Last updated at Tue, 09 May 2023 18:43:41 GMT

When InsightIDR was purpose-built to detect compromised credentials in the first months of 2014, we did so because we had identified a significant gap in the detection solutions available to security teams. The 2014 Verizon DBIR happened to subsequently quantify the size of this gap (and the 2015 and 2016 reports repeated the finding). User behavior analytics, as an industry, emerged to cover this gap in SIEM and other solutions. This does not mean that malware is not heavily used in attacks today, but a great deal of prevention and detection is already in place for malware, and you also need to detect the malicious activity that malware-focused tools miss.

Perfect malware detection can detect less than one-third of attacker actions

Antivirus vendors first started to release consumer software around 1990. In the twenty-four years since then, a great deal of innovation has occurred in both (a) malware development and (b) malware detection. Attackers have created full supply chains for malware, the most famous of which grew up around the Zeus Trojan (which is still around!), and malware detection now ranges from the modern evolution of that original antivirus software to the more innovative solutions of the past few years that leverage sandboxing and kernel-layer software agents. None of these solutions, on its own, can completely stop malware from reaching your organization or claim to detect its operation 100% of the time. However, by layering a few of these solutions with some perimeter defenses, your organization can detect a sizable share of the malware in the wild.

What any red team can tell you is that today's attackers can breach your organization using "attack tools" that often double as administrator tools, like Windows Credential Editor (WCE) and PsExec. Just as more usable software has made it possible to receive Facebook updates from our grandparents, improved software has enabled criminals with serviceable technical skills to run exploits by hand and use stolen credentials to compromise your organization. This rise in malicious acts that can be, and are, carried out against networks without any automated malicious software (malware) is what concerned us. Verizon places these acts in the "hacking" bucket, whereas the theft or guessing of your credentials falls in the "social" bucket. As you can see from their data, these two categories of actions have comprised more than half of all malicious activities since 2008 and represented over two-thirds of all "threat actions" in 2013. It makes sense when you consider the return on investment that I discussed in my previous post.

Two well-publicized attacks show just how little malware is used in some attacks

It is likely that you remember hearing the news that RSA was attacked in 2011. I have no doubt that you know a great deal about the Target breach in 2013. Even the hack of The Hacking Team in 2015 is a perfect example. If you look at these breaches, about which more details have been made public than almost any others in history, you can see just how little malware is sometimes used by attackers. For good reason, a lot of detail is never released to the public, but what we do know is that malware played two very different roles in these breaches:

  • Once as the initial entry point into RSA's network via an email attachment, before a great deal of lateral movement with scraped credentials and hashes
  • Once as a means to scrape credit card details from memory on point-of-sale systems, after initially entering the Target network and moving laterally to those systems with credentials stolen from Target's HVAC vendor

In both cases, there were far more malicious actions involving stolen credentials than malware, and neither the credential misuse nor the malware was what led to detection in either attack. Malware was not the only option for entering RSA, and it was not the only way to get credit card data out of Target; in both cases, it was simply what worked. From the information available on the non-POS portion of the Target breach, the personal information of millions of Americans (including mine) was not stolen with malware, either.

Think like an attacker: they use malware when it suits them

At Rapid7, our research team, services organization, and product teams are constantly challenged to "think like an attacker," whether that means helping you to defend your organization, simulating attacks with exploits, credentials, and social engineering, or detecting attacks as early as possible. If I ask some of our experts how to get in and get data out, their response is always "it depends on what works." As long as attackers are able to stay undetected while they experiment, there is a great deal of iteration in their process:

  • Entry: Try some mass-market malware, because you might get lucky. That didn't work? Okay, try phishing a user for their credentials. That didn't work? Okay, use your expensive 0-day.
  • Data theft: Install some malware on a processing system. Cannot find anything valuable? Okay, try reading data straight out of a database.

Any one attacker may be partial to trying malware first or to impersonating users at any stage of an attack, but they are willing to use either to find success. If all of your defenses are focused on preventing and detecting malware, they are going to lean on their other tools to compromise your network and move from system to system. If you want to successfully detect attackers, you need solutions for detecting both malware and compromised credentials to maximize your chances.

If you want to learn more about how InsightIDR can increase your chances of detecting malicious activity, please contact us to schedule an InsightIDR demo. We think you will appreciate our approach.

Not ready for a demo? See how Rapid7 products and services help you detect attacks leveraging compromised credentials here.