The latest from Carbon Black’s 2019 Global Threat Report shows cybercriminals are intent on moving from endpoint to endpoint and on avoiding detection by using built-in tools.
If you were a cybercriminal wanting to locate and exfiltrate valuable data from a victim organization, it’s not likely you’ll find much on the initial endpoint you compromise. So, you need to move around from endpoint to endpoint, gathering credentials along the way, building up an inventory of resource endpoints and user accounts at your disposal.
Lateral movement is not just one tactic among many: according to Carbon Black, nearly 60% of attacks involve it, and it is quickly becoming the leading tactic for cybercriminals.
Now, there are lots of great hacker utilities out there that can help, but those might sound the alarm from AV or endpoint protection solutions. So, what else is there? Plenty.
Cybercriminals are experts at leveraging the built-in tools found within the operating system of the compromised endpoint. According to the Carbon Black report, the following tools were used most often:
- PowerShell was used in 90% of attacks
- Windows Management Instrumentation (WMI) in nearly 60%
- Secure Shell in nearly 30%
These tools help cybercriminals “lay low”: they avoid detection while facilitating lateral movement within the organization.
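Because the tools above are legitimate parts of the operating system, blocking them outright is rarely an option; the defensive lever is to watch how they are used. The script below is an added example written for this post, not code from Carbon Black or the original article. It runs three detection rules over a constructed batch of Windows process-creation records (field names such as `host`, `user`, `parent`, `image` and `cmdline` are assumptions modelled loosely on Sysmon Event ID 1 / Security Event 4688 data): a shell spawned by a WMI provider host or a PowerShell remoting host, PowerShell launched with an encoded command, and one account producing shell activity across several hosts in a short window. It covers the two Windows tools named in the report; SSH would need the equivalent treatment over authentication logs.

```python
"""Flag living-off-the-land lateral-movement indicators in process-creation logs.

Added example for illustration only; not from the Carbon Black report or the
original post. Record layout and threshold values are assumptions.
"""
from collections import defaultdict

# Parents that commonly indicate remote execution through built-in tooling on
# Windows: WmiPrvSE.exe hosts WMI providers (remote Win32_Process creation
# lands here) and wsmprovhost.exe hosts PowerShell remoting sessions.
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "wsmprovhost.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
FANOUT_THRESHOLD = 3  # distinct hosts per account before flagging (assumed tuning value)

# Constructed sample records (not real telemetry); the base64 blob is a placeholder.
SAMPLE_EVENTS = [
    {"ts": "2019-04-01T10:00:01", "host": "WS-01", "user": "CORP\\alice",
     "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File build.ps1"},
    {"ts": "2019-04-01T10:02:10", "host": "WS-02", "user": "CORP\\svc-backup",
     "parent": "WmiPrvSE.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"ts": "2019-04-01T10:03:45", "host": "WS-03", "user": "CORP\\svc-backup",
     "parent": "wsmprovhost.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -enc QUJDRA=="},
    {"ts": "2019-04-01T10:05:20", "host": "FS-01", "user": "CORP\\svc-backup",
     "parent": "WmiPrvSE.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File c.ps1"},
    {"ts": "2019-04-01T10:06:00", "host": "WS-01", "user": "CORP\\bob",
     "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe"},
]


def is_encoded_powershell(cmdline):
    """True if the command line carries -EncodedCommand or one of the
    abbreviations powershell.exe accepts for it (-e, -ec, -enc, ...).
    Heuristic: any switch that is a prefix of 'encodedcommand' starting with 'e'."""
    for tok in cmdline.lower().split():
        if tok.startswith(("-", "/")) and len(tok) >= 2:
            name = tok[1:]
            if name.startswith("e") and "encodedcommand".startswith(name):
                return True
    return False


def analyze(events):
    """Return a list of findings; each finding is a dict with rule/host/user/detail."""
    findings = []
    hosts_by_account = defaultdict(set)
    for ev in events:
        parent = ev["parent"].lower()
        image = ev["image"].lower()
        if parent in REMOTE_EXEC_PARENTS and image in SHELLS:
            findings.append({"rule": "remote_exec_parent", "host": ev["host"],
                             "user": ev["user"], "detail": f"{parent} spawned {image}"})
        if image in POWERSHELL and is_encoded_powershell(ev["cmdline"]):
            findings.append({"rule": "encoded_powershell", "host": ev["host"],
                             "user": ev["user"], "detail": ev["cmdline"]})
        if image in SHELLS:
            hosts_by_account[ev["user"]].add(ev["host"])
    # Fan-out: one account driving shells on many hosts is the shape of lateral movement.
    for user, hosts in hosts_by_account.items():
        if len(hosts) >= FANOUT_THRESHOLD:
            findings.append({"rule": "account_fanout", "host": ",".join(sorted(hosts)),
                             "user": user, "detail": f"shell activity on {len(hosts)} hosts"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['rule']}] host={f['host']} user={f['user']} :: {f['detail']}")
```

On the sample batch the service account is flagged three times for remote-execution parents, once for an encoded command, and once for fan-out across three hosts, while the two interactive users produce nothing. In practice the parent-process rules are high-signal on workstations but need allow-listing for management servers that legitimately run WMI and remoting jobs, and the fan-out threshold should be tuned per account type.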
With tools like this at a cybercriminal’s fingertips, and with time on their side, they can remain undetected for extended periods of time – slowly moving throughout your network.
With endpoint solutions unable to always spot external attacks, it’s important to leverage the single most effective part of your security strategy: the user. Without them, the cybercriminal is powerless to compromise an endpoint – let alone move laterally.
Through new-school Security Awareness Training, users are educated on how to identify suspicious emails, email content, links and more that can contain malicious code intent on taking control of your endpoints, your users, and – eventually – your data.