According to the LightCyber study, “it turns out that once attackers gain access to a network, the vast majority of activity makes use of benign processes and tools, not malware.”
The study claims that 99% of post-intrusion attack activity did not employ malware at all, but instead leveraged standard networking, IT administration and other tools already present on the host, improvising with whatever was available. While malware is commonly used to compromise a host initially, once inside a network the attackers typically stopped relying on it.
LightCyber says that attackers can “leverage ordinary end-user programs such as web browsers, file transfer clients and native system tools for command and control and data exfiltration activity.” By using these tools, attackers can remain undetected and regain access even if the malware used to initially enter the network is identified and removed.
One section of the report examines “The Sequence of a Targeted Attack.”
- Initial Intrusion (Exploit and Malware): During this phase, the attacker gains a foothold into the organization. External attackers often use exploits to gain access to private computer systems, and malware to perform opportunistic attacks, disrupt computer operations, or gather sensitive information. This report focuses on malware for this stage, regardless of how the infection happened.
- Command and Control: The communication between a compromised internal host and an attacker.
- Reconnaissance: Exploration from a compromised internal host to the organizational network looking for attack vectors and relevant resources for lateral movement.
- Lateral Movement: Lateral action from a compromised internal host to strengthen the attacker foothold inside the organizational network, to control additional machines, and eventually control strategic assets.
- Data Exfiltration: Transfer of sensitive information from a compromised internal host to the attacker.
LightCyber says that during the initial stage, the attacker tries to penetrate the target organization’s network by compromising a host. One of the first signs of an intrusion may be an infected client “phoning home” by trying to contact a command and control server. To detect this, organizations can profile normal user and device activity, so that a device that repeatedly reaches a destination almost no other device in the organization contacts stands out against the baseline. However, LightCyber observes that “command and control activity can be easily disguised since the attacker owns both points of the communications. For example, an attacker can use popular services such as web-based email or social media sites like Twitter or Reddit for command and control.” In that case the destination is not rare at all, and the rarity check alone will not fire; what may still stand out is the timing of the contacts, since a beacon tends to call home on a fixed schedule that ordinary browsing does not follow.
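The two detection ideas in the paragraph above, written out as an added example (this is not code from the LightCyber report or any product; the log lines are constructed, and the whitespace-separated layout of timestamp, source host and destination is an assumption). The first check profiles how many distinct hosts talk to each destination and flags a host that repeatedly contacts a destination nobody else uses. The second ignores destination popularity and looks only at how evenly spaced a host's contacts are, which is what still shows a beacon riding on a popular service. The sample log contains one host beaconing to an unknown domain and another beaconing, on the same two-minute period, to a service three hosts legitimately use.

```python
"""Rare-destination and beacon-regularity checks over a constructed proxy log.

Added example, not code from the LightCyber report. The log format below
(ISO timestamp, source host, destination host) is an assumed layout.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: ws-12 beacons to an unknown domain every 2 minutes;
# ws-07 beacons to api.social.example every 2 minutes, but ws-12 and ws-31
# also visit api.social.example once each, so that destination is not rare.
SAMPLE_LOG = """\
2024-03-01T09:00:00 ws-12 mail.example.com
2024-03-01T09:00:05 ws-12 cdn.example.net
2024-03-01T09:00:30 ws-07 mail.example.com
2024-03-01T09:01:00 ws-12 upd.zx9-cdn.top
2024-03-01T09:01:30 ws-07 api.social.example
2024-03-01T09:02:00 ws-07 cdn.example.net
2024-03-01T09:03:00 ws-12 upd.zx9-cdn.top
2024-03-01T09:03:30 ws-07 api.social.example
2024-03-01T09:04:10 ws-31 mail.example.com
2024-03-01T09:04:40 ws-31 api.social.example
2024-03-01T09:05:00 ws-12 upd.zx9-cdn.top
2024-03-01T09:05:30 ws-07 api.social.example
2024-03-01T09:06:00 ws-31 cdn.example.net
2024-03-01T09:06:20 ws-12 api.social.example
2024-03-01T09:07:00 ws-12 upd.zx9-cdn.top
2024-03-01T09:07:30 ws-07 api.social.example
2024-03-01T09:08:00 ws-07 files.example.com
2024-03-01T09:09:00 ws-12 upd.zx9-cdn.top
2024-03-01T09:09:30 ws-07 api.social.example
2024-03-01T09:10:00 ws-31 files.example.com
"""


def parse_log(text):
    """Return a list of (timestamp, src_host, dest_host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), src, dst))
    return events


def profile_destinations(events):
    """Baseline: number of distinct internal hosts that contact each destination."""
    hosts_per_dest = defaultdict(set)
    for _, src, dst in events:
        hosts_per_dest[dst].add(src)
    return {dst: len(hosts) for dst, hosts in hosts_per_dest.items()}


def contacts_by_pair(events):
    """Group contact timestamps by (src_host, dest_host)."""
    contacts = defaultdict(list)
    for ts, src, dst in events:
        contacts[(src, dst)].append(ts)
    return contacts


def beacon_regularity(times):
    """Coefficient of variation of the gaps between contacts.

    Near 0 means evenly spaced contacts (a fixed-period beacon); None if
    there are too few contacts to judge.
    """
    if len(times) < 3:
        return None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg else None


def find_rare_destination_repeaters(events, max_hosts=1, min_contacts=3):
    """Hosts that repeatedly reach a destination shared by at most max_hosts hosts."""
    popularity = profile_destinations(events)
    alerts = []
    for (src, dst), times in contacts_by_pair(events).items():
        if popularity[dst] <= max_hosts and len(times) >= min_contacts:
            alerts.append({"host": src, "dest": dst, "count": len(times),
                           "regularity": beacon_regularity(times)})
    return sorted(alerts, key=lambda a: (a["host"], a["dest"]))


def find_regular_beacons(events, min_contacts=4, max_cv=0.1):
    """Host/destination pairs contacted on a near-fixed period, popular or not."""
    alerts = []
    for (src, dst), times in contacts_by_pair(events).items():
        cv = beacon_regularity(times)
        if len(times) >= min_contacts and cv is not None and cv <= max_cv:
            alerts.append({"host": src, "dest": dst, "count": len(times),
                           "regularity": cv})
    return sorted(alerts, key=lambda a: (a["host"], a["dest"]))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("rare-destination repeaters:", find_rare_destination_repeaters(evs))
    print("regular beacons:", find_regular_beacons(evs))
```

On the sample log the rarity check flags only ws-12 talking to upd.zx9-cdn.top, while the regularity check flags both that pair and ws-07 talking to api.social.example. Thresholds of one host and three contacts are illustrative; on a real network they would be tuned against the observed baseline, and both checks produce leads to investigate rather than verdicts, since software update clients and monitoring agents also poll on fixed periods.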
As LightCyber concludes, “The most mundane applications, in the wrong hands, can be used for malicious purposes.”