Automation of the Adversary: How to Combat Autonomous Threats With Security Intelligence
May 6, 2020 • The Recorded Future Team
Automation is a powerful asset to any company — unfortunately, automation is also a powerful tool that cybercriminals leverage to attack their targets. Threat actors can use it to control the distribution and communication of malware, provide commands, and initiate future phases of an attack — such as deploying additional malware.
Cybercriminals and state-sponsored actors have built a multi-billion dollar cybercrime industry. From stealing individuals' life savings to influencing heads of state, attacks are carried out frequently and quickly through mass-volume, unsophisticated mechanisms. Threat actors recognize that this is an ideal use case for automation.
Automation and the Emotet Threat
Multi-staged malware campaigns are becoming all too frequent, so much so that US-CERT has issued alerts about a specific one: Emotet, a prolific malware family distributed by email. Emotet is notorious, with infections reported around the world, from the United States to Europe to Southeast Asia. It is known to infect a system, exfiltrate data, and install a second payload, such as the banking trojan TrickBot, and it performs all of this automatically.
Executing an Emotet campaign requires well-organized criminal activity involving multiple teams or distinct criminal entities. Emotet campaigns are routinely reported in bi-monthly waves, and the quiet periods between waves are almost certainly used to set up the automation for the next wave and to prepare new C2 infrastructure.
The introduction of crime-as-a-service (CaaS) through the digital black market has only added fuel to the fire, enabling multiple criminal entities to collaborate easily. In the case of Emotet, one group may be responsible for preconfiguring the autonomous distribution, while another may coordinate the autonomous C2 communication process.
Modular malware like Emotet can receive pre-programmed C2 commands that are distributed autonomously, depending on the information gathered during the initial infection. This lets the malware swiftly gain additional capabilities by loading new modules.
Modular-Based Malware Is Ideal for Automation
Emotet is not the only automated attack method causing havoc and destruction, however. Many successful cyber threats scan the internet for common vulnerabilities and hand the discovered systems to other autonomous tooling, which in turn launches exploits and brute-forces passwords.
Where data leaks have occurred and credentials are available in bulk, autonomous systems routinely perform credential stuffing against online services, taking full advantage of password reuse. Credential stuffing affects both individuals and organizations whose users' credentials grant access to online services such as Office 365. Threat actors can then use that access to reach a business's environment and files, such as customer, financial, or intellectual property documentation.
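As an added example (not part of the original post, and not Recorded Future's tooling), the following Python script shows how a defender can automate detection of the two automated login patterns described above: one source cycling through many leaked usernames with one or two tries each (credential stuffing) versus one source hammering a single account (brute force). It also reports which accounts the stuffing source eventually logged into, which is the list an analyst needs for password resets. The log line format, the thresholds, the IP addresses and the usernames are all constructed for this example and are not any vendor's schema.

```python
"""Detect automated login abuse in authentication logs.

Two patterns are separated per source IP within a fixed time window:
  - credential stuffing: many distinct users fail from one source
  - brute force: one user fails many times from one source
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real data). The "<ts> auth <ok|failed>
# user=<u> src=<ip>" format is an assumption made for this example only.
SAMPLE_LOG = (
    "2020-05-06T10:00:01Z auth failed user=alice src=203.0.113.7\n"
    "2020-05-06T10:00:02Z auth failed user=bob src=203.0.113.7\n"
    "2020-05-06T10:00:03Z auth failed user=carol src=203.0.113.7\n"
    "2020-05-06T10:00:04Z auth failed user=dave src=203.0.113.7\n"
    "2020-05-06T10:00:05Z auth failed user=erin src=203.0.113.7\n"
    "2020-05-06T10:00:06Z auth failed user=frank src=203.0.113.7\n"
    "2020-05-06T10:00:07Z auth ok user=grace src=203.0.113.7\n"      # reused password hit
    "2020-05-06T10:00:08Z auth failed user=heidi src=203.0.113.7\n"
    "2020-05-06T10:02:00Z auth failed user=alice src=192.0.2.10\n"   # benign typo
    "2020-05-06T10:02:05Z auth ok user=alice src=192.0.2.10\n"
)
# Twelve failures against one account from a second source: classic brute force.
SAMPLE_LOG += "".join(
    f"2020-05-06T10:01:{i:02d}Z auth failed user=admin src=198.51.100.23\n"
    for i in range(12)
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|failed) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def analyze(log_text, window=timedelta(minutes=5), min_users=5, min_attempts=10):
    """Return a list of findings, one per (source IP, time window) that trips a rule.

    Thresholds are illustrative; tune them to the service's normal failure rate.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    win = int(window.total_seconds())
    buckets = defaultdict(list)
    for e in events:
        # Fixed-size windows keyed by source: cheap and good enough for batch review.
        slot = int(e["ts"].timestamp()) // win
        buckets[(e["src"], slot)].append(e)

    findings = []
    for (src, slot), evs in sorted(buckets.items()):
        failed = [e for e in evs if e["result"] == "failed"]
        failed_users = {e["user"] for e in failed}
        succeeded = sorted({e["user"] for e in evs if e["result"] == "ok"})
        start = datetime.fromtimestamp(slot * win, tz=timezone.utc)
        if len(failed_users) >= min_users:
            # Many accounts, few tries each: a leaked credential list being replayed.
            findings.append({
                "src": src, "window_start": start, "kind": "credential_stuffing",
                "failed_users": len(failed_users),
                "compromised": succeeded,  # accounts to reset / step up to MFA
            })
        elif len(failed) >= min_attempts and len(failed_users) == 1:
            # One account, many tries: password guessing against a single target.
            findings.append({
                "src": src, "window_start": start, "kind": "brute_force",
                "target_user": next(iter(failed_users)), "attempts": len(failed),
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

The split between the two verdicts is the useful part: a stuffing source that scores a success has handed the attacker a valid account, so the `compromised` list should drive an automated reset or MFA challenge, while a brute-force source can simply be rate-limited or blocked. In production the events would come from the identity provider's sign-in log and the findings would be pushed to a ticketing or SOAR workflow rather than printed.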
Combating Autonomous Threats With Security Intelligence
Threats are growing in sophistication, but mass-volume attacks remain the greatest threat. Automation gives cybercriminals not only volume, through breadth of scope, but also speed of execution: it is automation that lets them identify, exploit, and execute at lightning speed. This efficiency only further incentivizes their activity.
It is not all "doom and gloom" for companies and organizations, however. By automating your security with intelligence, you can combat threat actors who use automation to scale their attacks. Start by understanding your information flows, your detection methods, and your responses, then automate to accelerate those processes and reduce cost.