Novel attack techniques are making waves in the security community, yet it's the common tools found in an IT shop that malicious actors frequently leverage for targeted attacks.

With malicious actors using everyday tools, IT administrators and security professionals are less likely to spot suspicious activity, according to Sophos' Active Adversary Playbook 2021 report. The research is based on data from Sophos telemetry and incident reports between 2002 and 2021 from the Sophos Managed Threat Response and Rapid Response teams. 

Security tools automatically block certain threats, but sometimes a defended threat is only a piece of a larger intrusion which detection teams and services need to weed out. 

For example, a company might have successfully blocked the Mimikatz credential stealer on a domain controller, Sophos researchers said. "But the very fact that it exists means that a threat actor has already compromised the server and may try other techniques that aren't detected."

With alert fatigue rampant, not every indication of a threat requires further investigation. But researchers found ways to piece together tools, techniques and procedures (TTPs) that security professionals could use to justify a deeper analysis of malicious activity. 

Before a company can know what blocked threats warrant a follow up, it needs to review what IT authorizes. Sophos blocks PsExec, but IT administrators can overrule and authorize its use, said Peter Mackenzie, incident response manager at Sophos. 

It's only after a ransomware attack, enabled by PsExec, "that many organizations realize just how dangerous this tool can be when authorized on every machine," he said. "Many threat actors have realized that it often doesn't matter what they do if the victim organization doesn't have the resources, tools and experience to investigate what they are seeing."

On the other end of the spectrum, companies may have slipped on enabling automatic blocking for network scanners, as opposed to granting authorization. "Most good security products have features to block legitimate applications that you don't want running on your machines," it's up to the customer to configure controls based on their needs, said Mackenzie. 

Experience matters

Ransomware was found in 81% of the attacks observed by Sophos, which is when security teams often become aware of unauthorized activity. Ransomware often goes unnoticed until a note is deployed because it has a shorter dwell time than "stealth" attacks -- it hits companies fast.  

A dwell time of eleven days means intruders have about 264 hours to roam and perform reconnaissance, data exfiltration or lateral movement, Sophos said.  

Deeper investigations by security are most often triggered by techniques using Command and Scripting Interpreter and signed binary proxy execution. Remote system discovery, system owner/user discovery, and private keys were among the techniques least likely to trigger an investigation. 

"I would think this comes down to resources and experience. It is a lot easier to find an executable file on a machine and get an idea of what it does," said Mackenzie. Techniques using remote system discovery likely have manual executions by the attacker. 

"These are harder to investigate due to most of them not being logged unless you have specific software in place," he said. Companies cannot investigate what is not recorded. 

Remote system discovery is less triggering because of the numerous ways to identify network resources, Stel Valavanis, founder and CEO of onShore Security, added. "This one requires network traffic that can trip other detections and network protections. It's also in itself not necessarily an attack so detection systems might add it to a correlation but not trigger an investigation just by the activity alone."

Companies hunting for anomalies might find clues in the combination of tools used in an attack. Sophos found in 58% of attacks leveraging PowerShell, Cobalt Strike was present. Cobalt Strike combined with PsExec was found in 27% of attacks. And a cocktail of Cobalt Strike, PowerShell and PsExec was found in 12% of attacks. 

Mapping the correlation between tools in attacks "can serve as an early warning of an impending attack or confirm the presence of an active attack," Sophos said. 

Services like remote desktop protocol (RDP) were involved in the beginning of 30% of attacks, according to the report. RDP was also found in 69% of attacks with internal lateral movement, but only 4% of cases used RDP for external access. "RDP needs to just be turned off already," Valavanis said. 

However, not all companies are able to uncover every move an attacker makes. Sophos identified 41% of attacks as having unknown earliest observed attack vectors. Whether the intruders erased their steps as they moved (as was seen in the SolarWinds compromise) or the security team already re-imaged infected machines, the vector remains unknown. 

While having the ability to identify lingering backdoors is important to mitigate and squash a threat, "finding the patient zero and the initial access method doesn't guarantee the same thing couldn't happen again," said Mackenzie. "For example, if it was a user enabling macros in a malicious email attachment, unless you educate all your staff and they are very vigilant, there is no reason to think it couldn’t happen again."