07 Jan Backdoor attacks: How they work and how to protect against them
In today’s business environment, companies must do everything in their power to prevent network breaches. With attacks coming from nearly all sides, it can sometimes be difficult to ensure that every vector and point of entry is protected.
Recently, there has been an increase in backdoor attacks. Here, we’ll take a look at just what a backdoor attack entails, what makes them such a dangerous risk factor, and how enterprises can protect themselves.
The basics of a backdoor attack
According to Trend Micro’s report, “Backdoor Use in Targeted Attacks,” applications that allow for remote access to computers – known as backdoors – are often used for targeted attacks. In these types of breaches, hackers leverage backdoor programs to access the victim’s network. The benefit of this attack vector is that the backdoor itself can help cybercriminals break into the infrastructure without being discovered.
“Often initially used in the second (point of entry) or third (command-and-control [C&C]) stage of the targeted attack process, backdoors enable threat actors to gain command and control of their target network,” report authors Dove Chiu, Shih-Hao Weng and Joseph Chiu wrote. “In fact, research reveals that many of the backdoors used in targeted attacks have been specially designed with the ability to bypass any kind of intrusion detection system (IDS).”
Intrusion strategies in backdoor attacks
Backdoors not only provide a disguised point of entry for hackers, but can also offer a number of strategies for intrusion. Trend Micro’s report noted that these include:
- Port binding: Used before firewalls were commonplace, port binding relies on specific configuration information that reveals where and how messages are transmitted and delivered within the network.
- Connect-back: Once firewalls were put in place on many networks, hackers began using the connect-back approach, where backdoors are leveraged to connect the targeted systems to cybercriminals’ C&C server systems. This also allows for a reverse connection from the servers to the victim platform through ports not under firewall protection.
- Connect availability use: This strategy involves the use of several malware samples to not only breach the network but remain there undetected for long periods of time. This extends the window hackers have to steal sensitive data from the target. The first malware, or “first-line backdoor,” serves as a platform to download the second sample, the “second-line backdoor,” which performs the actual theft of information.
- Legitimate platform abuse: The report noted that abusing legitimate platforms has become more common especially as hackers must now work harder to side-step security systems. Within this strategy, cybercriminals abuse a valid platform – like a blog, for example – and utilize it for the storage of C&C server data.
These are just a few attack strategies that can be carried out with backdoors. Trend Micro noted that other approaches include common services protocol or file header abuse, protocol or port listening, custom DNS lookup use, and port reuse.
In addition, Tripwire noted that software isn’t the only system that can have a backdoor. Hardware components including authentication tokens, network appliances, surveillance systems, and certain communication infrastructure devices can also have malicious backdoors that allow for cybercriminal intrusion.
How to protect against backdoor attacks
Cloud Security Alliance noted that because many backdoors are designed to evade detection by common discovery tools, protecting against them can be difficult. However, there are strategies that can be leveraged to help reduce the risk of a breach of this kind.
First and foremost, companies should have firewalls in place that can block entry points from all but authorized users. This is especially important as the execution of a port-binding backdoor attack is nearly impossible should a firewall be present.
In addition, Cloud Security Alliance encouraged robust network monitoring particularly of any open source-based programs.
“Unlike surpassing huge barriers in influencing (or writing) an industry-standard, open-source projects enable someone to choose any of the missions of open-source projects in hundreds of mirroring sites opening up a broad surface of attack,” Cloud Security Alliance stated.
For this reason, businesses should be selective about the open-source applications they use and ensure that they come from a reputable source.
Network monitoring is also key when it comes to protection from backdoor attacks. Monitoring can help ensure that any suspicious activity – such as information being gathered by a command and control server – is flagged to network administrators. IT staff can then react quickly to get to the root of the issue, stop the attack, and mitigate any damage.
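As an added illustration of the monitoring described here (not code from the article or from Trend Micro), the following script runs two defender-side checks over constructed log data: an inventory of listening sockets compared against an allowlist (the port-binding strategy) and a timing check for regularly spaced outbound connections to the same host, the check-in pattern of a connect-back C&C channel. The hosts, ports, process names and thresholds are constructed for this example.

```python
# Added example: detection checks for port-binding and connect-back
# backdoors over constructed log data. Not the report's own tooling.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed listening-socket inventory for one host, e.g. from `ss -ltn`:
# (process name, local port). The allowlist is an assumption for this host.
LISTENERS = [("sshd", 22), ("nginx", 443), ("update_svc", 6001)]
EXPECTED_LISTENERS = {("sshd", 22), ("nginx", 443)}

# Constructed outbound-connection log: (epoch seconds, src, dst, dst port).
OUTBOUND = [
    (1000, "10.0.0.5", "203.0.113.9", 443),
    (1300, "10.0.0.5", "203.0.113.9", 443),
    (1600, "10.0.0.5", "203.0.113.9", 443),
    (1900, "10.0.0.5", "203.0.113.9", 443),
    (2200, "10.0.0.5", "203.0.113.9", 443),
    (1010, "10.0.0.7", "198.51.100.3", 443),
    (1950, "10.0.0.7", "198.51.100.3", 443),
    (2020, "10.0.0.7", "198.51.100.3", 443),
    (3900, "10.0.0.7", "198.51.100.3", 443),
]

def unexpected_listeners(listeners, allowlist):
    """Port-binding check: listening sockets that are not on the allowlist."""
    return [sock for sock in listeners if sock not in allowlist]

def beaconing_pairs(conns, min_conns=4, max_jitter=0.1):
    """Connect-back check: (src, dst, port) tuples whose connection intervals
    are nearly constant, the signature of scheduled C&C check-ins. Human
    browsing produces irregular gaps, so those pairs are not reported."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in conns:
        by_pair[(src, dst, port)].append(ts)
    suspicious = []
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if mean(gaps) == 0:
            continue  # duplicate timestamps carry no timing information
        # coefficient of variation: low value means regular, machine-driven timing
        if pstdev(gaps) / mean(gaps) <= max_jitter:
            suspicious.append(pair)
    return suspicious

if __name__ == "__main__":
    print("unexpected listeners:", unexpected_listeners(LISTENERS, EXPECTED_LISTENERS))
    print("beaconing pairs:", beaconing_pairs(OUTBOUND))
```

In real use the listener inventory and connection log would be fed from host telemetry and firewall or NetFlow exports, and the jitter threshold tuned to the environment.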
Another protection measure involves the use of an anti-malware solution. Trend Micro noted that some backdoors emulate legitimate network traffic, so their activity appears genuine and does not set off any alarms. However, an anti-malware system like Trend Micro Apex One Endpoint Security is able to detect backdoors of this kind.