I was somewhat unnerved when I saw the evidence for our #3M-Trend this year: the use of publicly available malware in targeted attacks is increasing. After all, when I first started learning about the Advanced Persistent Threat (APT) several years ago, it seemed to be all about custom backdoors and proprietary tools. I remember briefing executives at my organization on how stealthy the attackers were, using never-before-seen methods to evade antivirus and infiltrate the organization. Yet the recent evidence was clear: every intrusion we had investigated in the last year leveraged some sort of publicly available malware.
Even after years of dealing with this threat, it is still easy to think of advanced attackers as something we would see in a movie, and I often have to remind myself of the reality. These guys are not generally cranking out their work in unsustainable all night Red Bull-fueled hackathons. They actually take holidays off. They work pretty normal shifts. They share best practices. They make mistakes just like we do. They have lives outside of the office. So it is only natural that when faced with a challenge like, "how do I most efficiently dump all of the passwords on this domain controller?" or "what is the best way to ensure persistence with backdoors in this environment?" they will make the best use of their time. In most cases, this is accomplished by using freely available tools to get part of the job done.
Of course, a lot of organizations facilitate these practices by not blocking the use of certain tools that could at least alert to the presence of advanced attackers (PsExec and PwDump come to mind). Or if they are being blocked, then these alerts often are not monitored closely. Take a look at the malware listed on page 11 of this year's M-Trends report and see how many of these your current AV tool is set to block...and ask yourself if anyone would notice if they were being used in your environment.
Although antivirus and "next-gen" solutions will not stop a determined attacker, they do act as a first layer of detection. One of our clients last year (one of the 6% that actually detected an APT attack internally, vs. being notified by a 3rd party) noticed APT-type activity when they saw PsExec blocked on dozens of workstations during a 24-hour period. This anomalous behavior, detected by AV, was noticed and investigated. This led to a relatively early detection of the attack, and damage was limited by the organization's quick response. I'd recommend that others take advantage of this M-Trend and look closely for use of these public tools in your environment.