Finding Cybercriminals (aka “The Bad Guys”) Through Behaviors
“Back in my day,” the retired IT leader says, “We trusted in our intrusion detection systems (IDSs) to find the bad guys on our networks.”
“How did it work?” asks a young CISO.
As the elder considers the question, he peers off into the distance. “We’d download signatures nearly every day in the hopes that they’d help us catch one. Those IDSs would watch for bad code, and if they spotted it, we’d pounce!”
“Did it work?” asks an IT specialist, who leans in to listen.
“Not on your life!” the old-timer admits. “By then, the bad guys figured out how to live off the land, using our own tools to hack us.”
Signatures Aren’t Enough
Cybercrime has become ever-more sophisticated, yet organizations continue to fight back with too many tools of the past.
Many off-the-virtual-shelf hacking tools take advantage of known vulnerabilities to attack systems and networks. As the code and the communication (e.g., command and control—or C2) methods they use are discovered, firewall and IDS signatures can be updated to automatically detect them.
Regrettably, new vulnerabilities crop up every day. This means IDSs and firewalls continuously play catch-up with new signatures that might mitigate the risk. Worse, sophisticated cybercriminals use “living off the land” techniques that can effectively sidestep these signature-based detection methods.
Living off the land isn’t a new technique. For decades, intruders on networks made use of tools administrators use for their daily tasks, like network scanning tools (e.g., nmap and ping) or scripting tools (e.g., Windows PowerShell). Many years ago, I advised my IT team to make sure there were no compilers installed on our UNIX servers and to remove any unneeded network tools. An intruder could have used a compiler to create hacking tools on the fly within our environment. Unfortunately, modern IT teams can’t afford to remove tools like PowerShell, which are critical for their daily tasks.
Signature-based detection tools can be highly effective in determining if an attack is under way. Most of the time, if an IDS detects the signature of a highly risky piece of software on your network, it’s a clear indicator of compromise (IOC) and your security operations staff can respond appropriately. If an intruder has logged in as an administrator (perhaps by credential stuffing or a social engineering attack) and uses PowerShell to attack internal systems, the IOC is less obvious—until it’s too late.
How, then, do you detect a living-off-the-land attack?
When attackers use our own tools against us, we can no longer count on single events or software signatures as IOCs. Instead, we must observe behavior over time and look for anomalies:
- Are administrative accounts being used at unusual times of day?
- Are logins occurring from unusual locations or on atypical systems?
- Is a user accessing networks or systems he or she typically doesn’t?
- Are unauthorized scans being performed?
To have any hope of finding an intruder living off the land, we have to keep good records of network and system activity. We need comprehensive historical and real-time logs to compare new activity against a baseline of “known good” behavior. (Let’s not think about what might happen to that baseline if the intruder has already been on our network for many months!)
We also need those records to forensically investigate an attack to determine how the intruder got in and where that attacker went on the network.
Finding an intruder by behavior, when that intruder is using our own tools, is not easy work. But the latest security orchestration, automation and response (SOAR) tools with built-in machine learning show great promise. It’s early days yet, and false positives will be an issue until the SOAR tools are properly trained. Yet there’s hope for embattled security operations centers (SOCs).
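As an added illustration (not code from the article), here is the baseline-and-compare approach in miniature, covering the four questions in the list above: it builds a per-account profile of “known good” hours, hosts, source networks and event types from constructed authentication log lines, then reports each later event that falls outside that profile. Account names, hosts and networks are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed auth events: "<ISO time> <account> <host> <source /24> <event>"
BASELINE_LOG = """
2024-03-04T09:12:00 admin.jlee build01 10.20.1.0/24 logon
2024-03-04T10:40:00 admin.jlee build02 10.20.1.0/24 logon
2024-03-05T09:05:00 admin.jlee build01 10.20.1.0/24 logon
2024-03-05T16:30:00 admin.jlee build02 10.20.1.0/24 logon
""".strip().splitlines()
NEW_LOG = """
2024-03-11T10:02:00 admin.jlee build01 10.20.1.0/24 logon
2024-03-11T02:47:00 admin.jlee fin-db01 10.55.9.0/24 logon
2024-03-11T10:10:00 admin.jlee build02 10.20.1.0/24 powershell
2024-03-11T09:00:00 svc.backup build01 10.20.1.0/24 logon
""".strip().splitlines()

def parse(line):
    ts, account, host, src, event = line.split()
    return {"time": datetime.fromisoformat(ts), "account": account,
            "host": host, "src": src, "event": event}

def build_baseline(lines):
    """Per-account profile of 'known good' hours, hosts, source nets and event types."""
    profile = defaultdict(lambda: {"hours": set(), "hosts": set(),
                                   "srcs": set(), "events": set()})
    for ev in map(parse, lines):
        p = profile[ev["account"]]
        p["hours"].add(ev["time"].hour)
        for key in ("host", "src", "event"):
            p[key + "s"].add(ev[key])
    return profile

def find_anomalies(profile, lines, slack=1):
    """Return (account, reason) pairs for events outside the account's baseline.
    `slack` widens the hour window by +/- N hours so 08:30 passes if 09:00 is normal."""
    findings = []
    for ev in map(parse, lines):
        p = profile.get(ev["account"])
        if p is None:                      # account never seen in the baseline period
            findings.append((ev["account"], "no baseline for account"))
            continue
        hours = {(h + d) % 24 for h in p["hours"] for d in range(-slack, slack + 1)}
        checks = [(ev["time"].hour not in hours, f"unusual hour {ev['time'].hour:02d}:00"),
                  (ev["host"] not in p["hosts"], f"never-seen host {ev['host']}"),
                  (ev["src"] not in p["srcs"], f"new source network {ev['src']}"),
                  (ev["event"] not in p["events"], f"first use of {ev['event']}")]
        findings += [(ev["account"], why) for hit, why in checks if hit]
    return findings
```

The “no baseline for account” branch is the case the article warns about: a profile only exists for accounts that were active during the baseline window, so anything new (or anything the intruder created) needs separate scrutiny.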
It’s important to remember intruders aren’t always outsiders. Insider threat—the threat of internal staff using their own legitimate access to commit fraud or damage—is a significant concern.
Insiders can look very similar to attackers living off the land, in that they use common internal tools and access in potentially unusual ways. One key difference is that insiders more often take advantage of access within applications (like a finance system) rather than administrative access to systems or networks. Insiders are more likely to commit fraud for their own gain, rather than install ransomware, for example.
To combat the insider threat, we need to employ similar machine learning-based SOAR tools as for network- or system-based attacks, but perform the analysis within the context of application usage. We need to collect application logs in real time and analyze them within SOAR for behavioral IOCs.
Those IOCs will help us stop not only the insider threat, but also social engineering attacks. For instance, behavior-based detection can alert us to an insider diverting funds to a personal account or to a junior accountant manipulated into sending a wire transfer.
If we are aware of living-off-the-land attacks and insider threats, we can think and take action defensively. A number of tools and techniques can help us defend against and mitigate the impact of these kinds of attacks:
- Zero trust and network segmentation can help minimize access to what is specifically authorized and help track user access.
- Multi-factor authentication, if used properly, can be very effective in limiting the progress of intruders, for example, their ability to escalate privilege or run certain tools.
- Access rights within networks, systems and applications should be reviewed periodically, and rights should be appropriately limited.
- Tight control over administrative accounts (on networks, systems, or in applications) is helpful in minimizing access. Be sure not to let IT staff use administrative accounts for normal business activities, such as surfing the web.
- Requiring certain operations to use a check-and-balance approach can help thwart insider crime, like wire transfers requiring at least two people.
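Worked example, added here and not from the article, of the check-and-balance control in the last bullet combined with the funds-diversion scenario from the insider-threat discussion above: a wire-transfer release gate that enforces two independent approvers above a limit and flags a recent change to the vendor’s bank details as a behavioral IOC. The vendor names, user ids, the 10,000 threshold and the 14-day window are all constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Transfer:
    vendor: str
    amount: float
    requested_by: str
    approvals: list = field(default_factory=list)  # user ids who approved

# Constructed finance-app audit trail: (vendor, user who changed bank details, when)
BENEFICIARY_CHANGES = [
    ("acme-supplies", "jdoe", datetime(2024, 3, 11, 9, 5)),
    ("northwind", "finops", datetime(2024, 1, 15, 10, 0)),
]
DUAL_CONTROL_LIMIT = 10_000.0   # constructed policy threshold
RECENT = timedelta(days=14)     # constructed look-back window

def review_transfer(t, now, changes=BENEFICIARY_CHANGES):
    """Return (blockers, alerts). Blockers are control failures that stop the
    release; alerts are behavioral IOCs for the SOC even when the controls pass."""
    blockers, alerts = [], []
    independent = set(t.approvals) - {t.requested_by}
    if t.requested_by in t.approvals:
        blockers.append("requester approved own transfer")
    if t.amount >= DUAL_CONTROL_LIMIT and len(independent) < 2:
        blockers.append(f"needs 2 independent approvers, has {len(independent)}")
    # 'Change the beneficiary, then pay it' is the classic diversion pattern.
    for vendor, who, when in changes:
        if vendor == t.vendor and timedelta(0) <= now - when <= RECENT:
            msg = f"bank details changed {(now - when).days}d ago by {who}"
            if who == t.requested_by or who in t.approvals:
                msg += " (same person involved in this payment)"
            alerts.append(msg)
    return blockers, alerts
```

A transfer under the limit with a recent beneficiary change passes the control but still produces an alert, which is the manipulated-junior-accountant case: the control did not fail, yet the behavior is worth a look.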
Keeping in mind the concept of intrinsic security, which enables a more proactive approach to threat management by embedding security into apps and data, is another defensive step in the right direction. Across an environment, it can help to automate vigilance and enforce known-good as much as possible, so your security team can focus on the cyberattack unknowns to come.