Forget about the malware, go after attackers’ tactics, techniques and procedures

The cybercriminal’s options for monetizing attacks have never been broader, less complex, or less risky, and attempts to detect intrusions by detecting the malware attackers use have never been more pointless, a study commissioned by Arbor Networks has revealed.


“Nearly everything used by the attacker is now disposable, making most threat data and traditional anti-virus techniques almost useless. Industry sources have found that the vast majority of malware (over 95%) is automatically generated to produce unique binaries that are only used once and then discarded. Attack infrastructure, such as domains, IP addresses and servers are also largely disposable to attackers,” the polled white-hats noted.

What should defenders look for, then? And which defense techniques should they employ? The answer to the first question is: attackers’ tactics, techniques and procedures (TTPs).

Those change depending on the target, but most attackers will continue using the techniques that work. According to the study, a comparatively small number of TTPs resurface again and again in attacks, and many of them can be addressed through simple configuration changes and other no-cost or low-cost approaches.

The professional criminal hacker

The great majority of criminal hackers will always try to get the largest possible payoff through the lowest possible effort.

They won’t write attack tools if they can get their hands on serviceable ones created by others (malware, or legitimate pentesting and other tools), and they will usually go first for the lowest-hanging fruit and follow the path of least resistance.

But, as the white-hats noted, defenders must keep in mind that an effective defense usually doesn’t deter attackers, it simply forces them down a different path, so defenders need to predict the attackers’ next move before it happens.

Attackers love simplicity and, in general, prefer to keep the risk to themselves as minimal as possible.

If we take all these things into consideration, it is no wonder that we’ve seen the majority of them move from stealing payment and identity data to ransom(ware) attacks, DDoS attacks, and scams that rely on effective spear-phishing.

“The anonymity of Tor and Bitcoin simplify the attacker’s payroll and getaway while reducing risk of exposure considerably,” the study noted.

Most common TTPs, and defenses against them

Each attack stage comes with specific TTPs.


In the reconnaissance stage, the attackers are most likely to use spear-phishing, go after less diligently defended assets (employees’ personal email accounts and devices instead of corporate ones, or systems that are not supposed to be in production), and search for accidentally leaked information (e.g. AWS and SSH keys in GitHub repositories).

Defenders should, therefore, concentrate on defending the individual instead of just corporate assets and accounts, and get a good idea of what information attackers may glean about their network and company from the outside (through search engines, social media, pastebin sites, Shodan, etc.).

Getting a foothold in the target organization is the next step. To that end, attackers will try to target users outside the relative safety of the corporate perimeter if they can (with malware that comes in several stages, automated attack platforms that can auto-generate malware guaranteed to bypass anti-malware products, etc.).

Once inside, the attackers are usually not very stealthy, but defenders don’t spot them because they are overwhelmed with false positives and less important alerts from security tools. The attackers will go after the low-hanging fruit: the employees. They spam them with malicious attachments and links, and take advantage of unpatched software.

“More than just the operating system and its components need to be patched and/or protected,” the white-hats advise. “Determine if all third-party software is actively needed and used.” If not, turn it off. Also, keep on top of the vulnerabilities and exploits being used.

Once inside, the attackers will also use common IT tools that are likely not to be noticed right away. To spot this use, defenders must know what the usual state of things is, and then look for anomalies. Exfiltration of information can be spotted by being on the lookout for unusual destination IPs, protocols that aren’t usually used, and large data transfers.
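The baseline-then-anomaly approach described above, as an added example (not taken from the study or the article): it profiles each host's usual destinations, protocols and transfer sizes, then flags flows that depart from that profile. The flow record layout, the host names and the `size_factor` threshold are assumptions, and all records are constructed.

```python
from collections import defaultdict

BASELINE = [  # constructed records: (source host, destination IP, protocol, bytes out)
    ("ws-014", "10.0.5.20", "smb", 65_000),
    ("ws-014", "198.51.100.7", "https", 120_000),
    ("db-02", "10.0.5.31", "postgres", 2_000_000),
    ("db-02", "10.0.5.31", "postgres", 2_500_000),
]
OBSERVED = [  # constructed records from the monitored period
    ("ws-014", "198.51.100.7", "https", 110_000),    # matches the baseline
    ("ws-014", "203.0.113.50", "https", 80_000),     # destination never seen
    ("ws-014", "198.51.100.7", "ftp", 30_000),       # protocol never used
    ("db-02", "10.0.5.31", "postgres", 40_000_000),  # far larger than usual
    ("db-02", "203.0.113.50", "dns", 20_000_000),    # all three signals at once
]

def build_baseline(flows):
    """Record, per source host, the destinations, protocols and largest transfer seen."""
    profile = defaultdict(lambda: {"dsts": set(), "protos": set(), "max_bytes": 0})
    for src, dst, proto, sent in flows:
        p = profile[src]
        p["dsts"].add(dst)
        p["protos"].add(proto)
        p["max_bytes"] = max(p["max_bytes"], sent)
    return dict(profile)

def find_anomalies(profile, flows, size_factor=5):
    """Return (flow, reasons) for every flow that departs from its host's baseline."""
    findings = []
    for flow in flows:
        src, dst, proto, sent = flow
        p = profile.get(src)
        if p is None:  # a host with no history cannot be judged against a baseline
            findings.append((flow, ["no baseline for host"]))
            continue
        reasons = []
        if dst not in p["dsts"]:
            reasons.append("unusual destination")
        if proto not in p["protos"]:
            reasons.append("unusual protocol")
        if sent > size_factor * p["max_bytes"]:
            reasons.append("large transfer")
        if reasons:
            findings.append((flow, reasons))
    return findings

if __name__ == "__main__":
    for flow, reasons in find_anomalies(build_baseline(BASELINE), OBSERVED):
        print(flow, "->", ", ".join(reasons))
```

Keeping the baseline per host is what lets a 40 MB transfer from a database server stand out while routine workstation traffic stays quiet, which keeps the alert volume low.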

Finally, defenders should keep an eye on lists of leaked credentials and see if any of them can be used in their networks, make sure that attackers can’t leverage SQL injection against them, and make sure that their data in the cloud is adequately protected.
