Source URL: https://blog.talosintelligence.com/when-legitimate-tools-go-rogue/
Source: Cisco Talos Blog
Title: When legitimate tools go rogue
Feedly Summary: Attackers are increasingly hiding in plain sight, using the same tools IT and security teams rely on for daily operations. This blog breaks down common techniques and provides recommendations to defenders.
AI Summary and Description: Yes
Summary: The text discusses the growing trend of attackers using legitimate system tools and binaries—referred to as Living Off The Land Binaries (LOLBins)—to execute malicious actions, which complicates detection efforts for security teams. It emphasizes the importance of robust asset management, behavioral baselining, and continuous monitoring to identify potential threats and safeguard organizational environments.
Detailed Description:
The text elaborates on a scenario where a security incident involving the suspicious use of legitimate tools triggered alerts in a Security Information and Event Management (SIEM) system. This incident highlights a broader trend observed in cybersecurity where attackers increasingly leverage built-in system tools (LOLBins) instead of traditional malware to carry out attacks, making detection more challenging:
– **Incident Overview**:
  – An alert from a company's SIEM indicated unusual activity involving the execution of trusted system commands (e.g., whoami, nltest, nslookup) alongside known offensive tools (e.g., Mimikatz).
  – The attack illustrates a strategic shift in which threat actors use familiar, already-present software to carry out malicious intent.
– **Understanding LOLBins**:
  – LOLBins are legitimate tools already present in operating systems that attackers abuse for unauthorized activities.
  – Because they are inherently trusted and used at scale in normal operations, they pose significant challenges for detection mechanisms.
– **Wider Tool Usage**:
  – Alongside LOLBins, a growing variety of commercial and open-source tools are abused by attackers, who adapt them to the target environment for stealth.
  – Open-source tools such as DonPAPI, used for credential dumping, illustrate the risks tied to widely available legitimate software.
– **Detection Challenges**:
  – The text emphasizes how hard it is to detect malicious activity carried out with familiar, trusted software, which blurs the line between normal and abnormal operations.
  – Security teams need to be vigilant and question the context of tool usage, especially during unusual hours.
– **Preventive Measures**:
  – Effective incident response hinges on:
    – **Asset Management**: Maintain clear inventories of installed software and their legitimate use cases.
    – **Behavioral Baselining**: Establish what normal operations look like so that deviations can be detected.
    – **Continuous Monitoring**: Implement systems that identify known tactics, techniques, and procedures (TTPs) leveraged by threat actors.
    – **Threat Intelligence Alignment**: Stay current with threat trends to inform monitoring strategies.
– **Final Insight**:
  – The overall message underlines the need for security professionals to ask critical questions about the tools and behaviors observed in their environments in order to prevent and respond to security incidents proactively. Effective detection goes beyond identifying what is running to analyzing why it is running, especially at odd hours.
This depth of analysis serves as a call to action for security professionals to adapt their strategies against evolving threats that leverage operational tools in unconventional ways.
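The behavioral-baselining and continuous-monitoring recommendations above can be made concrete with a small detection routine. The following is an added example, not code from the Talos post: it runs three checks over constructed process-creation events (a burst of reconnaissance LOLBins on one host, a process not in the host's learned baseline launched outside business hours, and a known credential-dumping tool name). The event fields, the baseline, and the business-hours window are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (not from the blog); fields mimic
# what an EDR/SIEM would forward: timestamp, host, user, process image name.
EVENTS = [
    ("2024-05-12T02:03:10", "WS-042", "jdoe", "whoami.exe"),
    ("2024-05-12T02:03:15", "WS-042", "jdoe", "nltest.exe"),
    ("2024-05-12T02:03:40", "WS-042", "jdoe", "nslookup.exe"),
    ("2024-05-12T02:05:02", "WS-042", "jdoe", "mimikatz.exe"),
    ("2024-05-12T10:15:00", "WS-017", "asmith", "nslookup.exe"),
    ("2024-05-12T14:20:00", "WS-017", "asmith", "excel.exe"),
]

# Hypothetical baseline: processes observed per host during a learning period,
# plus the local business hours in which interactive use is expected.
BASELINE = {"WS-042": {"outlook.exe", "chrome.exe"},
            "WS-017": {"nslookup.exe", "excel.exe"}}
BUSINESS_HOURS = range(7, 20)                  # 07:00-19:59 local time
RECON_LOLBINS = {"whoami.exe", "nltest.exe", "nslookup.exe", "net.exe"}
CRED_TOOLS = {"mimikatz.exe", "donpapi.exe"}   # tool names the blog calls out
WINDOW = timedelta(minutes=5)                  # burst window for recon commands
RECON_THRESHOLD = 3                            # distinct launches that count as a burst


def detect(events, baseline=BASELINE):
    """Return a list of (rule, host, user, detail) findings over process events."""
    findings = []
    recon = defaultdict(list)   # host -> timestamps of recent recon LOLBin launches
    for ts, host, user, proc in sorted(events):   # ISO timestamps sort lexically
        t = datetime.fromisoformat(ts)
        name = proc.lower()
        if name in CRED_TOOLS:
            findings.append(("credential_tool", host, user, name))
        # A process never seen on this host, launched off-hours, deviates from baseline.
        if name not in baseline.get(host, set()) and t.hour not in BUSINESS_HOURS:
            findings.append(("off_hours_new_process", host, user, name))
        if name in RECON_LOLBINS:
            recent = [x for x in recon[host] if t - x <= WINDOW] + [t]
            if len(recent) >= RECON_THRESHOLD:
                findings.append(("recon_burst", host, user,
                                 f"{len(recent)} recon LOLBins within {WINDOW}"))
                recent = []     # reset so one burst yields a single finding
            recon[host] = recent
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

On the constructed events, WS-042 produces six findings (four off-hours launches, one recon burst, one credential tool) while WS-017's daytime nslookup, which is in its baseline, produces none.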