Latest News

FBI: More Cyber Attacks Now Blend in with Normal Network Behavior

By Jeffrey Hill | November 8, 2017

Recent trends in malicious cybersecurity activity show that hackers are becoming much more adept at breaching networks using acquired “legitimate” credentials (such as outdated test login accounts to Virtual Private Networks, VPNs) and “blending in” with normal network behavior, according to FBI Cyber Division Senior Intelligence Analyst Kristen Lane.

Speaking at Via Satellite’s Cybersat Summit in Tyson’s Corner, Virginia, Lane told attendees that the agency has identified satellite and aerospace networks as part of a “critical assets” category that is increasingly being targeted by cyberattacks. The agency has also noticed a shift in how malicious actors behave on infiltrated critical asset networks. “Legitimate credentials, most of which are acquired from a previous hack, are being used to access the network, providing more time for the actor to remain on the network and cover to blend in as normal traffic,” she said. “Instead of quickly moving in and stealing data, these actors will take their time and learn how the network works, steal data and/or create chaos. They will then sometimes hang on to those legitimate access tools, or, more likely, create and acquire new access credentials that they can use to access the networks at a later time – all before IT network defenses even realize what’s going on.”

The hacks that produce legitimate credentials are often conducted by hostile nation states, which have gotten into the business of collecting and selling legitimate credentials to criminal actors so that they can use them to steal or sabotage data. The “blending in” behavior is even more prominent on hacked cloud servers with unprotected public access points. “These new tools that are being developed and sold allow hackers to scan the IP space of a network and identify public vulnerabilities,” said Lane. “This doesn’t mean that trusted VPN providers aren’t just as vulnerable. In fact, the ‘blending in’ behavior applies to VPNs in that the malicious actors are reaching out and accessing end-user data from the VPN hub without the end-user even noticing the behavior.”

Malware is still very much a threat, but it, too, is getting more adept at blending in with other software that exists on a network. Some newer malware programs lay dormant until a system triggers an “automatic back-up” process for photo and document files, which are stolen as they are copied. “Hacking tools are becoming a lot less unique and more normalized,” said Lane. “In fact, the more identifiable malicious programs like ransomware are more commonly being used as distractions. They are often dropped into a network to pull the attention of an IT manager away from the real, underlying threat.”

Due to recent geopolitical tensions and news events, cyberattacks receive more media attention now than ever. This means that more information on attacks – and even vulnerabilities – is being made available to the public. Hackers are naturally using this to their advantage, said Lane. “We had one instance where a security leak for a major vendor was made public a week and half before the company was able to patch that leak — it was just out in the open. In that time, several malicious actors were able to exploit the leak and weaponize the cyberattack to steal and destroy massive amounts of data.”

To combat these vulnerabilities, Lane and her colleagues at the FBI have engaged in an outreach effort to promote near-constant communication between businesses and the cybersecurity specialists at their local FBI field office. Lane emphasizes that Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) should develop strong working relationships with FBI officials, who have already developed protocols for securing and handling all types of data — from confidential government information to international business transactions. “The FBI has presence in 72 different countries to handle international incidents and we fully leverage our ‘Five Eyes’ intelligence alliance with Australia, Canada, New Zealand and the United Kingdom,” said Lane.

The FBI also has a long list of recommendations for satellite and aerospace companies looking to sure up their cyberdefenses internally. “We’ve seen many breaches that could have been easily prevented by a variety of actions including strategic network segmentation to blocking unnecessary social media activity on the network,” she said. “Vulnerabilities are most commonly created when a company or agency fails to deploy consistent network defenses and protocols. When IT managers allow exceptions to the rule, they create inconsistencies in a defense that will almost certainly be exploited. Proper cybersecurity measures are built on discipline, collaboration and communication.”