8 hours 28 minutes

Video Transcription

Hello and welcome to another Application of the MITRE ATT&CK Framework discussion.
Today we're going to be looking at our case study in the execution phase. So I want to introduce you to a quick sentence here: living off the land.
Now, when you think about living off the land, you probably think about living off the grid. You are self-sufficient. You've got a source of water that you use. You've got a way that you get rid of waste. You've got a way that you get food, you stay warm, you know, separate from the grid, and you communicate in a manner that is maybe through letter or something of that nature. Maybe you don't communicate at all.
So how does that look with respect to a cyber attack, or a threat actor, in the way that they act and the way that they move through an environment?
So let's start with the Symantec 2019 Internet Security Threat Report. This report is from February of 2019, and so it is going to be the source of our particular statistics today.
So at the time of this report, PowerShell attacks had increased by 1000%, based on those that were blocked in 2018 on the endpoint. So again, this is what Symantec was blocking; the amount of that, as far as the blocks go, went up by 1000% from 2018 to 2019, so that's a big number.
And then, at the time of this report, Microsoft Office files accounted for almost half, 48%, of all malicious email attachments. Previously, in 2017, this had only been 5%. So the statistic there was that the number of Microsoft files that were malicious had gone up exponentially as well.
Groups such as Mealybug and Necurs were identified as preferring to use macros in Office files as their preferred method to propagate payloads. And then, last but not least, it was noted that on average 115,000 malicious PowerShell scripts were blocked each month, only accounting for less than 1% of PowerShell use.
When we talk about this concept of living off the land, these particular methods are native to Microsoft. PowerShell is native to Microsoft. Microsoft Office is a native application that you can install and use. Macros are built into Office documents and things of that nature. So what we're seeing is this concept, which you know I've seen in articles, and it's come up in the last few years, but it's nothing new: the concept that an attacker uses preinstalled and trusted system tools to carry out their work.
And some of the reasons that this is happening is that there are many tools within Windows that can be used to carry out cyberattacks. The tools are there for legitimate administrative purposes, but savvy threat actors are finding that they can use these tools to their advantage. And the growth of these LotL, living off the land, activities is in part from a reduction in the availability of zero-day vulnerabilities. Plus, it takes a lot of work to find them. I've heard them referred to as silver bullets, and so it's something that these groups will put a lot of time and effort and energy into. But they're hesitant to use them because once they do, the information is out there, especially with CrowdStrike and these other groups that, you know, could potentially pick up on that activity and then work with vendors to patch that particular zero-day attack. And so we've talked about tools like PowerShell scripts, VB scripts; there's WMI, PsExec, just to name a few that are native to the Windows environment. And a big part of why these types of attacks are becoming more and more prevalent is because threat actors can use these tools and it doesn't get flagged right away, especially if you're not looking for anomalous activity. It's just a standard tool running a process or a script, or whatever the case may be.
The other thing we're seeing is that bug bounty programs and things of that nature, if you think about it, are pushing a lot of the easy and low-hanging fruit and the readily accessible systems out of the picture. And so again we come back to this need to do research on zero-day vulnerabilities and things of that nature, which is causing it to be that much harder and more resource-intensive for threat actors to do what they do. So again, the idea of using native tools, using tried and true methods like phishing and things of that nature to get payloads or macros and things of that nature to be run in an environment, that can then piggyback off of legitimate services or processes, is something that we're starting to see more and more of. So now comes
the component of this that I want you to engage in. So how is this concept being addressed in your organization? When you think of living off the land, consider your current controls within your organization. Do you feel confident that they could catch anomalous activity? And aside from the tools mentioned, what other ways could you see an attacker living off the land?
And so don't just be motivated to do these two parts, but actually think through: okay, if someone were to use PowerShell, would we catch that? If someone were to use WMI? If someone were to use some item in Control Panel? If someone were to use a batch script or some type of command prompt, or if they were to, let's say, use a service that's native to Windows to give them access to the system, how would we know what they were doing? How would we be able to block that? How would we be able to defend against that? And so take the concepts that we've been looking at in the MITRE ATT&CK framework, some of those mitigating factors as well as some of the detection techniques, and apply those to your organization. And on a scale of 1 to 10, 10 being most confident, one being not confident at all, how would you feel that your organization's capabilities would be able to address an attacker that is living off the grid? Not using known malware variants, not using any type of malicious tools, things of that nature? Where do you think you fit in today as far as that's concerned?
So good luck on this. Please take your time. Look, do it. Go back and review the framework and the execution phase as well as the initial access phase, and just consider those controls and things of that nature when you're going through this particular study, and don't hesitate to look at the Symantec 2019 report as well as a reference and to get some additional information.
So with that in mind, I want to thank you for your time today and I look forward to seeing you again. Sin
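One concrete way to start answering the exercise above (would we notice PowerShell, WMI, PsExec, or a macro handing off to a script host?) is to run a few rules over process-creation telemetry. The block below is an added Python example written for this page; it is not part of the course or of the Symantec report. The events, host names and user names are constructed and only resemble the fields of a Sysmon Event ID 1 (process creation) record, and the rules are illustrative assumptions about what "anomalous" looks like, not a complete detection set.

```python
"""Toy living-off-the-land (LotL) triage over constructed process-creation events.

Every event, host name and user below is made up for this example.  The field
names mimic Sysmon Event ID 1 (ParentImage / Image / CommandLine) so the logic
would carry over to real telemetry, but nothing here was captured from a host.
"""
import base64
import binascii
import ntpath
import re

# Office applications that normally have no reason to launch a script host.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Native script hosts and admin tools a macro or phishing payload commonly hands off to.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "wmic.exe", "rundll32.exe", "regsvr32.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")
HIDDEN_FLAG = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")


def basename(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_event(ev):
    """Return a list of (rule, detail) findings for one process-creation event."""
    parent = basename(ev["ParentImage"])
    image = basename(ev["Image"])
    cmd = ev["CommandLine"]
    findings = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append(("office-child-process", f"{parent} spawned {image}"))
    if image == "powershell.exe":
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            # Surface the decoded script so an analyst can triage it without re-running it.
            findings.append(("encoded-powershell", decoded))
        if HIDDEN_FLAG.search(cmd):
            findings.append(("hidden-window", "window hidden from the user"))
    if image == "wmic.exe" and "/node:" in cmd.lower():
        findings.append(("remote-wmi", "wmic targeting another host"))
    if image.startswith("psexec"):
        findings.append(("psexec", "PsExec launched"))
    return findings


def triage(events):
    """Map event index -> findings, keeping only events that tripped at least one rule."""
    hits = {}
    for i, ev in enumerate(events):
        found = analyze_event(ev)
        if found:
            hits[i] = found
    return hits


# Constructed sample: the encoded command is built here so the example stays self-contained.
_ENC = base64.b64encode("Start-Process notepad".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENC}"},
    {"ParentImage": r"C:\Windows\explorer.exe",      # routine admin use: should stay quiet
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Service -Name Spooler"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic /node:FILESRV01 process list brief"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Tools\PsExec64.exe",
     "CommandLine": r"PsExec64.exe \\WS-042 ipconfig /all"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\jdoe\AppData\Local\Temp\invoice.vbs"},
]

if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']}")
        for rule, detail in findings:
            print(f"    [{rule}] {detail}")
```

The second sample event (an administrator running Get-Service from Explorer) produces no finding, which is the point of the exercise: the goal is not to alert on PowerShell itself, which would drown the 1% of malicious use in the 99% of legitimate use the report describes, but on the parent/child relationship, the encoding and window flags, and the remote-execution switches that legitimate administration rarely combines. On a real estate the same rules would be expressed in the SIEM or EDR query language and tuned against a baseline of known administrative activity.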

Up Next

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Robert Smith
Director of Security Services at Corsica