The armor didn't save you: how attackers bypass security systems

Father

In a new article, we talk about methods that help cybercriminals slip past information security systems, and approaches to countering such attempts.

Experts divide anti-detection methods into two groups: covert malware delivery and hidden presence. In the first case, the attackers' main goal is to get through all the filters and checks so that the malware lands on the target system. To do this, they hide the dangerous code or disguise it as legitimate.

How security tools are bypassed

The main method for this task is obfuscation, both of the delivered data and of the software as a whole. Hiding and obfuscating traffic and code hampers signature analysis, which many antivirus tools rely on.

Sergey Belov
Head of the Banking Systems Security Research Group, Positive Technologies

The use of polymorphic and metamorphic code allows you to obtain a highly variable code base with the immutability of the executed payload. In addition, attackers often use the technique of dividing malicious code into parts that are uploaded to the system in stages, which also makes it difficult to analyze and determine the software functions.

Ekaterina Starostina
Director of Business Development, Webmonitorex

Personally, I have come across various original methods of blocking information security systems. For example, using hidden data channels, steganography techniques, or even social engineering to bypass security systems. This highlights the need for continuous improvement of methods of protecting and combating cyber threats.

Sergey Polunin
Head of the Infrastructure IT Protection Group at Gazinformservis

Malicious code can be packaged with a special program so that it is not detected by systems that use hash and checksum databases. Malware can constantly randomly change its own parameters. There are also fundamentally different approaches, for example, first download malware that does nothing specific, but can investigate the attacked system and independently download other executable parts of the malware.
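Several of the experts above describe packing and encrypting payloads so that hash and signature databases no longer match. One inexpensive defender-side heuristic that survives this is byte entropy: compressed or encrypted data is close to uniformly random, while code and text are not. The following Python is an added example (not code from the article or any of the quoted companies) that computes Shannon entropy per chunk and flags buffers where most chunks look packed; the sample buffers, thresholds and chunk size are constructed for illustration.

```python
import math
import random
from collections import Counter

# Constructed samples: plain ASCII text versus a seeded pseudo-random buffer
# standing in for a packed/encrypted section. Sizes and seed are arbitrary.
PLAIN_SAMPLE = (b"The quick brown fox jumps over the lazy dog. " * 100)[:4096]
_rng = random.Random(1234)
PACKED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))
# A legitimate-looking stub followed by a packed body (2048 + 2048 bytes).
STUB_PLUS_PACKED = PLAIN_SAMPLE[:2048] + PACKED_SAMPLE[:2048]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def chunk_entropies(data: bytes, chunk_size: int = 1024) -> list:
    """Entropy of each fixed-size chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def high_entropy_regions(data: bytes, chunk_size: int = 1024,
                         threshold: float = 7.0) -> list:
    """(offset, entropy) for every chunk at or above the threshold.
    Threshold 7.0 is a constructed value; tune it on your own corpus."""
    return [(i * chunk_size, e)
            for i, e in enumerate(chunk_entropies(data, chunk_size))
            if e >= threshold]


def looks_packed(data: bytes, chunk_size: int = 1024,
                 threshold: float = 7.0, min_fraction: float = 0.5) -> bool:
    """True when at least min_fraction of the chunks are high-entropy.
    Using a fraction rather than the whole-file average keeps a small
    plain-text stub from masking a packed body."""
    ents = chunk_entropies(data, chunk_size)
    if not ents:
        return False
    high = sum(1 for e in ents if e >= threshold)
    return high / len(ents) >= min_fraction


if __name__ == "__main__":
    for label, buf in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE),
                       ("stub+packed", STUB_PLUS_PACKED)):
        print(f"{label:12s} entropy={shannon_entropy(buf):.2f} "
              f"packed={looks_packed(buf)} regions={high_entropy_regions(buf)}")
```

Entropy alone is not a verdict: legitimate installers, media files and signed updates are also high-entropy, so this belongs in a triage pipeline as one signal next to signer verification and behavioural analysis, not as a blocking rule.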

Alexey Morozkov
Team Leader of the ICL Services Cybersecurity Management Center

The most common methods are identity forgery (spoofing) and encryption of malicious code to bypass systems that use heuristic analysis, for example, using various methods of obfuscation and modification of malicious code.

[As the goals of cybercriminals], I would single out concealing the presence, disabling the service, disrupting the correct operation of the service due to external influences, disrupting the service's communication with the central server, and in combination with disabling the service, communicating independently with the central server to simulate the service's health.

In turn, Ivan Myskiv, Head of the Information Security Center "Digital Design", offers the following classification of the main methods of countering security systems:
  1. Obfuscation of malicious software. Obfuscation is used to deceive antivirus tools, EDR and other security systems that rely heavily on digital signatures to interpret code.
  2. Using fake code signatures. Hackers use certificates to pass off their software as legitimate. Certificates can get to them both as a result of supply chain attacks, and after being purchased on the darknet.
  3. Encryption. Attackers can directly configure attacks to bypass detection methods used in EDR, for example by faking their attacks or periodically changing their methods.
  4. Non-standard attacks. Hackers can find new communication channels or penetration methods that are not yet known to EDR systems: new communication protocols or methods for injecting malicious code. They can exploit vulnerabilities in legitimate applications or use the living-off-the-land technique, in which an attacker "extracts" the tools needed to achieve his goal from the attacked system itself, using operating system components and legitimate tools installed by the administrators.

Roman Aksenov
Security Analysis Specialist at Simplicity

Malware injections directly into RAM are most difficult to detect by security tools. Registers in the computer are constantly moving, and it is problematic to implement statistical analysis at the software level. Attackers load their own software into RAM and force the computer to execute it.

Ivan Myskiv
Head of the Digital Design Information Security Center Department

We should mention the hacking of the centralized management systems of EDR, AV, and VM products, which can lead to compromise of the entire information security system. It is important not only to rely on security systems, but also to check whether they can protect themselves. At the same time, the internal security of a security tool depends not only on the mechanisms built into it, but also on the operating environment. Do not neglect its adequate configuration.

Once the file reaches the target system, the attackers face a different task: maintaining their presence and quietly extending their reach across the infrastructure.

At this stage, they collect information about the infrastructure and identify target systems. Based on this data, hackers develop attack vectors that will give them access to those systems, select and deploy additional malware, and establish data transmission channels out beyond the perimeter. In addition, footholds are created so that, if malicious activity is detected on one compromised machine, the attackers still retain access to the infrastructure. This can last for months, especially in attacks aimed at espionage or at controlling one component of the enterprise's systems.

Dmitry Zubarev
Senior Security Analysis Specialist at the Ural Center for Security Systems

Disabling security features attracts attention, and attackers can only afford to be detected in the event of a lightning attack. These are usually either elaborate campaigns aimed at gaining access to specific resources, such as a database, or attacks aimed at encrypting infrastructure components and then demanding ransom.

Sergey Polunin
Head of the Infrastructure IT Protection Group at Gazinformservis

Disabling security systems is not easy, if not impossible. If you do not take into account DDoS attacks, attackers have especially no options. In theory, you can conduct intelligence, find out, for example, which antivirus is used by a potential victim of an attack, and prepare the malware for a specific situation. However, such an attack will be extremely expensive and most likely ineffective, and security systems are usually also continuously developed and updated.

To circumvent network access restrictions and role-based access models, attackers have to breach the security perimeter not only from the outside in, but also in the opposite direction; otherwise there can be no two-way data exchange.

To do this, they identify the permitted communication channels, protocols, the subnet addresses with which interaction is allowed, and the access rights granted to system users. Proxying and tunneling traffic helps hide network activity. Hackers regularly change the addresses of their proxy servers and command-and-control servers and make sure these addresses are not flagged as malicious.

Andrey Golubev
Product owner at PRO32

A slow step-by-step attack allows you to study the company's infrastructure and security features. Then the attack is simulated in a test environment, and if the security systems fail, the method is applied in the production infrastructure. Here, of course, malware should be hidden from detection.

Sergey Sablin
Business Development Manager at Axoft

Building a botnet network can take several months, and the potential victim will not be aware of an attack that is already underway. A targeted attack with pre-determined network or infrastructure vulnerabilities can quickly disable all the victim's systems.

Attacks on specific infrastructures, especially banks, should also be considered separately. Such organizations are traditionally targeted by a wide variety of intruders: some are trying to get at customers' money, others are hunting for personal data, still others are trying to hack ATMs, and so on.

Financial organizations often use specialized software, and communication channels with the "big" Internet are carefully controlled, so even the simplest methods that work against ordinary companies cannot deliver and run malware there.

In such cases, attackers often use attacks on the supply chain, injecting malicious code into legitimate software at some stage of its development or distribution. This allows them to bypass the initial stages of verification and gain access to a secure internal perimeter.

Andrey Golubev
PRO32 Product Owner

Among attacks on banks, complex attacks aimed at disrupting communication between the bank's information security systems and customers are more common. The goal of hacking is to "legitimize" fraudulent transactions in one way or another.

Complex techniques include, for example, distracting the bank's information security department with a DDoS attack, while at the same time subtly hacking the billing system, or overloading bank monitoring systems in attempts to put them in emergency (offline) modes. And, of course, attacks with the help of "insiders". Usually they are the cause of high-profile leaks.

However, there is no need to develop a technically complex operation if a weak link can be found in the form of an employee. Social engineering remains the main method of deceiving users and IT personnel into disabling security mechanisms or installing malicious programs themselves. As a result, hackers gain initial access to the system and establish a foothold in it.

Sergey Polunin
Head of the Infrastructure IT Protection Group at Gazinformservis

In my practice, all methods of blocking information security systems were based on social engineering, and not on some clever malicious software. I came across the fact that the user himself wanted to get to a certain file so much that he did it without much effort on the part of hackers.

Tools for detecting hidden activity are constantly being developed, and in this race the developers still manage to stay ahead of the intruders. New-generation sandboxes are built with the well-known evasion techniques in mind and prevent malware from detecting that it is running in a sandbox. The speed of analysis based on signatures and other attributes is growing: it often takes just a few minutes from the first launch of a malware sample to its registration in antivirus databases.

Dmitry Zubarev
Senior Security Analysis Specialist at the Ural Center for Security Systems

If earlier protection could be limited to endpoints, for example, specific workstations or servers, now an integrated approach is becoming more popular: data coming from multiple infrastructure components is analyzed, these data are compared, and threats are identified at a higher level.

Alexey Morozkov
Team Leader of the ICL Services Cybersecurity Management Center

This is a cyclical process: developers bring information security products to the market, attackers study them, find flaws and gaps in security tools, information security incidents occur, information security teams collect lessons and artifacts, investigate problems, work together with developers of such systems, who in turn come up with new ways to detect malware and methods of protection against it, etc.

The real result is layered defense, which includes many security tools: monitoring systems, firewalls, and EDR systems. At the same time, modern solutions control almost all possible critical entry points for both the attacker and the user. And if the user doesn't have any problems logging in to mail, then the attacker will have to choose carefully so that they don't get blocked or find out about the threat of an incident.

Kai Mikhailov
Head of Information Security at iTPROTECT

It is worth noting that ideas and approaches from one area of protection can be applied in completely different ones.

For example, to make password guessing commercially unprofitable, a common technique is to slow down the verification of the login-password pair after several incorrect attempts. Now users have begun to massively use voice assistants, which in their behavior almost do not differ from the owner of the phone. And the approach described above was unexpectedly applied against phishing and fraud. We expect that in the near future, the cost of spam and phishing attacks on the phone for intruders will increase dramatically.
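The slow-down after repeated failures that is mentioned above is usually implemented as exponential backoff keyed on the account and the source. The Python below is an added example, not code from the article or from iTPROTECT; the free-attempt count, base delay and cap are constructed values, and the clock is passed in explicitly so the behaviour can be checked without sleeping.

```python
from dataclasses import dataclass


@dataclass
class AttemptState:
    failures: int = 0        # consecutive failures since the last success
    locked_until: float = 0.0  # monotonic timestamp before which attempts are refused


class LoginThrottle:
    """Exponential backoff for credential checks.

    The first `free_attempts` failures cost nothing; each failure after that
    doubles the delay, starting at `base_delay` seconds and capped at
    `max_delay`. All three numbers here are constructed defaults."""

    def __init__(self, free_attempts: int = 3, base_delay: float = 2.0,
                 max_delay: float = 300.0):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._state: dict = {}

    def wait_time(self, key, now: float) -> float:
        """Seconds the caller must still wait, or 0.0 if an attempt is allowed."""
        st = self._state.get(key)
        if st is None:
            return 0.0
        return max(0.0, st.locked_until - now)

    def record_failure(self, key, now: float) -> float:
        """Register a failed check and return the delay applied after it."""
        st = self._state.setdefault(key, AttemptState())
        st.failures += 1
        extra = st.failures - self.free_attempts
        delay = 0.0 if extra <= 0 else min(self.base_delay * 2 ** (extra - 1),
                                           self.max_delay)
        st.locked_until = now + delay
        return delay

    def record_success(self, key) -> None:
        """A successful login clears the backoff for this key."""
        self._state.pop(key, None)

    def attempt(self, key, credentials_valid: bool, now: float) -> str:
        """Outcome of one login attempt: 'throttled', 'ok' or 'failed'.

        A correct password during the backoff window is still refused, so
        a guesser learns nothing from the timing of that window."""
        if self.wait_time(key, now) > 0:
            return "throttled"
        if credentials_valid:
            self.record_success(key)
            return "ok"
        self.record_failure(key, now)
        return "failed"


if __name__ == "__main__":
    throttle = LoginThrottle()
    # Constructed key: the account plus the source address it is tried from.
    key = ("alice", "203.0.113.5")
    t = 0.0
    for n in range(1, 8):
        result = throttle.attempt(key, False, t)
        print(f"failure {n}: {result}, next wait {throttle.wait_time(key, t):.0f}s")
        t += throttle.wait_time(key, t)
```

Keying on the (account, source) pair rather than on the account alone keeps an attacker from locking legitimate users out by spraying failures at their names; a per-source counter alongside it catches the reverse pattern of one source trying many accounts.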

Conclusion

Obviously, the sword and shield battle will never end. Therefore, experts recommend adhering to the principle of "everything that is not allowed is forbidden". This means leaving users with only the necessary ports, prohibiting reverse sessions, blocking the installation of third-party software and connecting external media.

To detect malicious activity, you need to log all events and regularly conduct an inventory of assets. This is the only way for a company to know where and what is happening in the infrastructure, control all its systems and hosts, and know about their vulnerabilities. Finally, to test security systems and infrastructure, it is recommended to organize a continuous analysis of asset security and involve independent researchers through Bug Bounty platforms.
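The two recommendations above, a default-deny posture ("everything that is not allowed is forbidden") and a regularly refreshed asset inventory, come together in a simple audit: compare what is actually listening on the network against the allowlist of hosts and services the company expects. The Python below is an added example, not code from the article or from any of the quoted vendors; the hosts, addresses and ports are constructed, and in practice the observed set would come from a scanner or the EDR/NDR inventory rather than a literal.

```python
# Constructed allowlist: the only hosts and listening ports that are permitted.
EXPECTED = {
    "10.0.1.10": {"name": "web-01", "services": {22: "ssh", 443: "https"}},
    "10.0.1.20": {"name": "db-01", "services": {22: "ssh", 5432: "postgres"}},
}

# Constructed observation from the latest inventory run: host -> open ports.
OBSERVED = {
    "10.0.1.10": {22, 443, 8443},   # an extra listener appeared on web-01
    "10.0.1.30": {22, 4444},        # a host nobody registered
}


def audit(expected: dict, observed: dict) -> dict:
    """Default-deny audit of observed listeners against the allowlist.

    Returns sorted lists so the result is stable and easy to diff between runs:
      new_hosts           hosts seen on the network but absent from the allowlist
      missing_hosts       allowlisted hosts that did not answer at all
      unexpected_services (host, port) pairs listening without being allowed
      missing_services    (host, port) pairs that should be up but are not"""
    new_hosts = sorted(set(observed) - set(expected))
    missing_hosts = sorted(set(expected) - set(observed))
    unexpected_services = []
    missing_services = []
    for host in sorted(set(expected) & set(observed)):
        allowed = set(expected[host]["services"])
        seen = set(observed[host])
        unexpected_services += [(host, p) for p in sorted(seen - allowed)]
        missing_services += [(host, p) for p in sorted(allowed - seen)]
    return {
        "new_hosts": new_hosts,
        "missing_hosts": missing_hosts,
        "unexpected_services": unexpected_services,
        "missing_services": missing_services,
    }


def findings(expected: dict, observed: dict) -> list:
    """Human-readable lines, one per finding, suitable for a ticket or SIEM event."""
    report = audit(expected, observed)
    lines = [f"unregistered host {h} with ports {sorted(observed[h])}"
             for h in report["new_hosts"]]
    lines += [f"allowlisted host {h} ({expected[h]['name']}) not responding"
              for h in report["missing_hosts"]]
    lines += [f"{expected[h]['name']} ({h}): unexpected listener on port {p}"
              for h, p in report["unexpected_services"]]
    lines += [f"{expected[h]['name']} ({h}): expected service on port {p} is down"
              for h, p in report["missing_services"]]
    return lines


if __name__ == "__main__":
    for line in findings(EXPECTED, OBSERVED):
        print(line)
```

Every entry in `unexpected_services` and `new_hosts` is by definition outside the allowlist, so under a default-deny policy each one is either a firewall rule that is missing or a change nobody approved; the `missing_*` lists catch the opposite failure, a security control or service that has quietly gone offline.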