For years I've been saying the key to preventing attacks is to stop malware from running and that the best way is to implement application whitelisting. Well, times change and new techniques emerge.
Application whitelisting works really well for highly controlled environments, but there are two things that need to be acknowledged:
- For many organizations, application whitelisting isn't the right fit, as they are looking for something that requires little to no administration.
- More recently, attackers have been advancing from traditional malware EXEs and DLLs into more exotic methods of running arbitrary code.
The bad guys are learning to stay off the disk to avoid file-based detection technologies. Instead, they are developing fascinating ways to live inside the memory of trusted, seemingly innocuous processes. Of course, this makes it more difficult to achieve persistence, but one tool simply stores itself in the registry, which tends to get less attention than the file system.
So, as both defenders and attackers become more and more sophisticated, we're seeing traditional EXEs and DLLs fade in popularity or get pushed further down the attack life cycle. And in talking to some of the smart folks at Carbon Black, defense comes down to preventing attacks as opposed to malware, which may or may not be an artifact in the attack. This means looking at an attack as a sequence or stream of events which individually may have little or no significance.
A great way to demonstrate this is with a shrink-wrapped RAT (remote administration tool) cooked up from completely organic and natural ingredients. One that allows the attacker to really "live off the land". I'm talking about PowerShell Empire. Empire is an all-PowerShell RAT that is highly modularized and extensible. In some ways it reminds me of Meterpreter.
Empire proves what you can do with just PowerShell and is easy to use even if you aren't a PowerShell expert. Empire has something like 100 modules. Empire comes with built-in Mimikatz functionality in straight PowerShell without touching disk.
In this next webinar I will demonstrate how PowerShell Empire works and how it really proves the point that today's defense is about the attack event stream, not just blocking bad EXEs.
By the way, in case you are thinking that blocking or detecting Empire is simply a matter of locking down or watching for PowerShell – think again. The makers of Empire have combined a number of sophisticated techniques to run PowerShell in a zombie process without ever firing up powershell.exe. It's crafty. But it's also easy; all the sophistication is abstracted away, with a nice turnkey case built around it.
And let's be clear, this webinar isn't just about PowerShell as an offensive weapon – even though that is a big deal in itself. The PowerShell angle is more of a proof of concept around the bigger message about focusing on attacks instead of just malware. Then Jon Ross from our sponsor Carbon Black will briefly show you how their new product Cb Defense helps you do just that.
Please join me for this technical and fascinating Real Training for Free™ event.