CrowdStrike’s VP of Falcon OverWatch, Param Singh, explores…
Threat actors are continually evolving and adapting to evade cybersecurity measures. Now, in a final death blow to old signature-based cybersecurity solutions, malware-free, interactive intrusions outnumbered malware-based attacks by around 3:2 in 2021. Organisations must improve their understanding of the current threat landscape to allow them to reinforce their defences against ransomware threats appropriately.
Understanding where the attacks are coming from and how adversary groups are spreading across systems using tools built into the operating system is the first step to combating these adversaries.
What is the current threat landscape?
Cyber adversaries certainly kept up the pace in 2021, with many adapting to a changing target landscape. Although some bad actors and ransomware operators ceased operations in 2021, the overall number of active ransomware groups has skyrocketed.
Research shows an 82% increase in ransomware-related data leaks in 2021, with 2,686 attacks as of Dec. 31, 2021, compared to 1,474 in 2020. These figures, coupled with other data leaks, highlight how valuable victim data still is to adversaries.
The key theme observed throughout 2021 was that adversaries have the ability to evolve, and will continue to change their practices, adopting new approaches or malware at any possible moment.
The new tricks of the criminal trade
Cyber criminals are constantly adapting. The idea of ‘bad files’ downloaded by an unaware user is a thing of the past. Today’s sophisticated attacks involve human cyber criminals using a blend of specialist tools, network utilities that are already installed and everyday apps.
New tactics, techniques and procedures used in data theft attacks in 2021 have greatly aided adversaries in extorting their victims. For example, threat actors such as BITWISE SPIDER have avoided using publicly available exfiltration tools by creating their own.
Another significant development was increased data theft and extortion without the use of ransomware, leading to the establishment of new marketplaces dedicated to advertising and selling victim data.
Attackers are increasingly attempting to accomplish their objectives without using malware. Instead, they have been observed using stolen yet legitimate organisation credentials, software and operating system vulnerabilities, and built-in tools. This last approach is known as “living off the land” and allows them to evade detection by outdated legacy antivirus products. As mentioned above, in the fourth quarter of 2021, 62% of attacks were completely malware-free.
After threat actors have entered an organisation through stolen legitimate credentials, their aim is then to move laterally through the system. For example, the threat actor WIZARD SPIDER was observed to move laterally to a third domain controller through a Windows administrative share and set AnchorDNS to run as a service using native tooling. The cyber criminals’ aim here is to increase their permissions, become an administrator and have total control over the company’s operating system.
Once the threat actors have located an enterprise’s valuable data, they need to find a way to collect this information without arousing suspicion or triggering detection. One common tactic is using the native screen capture tool. This allows adversaries to capture sensitive company data from a victim’s operating system, either by taking a single screenshot or by scheduling captures at regular intervals so that no single action stands out.
Screen capture can be done using existing, native and legitimate system features, making it difficult for legacy antivirus to detect. To view files and record settings, criminals have been known to use the humble Notepad application or Microsoft Paint.
Organisations need to fight fire with fire
Understanding the threat landscape is crucial to knowing who and what you’re up against. But this is only step one. Enterprises need to adopt new-age protective measures and cyber security practices.
In the past, organisations would use legacy antivirus. These outdated cyber protection techniques use strings of characters called signatures associated with specific types of malware to detect and prevent further attacks of similar types. This approach is becoming obsolete because, as mentioned above, over half of intrusions (and rising) are malware-free. Legacy antivirus leaves organisations locked into a reactive mode, only able to defend against known malware and viruses catalogued in the antivirus provider’s database.
But luckily, there is a solution that meets today’s standards. Next-generation antivirus (NGAV), accompanied by other tools, eliminates legacy antivirus’ shortcomings as it integrates more sophisticated prevention methods such as machine learning, behavioural detection, and big data. This removes the sole reliance on signatures to detect malicious activity.
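To make the contrast concrete, here is an added illustration (not CrowdStrike's or Falcon's code) of why a hash-signature check misses the living-off-the-land activity described above (a service set up through an administrative share, a recurring scheduled task) while a behavioural rule over the same process telemetry flags it. The telemetry records, their field names, the hypothetical host and user names and the placeholder hash set are all constructed for the example.

```python
import re

# Constructed placeholder standing in for a legacy signature database:
# hashes of known malware. Trusted system binaries are never listed here.
KNOWN_BAD_HASHES = {"0" * 64}

# Constructed process-creation telemetry (hypothetical hosts, users, hashes).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "corp\\svc_backup", "sha256": "a1" * 32,
     "cmdline": r"sc.exe \\DC03 create updsvc binPath= \\DC03\ADMIN$\upd.exe start= auto"},
    {"host": "WS01", "user": "corp\\svc_backup", "sha256": "b2" * 32,
     "cmdline": r"schtasks.exe /create /sc minute /mo 5 /tn sync /tr C:\Users\Public\sync.exe"},
    {"host": "WS02", "user": "corp\\jdoe", "sha256": "c3" * 32,
     "cmdline": r"notepad.exe C:\Users\jdoe\notes.txt"},
]

# A UNC path pointing at one of the default administrative shares.
ADMIN_SHARE = re.compile(r"\\\\[^\\\s]+\\(admin\$|c\$)", re.IGNORECASE)
# schtasks /create with a minute-based schedule; group 1 is the /mo interval.
SHORT_TASK = re.compile(
    r"schtasks(?:\.exe)?\s.*?/create\b.*?/sc\s+minute\b(?:.*?/mo\s+(\d+))?",
    re.IGNORECASE)


def signature_scan(events):
    """Legacy approach: an event is bad only if the binary's hash is catalogued."""
    return [e for e in events if e["sha256"] in KNOWN_BAD_HASHES]


def behavioural_scan(events, max_minutes=15):
    """Behavioural approach: judge what a trusted binary is being used to do.

    Returns (host, rule_name) tuples; the binaries themselves are all legitimate.
    """
    findings = []
    for e in events:
        cmd = e["cmdline"]
        # Service creation whose binary lives on an administrative share.
        if (re.match(r"sc(?:\.exe)?\s", cmd, re.IGNORECASE)
                and re.search(r"\bcreate\b", cmd, re.IGNORECASE)
                and ADMIN_SHARE.search(cmd)):
            findings.append((e["host"], "service_created_from_admin_share"))
        # Recurring task firing at least every max_minutes (default /mo is 1).
        m = SHORT_TASK.search(cmd)
        if m and int(m.group(1) or 1) <= max_minutes:
            findings.append((e["host"], "high_frequency_scheduled_task"))
    return findings


if __name__ == "__main__":
    print("signature hits:", signature_scan(SAMPLE_EVENTS))
    for host, rule in behavioural_scan(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Both rules fire on events whose image hash is not, and never will be, in the signature set, which is the gap the paragraph describes; in practice such rules sit alongside allow-lists for the organisation's own administrative tooling to keep the alert volume manageable.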
NGAV protects against known and unknown threats, which is increasingly important as the use of fileless attacks rises among attackers. NGAV enables both types of threats to be exposed in near real-time and is much more effective at helping organisations block these threats at a far greater speed than in the past.
The most sophisticated and effective NGAV solutions will also possess a human element. Threat actor data is passed over to specialised threat hunting teams that can detect hidden attacks and new techniques that may have been missed during the automated process. This allows any hidden indicators of attack to be spotted and stopped.
Cyber criminals are constantly updating the way they carry out ransomware attacks. Organisations need to adopt this exact same evolutionary mentality. Companies that remain at a standstill and refuse to evolve with the times to keep up with the criminals will continue to fall victim to these ever-adapting ransomware attacks.
Enterprises need to improve their cyber security hygiene and upgrade to the most effective NGAV on the market that allows them to truly safeguard against these new ransomware methods of attack.