Researcher: Hacker Sophistication Outpacing Forensics - InformationWeek

One emerging tactic Kevin Mandia said he's seeing more frequently is hackers using rogue Active Server Pages as a way into a Web server. A user who accesses a bogus ASP page would essentially be giving attackers an open door into his or her PC, enabling them to remotely view, copy, or delete files.

In the never-ending cat-and-mouse game between hackers and those charged with stopping them, it's pretty clear who's winning--and it's not the cat.

Speaking at the Black Hat conference in Las Vegas last week, Kevin Mandia, president of Mandiant, an Alexandria, Va.-based security consultancy, said attackers are using increasingly sophisticated methods to evade detection and make life difficult for security incident response teams.

The sophistication of hackers' tools is outpacing that of investigators' forensic tools, and one of the consequences is that incident response teams charged with investigating attacks on networks are taking between 5 and 8 days to find malicious code, Mandia said.

"Malware analysis can be time consuming, and most firms don't want to spend the money to fully analyze the malicious code, which could cause further damage [to the network]," said Mandia.

And because it can take days to find malicious code, Mandia said rumors of a kernel-level rootkit always arise within the company that's being analyzed. Rootkits are software tools designed to hide running processes, files or system data and enable attackers to maintain control over a system without the user's knowledge. A kernel-level rootkit takes this cloak of invisibility a step further by adding or modifying part of the kernel code.

Although Windows security breaches make up the majority of security incidents, the kernel-level rootkits Mandia has come across thus far have been Linux-based. "We're not seeing any kernel level rootkits [for Windows], but the user space stuff is working well enough that it doesn't matter," he said.

Mandia said the main reason hackers aren't running kernel-level rootkits is that they can make systems unstable, which could blow their cover. "The number one way people detect network compromise is when their system crashes," said Mandia.

Other common indicators that a PC's security has been breached include the inability to execute a 'save as' command; continual termination of antivirus software; and Windows Task Manager closing immediately when a user executes a 'ctrl-alt-delete' command, according to Mandia.
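The indicators above are the kind of thing a host-side detection can watch for rather than wait for a user to notice. The following is an added example, not code from the article or from Mandiant: it runs two checks over constructed, Windows-style service and process events (sample lines, not real logs), flagging repeated unexpected terminations of an antivirus service within a short window, and Task Manager exiting within seconds of being started. The log format, the service name `AntiVirusSvc` and the thresholds are assumptions; the event IDs are borrowed from the Windows Service Control Manager (7034, 7036) and process-tracking (4688, 4689) events they imitate.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article). The shape is loosely
# modelled on Windows Service Control Manager and process-tracking events:
# "<date> <time> <source> <event id> <message>".
SAMPLE_LOG = """\
2007-08-06 09:00:01 SCM 7034 The AntiVirusSvc service terminated unexpectedly.
2007-08-06 09:00:05 SCM 7036 The AntiVirusSvc service entered the running state.
2007-08-06 09:01:12 SCM 7034 The AntiVirusSvc service terminated unexpectedly.
2007-08-06 09:03:40 SCM 7034 The AntiVirusSvc service terminated unexpectedly.
2007-08-06 09:10:00 PROC 4688 New process started: taskmgr.exe pid=4120
2007-08-06 09:10:01 PROC 4689 Process exited: taskmgr.exe pid=4120
2007-08-06 09:30:00 PROC 4688 New process started: notepad.exe pid=4200
2007-08-06 09:45:00 PROC 4689 Process exited: notepad.exe pid=4200
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (\d+) (.*)$")
PROC_RE = re.compile(r"(\S+\.exe) pid=(\d+)")


def parse(log_text):
    """Turn the constructed log into (timestamp, source, event_id, message) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not in the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), int(m.group(3)), m.group(4)))
    return events


def detect_av_kills(events, service="AntiVirusSvc", threshold=3,
                    window=timedelta(minutes=10)):
    """Flag `threshold` unexpected terminations of the AV service inside `window`.

    A single crash is noise; the article's indicator is *continual* termination,
    so the check keeps a sliding window of recent 7034 events for the service.
    """
    recent = deque()
    findings = []
    for ts, _src, eid, msg in events:
        if eid == 7034 and service in msg:
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                findings.append(
                    f"{service} terminated unexpectedly {len(recent)} times "
                    f"within {window} (last at {ts})")
                recent.clear()  # report once per burst
    return findings


def detect_taskmgr_closing(events, max_lifetime=timedelta(seconds=2)):
    """Flag Task Manager processes that exit almost immediately after starting."""
    starts = {}
    findings = []
    for ts, _src, eid, msg in events:
        m = PROC_RE.search(msg)
        if not m:
            continue
        name, pid = m.group(1).lower(), m.group(2)
        if eid == 4688:
            starts[pid] = (name, ts)
        elif eid == 4689 and pid in starts:
            sname, sts = starts.pop(pid)
            lifetime = ts - sts
            if sname == "taskmgr.exe" and lifetime <= max_lifetime:
                findings.append(
                    f"taskmgr.exe pid {pid} exited {lifetime.total_seconds():.0f}s "
                    f"after start at {ts}")
    return findings


def scan(log_text):
    """Run both indicator checks and return the combined list of findings."""
    events = parse(log_text)
    return detect_av_kills(events) + detect_taskmgr_closing(events)


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print("ALERT:", finding)
```

The `notepad.exe` pair is there to show that an ordinary short-lived process is not flagged; only the AV burst and the instantly closing Task Manager produce findings. In practice the same logic would sit on top of forwarded event logs rather than a string constant.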

One of the worst things users can do if they think their systems have been compromised by a hacker is to shut off their PCs, because doing so prevents an investigator from analyzing the contents of the machine's RAM, which often contains useful forensic evidence, Mandia said.

In one attack on a corporate network, Mandia reviewed the RAM on a compromised machine and found an attack in progress on 11 other machines in the network, he said. Another advantage from analyzing RAM is being able to see a full list of commands a hacker has run, even if the hacker used an encrypted channel to carry out the attack, Mandia added.
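Mandia's point about RAM is that a live memory image still holds the plaintext of what ran on the box, including commands that travelled over an encrypted channel and the names of other hosts they touched, which is exactly what a powered-off machine throws away. As an added example (not the article's or Mandiant's code), the script below carves printable strings out of a constructed memory image, picks out the ones that look like shell commands, and lists the other hosts they reference. The image, its planted fragments, the command-prefix list and the minimum string length are all constructed assumptions; a real investigation would apply the same idea to a memory dump acquired from the still-running machine.

```python
import random
import re

# Byte values that are NOT printable ASCII. They are used as filler so that the
# only printable runs in the constructed image are the fragments planted below.
NONPRINTABLE = list(range(0x00, 0x20)) + list(range(0x7f, 0x100))

# Constructed plaintext fragments of the kind an interactive shell session
# leaves behind in process memory (sample data, not from the article).
PLANTED_FRAGMENTS = [
    rb"ipconfig /all",
    rb"dir \\10.0.0.7\c$",
    rb"copy c:\finance\q3.xls \\10.0.0.7\share\q3.xls",
    rb"dir \\10.0.0.9\c$",
    rb"Connected to 10.0.0.12",
]


def build_sample_image(seed=1234, filler_len=300):
    """Interleave non-printable filler with NUL-terminated planted fragments."""
    rnd = random.Random(seed)
    parts = []
    for frag in PLANTED_FRAGMENTS:
        parts.append(bytes(rnd.choice(NONPRINTABLE) for _ in range(filler_len)))
        parts.append(frag + b"\x00")  # terminated the way a C string would be
    parts.append(bytes(rnd.choice(NONPRINTABLE) for _ in range(filler_len)))
    return b"".join(parts)


# Assumed set of command names worth pulling out of a carved string list.
COMMAND_PREFIX = re.compile(r"^(dir|copy|type|ipconfig|net|tasklist|whoami)\b", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def carve_strings(image, min_len=6):
    """Return every run of at least `min_len` printable ASCII bytes, in order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(image)]


def recover_commands(strings):
    """Keep only carved strings that start with a known command name."""
    return [s for s in strings if COMMAND_PREFIX.match(s)]


def referenced_hosts(strings):
    """Collect every IPv4 address mentioned, sorted numerically."""
    hosts = set()
    for s in strings:
        hosts.update(IPV4.findall(s))
    return sorted(hosts, key=lambda ip: tuple(int(p) for p in ip.split(".")))


def analyze(image):
    """Full pass: carve, then derive the command history and the host list."""
    strings = carve_strings(image)
    return {
        "strings": strings,
        "commands": recover_commands(strings),
        "hosts": referenced_hosts(strings),
    }


if __name__ == "__main__":
    result = analyze(build_sample_image())
    print("Recovered commands:")
    for cmd in result["commands"]:
        print("  ", cmd)
    print("Other hosts referenced:", ", ".join(result["hosts"]))
```

The host list is the piece that turned one compromised machine into eleven in the case Mandia describes: every address a recovered command names is a candidate for the same triage. The carver is deliberately naive (no Unicode, no structure awareness), which is why the minimum length and the command-prefix filter do most of the noise reduction.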

One emerging tactic Mandia said he is seeing more frequently is hackers using rogue Active Server Pages (ASP) as the front page for a compromised Web server. A user who accessed a bogus ASP page would essentially be giving attackers an open door into their PC, enabling them to remotely view, copy, or delete files, Mandia said. "These pages are very sophisticated -- it's like having an executable on a machine," he said.

Profit-motivated attackers usually operate by hacking a victim's PC and installing a keystroke logger or by getting their victims to fall for phishing scams. Mandia said these attacks are tough to stop because the attackers tend to work quickly and leave little evidence behind.
