As the sophistication of malware attacks advances each year, organisations must be especially vigilant and prepared for any suspicious activity. Cyber criminals’ tactics are continuing to evolve and nearly every aspect of a digital environment can be exploited. Akin to a digital parasite, threat actors are often armed with the ability to live “off the land” of their targets, which allows them to stay hidden while inside a target’s digital environment and to steal critical data and assets.
Once an attacker infiltrates the victim’s system, they can deploy different forms of malware to collect as many assets as possible and later blackmail their target and demand a ransom. System hardening processes are one of the best and most effective measures an organisation can take to decrease the chance of success of such attacks. Aligned with the National Institute of Standards and Technology (NIST) guidelines, system hardening allows organisations to take their cybersecurity into their own hands.
Common malware and living-off-the-land techniques
Like most common attack vectors, malware attacks and living-off-the-land (LOL) techniques follow the same basic principles when attempting to compromise a target’s digital assets. To put it simply, when deploying any form of malware extortion, attackers generally follow five steps to achieve their objectives: get there, get into, get ready, get more, and get money.
To ‘get there’, cybercriminals have figured out numerous ways to gain access to a target’s digital systems, for example by distributing targeted phishing using malicious websites and ads. At another level of sophistication, cyber crooks buy the access from so-called ‘Initial Access Brokers’. Once attackers ‘get into’ the environment – by exploiting local vulnerabilities or using weak login credentials – they can then ‘get ready’, using their LOL techniques to stay invisible and escalate their privileges while inside.
In order to ‘get more’ assets, attackers will laterally move through the target’s digital infrastructure to extract, collect, and own the valuable information either needed for a later extortion attempt or to use for a bigger target connected with the victim. Ultimately, should the end goal for the attack be to ‘get money’, the attackers will encrypt the critical data and demand a ransom for a decryption key from the targeted enterprise.
How the attack surface grows and how to control it
To launch a malware attack, cybercriminals will manoeuvre throughout the organisation’s existing security layers to locate any vulnerabilities or weak points for later exploitation. Security gaps within a target’s data, identity credentials, and digital infrastructure are the three key aspects needed for a successful launch of a malware attack. Any existing weak points become even more vulnerable during any significant changes or events, such as modifying internal password policies or in preparation for a major software update. Due to this, it is important for organisations to maintain full visibility of their software and files when undergoing such events.
To mitigate any subsequent risks, IT security teams should strongly consider reinforcing their digital infrastructures in line with system hardening guidelines. System hardening is the process of reducing the vulnerabilities and security risks within a system, application, or infrastructure, with the overall goal of reducing the attack surface and withstanding emerging attack vectors. When executed correctly, these measures give organisations a way to get ahead of, and to defend against, these potentially devastating malware threats.
System hardening guidelines aligned with the National Institute of Standards and Technology
Among the myriad of system hardening guidelines available online, the guidelines provided by NIST are the most widely recommended and trusted source – and they are free of cost. Ultimately, as recommended by NIST, prevention and detection are the best first steps to undertake in order to successfully disrupt the path of malware.
Protection is the first step to achieving the most effective state of system hardening. To do so, IT security teams must change their traditional approaches and take on a ‘think like an attacker’ mentality. A change of perspective in this way can make it easier to identify normally overlooked security gaps, categorise the levels of risk, find ways to improve the overall security strategy, and establish which assets are of most value to the organisation. As a result, this will reduce the attack surface and make it especially difficult for an attacker to apply their LOL techniques.
Second to this is the detection of malicious activity before it can escalate any further. It is vital to correctly distinguish suspicious behaviour from normal behaviour within an IT environment that is already constantly changing. This can be done by checking for indicators of compromise (IOCs): monitoring for unplanned or abnormal file changes and noticing any configuration drift that occurs within the digital environment.
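As an added illustration of the file-change and drift monitoring described above (example code, not from the article or NIST), the following Python script hashes a baseline snapshot of a directory tree, compares a later snapshot against it, and separates changes covered by an approved change record from unplanned ones; the directory layout, file names and contents are constructed for the demo.

```python
# Added example: baseline-and-compare file integrity check for spotting
# unplanned file changes (configuration drift). Paths are constructed.
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every file under root (POSIX relative path) to its hash."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def detect_drift(baseline: dict[str, str], current: dict[str, str],
                 approved: set[str] = frozenset()) -> dict[str, list[str]]:
    """Diff two snapshots. Paths in `approved` (e.g. from a change ticket)
    are still listed, but only the rest are flagged as unplanned."""
    added = [p for p in current if p not in baseline]
    removed = [p for p in baseline if p not in current]
    modified = [p for p in current if p in baseline and current[p] != baseline[p]]
    unplanned = sorted(p for p in added + removed + modified if p not in approved)
    return {"added": added, "removed": removed,
            "modified": modified, "unplanned": unplanned}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: one planned and two unplanned changes."""
    root = Path(tempfile.mkdtemp())
    (root / "etc" / "cron.d").mkdir(parents=True)
    (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
    (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
    baseline = build_baseline(root)
    # Planned change, covered by a ticket: hosts entry added.
    (root / "etc" / "hosts").write_text("127.0.0.1 localhost app\n")
    # Unplanned: a hardening setting reverted and a new scheduled task.
    (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
    (root / "etc" / "cron.d" / "sync").write_text("0 3 * * * root /usr/bin/sync\n")
    return detect_drift(baseline, build_baseline(root), approved={"etc/hosts"})
```

In practice the baseline would be stored off-host and refreshed only after an approved change, so that a reverted hardening setting or a newly dropped scheduled task shows up as unplanned drift rather than blending into routine churn.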
As digital environments are particularly vulnerable during major software changes and infrequent maintenance, organisations and their IT teams must regularly test for weak points and suspicious activity – even after system hardening is complete. Security frameworks like the one provided by NIST can be a great guide on this complicated ‘hardening’ journey. By following their recommendations and guidelines, organisations can keep their assets secured while achieving a lasting return on investment.