Hackers are growing much more sophisticated; a new report shows that when incident response teams thwart an attack, they are finding another attack waiting in the wings.
According to a DarkReading.com report citing a new Carbon Black study of 37 big incident response teams that use its security tool, the majority found a second command-and-control (C2) infrastructure held in reserve.
“Sixty-four percent found a secondary C2 on sleep cycle,” says Tom Kellermann, chief security officer at Carbon Black, in the report. “This highlights how the adversary has gone from burglary to home invasion: they intend on staying and will take counter attempts... and could get destructive.”
According to the report, Russia and China are behind the lion’s share of attacks, with 81 percent of incident response professionals pointing to Russia and 76 percent citing China. Close to 80 percent of survey respondents said the financial sector was the biggest target for attacks, followed by healthcare and then government agencies. The research also found that nearly 60 percent of the attacks involve lateral movement, with the attacker moving from the victim’s initially compromised machine to others within the organization. All of those surveyed said hackers have used the Windows Management Interface, among other tools, to carry out attacks.
“The uptick of WMI is concerning,” said Kellermann in the report. “It speaks to the level of sophistication [being used] to colonize that infrastructure.” The hackers’ main purpose is to gain access to a company’s supply chain.
The executive said a good way to defend against attacks that keep a secondary attack in reserve is to investigate and hunt the hackers quietly, so they don’t have time to rework the attack. “The number one thing we need to evolve in as defenders is to become more quiet and clandestine in how we hunt,” he said. “Deciding when to reveal oneself is critical, as counter-incident response measures as destructive attacks are becoming the norm.”