Don’t underestimate your adversary—there are some security practitioners out there who might dismiss your everyday hackers and threat actors as typical “script kiddies,” while true in some cases, this is probably not the case in most. Enter the danger of not knowing your enemy
“If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.” (Sun Tzu)
There’s actually a decent chance the people working within today’s various newsmaking threat groups are seasoned system administrators, developers, or security researchers. One can acknowledge it takes serious skills to stay ahead of law enforcement and literally dozens of security companies. Defenders often have to fend off a multitude of attacks; meanwhile, the adversary only needs to hit the target once. Using commercial technology and standard system tools ups the ante for defenders. It’s one thing to flag malicious software use occurring in your network; it’s another altogether when it’s Powershell, for example, and a valid user. The burden is entirely on the network defenders to figure out if the Powershell use is legitimate or if that user has the privileges or need to make those processes occur.
When threat actors “live off the land”, they’re leveraging what’s already on a system or available in the marketplace. It’s essential to understand that even the scariest of threats make use of what’s available: They’re skilled, not to mention it becomes challenging to figure out who’s in the estate if everyone else is using the same tools. Living off the land, so to speak, is a hallmark of highly proficient threats. They can work well with not only their own bespoke technology but are also very comfortable with what’s on the market. In this blog, I’ll talk a little bit about some of the ways adversaries are using to try to get in, as well as what they do with system tools and off-the-shelf if they manage to get inside.
Knocking on Doors
If you have network infrastructure exposed to the internet at large, you’ve seen the marks of scanners in network logs. Using the analogy of a locked building, scanners typically knock on doors and lightly turn door handles while also noting where windows have curtains open or drawn. Scans are used by friend and foe to find vulnerabilities, so it’s important to understand the roles they play: Adversaries are using them in bulk to find vulnerable infrastructure to attack, while defenders are using them to stay compliant and patched.
Scanners range from tools that perform basic network mapping, such as Nmap, to more in-depth and specialized scanners, such as Nessus or OpenVAS, which might look at vulnerabilities with more context. There are also scanners that look at specific web applications. Some are paid, while others are free. Alongside the scans from the good guys and the bad guys, researchers and security companies conduct various passive and active scans for analysis and reporting. Finally, in one more layer of noise, your own security vendor may also conduct regular scans for security, compliance, or penetration testing.
The topic of scanning shows up on various dark web forums and marketplaces. For example, in one recent forum post, a longtime contributor made an exhaustive list of every single type of scanner and its capabilities, numbered into the dozens. In addition to this, dark websites are often filled with various posts around scanning, including purchasing services, friendly how-to articles, and ratings for multiple tools.
So, what can we as security practitioners do about scanning? Fixes sound simple in the abstract but can be difficult in practice. Generally, it means keeping the external stuff patched, for starters. It may also involve extra work to ensure web servers and applications are not returning stack trace or default version information to help attackers craft future exploits.
On a practical note, an organization should audit and close off unneeded services and ports to the world while also hardening what needs to be public. Blocking known bad IP ranges and ISPs can help reduce the noise from scanning; however, without a lot of context around specific infrastructure or actor methods (which are ever-changing), attribution of scanning can be difficult. This is especially true for uncovering malicious scans since a rented botnet can handle the scanning at a distributed, large, and relatively anonymous scale.
System Insider Threats
Once inside the network, we move to the concept of “living off the land”. As we mentioned before, there’s a pretty good chance that an adversary who ends up inside the castle walls is probably familiar with system tools. It’s not uncommon to see malicious use of Linux’s bash shell script or Windows Powershell. There are dozens of ways to “hack in”. On a low-and-slow attack, an adversary might enter and watch the environment for a time to ascertain what’s normal, find their location with a network, test connectivity, or perhaps learn about the user profile they now own. If configurations don’t allow for things like downloads or executing files, a piece of custom tooling might be a perfect solution but runs the risk of getting caught quickly by security tools or settings.
Searching on just “bash” alone on the Mitre ATT&CK page reveals dozens of instances of bash use tied to known APT tactics, malware techniques, and various enterprise and mobile tactics. Powershell is no different and is also highly favored for all of its uses. It’s been seen in at least four out of eleven CISA alerts from the first half of 2021 and shows no sign of slowing down, especially when tied with other threat tactics.
Other system tools can help with establishing a presence within a network. Examples of this behavior may look like:
- Setting a Windows scheduled task or a cron job in Linux to keep malware coming back, even after a system cleanup and restart.
- Modifying registry keys in Windows help attackers hide malicious files via normal Windows processes that aren’t discoverable via signature-based security tools.
- Using tools such as WinRAR or 7zip to grab files for exfiltration during either a ransomware attack or a nation-state breach.
In addition, users with elevated privileges can dump system processes to discover logins and credentials or use them to create new user accounts to stay inside, much as the community observed during the “Great Exchange grab” of 2021.
Threat hunting can often discover these system behaviors, but this can take time. In its simplest explanation, threat hunting is looking for an incident without an actual incident occurring. A threat hunter working through logs to discover these system anomalies often needs to know what looks normal in a given environment. Hunting also requires knowledge of how system tools and processes interact and what seems legitimate versus an actual malicious event. Administrators can lock down features like Powershell having administrative rights, but it’s not always perfect. Taken in with other indicators and questions, however, sometimes the clues are there in plain sight.
Sometimes, the system tools aren’t enough, but there are other legitimate tools that can do the job instead. Sometimes these tools are commonly found within an organization for various needs, and threat actors have also adopted them for ease of use. While this is by no means a complete listing, these are some of the names that often surface in security articles and product demonstrations. They also feature heavily in MITRE ATT&CK analysis of known adversary tactics and techniques.
One of the most familiar tools for these jobs is Mimikatz, which has been around for decades. Originally designed as a proof-of-concept for Microsoft vulnerabilities, it has grown in capability, including some magic around credentials and user accounts. While it’s likely that it’s been flagged by many security tools out there, it remains free, available, and updated. Given its signature is probably well-known, chances are that if Mimikatz pops up on a network, it’s a bad sign, whether a bad practice or adversary tactic. There are also variants such as MimiPenguin that have similar capabilities, only on Linux machines.
Probably the next most notorious of these technologies is Metasploit, which was initially developed for penetration testing. The framework was designed to be adaptable while staying open-source, which means legitimate red teams use it, along with the adversaries they’re emulating. What made it so popular and accessible was because it was essentially a scanner that you can load exploits into once someone found a vulnerability. It can be used across a variety of operating systems and has modularity across variants. This is another one whose signature is well known, so if you’re not undergoing a pen test and see Metasploit active, it’s probably not for something good.
Finally, the upstart that has shown up recently is Cobalt Strike. Listed as the #2 threat in Red Canary’s 2021 Threat Detection Report, it’s another tool designed for red teaming. For red team purposes, it shows network defenders how to defend against a fast-moving attacker using some of the latest tactics, which may take an adversary just minutes and hours to achieve objectives. It has evolved into a Swiss Army knife of offensive capabilities that mirrors and bests some of what other red team tools can do. It does really “fun” things like process injection and can launch its payload, known as a Beacon, via several Windows system tools like Powershell or COM, which makes it useful to adversaries. It gained a lot of popularity with ransomware this year, and several known attacks included indicators of Cobalt Strike, in addition to some historical examples with APTs and other criminal actors.
How can I understand adversary TTPs?
One of the most straightforward and most interesting infographics in threat intelligence (next to the intelligence cycle, of course) is the Pyramid of Pain concept. The premise is simple: If you can deny an adversary their tactics, techniques, and procedures (TTP), you’ve caused them a great deal of pain. Much more than your typical static indicators of compromise, as David Bianco writes, since TTPs are actual behavior rather than tools, these require a great deal of rethinking and retooling if prevented by defensive tactics. In this instance, if the defense is good, rather than rethinking and retooling, they’ll probably move on to an easier target.
This is why it’s crucial to understand how effectively adversaries use system tools and commercial software. Adversaries know these are cost-effective and require very little investment, especially when bringing other groups into their exploits. It’s probably less to have to teach and learn with common tools available. Also, why burn a perfectly good zero-day on a problem that can be solved with an open-source red team tool; or spend money to develop malware when other options are freely available? They’re also banking on organizations being soft targets who rely on the lower levels of the Pyramid of Pain. Static indicators have their use, but the actual behaviors, tools, and process artifacts cause the most pain for adversaries.
At Digital Shadows (now ReliaQuest), we can help you in your quest to deny adversaries a foothold in your environment. Our intelligence comes from monitoring the dark web, catching the chatter on specific campaigns and threat actors, and sometimes talking about what they’re using against the community. For example, we see when you have data exposed that adversaries can use or when they’re registering domains to spoof your customers or abuse your intellectual property. If you’re curious about where you stand with your risk management, take SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) for a spin for a week, or set up a demo. We’re happy to help you understand the risk you take and provide some solutions to help mitigate that risk.