Kill all RATS! Trust no one…

Henry Dalziel | General Hacking Posts | February 7, 2014

KILL ALL RATS! Yeah – that’s right! Kill’em.

If you find a Remote Access Tool (RAT) in your network then you must – absolutely – and with no hesitation – discover who, when, and importantly how the RAT was embedded on your system or machine(s). If you don’t, then may Donnie Brasco offer some simple advice: ‘fuhgeddaboutdit’.

For those confused, here’s a quick background and ‘definition-refresher’ on what Remote Access Tools (RATS) are:
A RAT is software that allows a remote user (hacker) to control a system as if they had physical access to the compromised computer. Of course, there are plenty of legitimate uses and vendors that utilize RATs (TeamViewer is possibly the best known); however, whilst desktop sharing and remote administration tools have many legal and highly useful uses, when we refer to “RAT” software there is usually a negative connotation attached. A malicious RAT is usually associated with criminal or malicious activity and is typically installed remotely or physically (in person).

Here’s the real fear: was the RAT an insider job?
Transparency is key, trust is everything – but in reality who do you trust and how do you measure and designate that trust? Trust might come easy to some, and less so for others, but here’s the rub: it’s called human nature. Anger, frustration, jealousy or sheer criminal opportunity to make a quick buck can cause an employee to steal data or quietly insert a RAT or logic bomb on your systems.

When it comes to securing our information (a lot of which is obviously confidential) we all tend to look outwards and firm up our defenses against automated scripts, bots, trojans, social engineering hacks, script kiddies etc. – but increasingly, we need to look inwards. According to the Theft Research Center, three of the top 15 data breaches of 2013 were a result of insiders, i.e. those already employed by the organization from which data was removed maliciously.

Disgruntled employees
More commonly we see data breaches occur from disgruntled employees seeking revenge. No one knows exactly how much damage has been done over the years by employees downloading and sharing (for example) sensitive files and customer databases but the figure must surely run into the billions.

Risk management is a huge subject (side note, we actually ran a Hacker Hotshot on Risk Management titled: “SimpleRisk: Open Source Risk Management Tool”) and one recurring theme is that people are the biggest potential security threat. Sure, there are plenty of levels of human risk, not least from unwitting accomplices downloading a virus or a Trojan Horse, but there is a trend amongst certain hackers to spear-phish particular employees in an organization.

What’s the solution?
It’s difficult to say. In most cases, an intentional breach of data by an upset employee must surely be the result of being laid off, a lack of recognition or just plain anger towards the paycheck they are receiving. It’s difficult to even try and offer remedies to each of these ‘causes’, but invariably, the ancient philosophy of treating your peers and juniors with respect and recognition must go some way towards eliminating insider threats.

The theft of data by simply inserting a USB drive and copying files and folders is likely the most common insider hack, but the installation of a RAT on an organization’s network shows total disregard and blatantly constitutes a far wider-reaching security threat and level of criminality. Controlling and monitoring your networks is vital, and as the title of this post says, if you find a RAT in your network – kill it!

In Summary
What are your thoughts? Surely everyone agrees with us that the monitoring of networks is (obviously) vital and in fact a required CISO role – but what are your thoughts about the ‘insider threat’? Do you think it is as prevalent as we have suggested? We’d love to hear from you and thank you for your comments!
