Vectra comments on the international crackdown of IM-RATs
December 2019 by att Walmsley, EMEA Director at Vectra
The comment by Matt Walmsley, EMEA Director at Vectra on the international crackdown of IM-RATs:
‘Remote Access Trojans (RATs) are an insidious set of attacker tools that invade our systems, data and privacy. With so much legitimate remote access happening across our networks and hosts, there’s plenty of opportunity for RATs to operate undiscovered as they hide in plain sight.
Whilst it’s good to see law enforcement agencies taking down RAT selling and using criminals, the pathways and services that RATs exploit remain open and hard to monitor for many organisations. Signatures exist for the most common RATs, but skilled attackers can easily customize their own RATs or build their own using common remote desktop tools such as RDP. This is held up by some recent analysis we made on live enterprise networks that found that 90% of surveyed organisations exhibit a form of malicious RDP behaviours. This type of behavioural detection approach instead of trying to perfectly fingerprint each RATs’ signature can be achieved with machine learning models designed to identify the unique behaviours of RATs. By analysing large numbers of RATs, a supervised machine learning model can learn how traffic from these tools differs from normal legitimate remote access traffic and so spot “RATish” behaviour without prior knowledge of the attack, or individual RAT’s code.’