Advanced nation state hackers are increasingly shifting their tactics to evade traditional defense tools, use firms' own technologies against them, and exploit virtualization to stay hidden, according to a leading security expert.
Lee Lawson, who works in the Counter Threat Unit at Dell SecureWorks, spends his time monitoring the movements of nation state actors and helping defend customers from their raids.
He warned that organizations today are faced with a “moving battlefield” where hackers largely operate with impunity.
“Your experience can be your own worst enemy because ‘you’ve always done it this way’,” he warned. “You need to evolve with your adversary.”
Nation state hackers are “mission oriented,” meaning if they are “kicked out” once, they’ll adapt their techniques to get back into your network in a more covert way to carry out their goals, Lawson explained.
He pointed to three new trends in the APT/targeted attack space for IT security bosses to consider.
The first is “defensive evasion” – where the hacker will typically go looking for the security tools being used by their target in order to find out how they detect threats.
Lawson explained how in one case a hacker monitored a Kaspersky Lab product to ascertain what virus alerts were being triggered. In another case an attacker was monitoring successful log-ins in a target organization to work out what passed as “normal” behavior, in a bid to stay hidden from anomaly detection filters.
“They know what tools you are using. They come to events like this,” warned Lawson. “And they use that information to evade [those tools].”
The second technique increasingly being used by the state-sponsored black hats he termed “living off the land” – that is, ditching malware once inside an organization and instead trying to stay hidden by leveraging a target’s own technologies.
In this way, the commonly used Windows Management Instrumentation (WMI) service could be subverted to create an event subscription that executes a script to enable guest and admin accounts, check in with a C&C server, and more.
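As an added defensive illustration, not part of the article or of SecureWorks' material: the technique above relies on a permanent WMI event subscription (a filter bound to a consumer), and the PowerShell function below lists those subscriptions and flags the consumer types that can run a command or script. The function and helper names are my own; the WMI classes referenced are the real ones found in the root\subscription namespace.

```powershell
# Added example: enumerate permanent WMI event subscriptions and flag
# consumers that execute code. Assumes Windows PowerShell 5.1 or PowerShell 7
# with the CIM cmdlets, run from an elevated prompt.

function Get-RefName($ref) {
    # CIM returns reference properties as CimInstance objects; older WMI
    # output returns them as path strings such as __EventFilter.Name="x".
    if ($ref -is [string]) { return ($ref -replace '^.*Name="([^"]*)".*$', '$1') }
    return $ref.Name
}

function Get-WmiPersistence {
    [CmdletBinding()]
    param()

    $ns = 'root\subscription'
    # Consumer classes that run arbitrary code when their filter fires.
    $execConsumers = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')

    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue

    foreach ($b in $bindings) {
        $filterName   = Get-RefName $b.Filter
        $consumerName = Get-RefName $b.Consumer

        $f = $filters   | Where-Object Name -eq $filterName
        $c = $consumers | Where-Object Name -eq $consumerName
        $type = $c.CimClass.CimClassName

        # The payload lives in CommandLineTemplate (command) or ScriptText (script);
        # other consumer types have neither, so this stays $null for them.
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                   elseif ($c.ScriptText)      { $c.ScriptText }
                   else                        { $null }

        [PSCustomObject]@{
            Filter       = $filterName
            Query        = $f.Query          # the WQL trigger, e.g. a timer or logon event
            Consumer     = $consumerName
            ConsumerType = $type
            Payload      = $payload
            Suspicious   = ($execConsumers -contains $type)
        }
    }
}

# Show only subscriptions whose consumer can execute code.
Get-WmiPersistence | Where-Object Suspicious | Format-List
```

Baseline a clean host first: a few vendor subscriptions are normal, so the useful signal is a code-executing consumer that is new or whose payload is not recognised.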
Finally, the most advanced black hats are in some cases looking to take advantage of the power of virtualization to remain undetected once an organization has been breached.
In one attack spotted by Dell SecureWorks, an attacker was able to download Oracle VirtualBox and a virtual machine image, and then carry out various clean-up actions to completely hide it from network administrators.
By setting up a covert VM the attackers could operate with impunity – in this instance downloading TeamViewer to gain remote access.
To mitigate these risks, organizations must look to tools which can respond to such developments in a fast and flexible manner – producing new rules which can react to discoveries like these within minutes, Lawson argued.