According to the recent report from the cybersecurity authorities of the “Five Eyes”, the availability of hacking tools and techniques is not limited to dark web criminals or nation-state hackers.
Christian Elisan, Lead Analyst at Flashpoint, provides his insights below on how organisations can defend against these tools and attacks.
Christian Elisan, Lead Analyst at Flashpoint:
“Aside from the recommendations mentioned by NCSC (National Cyber Security Centre), organisations can take a step further by studying and familiarising themselves with the freely available tools used in the attacks. See how the tools behave in a target system and what changes, if any, are made in the target system to support the tools’ functionalities. These artefacts can serve as indicators of compromise that can be used to detect the presence of the tool. Threat actors can always encrypt and/or pack these tools to make them undetected by traditional security solutions, but no matter what type of encryption is used, these tools, like any other software, will be decrypted in memory during runtime. Knowing what the tool looks like in memory will enable detection of its presence during runtime or as it is being loaded into the target system’s memory. This solves the detection of tools such as PowerShell Empire, which operates mostly in memory.
How can we prevent the development and distribution of these tools?
These types of tools will continue to be developed, the same way malware is being developed. The only difference is that these tools will always carry the claim “for research purposes only, use at your own risk, developer is not liable…” I don’t think there is anything we can do to stop it. As for distribution, unless the platforms that are being utilised to host these tools have the capability to audit source code and the files being made available through their service, it will be a challenge to stop or even hinder the distribution of these tools.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.