A recent report on a new type of malware dubbed “Hammertoss” highlights the importance of applying knowledge of attacker methodologies to behavior analytics.
As an industry, we get very fixated on the latest intruder tools. The risk is that we can't see the forest for the trees. To detect intruders effectively, we must look at the entire attack chain and at the methods attackers must use to complete their mission, whatever tooling they choose. Hammertoss is an example of a backdoor that is reportedly deployed at a late stage of an attack, using a variety of tactical methods. You can only be effective if you have broad detection for those methods, regardless of the tools behind them, using approaches that include traditional threat intelligence, intruder analytics, and endpoint detection.
While interesting on many levels, Hammertoss caught my eye because it tries to mimic regular user behavior to avoid detection, albeit in a fairly crude way:
- It can be configured to operate during normal working hours to blend into regular network traffic
- It gets commands from and exfiltrates to mainstream cloud services, such as Twitter and GitHub
Attackers changing their methods means behavior analytics is working
Attackers are making economic decisions: they don't change their methods unless those methods start becoming ineffective. The fact that Hammertoss builds in ways to avoid behavior-based anomaly detection shows that these detections have caused attackers some pain. However, its evasion techniques are very basic steps that only get past the simplest User and Entity Behavior Analytics (UEBA) solutions, because such solutions rely solely on baselining work hours and cloud usage, without any further context.
Behavior analytics must take attacker methodologies into account
When Rapid7 started out researching behavior analytics solutions, we quickly realized that “pure math” could not solve the problem. Looking for outliers such as unusual login times quickly leads to an insurmountable mountain of false positive alerts. The fact is: people do unpredictable things for legitimate reasons. I may have a report due that forces me to work late or on weekends.
One approach we continually find effective in detecting bad actors is to take behavior analytics and pair it with our knowledge of attacker methodologies. We're taking this knowledge from many sources: The Metasploit project, Rapid7 Labs' primary research, and our offensive security and incident response services teams.
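To make the two preceding points concrete, here is an added example (my own illustration, not UserInsight code or any Rapid7 detection logic) run over a handful of constructed endpoint and proxy events. The first rule is the “pure math” baseline: every logon outside business hours is an alert, which flags the late-working employee just as loudly as the intruder. The second rule keeps the time outlier but only lets it add to a score that is dominated by an attacker-methodology signal: a PowerShell start followed, on the same host and within a short window, by traffic to a cloud service the user has never contacted before. The business hours, the list of cloud services, the per-user baseline, the scoring weights and the 30-minute window are all assumptions chosen for the illustration. It goes one step beyond the post by including a fourth user whose activity mimics Hammertoss's working-hours blending: that case still trips the methodology-aware rule, because hiding the time of day does nothing to hide the method.

```python
"""Added example: bare work-hours baseline vs. baseline paired with attacker methodology.
Not Rapid7/UserInsight code; all telemetry below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): (timestamp, user, host, kind, detail)
EVENTS = [
    ("2015-07-28 09:15", "alice", "ws-01", "logon",   "interactive"),
    ("2015-07-28 22:40", "alice", "ws-01", "logon",   "interactive"),  # working late on a report
    ("2015-07-28 22:45", "alice", "ws-01", "process", "winword.exe"),
    ("2015-07-28 10:05", "bob",   "ws-02", "logon",   "interactive"),
    ("2015-07-28 10:30", "bob",   "ws-02", "process", "powershell.exe"),
    ("2015-07-28 10:31", "bob",   "ws-02", "http",    "github.com"),   # developer; GitHub is in his baseline
    ("2015-07-29 02:05", "carol", "ws-03", "logon",   "network"),
    ("2015-07-29 02:06", "carol", "ws-03", "process", "powershell.exe"),
    ("2015-07-29 02:08", "carol", "ws-03", "http",    "twitter.com"),
    ("2015-07-29 02:09", "carol", "ws-03", "http",    "github.com"),
    ("2015-07-29 11:00", "dave",  "ws-04", "logon",   "interactive"),
    ("2015-07-29 11:20", "dave",  "ws-04", "process", "powershell.exe"),
    ("2015-07-29 11:21", "dave",  "ws-04", "http",    "twitter.com"),  # Hammertoss-style, inside work hours
]

# Assumed per-user baseline of cloud services seen in prior weeks (constructed).
KNOWN_CLOUD_USE = {"alice": set(), "bob": {"github.com"}, "carol": set(), "dave": set()}
CLOUD_SERVICES = {"twitter.com", "github.com"}   # assumed watch list of mainstream cloud C2/exfil hosts
WORK_START, WORK_END = 8, 19                     # assumed business hours, 24h clock


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def _off_hours(t, start=WORK_START, end=WORK_END):
    return not (start <= _ts(t).hour < end)


def work_hours_outliers(events):
    """Pure-baseline rule: every logon outside business hours is an alert (noisy)."""
    return [(u, t) for t, u, _, kind, _ in events if kind == "logon" and _off_hours(t)]


def score_users(events, known=KNOWN_CLOUD_USE, window=timedelta(minutes=30)):
    """Score each user: weak anomaly signals (+1 each) plus a methodology signal (+2)."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    scores = {}
    for user, evs in by_user.items():
        evs.sort()  # fixed-width timestamps sort chronologically as strings
        score, reasons = 0, []
        # Anomaly signal 1: a logon outside the assumed business hours.
        if any(k == "logon" and _off_hours(t) for t, _, _, k, _ in evs):
            score += 1
            reasons.append("off-hours logon")
        # Anomaly signal 2: a watched cloud service this user has never contacted before.
        new = {d for _, _, _, k, d in evs if k == "http" and d in CLOUD_SERVICES} - known.get(user, set())
        if new:
            score += 1
            reasons.append("new cloud service: " + ",".join(sorted(new)))
        # Methodology signal: PowerShell start followed, on the same host and within the
        # window, by traffic to a watched cloud service (script host plus C2/exfil channel).
        for t1, _, h1, k1, d1 in evs:
            if k1 == "process" and d1 == "powershell.exe" and any(
                k2 == "http" and d2 in CLOUD_SERVICES and h2 == h1
                and timedelta(0) <= _ts(t2) - _ts(t1) <= window
                for t2, _, h2, k2, d2 in evs
            ):
                score += 2
                reasons.append("powershell -> cloud service")
                break
        scores[user] = (score, reasons)
    return scores


def alerts(events, threshold=3):
    """Users whose combined score reaches the (assumed) alert threshold."""
    return sorted(u for u, (s, _) in score_users(events).items() if s >= threshold)


if __name__ == "__main__":
    print("work-hours baseline alone:", work_hours_outliers(EVENTS))
    for user, (score, why) in sorted(score_users(EVENTS).items()):
        print(f"{user}: score={score} {why}")
    print("alerts:", alerts(EVENTS))
```

Run on the constructed data, the work-hours rule flags both alice (legitimate late work) and carol, while the combined scoring leaves alice at 1, bob at 2 (his PowerShell-plus-GitHub pattern is covered by his baseline), and raises alerts only for carol and dave. Dave is the interesting case: his activity sits inside business hours, which is exactly the evasion the post describes, yet the methodology signal still carries him over the threshold.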
Detection must occur throughout the attack chain
It's also interesting to note that the Hammertoss malware is reportedly used late in the attack chain. It is a backdoor that enables attackers who have gained access to a network to maintain persistence over the long term. The communication methods are low, slow, and obfuscated to avoid detection.
Rapid7 recommends detecting attacks throughout the kill chain by detecting phishing, use of compromised credentials, lateral movement and other attacker activity, which is where Rapid7 UserInsight focuses its detection.
That said, UserInsight can detect and investigate incidents related to Hammertoss in the following ways:
- Detecting malicious Hammertoss processes running on the network through agentless endpoint monitoring
- Honey pot alerts as Hammertoss runs reconnaissance operations on the network
- Spotting lateral movement on the network, which Hammertoss carries out through PowerShell commands
- Investigation of data exfiltration as Hammertoss uploads data to cloud services
If you're interested in learning more about how Rapid7 can help you detect intruders on your network and give them the boot, talk to us about the UserInsight intruder analytics solution and Rapid7's incident response services.