Malware, and the targeted attacks that move laterally and evade traditional detection methods, are a huge and growing concern. Popular hacker tools like Mimikatz are being combined with stolen NSA tools to create powerful new attacks.
These attacks are alarming because the stealthy abuse of authentication protocols like NTLM, LDAP and Kerberos, and of common IT tools like DCE/RPC and WMI, allows hackers to obtain and use admin privileges. Some experts have dubbed this practice “living off the land”: leveraging risky yet fundamental administration and system tools to propagate attacks. It’s high time we rolled out the barbed wire carpet and rendered the “land” infertile for cybercrime.
Warning Worms
The attacks of mid-2017 were a painful warning of what can happen when hackers sow their malware seeds on systems that have no way of controlling the longstanding risks inherent in protocols and tools like NTLM and DCE/RPC. The best way to control those risks is to limit the use of these authentication protocols to cases of verified need, by adding MFA challenges and real-time monitoring and analysis capabilities.
In the aftermath of NotPetya, researchers found that after the initial infection, the attackers used a combination of Mimikatz, PsExec, and WMI to steal credentials and continue spreading from machine to machine, holding data ransom or outright destroying it.
Among the victims were major international corporations, some of which suffered millions in damages and spent months restoring operations. Even more alarming, sites hacked by NotPetya but not activated in July distributed yet more malware in October. This attack, called BadRabbit, was smaller but showed evidence of sophisticated planning and collaboration — fueling concerns that those responsible have more devious tricks in their arsenal.
How is this still a problem?
It’s not practical to update or block everything on a network that carries a risk of being exploited. For example, you can’t blacklist PsExec, PowerShell, and WMI, common network administration tools and remote administration methods that are also favored by hackers. These tools rely on authentication protocols such as NTLM, and shutting those down entirely could break critical network functions, especially on legacy systems.
Traditional security solutions like anti-virus won’t flag the activity of these tools because they aren’t malware; they’re legitimate tools being used to spread malware.
The answer lies in limiting access privileges as well as automatically detecting and blocking abnormal behavior. It’s essential to ensure that risky protocols are being used only when necessary, by approved and verified users and machines, in secure and expected ways.
Eliminating the use of outdated protocols whenever possible, and adding layers of authentication and verification in limited cases where it is necessary for approved admins to use the protocols, significantly reduces the risk of data breaches and APT schemes.
Monitor, Analyze, Control
It’s cliché by now, but worth emphasizing, especially in this case: you cannot control what you cannot see. You must be able to see all authentication traffic (which is often encrypted) to reduce the risk of unapproved and malicious use of IT applications. Most organizations have been limited to event log files, which don’t include vital information like host IP addresses.
With the ability to monitor, analyze, and enforce policies on Windows authentication traffic, network admins can better detect and prevent the use of Mimikatz and other tools.
Malicious software tools use the same protocols and methods, such as DCE/RPC and WMI, that IT admins use for regular remote administration. The tools are used to perform tasks like reconnaissance and privilege elevation. Because both legitimate and malicious applications use standard protocols in a similar manner, a classic firewall approach of blocking a type of communication outright is bound to fail. This kind of traffic must be routinely monitored and analyzed for identity, behavior, and risk triggers.
For example, the Mimikatz DCSync and DCShadow commands allow an attacker to obtain or modify domain password hashes. Once an attacker has sufficient privileges, these commands are relatively hard to block, as the same operations are performed legitimately on the network by password replication services. This is where close attention to the small details of domain controller traffic is important, so that legitimate replication can be properly distinguished from malicious use.
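As an added illustration of that distinction (example code written for this article, not a tool from the original page), the check below flags directory replication requests whose subject is not an approved replicator. It assumes Windows Security event 4662 records already parsed into dictionaries, a hypothetical allowlist of DC machine accounts and a sync service account, and constructed sample events; the replication-right GUIDs are the well-known Active Directory values.

```python
import re
from typing import Iterable

# Control-access-right GUIDs that appear in the Properties field of event 4662
# when a caller replicates directory data. These are the well-known schema
# GUIDs for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All;
# a DCSync needs the latter to pull password hashes.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

# Hypothetical allowlist, maintained by the directory team: domain controller
# machine accounts plus the one service account that legitimately syncs.
APPROVED_REPLICATORS = {"CORP\\DC01$", "CORP\\DC02$", "CORP\\svc-dirsync"}

GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.IGNORECASE)

# Constructed sample records shaped like parsed 4662 events (not real logs).
# Note that 4662 carries no client IP address, which is why the article argues
# for network-level visibility in addition to event logs.
SAMPLE_EVENTS = [
    {"event_id": 4662, "subject": "CORP\\DC02$",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"event_id": 4662, "subject": "CORP\\jsmith",   # ordinary user replicating
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"event_id": 4662, "subject": "CORP\\jsmith",   # unrelated access right
     "properties": "{deadbeef-0000-4000-8000-000000000001}"},  # constructed
    {"event_id": 4624, "subject": "CORP\\svc-dirsync", "properties": ""},
]


def replication_rights_in(event: dict) -> set:
    """Return the replication rights named in a 4662 event (empty if none)."""
    if event.get("event_id") != 4662:
        return set()
    guids = {g.lower() for g in GUID_RE.findall(event.get("properties", ""))}
    return guids & REPLICATION_RIGHTS


def find_unapproved_replication(events: Iterable[dict], approved: set) -> list:
    """Return subjects that exercised replication rights without approval."""
    flagged = []
    for ev in events:
        if replication_rights_in(ev) and ev["subject"] not in approved:
            flagged.append(ev["subject"])
    return flagged


if __name__ == "__main__":
    print(find_unapproved_replication(SAMPLE_EVENTS, APPROVED_REPLICATORS))
```

In a real deployment the allowlist should be derived from the directory itself (the DC machine accounts) rather than hand-typed, and a hit is an alert to investigate, not proof of compromise.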
Remote administration includes running remote PowerShell, WMI commands and queries, and PsExec. Yet these tools have been associated with POS attacks, ransomware, banking Trojans, and webshells (which were instrumental in the Equifax breach).
They are particularly effective at enabling the lateral movement of malware without needing a zero-day vulnerability. Once attackers have gained access through these tools, they can operate on a network in much the same way a legitimate administrator can. It’s no wonder that these protocols, and the tools that rely on them, are so popular with hackers.
Who Is Using What, Why, and How
Through regular monitoring and analysis, admins can get a more comprehensive view of who is using which authentication protocols, and for what purposes. Insider risk is a major component of credential compromise and malware infiltration. Whether the insider’s intent is criminal, willfully negligent, or productivity-driven, or the cause is simple human error and carelessness, employee behavior is a pervasive threat that can’t be ignored.
After years of emphasizing user training and security awareness, the collective consensus is that we need more reliable ways to combat insider risk, especially when it comes to credential compromise. After all, even the most enthusiastic “culture of security” can’t overcome fundamentally insecure technology that is widely used and accepted as standard (if not optimal) practice.
Towards a More Resilient Network
Implementing solutions and policies that ensure greater control over and insight into the use of vulnerable network protocols and tools will have a three-fold impact. First, security teams can effectively and comprehensively address some of the most persistent sources of risk in the network.
Second, security and network pros can reclaim their tools and keep them out of the hands of bad actors, depriving hackers of their favorite skeleton keys. Third, closely monitoring and guarding fundamental network components better prepares security teams to keep up with the cat-and-mouse game played by sophisticated hackers.
Attempting to discover, track and block every malware variant or exploit kit is a Sisyphean task, especially when third parties in your ecosystem may not be as diligent.
Most organizations have realized they can’t stop every incursion. The emphasis on risk management is an acknowledgement that the best bet is making it harder to damage operations, spread malicious code, steal valuable data, and carry out multi-phase attacks. Monitoring and analyzing common IT tools will make life harder for attackers, catch them in the act, and keep them from using your network as their hideout and hunting ground.