UK.gov teams up with Five Eyes chums to emit spotters’ guide for miscreants’ hack tools

The UK’s National Cyber Security Centre and its western intel pals have today put out a report spotlighting the most commonly wielded hacking utilities.

The study sets out five categories of publicly available hacking tools used by crims, spies and hacktivists worldwide. The list won’t come as too much of a surprise to penetration testers but is nonetheless valuable for its intended audience of enterprise security defenders.

The intel is designed to give enterprises a better awareness of what they’re up against so they are better positioned to prepare defences.

The dossier (PDF) offers a “snapshot, rather than a compendium” of tools miscreants are likely to throw at targeted networks, with the malign utilities helpfully organised by the order in which the baddies are likely to deploy them.

  1. Remote Access Trojans (RATs): Stealthy programs for planting backdoors or exfiltrating data
  2. Web Shells: Malicious scripts planted on web servers to give remote admin control
  3. Mimikatz: Hoovers up memory-resident passwords and other credentials
  4. Tools for lateral movement in already compromised networks such as popular penetration-testing kits
  5. PowerShell Empire: This framework allows hackers to break into more sensitive machines after they have gained a toe-hold on compromised networks
  6. Command and control obfuscation and exfiltration tools: Utilities used to disguise a hacker’s location

Often these tools are not inherently malicious and might be legitimately used by pen-testers to find vulnerabilities, but they can nonetheless be abused to hack into networks, execute commands and steal data. The NCSC acknowledged that dual use can make detection of these tools more difficult.

“Many… are used in conjunction with each other, presenting a formidable challenge for the network defender,” GCHQ’s cyber assurance arm said. “The NCSC and our partners have seen them used in incidents led by hostile state actors and criminals of widely varying capability.”

The NCSC said simple steps could go a long way towards thwarting potential attacks. Key defences include multi-factor authentication, network segmentation, security monitoring and patching. All this fits in with NCSC’s core security advice guidelines.

The list is the fruit of research efforts by GCHQ and its closest western intel partners in Australia, Canada, New Zealand, and the US 1.

The study “provides network defenders with an insight into some of the incidents that we and our partners are managing, highlighting the tools’ capability and examples of use, plus detection and mitigation advice – all linked into published NCSC guidance”.

The cybersecurity agency said it welcomed feedback from industry and academics about the study and how to build better defences more generally. ®

Bootnote

1 The US Department of Homeland Security, Canadian Centre for Cyber Security, Australian Centre for Cyber Security, New Zealand National Cyber Security Centre and CERT New Zealand. These are all the assurance (defence) arms of government agencies covered by the Five Eyes alliance.