Recently Dmitri Alperovitch, McAfee’s VP of Threat Research, published a blog about Operation Shady RAT. In the blog and corresponding whitepaper he details an investigation of targeted intrusions into over 70 global companies, governments, and non-profit organizations over the last five years that appear to be sourced from a single actor or group. The targeted attacks used a combination of known attack components such as remote access tools or RATS and spearphishing.
Since the release of this information, there have been questions regarding mitigation techniques for these types of attacks; we’ll look at some now.
It’s important to note that there is no single product that can be plugged in that will stop spearphishing, protect sensitive data, thwart malware, put an end to malicious insiders, etc. Instead there are several solutions across endpoint, network, data security as well as security management that can and should be used in a connected framework to enrich each other and thus mitigate risk, increase ROI, and create greater efficiencies regarding incident detection, prevention, and response. Let’s take a look at some of these controls.
Endpoint controls are likely the most intuitive solutions for addressing malware, and while they are well known in general, they warrant readdressing here. Endpoint security suites can use a combination of techniques such as blacklisting and dynamic whitelisting to prevent known and unknown malware and even prohibit its installation.
Whitelisting is particularly useful against unknown threats because it can prohibit the installation of any unauthorized software. Simply put, what isn’t explicitly allowed will be denied. It can also help detect and prevent inadvertent downloads of malicious programs. Many endpoint controls are able to look at the network activity traversing the TCP/IP stack as well as the system internals, and correlate that information in order to determine if there is nefarious system activity and or network activity emblematic of command and control.
Why is this important when addressing Shady RAT? The endpoint is ground zero. Regardless of the attack vector, the victim, or the data that was to be stolen, the first goal of Shady RAT was the compromise of an endpoint. Once one endpoint was compromised it could be used to compromise other endpoints across the network. By applying controls at the endpoint not only is the exploitation of vulnerabilities and installation of malware at the endpoint stopped, but also the level of penetration in terms of number of systems compromised can be reduced.
There are several algorithms specific to targeted attacks, sometimes called APTs that can be leveraged in both firewall and IPS solutions. These algorithms are designed to detect signs of attacks based on inbound and outbound activity. Additionally, to address common breaches that occur through email and web, specialized anti-malware engines utilizing proactive scanning can block obfuscated code that is common in most sophisticated malware as it passes through email and web conduits.
Network controls can also be utilized to not only detect malicious behavior such as RAT activity, but also de-obfuscate evasive traffic that is seen in command and control channels for analysis. When these solutions are enriched with threat intelligence information, discussed later in this blog, they can even become aware of threats before they touch their network and therefore employ filtering, redirection, etc. to not only mitigate the security risks, but even have a positive impact on network and system performance because these assets are busy processing malicious bits.
Why is this important when addressing Shady RAT? How does Shady RAT get to the endpoint; it works over the Internet and internal networks. By having a layered network defense strategy, especially one that takes advantage of threat intelligence information, it’s possible to mitigate the attack before ever reaching the endpoints. Because Shady RAT favored social engineering as an attack vector, in addition to IPS and firewalls, it is necessary to utilize controls for email and web that can detect and filter malicious code.
While there are several motivations behind attacks, information theft generally ranks on the top of the list regardless of the aggressor or the victim. This is also true for Shady RAT. Network controls and endpoint controls while necessary and useful need to be augmented by specific solutions designed to get close to the target: data. As such, one of the best ways to prevent the ex-filtration of sensitive data, and to provide forensic information is through DLP. DLP needs to be assisted by encryption solutions, and specialized solutions for protecting structured data found in databases such as database activity monitoring or DAM. These DAM solutions are particularly useful in addressing database-centric attacks that often go unnoticed by some network controls. These solutions, together with host DLP and network DLP can work synergistically to protect data at rest, in motion, and in use.
Why is this important when addressing Shady RAT? Data is what Shady RAT was after. Even if an endpoint is compromised and Shady RAT was able to get through the various network controls, the data controls could step in to make it unusable – because it’s encrypted, or to deny the sensitive data from leaving the network or even leaving the host it resides on via DLP.
While endpoint, network and data controls provide strong risk mitigation, by themselves, a silo approach is just what the bad guys are counting on. The answer is Security Connected. This is McAfee’s framework for integrating multiple products, services, and partnerships to provide centralized, efficient, and effective risk mitigation. Based on more than two decades of experience, we developed this framework to help organizations of all sizes, segments, and across all geographies increase their security posture, optimize security for greater cost effectiveness, and align security strategically with business initiatives.
One essential capability for an effective Security Connected framework includes reputational information so known malicious IPs, URLs, emails, files, etc. can be identified and thwarted before entering your environment. Other core capabilities include: discovery of assets – systems, data, etc., knowing your vulnerabilities, understanding what countermeasures are in place, and having a centralized location to manage, analyze, respond, and report across all security controls.
Because the endpoint, network and data solutions enrich each other through this centralized framework, should an incident occur, it can be more quickly and easily identified and remediated. Finally, having centralized management allows for more comprehensive postmortem analytics and reporting to help identify weaknesses that can then be addressed to thwart future attacks.
Why is this important when addressing Shady RAT? While no single solution can address attacks like Shady RAT, there are frameworks that can.
Through a centralized discovery framework the assets that can be successfully compromised by Shady RAT, because they lack the appropriate patches and or countermeasures, can be identified. The preventative controls across endpoints, network and data can be more easily and precisely managed for layered security from a single console. The solutions are enriched with threat intelligence i.e. reputational information and malware data, so controls are more effective at disallowing Shady RAT activity at the perimeter and defeats propagation internally. Threat intelligence is essential because it harnesses the power of millions of global sensors and hundreds of dedicated researchers to supply real-time situational awareness regarding the changing threat landscape. Regardless of the threat being known phishing scams, malicious domains, malware-infected files and so on, this threat intelligence information provides actionable details that can be leveraged by the various security controls for proactive protection against Shady RAT and attacks like it.
For information on specific McAfee solutions that can be leveraged against attacks like those from Shady RAT please see: