Security, et al

Randy's Blog on Infosec and Other Stuff


Catching Hackers Living off the Land Requires More than Just Logs

Mon, 21 Dec 2015 13:56:30 GMT

If attackers can deploy a remote administration tool (RAT) on your network, it makes things so much easier for them. RATs make it luxurious for bad guys; it’s like being there on your network. RATs can log keystrokes, capture screens, provide RDP-like remote control, steal password hashes, scan networks, and search for files and upload them back home. So if you can deny attackers the use of RATs, you’ve just made life a lot harder for them.

And we are getting better at catching so-called advanced persistent threats by detecting the malware they deploy on compromised systems. We can say this because experts are seeing more attackers “living off the land”. Living off the land means that an attacker goes malware-free and instead relies on the utilities, scripting engines, command shells and other native resources available on the systems where they gain an entry point.

By living off the land, they keep a much lower profile. They aren’t stopped as much by application control and whitelisting controls. There’s no malware for antivirus to detect.

And Windows provides plenty of native resources for this kind of attacker. (Linux and UNIX do too, but I’m focusing on Windows since client endpoints initially targeted by today’s attackers mostly run Windows.) You might be surprised how much you can do with just simple batch files. Let alone PowerShell. And then there’s WMI. Both PowerShell and WMI provide a crazy amount of functionality. You can access remote systems and basically interface with any API of the operating system. You can open up network connections for “phoning home” to command and control servers and more. This is all stuff that in years past required an EXE or DLL. Now you can basically do anything that a custom built EXE can do but without touching the file system which so much of our current security technology is based on.

How do you prevent attacks like this? PowerShell has optional security restrictions you can implement for preventing API access and limiting script execution to signed script files. With WMI it’s not as clear. Obviously all the normal endpoint security technologies have a part to play.

But let’s focus on detection. It’s impossible to prevent everything and mitigate every vulnerability, so we can’t neglect detection. The challenge with detecting attackers living off the land is twofold. The activities you need to monitor:

  1. Aren’t found in logs
  2. Are happening on client endpoints

Both of these create big challenges. Let’s talk about #1 first. A.N. Ananth and I describe the types of activities that are clues to a possible attacker living off the land in “5 Indicators of Evil on Windows Hosts using Endpoint Threat Detection and Response”, and I encourage you to watch that session, which is full of good technical tips. But the point is that the things you need to watch for aren’t in the Windows security log or other logs. Instead, detection requires a combination of file scanning, configuration checks, querying of running processes and so on. All of that requires code running on the local system or very powerful and complex remote access. If we were only talking about servers, we could consider deploying an agent. But to catch today’s threats you need to be monitoring where they begin, which is on client endpoints – the desktops and laptops of your employees. And there’s no way to remotely reach into that many systems in real time, even if you overcame the technical hurdles of that kind of remote access. So that leaves agents, which always cause a degree of pushback.
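As an added illustration (not code from the original article or from EventTracker), the PowerShell below shows what two of those local checks look like when run on the endpoint itself: a configuration check of the PowerShell restrictions mentioned earlier, and a query of running processes for native shells and script engines. The list of tool names and the function names are assumptions chosen for this example.

```powershell
# Added example. The tool list below is an assumption, not taken from the article.
$NativeTools = 'powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'wmic.exe'

function Get-PowerShellRestrictionState {
    # Configuration check: script-signing policy per scope and the
    # language mode of the current session.
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        ExecutionPolicy = Get-ExecutionPolicy -List |
            ForEach-Object { '{0}={1}' -f $_.Scope, $_.ExecutionPolicy }
        LanguageMode    = $ExecutionContext.SessionState.LanguageMode
    }
}

function Get-NativeToolSnapshot {
    # Process query: every running instance of a native shell or script
    # engine, with its parent process and full command line.
    $all  = Get-CimInstance -ClassName Win32_Process
    $byId = @{}
    foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }

    foreach ($p in $all | Where-Object { $NativeTools -contains $_.Name }) {
        # The parent may have exited, and its PID may have been reused,
        # so treat the parent name as a hint rather than proof.
        $parent = $byId[[int]$p.ParentProcessId]
        [pscustomobject]@{
            Name        = $p.Name
            ProcessId   = $p.ProcessId
            Parent      = if ($parent) { $parent.Name } else { '<exited>' }
            Started     = $p.CreationDate
            CommandLine = $p.CommandLine   # may be empty without admin rights
        }
    }
}

Get-PowerShellRestrictionState
Get-NativeToolSnapshot | Sort-Object Started | Format-List
```

This is a point-in-time snapshot: a script engine that started and exited between two runs is not seen, which is why the checks have to run continuously on the endpoint rather than be pulled remotely on occasion.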

But it’s time to stop calling them agents. Today what we need on endpoints are sensors. It’s a subtle but important shift in mindset. In the physical world, everyone understands the need for sensors and that sensors have to be deployed where the condition is being monitored. If you want to know when someone enters your building at night, you need a sensor on every door. Likewise, if you want the earliest possible warning that your organization has been compromised, you need a sensor on every endpoint.

So I encourage you to start thinking and speaking in terms of leveraging your endpoints as sensors rather than as yet another system that requires an agent. And look for security vendors that get this. EventTracker has done a great job of evolving their agent into a powerful and irreplaceable endpoint security agent that “sees” things that are just impossible to see any other way.

This article by Randy Smith was originally published by EventTracker
