11 Aug Fortify Your Cyber Defenses with Network Assessment
The VARGuy and The Cyber Weapons Report Confirm: Hackers Have Gone Beyond Malware to Infiltrate Networks. Assessment Tools Can Alert MSPs to Those Activities.
By Mark Winter, Vice President of Sales, RapidFire Tools
Our friends at The VARGuy recently posted an article with findings from the Cyber Weapons Report. The document analyzed what kinds of tools were most frequently at fault for network security breaches. The results were interesting, since malware was not the highest threat on the list.
The article confirmed that once hackers find a way to infiltrate a network, they use common tools and techniques to move from system to system within that network, compromising data. Sometimes these breaches persist over long periods, during which time the hacker progressively steals information undetected.
This is the kind of malicious activity that remote monitoring and virus protection won’t necessarily catch. Network assessment tools, however, identify these activities as they occur, allowing the MSP an opportunity to avert the breach. Here are some excerpts from The VARGuy’s analysis—followed by examples of how network assessment tools address these points.
“An IP address and port scanner called ‘Angry IP Scanner’ was the top networking and hacking tool used by attackers to achieve malicious goals once inside a network, accounting for 27 percent of incidents.”
Both RapidFire Tools’ Inspector and Detector appliances can identify “open and vulnerable” IP ports on systems throughout the network. This would allow the MSP to “close off” the ports that an application like Angry IP Scanner might identify for a hacker during a scan, protecting the other systems inside the network. Note that Angry IP Scanner is a free, readily available download to which any curious hacker can easily gain access.
“With IT administrative tools, the report showed that malicious activity typically triggered lateral movement anomalies like new admin behavior, remote code execution and reverse connection. SecureCRT, an integrated SSH and Telnet client, took the top spot in that category, representing 28.5 percent of incidents from the top ten most used admin tools.”
In an instance such as this, a network assessment tool like the Detector would identify “new admin behavior” on the network and deliver alerts to the MSP. Ongoing reports would help that MSP establish whether any questionable patterns have developed. Anti-virus and remote monitoring doesn’t allow for this same level of ongoing reporting.
“These types of attacks are usually ‘low and slow,’ where bad actors work under the radar for several months inside a system, conducting activities like reconnaissance to map a network’s resources and vulnerabilities, lateral movement and, eventually, command and control communication.”
A hacker would likely conduct himself during off-hours to avoid discovery. The Detector tool, however, provides alerts on this type of anomalous user behavior, apprising the MSP before “bad actors” have a chance to fully map a network’s resources and vulnerabilities.
Executive VP Jason Matlof of LightCyber, the security company that compiled the report, summed it up below. The industry’s commonplace approach to network security is heavily focused on malware and anti-virus. Yet this strategy just is not sufficient in the complicated environment that companies currently navigate, where malicious agents have access to tools that easily and stealthily evade conventional security over time.
“The new Cyber Weapons Report uniquely reveals that malware is not the mechanism that network attackers use once they circumvent preventative security and compromise a network,” said Matlof. “Despite these increasingly well understood realities, our industry still has an unshakable obsession with malware. With the increasing incidence of successful data breaches and theft of company secrets, it’s clear that the conventional malware-focused security infrastructure is insufficient, and we must develop new techniques to find active attackers using their operational activities.”
For editor Kris Blackmon’s full article, read it here at The VARGuy.