To trap a RAT

Hunting for cyber threats decreases dwell time and damage

To trap a RAT

Cyber analysts at Raytheon Foreground Security proactively hunt threats so they can snare RATs (Remote Access Tools).

The cyber hunters smelled a RAT.

While coursing through the security logs on a customer’s computer system, an analyst for Raytheon Foreground Security spotted a newly installed program running in the background of one of the machines. The program’s name, comprising a random string of characters, called up a command line, which ran code that allowed the hacker to control the computer. The analyst had sniffed out a RAT — a Remote Access Tool.

The end user couldn’t detect the tool, which was installed as a background service. A root-cause analysis discovered a “bad actor” had compromised an administrator account to install this program.

An analysis of the code revealed the IP address of the attacker's controlling server. Springboarding off this information and the attacker’s tactics, the analyst identified eight compromised hosts that were communicating with the attacker's server. Within 48 hours after the attacker deployed these malicious services, the Raytheon Virtual-Security Operations Center, or V-SOC for short, detected them and shut them down.

After the discovery, Raytheon Foreground Security created “custom alert content” to search for the attacker’s techniques, which has resulted in snaring other attacks against customers.

This attack wouldn’t have been detected by typical anti-virus software nor stopped by most firewalls, which is why proactive threat hunting is critically important in today’s threat environment.

The traditional, reactive model of cybersecurity no longer is sufficient to combat the constant, onslaught of attacks. You can’t sit back waiting for an alert or alarm.  Even with the most expensive tools and best endpoint protection, companies still get hacked.

The number and sophistication of cyber attacks has increased dramatically. Attackers, whether they are nation states, criminal organizations, terrorists or hacktivists, are using employee-based models with development teams, programmers and administrative staffs. Given enough time, motivation and resources, a determined foe can penetrate just about any system accessible from the Internet.

They can take an exploit that’s worked before, tweak it so it’s not detectable by anti-virus signatures, test it out in a sandbox that mimics the environment they’re attacking, and then it will cruise right through safeguards without virtually a trace and compromise a system.

To combat this, we can’t just sit back and wait. We have to think like the attackers. Our proactive threat hunters ask themselves, “If I was hacker, what would I do? How can I circumvent existing security controls? What exploits can I leverage and modify? What information is the most valuable and most likely be targeted?”

The old model of cybersecurity is sort of like a home security system with a bunch of alarms on your doors and windows. You live your daily routine in your house just hoping that you don’t hear the alarm go off in the middle of the night.  Now, think of the new model of cybersecurity, proactive threat hunting, as a security guard who goes around your home looking for intruders that might already be there and places a bad guy might sneak in, testing the locks, pulling on door handles, shining their flashlight inside and outside of the house, staking out the jewelry box and checking with local police department on trends in the neighborhood. And even with a security guard, you may get a break-in, but that bad guy is going to be caught or scared away in seconds.

On average, it takes about 200 days to detect an intrusion with traditional cybersecurity methods. With the V-SOC conducting proactive threat hunting, that dwell time can be drastically reduced and the damage minimized significantly.

The intelligence gathered from new attacks and behavioral patterns then can be added to custom content alerts. Instead of manually looking for these behaviors, automation allows for quicker reaction times and shorter dwell times.

Attackers with savvy staffs, abundant resources and state-of-the-art tools are going to get in. The question really becomes, “How long will they be there and how much damage will they cause?”

Proactive threat hunting minimizes both.

By Carl Manion, senior managing principal for threat detection and response at Raytheon Foreground Security.

This document does not contain Technical Data or Technology controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations. E17-FZNS.

Published On: 02/20/2017
Last Updated: 01/11/2018