When attackers scan for potential victim organizations, they hope to find systems running with poor configurations or unpatched endpoints, servers, and environments failing to run adequate monitoring tools. They hope to find passwords being reused from those the threat actors found in previously released data dumps.
"Most attackers are just going after the low-hanging fruit right now. There's just so much of it," says Chris Blow, director of offensive security at Liberty Mutual.
This is one of the reasons why, when some attackers find organizations whose systems are well secured, they simply move on to less secure systems. However, one class of attackers, the active adversary, sees cybersecurity defenses as a challenge. They dig in and do what they can to infiltrate their target. They are willing to work for it.
Active adversaries will use whatever tools and techniques they can to succeed. A recently published analysis of 232 investigations conducted by Sophos's X-Ops Incident Response Team found the vast majority of breaches involve either stolen access credentials or an exploitable software vulnerability.
Active adversaries have many tools and techniques that they will use at varying attack stages. Here are several tactics examples:
Social engineering
Without weak or stolen credentials in hand, known software vulnerabilities or other straightforward ways, attackers will most often resort to the easiest exploit: human vulnerabilities. This would include phishing attempts against staff and contractors, highly-targeted phishing attacks known as spear-phishing, and other types of social engineering-driven manipulation that trick people into stepping around security measures or revealing sensitive information.
Custom malware
So that attackers can get past anti-malware software, threat actors will craft their malware or modify existing malware tools enough to get by security checks.
New vulnerabilities
If an attacker can't find existing vulnerabilities within the software used by a targeted organization, they will sometimes seek to find new vulnerabilities, or zero-day vulnerabilities, within the software being used. By combining zero-days to exploit with customized malware, attackers can get into organizations, move laterally throughout, and build persistence.
Attackers will also often encrypt their activities, making it more difficult for protective security controls to spot and stop the malicious activity. To distract security teams from their primary objectives, attackers will also perform decoy attacks designed to distract the security team and tempt them to spend time and effort investigating these disturbance attacks and miss the primary attack, the adversary's actual objective.
In summary, cyber attackers continuously adapt their tactics in response to the cybersecurity defenses they encounter. This ongoing cat-and-mouse game underscores the importance of proactive and adaptive cybersecurity strategies that anticipate and mitigate current and future threats.
Unfortunately, because so many organizations don't adequately protect themselves — the "low hanging fruit" — cyber attackers don't have to go through all that much effort to succeed.
As the Sophos Ops-X Incident Response team uncovered in their analysis, even active adversaries don't need to work hard to get in. Most attacks involve targeting weak authentication and known vulnerabilities. This means that if organizations simply didn't reuse passwords, implemented hard-to-guess passwords, kept their systems patched and up to date, and heightened monitoring around Active Directories and signs of data exfiltration — they would make themselves much more tricky targets.
Active adversary tools
Active adversaries also use well-known tools, such as Netscan, Cobalt Strike, and Remote Desktop Protocol, among others, as part of their attacks.
Regardless of whatever steps a defender makes, attackers — especially active adversaries — will change their focus areas within the business-technology environment that are less protected. So, as credentials get hardened with multi-factor authentication, attackers may try to use zero-day vulnerabilities.
