Attackers who break into networks only need to take a few basic measures in order to avoid detection.
Security vendor Secureworks said in its annual State of the Threat report that it observed several data breaches between June 2021 and June 2022 and found that, by and large, once network intruders gained a foothold on the targets' environment, they had to do relatively little to stay concealed.
"One thing that is notable about them is that none of these techniques are particularly sophisticated," the vendor said.
"That is because threat actors do not need them to be; the adversary will only innovate enough to achieve their objectives. So there is a direct relationship between the maturity of the controls in a target environment and the techniques they employ to bypass those controls."
Among the more basic measures taken by the attackers was coding their tools in newer languages such as Go or Rust. This tweak created enough of a difference in the software to evade signature-checking tools, according to Secureworks' report.
In other cases, the network intruders hid their activity by packing their malware within a trusted Windows installer or by sneaking it into the Authenticode signature of a trusted DLL. In another case, a malware infection was seen moving data out of the victim's network via Tor nodes.
While effective, Secureworks said the techniques are hardly innovative. Rather, they indicate that threat actors find themselves only needing to do the bare minimum to conceal themselves from detection.
However, Mike McLellan, director of intelligence for the Secureworks Counter Threat Unit, told TechTarget Editorial that stopping these techniques may not always be a simple process.
"This depends on the nature of the defensive evasion, but typically it involves identifying elements of the defensive evasion technique that can themselves be used for detection. Sometimes the harder an adversary tries to hide, the more it stands out," McLellan explained.
"For example, obfuscating text in malicious scripts or commands is a common method of disguising malicious commands. But countermeasures can be developed to look for the obfuscation technique rather than the text that it is disguising."
Likewise, McLellan said that while steps can be taken to counter these techniques, new tricks will soon pop up.
"Detecting defensive evasion is a cat-and-mouse game. Adversaries will attempt to innovate as network defenders develop the capability to detect them," he said.
"In turn, network defenders and security vendors are constantly looking to evaluate new defensive evasion techniques, and figuring out how use of those techniques can itself be used to develop new countermeasures."
Attacks on remote services ramp up
Also noted in the report was a shift in the way attackers are accessing networks. Secureworks found that remote services were, for the first time, a more popular attack vector than compromised accounts. For example, 52% of the ransomware attacks the vendor tracked during the 12-month period had exploitation of remote services as the initial access vector.
The reason, said Secureworks, is a move away from account theft methods like credential stuffing and toward bug exploits, thanks to the wealth of known vulnerabilities and automated exploit code now available to attackers. The vendor said the development of offensive security tools (OSTs) often outpaces enterprises' ability to promptly patch or mitigate new vulnerabilities.
"Debates about responsible disclosure often miss the fact that even where a patch exists, the process of patching a vulnerability in an enterprise environment is far more complex and slower than the process for threat actors or OST developers of weaponizing publicly available exploit code," the report said.