Network intruders are staying longer and going after wider swathes of machines with their attacks.
This is according to the latest quarterly report (PDF) from security company Carbon Black, which analysed various incident reports from about 40 of its enterprise customers. It found that attackers are doing more to cover their tracks in hopes of staying on the victim's network for longer periods of time.
In the last three months alone, Carbon Black said it logged a 5 per cent jump (10 per cent in the last six months) in reports of hackers using measures to hit back at security tools and administrators – from 46 per cent in Q3 2018 to 56 per cent in Q1 2019. This includes deleting logs, disabling antivirus, hijacking legitimate processes, and turning off firewalls.
So, hackers hack, and do hacker things. What's so noteworthy about that?
For starters, this additional attention being paid to making sure they're undetected is part of a larger strategy by attackers to stay in the networks they infiltrate for longer. With that extra time, the hackers are looking to get more out of the systems they compromise.
"They've moved away from smash-and-grab to home invasion," Carbon Black chief cybersecurity officer Tom Kellermann told The Register. "Hackers truly want to own that system; they want to own that infrastructure."
Part of the cause is a skyrocketing rate of attackers targeting intellectual property. As companies (and governments) in China and Russia increasingly look to lift tech and documents from their competitors, IP theft was cited as the motivation for 22 per cent of attacks the security outfit observed, up from 5 per cent the previous quarter.
The second major trend was toward "island hopping" – a favourite term Carbon Black uses to describe attackers working their way from one compromised network to that of another company further up the supply chain.
The report noted that a full 50 per cent of the attacks examined in the quarter were carried out as part of an "island hopping" operation that originated at a supply chain member or other partner company.
While the technique itself is not new, the frequency of such attacks and the reason behind them is unprecedented. Kellermann said hackers will now not simply look to compromise a large business, but also to steal its identity to an extent. A bad guy might, for example, take over a network and then commandeer an email server to perform a "reverse" email compromise and spear-phishing attacks. "Once the adversaries have hopped into the island, they use the brand of the victim," he explained.
"The true crown jewel is the brand of that organization."
I can't believe WMI and Powershell is still being misused in such a dramatic fashion...
This, again, gives the bad guy motivation to cover their tracks, hoping to use a single breached system or network as a foothold to pull more valuable intellectual property and get at additional companies.
While the trends themselves are indicative of larger issues (such as politics and foreign policy) that won't be easy to solve, there are some simple technical specs and behaviors that Kellermann recommends.
First off, the Carbon Black exec noted, admins and security professionals should take a more nuanced approach when looking at an incident. For example, he said, don't assume the attacker has gone, but rather try as quietly as possible to collect evidence and be wary an intruder might try countermeasures.
Vendors also have a role, in particular Microsoft. Kellermann said Redmond needs to step up its game and lock down its remote administration tools in order to better protect its enterprise customers.
"I can't believe WMI and Powershell is still being misused in such a dramatic fashion," he said. "It is time Microsoft got their act together." ®