This week a new Palo Alto Unit 42 report revealed that researchers have observed cybercriminal groups moving away from their long-time post-exploitation toolkit of choice, Cobalt Strike, and instead opting for the sophisticated Brute Ratel tool.
Dirk Schrader, resident CISO (EMEA) and VP of security research at Netwrix, comments below on these new findings and on what organisations can do to protect themselves from potential data breaches and the other risks that this change brings:
“The recent report by Unit 42 about a new C2 tool called Brute Ratel C4 becoming the attackers’ favourite choice over Cobalt Strike as the known enemy should ring the alarm bells for cyber defenders. And here is why: this tool seems to avoid EDR and AV detection at large as it has built-in capabilities to keep traces, especially those in memory, hidden. This forces organisations to comprehensively verify their cyber security architecture.
“As detection capabilities installed on endpoints (such as EDR and AV) are not sufficient to uncover command and control activities using Brute Ratel C4, IT teams need to ensure organisational security by addressing all three primary attack surfaces: data, identities, and infrastructure.
“Tools like Brute Ratel C4 or Cobalt Strike are used by attackers to establish a channel back to the control centre – one that can be virtually undetectable. This is the key element of their attack chain. Organisations’ cyber defence approach should be aimed at breaking that chain while staying resilient to the attack. IT teams can start improving their organisation’s cyber resilience by identifying what kind of valuable data is stored and where exactly it resides. This will help concentrate the security efforts on what is most critical. For example, if sensitive data is open to a group of users deemed too large, it should be quarantined and brought to the IT team’s attention. Notably, this measure is excessive for non-sensitive data and will just distract the attention of security personnel.
“Another layer to keep an eye on is identities. Control over user and service accounts, along with the implementation of access management, is the cornerstone of identity security. Privileges should be managed carefully – granted for a specific session and then revoked when the session ends. Such an approach eliminates standing privileges, thereby reducing the attack surface of the organisation.
“The final piece of this puzzle is maintaining the integrity of organisational systems – detecting any change happening to organisational assets and infrastructure, any file dropped, DLL amended, or a configuration change that diminishes the security posture. Early detection is key to increasing chances of preventing an actual data breach.”
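The integrity-monitoring idea in the final point (flagging a dropped file, an amended DLL, or a weakened configuration) comes down to hashing a baseline and diffing it against the current state. The script below is an added illustration of that mechanism, not code from the article, from Netwrix or from the Unit 42 report; the directory tree it scans, the file names (`service.exe`, `helper.dll`, `loader.dll`, `app.conf`) and the `audit_logging` setting are all constructed in a temporary directory so the example runs offline.

```python
"""File-integrity baseline and diff.

Added example (hypothetical helper code, not a vendor tool): take a SHA-256
snapshot of a directory tree, take a second snapshot later, and classify every
path as added, removed or modified.  The tree it scans is constructed in a
temp directory so the demo runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its hash."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(baseline: dict[str, str],
                   current: dict[str, str]) -> dict[str, list[str]]:
    """Classify paths: added (file dropped), removed, or modified (amended)."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed tree, baseline it, simulate three changes, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        # Constructed sample files; the leading bytes just mimic a PE header.
        (root / "bin" / "service.exe").write_bytes(b"MZ original service image")
        (root / "bin" / "helper.dll").write_bytes(b"MZ original helper library")
        (root / "app.conf").write_text("audit_logging=on\n")

        baseline = snapshot(root)

        # Simulated changes an integrity monitor should surface:
        (root / "bin" / "helper.dll").write_bytes(b"MZ amended helper library")  # DLL amended
        (root / "bin" / "loader.dll").write_bytes(b"MZ newly dropped library")   # file dropped
        (root / "app.conf").write_text("audit_logging=off\n")                   # config weakened

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline would be stored off-host (or signed) and the scan scoped to system and application directories; the value of the approach is that it does not depend on recognising the tool that made the change, only on the change itself.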