“Loud” attacks like ransomware still exist, but sneaky attacker evasion techniques can pay off big for cyber criminals.
Remember those portrayals of hacking in the ’80s and ’90s, when victims knew immediately that they had been pwned? A blue screen of death, a scary message, a back-and-forth text exchange with a hacker — victims had little doubt in these portrayals that they had been attacked. Hackers have since learned that it pays to be quiet when infiltrating an environment, which makes it important for organizations to be able to recognize and understand attacker evasion techniques.
Sure, “loud” attacks like ransomware still exist. However, threat actors have learned that if they keep themselves hidden, they can usually do some serious damage. For hackers, a little stealth can go a long way.
And, some attack tactics are inherently quiet. This makes them arguably more dangerous as they can be harder to detect. Here are four of these sneaky attacker evasion techniques you should know about.
1. Trusted Application Abuse
Attackers know that many people have applications that they inherently trust — making those trusted applications the perfect launchpad for cyberattacks.
Threat actors also know that defenders and the tools they use are often on the hunt for new malware presenting itself in environments. What isn’t so easy to detect is when the malware masquerades under legitimate applications.
Fileless malware is a good example of trusted application abuse. No new malware binary is installed on the system (hence the name). Instead, the malware hijacks applications you already know and trust, taking control of them and using them to carry out malicious activity. That is what makes trusted application abuse one of the sneakier evasion techniques.
2. Trusted Infrastructure Abuse
Much like trusted application abuse, trusted infrastructure abuse is the act of using legitimate, publicly hosted services and toolsets as part of the attack infrastructure.
Threat actors know that people tend to trust public platforms such as Dropbox and Google Drive. These tools thus become a prime means for threat actors to carry out malicious activity. Threat actors often find trusted infrastructure abuse easy because these services aren’t usually blocked at an enterprise’s gateway. In turn, outbound communications can hide in plain sight.
Unfortunately, this makes it that much easier for bad actors to establish persistence in an environment, which we’ll talk about shortly.
3. Obfuscation
Although cybersecurity has more than its fair share of tedious acronyms, the good news is that many terms can be broken down by their generic dictionary definitions.
According to Dictionary.com, the word obfuscate means “to make something unclear, obscure or difficult to understand.” And that’s exactly what it means in cybersecurity: finding ways to conceal malicious behavior. In turn, this makes it more difficult for analysts and the tools they use to flag suspicious or malicious activity.
One attack strategy we often see in the field is burying malicious code inside an innocuous-looking file. You think you are opening a PDF (.pdf), but you are actually launching an executable (.exe) that runs malicious code in the background. This is one form of obfuscation: you are tricked into running an executable under the guise of a harmless PDF.
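The PDF-that-is-really-an-executable trick above is something a defender can check for cheaply. The following is an added example, not code from the original post or from Huntress: it flags a file whose extension claims a document while its leading bytes are a Windows PE header, and a double extension such as `.pdf.exe` that Explorer would display as `.pdf` when known extensions are hidden. The file names and byte strings are constructed.

```python
import os

# Leading bytes of the two file types the post contrasts: a real PDF starts with
# "%PDF", a Windows executable (PE) starts with the "MZ" DOS header.
MAGIC = {b"%PDF": "pdf", b"MZ": "exe"}

DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}


def sniff_type(data: bytes) -> str:
    """Return the content type implied by the file's first bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def assess_file(name: str, data: bytes) -> list[str]:
    """Return findings for one file (name plus its leading bytes); empty means clean.
    Checks two masquerade patterns: a document extension over PE content
    ("invoice.pdf" that is really an .exe), and a double extension that hides an
    executable suffix behind a document one ("statement.pdf.exe").
    """
    findings = []
    root, ext = os.path.splitext(name.lower())
    _, inner_ext = os.path.splitext(root)
    content = sniff_type(data)
    if ext in DOCUMENT_EXTENSIONS and content == "exe":
        findings.append(f"{name}: extension {ext} but content is a PE executable")
    if ext in EXECUTABLE_EXTENSIONS and inner_ext in DOCUMENT_EXTENSIONS:
        findings.append(f"{name}: double extension {inner_ext}{ext} hides an executable")
    return findings


def scan(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Run assess_file over a mapping of file name -> leading bytes."""
    return {name: assess_file(name, data) for name, data in samples.items()}


# Constructed sample inputs (not real files): a genuine PDF header, a PE header
# carrying a .pdf name, and a double-extension name.
SAMPLES = {
    "quarterly-report.pdf": b"%PDF-1.7\n",
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00",
    "statement.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",
}

if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(name, "->", findings or ["ok"])
```

On a real system you would feed `assess_file` the first few bytes of each file in a download or attachment directory rather than the constructed `SAMPLES`.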
4. Persistence
Imagine writing up documentation using your computer — something you may well do in your role. You’ve spent a ton of time conducting the required research, finding the right sources and compiling all your information into a document. Now, imagine not hitting save on that document and losing it as soon as you reboot your computer.
Sound like a nightmare — or perhaps a real, anxiety-inducing experience you’ve been through before?
Threat actors agree, and that’s why they establish persistence as part of their attack evasion techniques. They don’t want the hard work of getting into your systems to be in vain just because you restart your computer. They establish persistence to make sure they can still hang around even after you reboot.
Although we’ve expanded our offerings here at Huntress, persistence was our bread and butter when we were first established. That’s because so many tools focused on preventive measures but not quite on what happens once threat actors do make their way through. And, let’s be real: It’s only a matter of time before they outsmart today’s best tools.
Want to learn more about defense evasion? Check out our blog series, where we open up the Huntress vault to explore some defense evasion techniques we’ve seen in the wild.
This guest blog is part of a Channel Futures sponsorship.