Hackers don't just want to pwn networks, they literally want to OWN your network – and no one knows they're there

Network intruders are staying longer and going after wider swathes of machines with their attacks. This is according to the latest quarterly report (PDF) from security company Carbon Black, which analysed various incident reports from about 40 of its enterprise customers. It found that attackers are doing more to cover their …

  1. knarf

    Well at least you have experts doing proper network management

    They will patch that horrible hole they just used

    Ensure it's secure for them

    Manage load balancing

    Steal your data... ok not so good

  2. This post has been deleted by its author

  3. Chris G

    The usual suspects

    I see the mention of China and Russia gleaned from about 40 of Carbon Black's customers, I would love to know the numbers of IP hackers worldwide and their countries of origin both freelance and state sponsored.

    1. Anonymous Coward

      Re: The usual suspects

    2. elip

      Re: The usual suspects

      Attribution on the internet is mostly impossible. Carbon Black, Crowd Strike, and others are full of shit (which these enterprises gladly pay for and hoover up).

      1. stiine

        Re: The usual suspects

        Actually, it's all down to their (the hackers') code, especially if it contains comments, error messages, or other text. Also, you can find clues in the included and called libraries, compilation time, and other artifacts.

        The fact that they haven't attributed any malware to you probably isn't by accident.

  4. This post has been deleted by its author

    1. doublelayer

      Re: Unlikely to change anytime soon

      That's well and good, and usually it's fine, but how do you prove for a certainty that your network device that faces the public internet because it has to is definitely clean? You can prove that you've followed security best practices. You can confirm that you audit its configuration to ensure you see if it suddenly changes and check that against your known changes. You can confirm that you do penetration tests on it and that it passes. You couldn't confirm as easily that it does not contain flaws that could be/are actively being used by an adversary. Consider what happens if there is a flaw allowing an attacker to inject network traffic. If the flaw is unknown, you can't detect that the flaw is there and hasn't been patched. If the traffic is injected but doesn't update the configuration, you can't get info about that from a status audit. If the traffic is convincing in that it successfully pretends to be from a known device and fit the patterns from that device, you wouldn't expect it to be flagged by a firewall. I admit that this scenario isn't very likely, but there is some argument that if something of this complexity happens, it's not entirely fair to blame the administrators for it.

      1. VikiAi

        Re: Unlikely to change anytime soon

        Much like medical malpractice, I don't think we need to punish for the genuinely unforeseeable. Just punishing for the un-patched well-known exploits and failure to follow well-established security procedures would be fine, I'm sure.

        1. Mike Moyle

          Re: Unlikely to change anytime soon

          As I think I posted when the subject came up after another article on security, I think the secret is to bar corporations from claiming damages if they are vulnerable to a known exploit, and make it easier for their customers to do so. We've all seen the stories where some yutz is caught and charged with some eye-watering amount of "damage" to the victim's computer systems with civil penalties to recover the "lost" money. Meanwhile, the company "generously" pays out pennies-worth of account monitoring and the like.

          Making it so that the company is on the hook for all damages from both sides might go a ways to "concentrate (their) mind(s) wonderfully," as Mr. Johnson might have said.

          (Oh, and documentation showing that: "I asked for 'X' resources to mitigate 'Y' security issues, which were refused by 'Z'," should be an automatic "get out of jail free" card for any IT personnel with responsibility for security. The penalty should be on the higher-ups, not on the workers in the trenches who are given responsibility without authority.)

    2. fidodogbreath

      Re: Unlikely to change anytime soon

      I am firmly of the opinion that absolutely nothing will change until businesses feel a direct, immovable financial impact from failing to secure their systems. [...] When businesses feel fear -- real, brown-trousered fear in the C-suite -- then they act. Until then, nothing much.

      These are the kinds of attacks that might cause a Code Brown on Mahogany Row.

      You're right that most execs don't shit themselves over a few million customer credit cards or PII records getting hacked. They'll run a PR campaign, offer some credit monitoring that >90% of the affected customers won't sign up for anyway, and in a few weeks it's back to business as usual.

      IP is a different matter. It costs a shit-ton of money to design and engineer things like stealth fighters, rockets, supercomputers, cutting-edge chip fab tech, cancer drugs, etc. Having a 9- or 10-figure investment stolen by a competitor -- especially one backed and protected by an untouchable nation-state -- might soil a few top-grain leather chairs and well-tailored trousers.

  5. Anonymous Coward

    Quote: "I can't believe WMI and Powershell is still being misused in such a dramatic fashion," he said. "It is time Microsoft got their act together."

    Not to pick on Microsoft. It's the WHOLE INDUSTRY that needs to get real. We've known this since 1999 when Scott McNealy said "You have zero privacy anyway. Get over it." The industry as a whole HAS DONE NOTHING.

    And here we are twenty years later wondering why hackers are getting comfortable in corporate networks, "island hopping" to other networks. Obvious isn't it? No one cares. What will it take for the industry to pay attention and do something?

  6. Anonymous Coward

    Insert anti-Chinese anti-Iranian and anti-Russian propaganda

    Part of the cause is a skyrocketing rate of attackers targeting intellectual property. As companies (and governments) in China and Russia increasingly look to lift tech and documents from their competitors

    motives and methods may very well reflect roiling geopolitical tensions — be it uneasy trade relations with China or what looks to be a new nuclear arms race with Russia — as nation states seek competitive advantage.

    Have these companies ever considered not exposing their secret intellectual property to the public Internet?

    1. Fungus Bob

      Re: Insert anti-Chinese anti-Iranian and anti-Russian propaganda

      You have some strange ideas about how to run a business...

    2. fidodogbreath

      Re: Insert anti-Chinese anti-Iranian and anti-Russian propaganda

      Have these companies ever considered not exposing their secret intellectual property to the public Internet?

      Now, that's just crazy talk.

  7. pavel.petrman

    Re "I can't believe Powershell is still being misused in such a dramatic fashion"

    I read every now and then that monitoring Powershell is now the first thing to do when setting up intrusion detection. Five Powershell sessions suddenly popping up in accounting after it has never been used in the last five years? You don't need another hint at what's on.

  8. Claptrap314

    Quote: "I can't believe WMI and Powershell is still being misused in such a dramatic fashion," he said. "It is time Microsoft got their act together."

    It was time they got their act together around '94.

    Boot sector infectors were the bane of computer users BEFORE the internet. Win95 came out as a system to be networked, with approximately 0 attention paid to security.

    Because approximately 0.01% of the market had the ability to understand the s******* that was about to be unleashed.

    1. doublelayer

      There are many security fixes they could work on, but it's a bit unfair to blame powershell for this. The fault is at least partially on bad administration. Should the admins want, they could simply disable powershell. They could lock it down. They could monitor it. Powershell is also not by design insecure, but simply allows attackers to execute scripts without having a noticeable file stored on disk. If more of the industry was using Linux, we'd hear about the terrible security hole of shell scripts, because attackers could use them to execute commands on remote machines (see XKCD 1808, specifically the title text). In either case, it is not powershell or the interpreter of your choice that is at fault, but whatever security problem (whether the fault of bad software or incompetent administration) that allowed them to get in and the other one used to escalate from the system they first got to to one with more privileges or at a different location. Only by analyzing the most prominent security holes can one assign blame to the correct piece of software and the entity responsible for making it insecure.
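The kind of PowerShell monitoring pavel.petrman and doublelayer describe, written as an added example that is not from the article or any commenter: build a baseline of PowerShell launches per department, then alert when a department that never used it shows several distinct hosts starting it inside a short window. The record layout, department labels, host names and timestamps are constructed sample data, not real telemetry.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): one tuple per process start, in the
# spirit of Windows Security event 4688 reduced to (timestamp, host, department, image).
BASELINE = [  # months of history: engineering uses PowerShell, accounting never has
    ("2019-01-03T09:12:00", "eng-ws-01", "engineering", "powershell.exe"),
    ("2019-02-14T11:05:00", "eng-ws-02", "engineering", "powershell.exe"),
    ("2019-01-08T09:00:00", "acct-ws-01", "accounting", "excel.exe"),
    ("2019-02-20T10:30:00", "acct-ws-02", "accounting", "excel.exe"),
]
RECENT = [  # the last quarter of an hour: five accounting hosts suddenly launch it
    ("2019-03-01T02:10:00", "acct-ws-01", "accounting", "powershell.exe"),
    ("2019-03-01T02:11:00", "acct-ws-02", "accounting", "powershell.exe"),
    ("2019-03-01T02:11:30", "acct-ws-03", "accounting", "powershell.exe"),
    ("2019-03-01T02:12:00", "acct-ws-04", "accounting", "powershell.exe"),
    ("2019-03-01T02:14:00", "acct-ws-05", "accounting", "powershell.exe"),
    ("2019-03-01T02:15:00", "eng-ws-02", "engineering", "powershell.exe"),
]
SHELLS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

def shell_starts_per_department(events):
    """Count PowerShell launches per department over a set of records."""
    return Counter(dept for _, _, dept, image in events if image.lower() in SHELLS)

def detect_new_shell_use(baseline, recent, window=timedelta(minutes=15), min_hosts=3):
    """Alert on departments with no PowerShell use in the baseline where at least
    min_hosts distinct machines launch it within one sliding time window."""
    historic = shell_starts_per_department(baseline)
    launches = {}
    for ts, host, dept, image in recent:
        if image.lower() in SHELLS:
            launches.setdefault(dept, []).append((datetime.fromisoformat(ts), host))
    alerts = []
    for dept, starts in launches.items():
        if historic[dept] > 0:
            continue  # department already uses PowerShell; a burst there is not this signal
        starts.sort()
        for i, (t0, _) in enumerate(starts):
            hosts = {h for t, h in starts[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"department": dept, "hosts": sorted(hosts),
                               "first_seen": t0.isoformat()})
                break  # one alert per department is enough
    return alerts

if __name__ == "__main__":
    for a in detect_new_shell_use(BASELINE, RECENT):
        print(f"ALERT {a['department']}: {len(a['hosts'])} hosts from {a['first_seen']}")
```

The baseline check is what keeps this from firing on teams that legitimately script with PowerShell; the distinct-host count is what separates one curious user from a spread across machines.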
