‘Most network infiltrations done through stolen creds, not hacking’
Dell’s SecureWorks notes ‘living off the land’ strikes are increasingly common
Threat actors are increasingly infiltrating corporate networks through stolen credentials, rather than by more sophisticated means, Dell's cyber-security research unit SecureWorks has warned.
In a blog post, SecureWorks' Counter Threat Unit Special Operations (CTU-SO) team reported that in over half of the incidents it had monitored over the past year, cyber criminals used compromised logon details and the target company's own remote-access services, such as a virtual private network (VPN), to infiltrate systems.
"Detecting threat actors who are 'living off the land', using credentials, systems, and tools they collect along the way instead of backdoors, can be challenging for organisations that focus their instrumentation and controls primarily on the detection of malware and indicators such as command-and-control IP addresses, domains, and protocols," the CTU-SO team said in the blog post. "With their gaps in visibility, these organisations can have a very difficult time distinguishing adversary activity from that of legitimate users, pushing detection times out to weeks, months, or even years."
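The visibility gap described above is about authentication telemetry rather than malware indicators. As an added illustration (not code from the article or from SecureWorks), the following script runs two simple heuristics over constructed VPN authentication log lines: an account authenticating from two different countries within a short window, and an account authenticating from a country outside its baseline, with a flag for off-hours logins. The log format, the `BASELINE_GEOS` table, the one-hour window and the 07:00 to 19:00 UTC business-hours range are all assumptions chosen for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample VPN authentication log lines (not real data, format assumed).
SAMPLE_LOG = """\
2016-03-01T08:02:11Z vpn auth=success user=alice src=203.0.113.10 geo=GB
2016-03-01T08:45:30Z vpn auth=success user=bob src=198.51.100.7 geo=GB
2016-03-01T09:10:02Z vpn auth=success user=alice src=203.0.113.10 geo=GB
2016-03-01T09:12:44Z vpn auth=success user=alice src=192.0.2.200 geo=RU
2016-03-01T23:55:09Z vpn auth=success user=carol src=198.51.100.9 geo=GB
2016-03-02T03:14:00Z vpn auth=success user=carol src=192.0.2.77 geo=CN
"""

# Constructed per-account baseline of countries seen during normal use.
# In practice this would be learned from weeks of history, not hard-coded.
BASELINE_GEOS = {"alice": {"GB"}, "bob": {"GB"}, "carol": {"GB"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth=(?P<result>\w+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) geo=(?P<geo>[A-Z]{2})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def parse_log(text):
    """Parse all well-formed lines, silently skipping anything unparseable."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def is_off_hours(ts, start_hour=7, end_hour=19):
    """True when the timestamp falls outside the assumed business-hours window (UTC)."""
    return not (start_hour <= ts.hour < end_hour)


def find_geo_velocity_alerts(events, window=timedelta(hours=1)):
    """Flag an account that authenticates successfully from two different
    countries within `window`; a legitimate user rarely does this."""
    alerts = []
    last_success = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "success":
            continue
        prev = last_success.get(e["user"])
        if prev and prev["geo"] != e["geo"] and e["ts"] - prev["ts"] <= window:
            alerts.append({
                "user": e["user"],
                "from_geo": prev["geo"],
                "to_geo": e["geo"],
                "elapsed_minutes": int((e["ts"] - prev["ts"]).total_seconds() // 60),
            })
        last_success[e["user"]] = e
    return alerts


def find_new_country_alerts(events, baseline):
    """Flag successful logins from a country not in the account's baseline,
    noting whether the login also happened outside business hours."""
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "success":
            continue
        if e["geo"] not in baseline.get(e["user"], set()):
            alerts.append({
                "user": e["user"],
                "geo": e["geo"],
                "src": e["src"],
                "off_hours": is_off_hours(e["ts"]),
            })
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in find_geo_velocity_alerts(evs):
        print("geo-velocity:", a)
    for a in find_new_country_alerts(evs, BASELINE_GEOS):
        print("new-country:", a)
```

Both heuristics only use fields the VPN gateway already records, which is the point of the quoted passage: an organisation that only alerts on malware signatures and C2 indicators would see nothing here, while one that baselines its own remote-access logins would see alice's country change within minutes and carol's off-hours login from an unfamiliar country.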
In one incident cited by the response team, SecureWorks described how a cyber-gang logged into an Internet-facing Citrix server and used the target organisation's endpoint management system Altiris to "move laterally through the network".
"Threat groups often follow a path of least resistance to achieve their objective," SecureWorks said. "They will leverage legitimate remote access solutions for entry and valid system administrator tools for lateral movement, if possible. To help disrupt this tactic, it is important that organisations implement two-factor authentication for all remote access solutions and consider doing the same for internal, high-value assets like their internal system management consoles."