Cybercriminals are adapting their attack techniques, moving away from attacks waged with malware to using compromised credentials linked to privileged accounts to invade networks and systems, according to researchers at Dell SecureWorks.
More attackers are using native system tools and resources, most often going after privileged accounts, such as service accounts or domain administrator accounts, and using "the native capabilities of an environment to further their objective," said Phil Burdette, senior security researcher at Dell SecureWorks' Counter Threat Unit, in an interview with Information Security Media Group at RSA Conference 2016.
"This enables them to connect to other systems in the enterprise, by moving laterally to file servers and domain controllers or point-of-sale systems. Ultimately, there's a lot of focus in the security community around detecting malware and the infrastructure used by the malware, but it's important to also consider the possibility that an adversary may not need malware to achieve their objective, because they are going to follow the path of least resistance."
Attackers are using compromised credentials to access critical systems, say Burdette and Joe Stewart, director of malware research for the Counter Threat Unit.
So how are credentials compromised? "We repeatedly see phishing emails purporting to be from the IT security staff, saying, 'We recently updated our new system, please log in to test your credentials,'" Burdette says. "And once the unknowing victim enters their credentials, those same credentials are used to remotely access the victim network masquerading as a legitimate user, usually through their VPN [virtual private network] solution or their Citrix solution, or even potentially accessing their email through Outlook Web Access."
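The pattern Burdette describes leaves a trail in authentication logs even when no malware is involved: a privileged or service account arriving through a remote-access gateway, a service account logging on interactively, and one account touching many hosts in a short window. The following is an added illustration of how a defender might check for those three signals; it is not from the article or from Dell SecureWorks' own tooling. The log line format, the account names, the privileged-account lists and the thresholds are all constructed assumptions for the example.

```python
"""Heuristics for spotting credential abuse that uses native tools, not malware.

Added example (not from the article or Dell SecureWorks). The log format,
account names and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one successful authentication per line.
# channel = where the logon arrived (vpn / owa / citrix / internal)
# dest    = the host the account authenticated to
# logon   = network or interactive
SAMPLE_LOG = [
    "2016-03-01T08:02:11 user=alice channel=vpn dest=vpn-gw logon=network",
    "2016-03-01T08:05:40 user=alice channel=internal dest=fs01 logon=network",
    "2016-03-01T09:10:05 user=svc-backup channel=vpn dest=vpn-gw logon=network",
    "2016-03-01T09:11:20 user=svc-backup channel=internal dest=fs01 logon=network",
    "2016-03-01T09:11:52 user=svc-backup channel=internal dest=fs02 logon=network",
    "2016-03-01T09:12:30 user=svc-backup channel=internal dest=dc01 logon=interactive",
    "2016-03-01T09:13:03 user=svc-backup channel=internal dest=pos-17 logon=network",
    "2016-03-01T09:13:41 user=svc-backup channel=internal dest=pos-18 logon=network",
    "2016-03-01T10:00:00 user=bob channel=owa dest=mail01 logon=network",
    "2016-03-01T14:30:00 user=da-carol channel=internal dest=dc01 logon=interactive",
]

# Assumed account classes; in a real deployment derive these from directory
# group membership rather than hard-coding them.
PRIVILEGED = {"svc-backup", "da-carol"}
SERVICE_ACCOUNTS = {"svc-backup"}
REMOTE_CHANNELS = {"vpn", "owa", "citrix"}
FANOUT_HOSTS = 4                      # distinct hosts that count as fan-out
FANOUT_WINDOW = timedelta(minutes=10)  # ...inside this window


def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def privileged_remote_logons(records):
    """Rule 1: a privileged account authenticating via a remote-access gateway.

    Phished credentials are typically replayed through VPN, Citrix or OWA;
    privileged accounts normally have no business arriving that way.
    """
    return sorted({r["user"] for r in records
                   if r["user"] in PRIVILEGED and r["channel"] in REMOTE_CHANNELS})


def service_interactive_logons(records):
    """Rule 2: a service account used for an interactive logon.

    Service accounts run scheduled tasks and daemons; an interactive session
    under one usually means a person (or intruder) is driving it.
    """
    return sorted({r["user"] for r in records
                   if r["user"] in SERVICE_ACCOUNTS and r["logon"] == "interactive"})


def lateral_fanout(records, max_hosts=FANOUT_HOSTS, window=FANOUT_WINDOW):
    """Rule 3: one account reaching >= max_hosts distinct internal hosts
    within `window`. Returns {user: peak_distinct_hosts} for offenders."""
    by_user = defaultdict(list)
    for r in records:
        if r["channel"] == "internal":
            by_user[r["user"]].append((r["ts"], r["dest"]))
    hits = {}
    for user, events in by_user.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            hosts = {d for t, d in events[i:] if t - start <= window}
            peak = max(peak, len(hosts))
        if peak >= max_hosts:
            hits[user] = peak
    return hits


def analyze(lines):
    """Run all three rules over raw log lines and return the findings."""
    records = [parse_line(l) for l in lines]
    return {
        "privileged_remote": privileged_remote_logons(records),
        "service_interactive": service_interactive_logons(records),
        "lateral_fanout": lateral_fanout(records),
    }


if __name__ == "__main__":
    for rule, finding in analyze(SAMPLE_LOG).items():
        print(f"{rule}: {finding}")
```

In the constructed sample, `alice` and `bob` use remote access as ordinary users and trigger nothing, and `da-carol` is a domain administrator working interactively on a domain controller from inside the network, which is expected. `svc-backup` trips all three rules: it arrived over the VPN, logged on interactively to `dc01`, and touched five hosts (file servers, a domain controller and point-of-sale systems) in under three minutes. Each rule on its own produces false positives in some environments; the point is that the combination, not any single event, matches the malware-free intrusion described above, and that the third rule needs no knowledge of which accounts are privileged.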
During this interview, Burdette and Stewart also discuss:
- How nation-state tactics are being adopted and adapted by cybercriminals;
- How a new open source solution can be used to help identify hacker intrusions;
- Why anti-phishing training is such a necessity; and
- Why limiting access to privileged accounts reduces risk.
At Dell SecureWorks, Burdette leads targeted threat response engagements and performs intrusion analysis to augment threat research.
Stewart is an expert on malware and Internet threats and is a frequent commentator on security issues. He has presented his security research at leading conferences, including RSA.