Scanner and network discovery and security auditing tool nmap were widely used for these purposes. Angry IP Scanner was the most popular networking tool used.
After learning the network topology, attackers may rely on "dual-use" admin and hacking tools to discover application and system vulnerabilities, monitor network traffic to steal user credentials and identify administrative users, and identify Active Directory and DNS servers. NCrack, Mimikatz, and Windows Credential Editor could be used to steal critical user credentials.
Organizations can detect these reconnaissance activities by monitoring internal network traffic and profiling normal host-to-host communication. Defenders need to be able to distinguish who can execute administrator-level tasks, and to spot anomalies in user behavior, protocol and application access, and file-share usage.
"A single attacker can easily trigger multiple reconnaissance alarms while exploring the network and searching for valuable assets," LightCyber noted.
Moving laterally through the network helps attackers find new assets to compromise and makes it harder for defenders to find them, even if the initial breach was discovered.
Attackers gain control of administrator machines or move onto valuable systems, such as databases. Administration tools let attackers move laterally across the network, execute code, create new users, and open up a reverse shell with the targeted machine.
Defenders need to look for credential abuse and excessive failed logins. A single device logging into network resources from distinct accounts may indicate an attack, for example. SecureCRT, an integrated SSH and telnet client, was the most commonly used admin tool, with Putty a close second.
Sign up for CIO Asia eNewsletters.