Home / Blogs

Hiding in Plain Sight: Post-Breach

The majority of network breaches begin and end with the installation of malware upon a vulnerable device. For the rest, once that initial malware beachhead has been achieved, the story is only just beginning.

The breach disclosures that make the news are often confusing as they’re frequently compiled from third-hand reports, opinions and technical assumptions. More often than not, they include a discussion about the malware—how advanced it was, etc.—and whether any 0-day vulnerabilities were likely used by the mysterious attacker. And then there’s usually a description of the data the attacker may have been able to obtain, and how they could use it for various forms of evil in the future.

The bit that’s missing—and it happens to be the really juicy bit—is how the attacker managed to navigate the victim’s network, take command of the system that held the data, and extract their ill-gotten gains past all those protection systems. It’s generally implied that the malware (which was so thoroughly analyzed in just two condensed paragraphs of the news article) was the secret source to the attack.

In response to such a breach disclosure (and subsequent media attention) anti-virus products will be updated and other vulnerable organizations will be encouraged to check for the malware. No malware, no breach. Pretty simple. Pretty naïve.

As skilled hackers navigate the internals of a breached network it’s generally implied that, for each “hop” from one vulnerable system to the next, the hacker leaves behind a malware agent. After all, that malware agent is the thing that does all the work right? Without its ability to remotely connect to the hacker’s command-and-control (C&C) server the attack would be unsuccessful.

Unfortunately that’s almost never the case. If a hacker was to leave a piece of malware on any compromised host it’s likely to be because of one of the following reasons:

  1. They don’t care about the device. It’s served its purpose and no longer holds any value. It wasn’t even worth hiding the evidence.
  2. It’s a red-herring. The hacker has intentionally left if behind to throw off the hounds, or to serve as a canary for when the hounds are close, or to track the pace and sophistication of the victims incident response team.
  3. Time ran out. They were unable to clean up the host and remove the evidence before they were discovered.

What many people fail to understand is that hackers don’t need the malware. The malware merely serves as the beachhead into the victim’s organization. Once that foothold is in place the hacker leap-frogs to other more interesting and useful systems. More often than not they won’t even need to rely upon exploits or brute-forcing techniques to navigate the network. The user credential’s hijacked (or passively observed) from the initial compromised device are likely enough to progress to the next system. For example, many corporations employ “gold images” that aid the rapid deployment and updating of their employee computer systems. Those cloned images will typically have the same local host administrative accounts and passwords.

The trick to the hacker’s successful evasion of anti-virus detection technologies is to not install malware on any subsequently compromised device. Instead, the hacker simply has to reconfigure and turn-on the remote access tools that are already included within the operating systems of their corporate victims. For example, the operating systems available from both Microsoft and Apple all have remote administration and help applications installed by default—most of which allow for full interactive control of the computer from an Internet routable location.

The beauty of using the default OS remote access software includes:

  1. It’s already present. The hacker doesn’t need to download and install any alternative remote control agents.
  2. It’s whitelisted. All of the anti-virus products and other protection technologies present upon the device will have whitelisted the application. No alerts will be raised.
  3. It’s fully featured. The remote access applications present within modern operating systems are designed for remote administration and support. They can do everything the hacker requires.

What this effectively means is that hunting for malware post-breach may be an ineffective strategy if the objective is to shut down the existing entry points the hacker has into the network and prevent them from extracting further data.

Armed with a portfolio of malware and non-malware remote administrative agents, the hacker’s Achilles heel is going to be the communication channel(s) they are reliant upon. The software agent will change, the protocol will change (it will probably be encrypted too) and, while the destination addresses may flux a little, the remote control infrastructure the hacker is reliant upon is much easier to track and identify—it even provides a level of attribution if you know what you’re looking for.

Faced with an existing (or perceived) breach, corporate incident response teams should look to the network first if they’re hoping to identify a comprehensive list of systems that have been compromised by the hacker. Host-based remediation strategies should be considered in the context of how sophisticated and deceitful the hacker may be—and whether those obviously malware-infected hosts are in-fact the end of the trail or just the beginning.

By Gunter Ollmann, CTO, Security (Cloud and Enterprise) at Microsoft

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet




Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

New TLDs

Sponsored byRadix