
Mandiant combats new threats posed by remote access tools

As technology advances, so too do cybersecurity threats, and a new point of vulnerability for companies could be remote access tools.

Nader Zaveri (pictured), senior manager of Mandiant incident response and remediation at Google Cloud, estimates that 10% of the company’s investigations involved remote management tool abuse last year and anticipates further growth.

Nader Zaveri, senior manager of Mandiant incident response at Google Cloud, discusses the danger of remote access tools at mWISE 2024.


“We are starting to see threat actors utilize what we call remote access tools, RATs, or the industry properly terms them remote monitoring and management tools,” Zaveri said. “Threat actors are basically utilizing those tools to maintain persistence in organizations during their attacks and are able to laterally move throughout the environment. So, they’re just piggybacking off of already existing tool sets in the environment or just going inside and downloading their own thing. So, we want to call that out and highlight it because we’re starting to see it all over.”

Zaveri spoke with theCUBE Research’s John Furrier and Savannah Peterson at mWISE 2024, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed the complexities of remote access tools and how companies can protect themselves. (* Disclosure below.)

Ratting out remote access tools with AI

Mandiant combats what Zaveri calls “weaponized convenience,” a term for when threat actors use existing tools to infiltrate a company’s network. Cybercriminals may also use tools that are not approved but are not actually blocked by the company’s detection and response system. However, there are still ways to identify an attack.

“The way we identify a lot of threat actors, we try to cluster them based off of the different ways, what we call TTPs, different tools, techniques and procedures, how they maneuver, what different tooling they use as part of their mission,” Zaveri said. “After 10 years of seeing a constant pattern of the way, when they’re in an environment, they have these specific tools that they want to utilize. Maybe the tooling may change, but the overarching mission stays the same.”

Companies can protect themselves by blocking remote access tools that are not necessary for day-to-day operations. Mandiant is also using “red AI,” an artificial intelligence simulation of a cyberattack, to pinpoint weaknesses.

“What you can do is protect what you can control,” Zaveri said. “So, things like hardening the environment, ensuring you’re blocking the remote access capabilities of those tools … we actually put together a hunting script that you can use in your environment, that you can scour your entire environment, and it’ll go through 50 or 60 different remote tools that we’ve seen threat actors utilize. With those tools, you can then start to block those that are not in your normal day-to-day administration.”
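The hunt Zaveri describes boils down to matching an endpoint inventory against a catalog of known remote management tools and flagging anything outside the organization’s approved set. The script below is an added illustration of that workflow, not Mandiant’s hunting script; its tool catalog, allow-list and inventory records are constructed for the example (the 50 or 60 tools Mandiant’s script covers are not listed on the page).

```python
import re
from dataclasses import dataclass

# Constructed, illustrative catalog of RMM tool process image names.
# Mandiant's real list of 50-60 tools is not reproduced here.
RMM_CATALOG = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
    "ateraagent.exe": "Atera",
    "splashtopstreamer.exe": "Splashtop",
}

# Hypothetical allow-list: the tools this organisation uses for day-to-day administration.
APPROVED = {"ConnectWise ScreenConnect"}

@dataclass(frozen=True)
class Finding:
    host: str
    tool: str
    image: str
    approved: bool

def hunt(inventory, catalog=RMM_CATALOG, approved=APPROVED):
    """Return one Finding per (host, tool) pair whose image name is in the catalog."""
    seen, findings = set(), []
    for rec in inventory:
        # Normalise a full Windows or POSIX path down to its lower-cased file name.
        image = re.split(r"[\\/]", rec["image"])[-1].lower()
        tool = catalog.get(image)
        if tool is None or (rec["host"], tool) in seen:
            continue  # not an RMM tool, or already recorded for this host
        seen.add((rec["host"], tool))
        findings.append(Finding(rec["host"], tool, image, tool in approved))
    return findings

def block_candidates(findings):
    """Tools present in the environment but absent from the allow-list: candidates to block."""
    return sorted({f.tool for f in findings if not f.approved})

def report(findings):
    """Map each detected tool to the sorted list of hosts it was seen on."""
    by_tool = {}
    for f in findings:
        by_tool.setdefault(f.tool, set()).add(f.host)
    return {tool: sorted(hosts) for tool, hosts in by_tool.items()}

# Constructed sample inventory (host, running image) standing in for EDR/process telemetry.
SAMPLE_INVENTORY = [
    {"host": "WS-0142", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"host": "WS-0142", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "SRV-FILE01", "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"host": "WS-0207", "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe"},
    {"host": "WS-0207", "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe"},
]
```

Running `block_candidates(hunt(SAMPLE_INVENTORY))` on the constructed data yields only AnyDesk, while ScreenConnect is reported but left alone because it is on the allow-list.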

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE Research’s coverage of mWISE 2024:

(* Disclosure: Google Cloud Security sponsored this segment of theCUBE. Neither Google nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE

Source: siliconangle.com
