Early in September, Dell SecureWorks Counter Threat Unit™ Special Operations (CTU-SO) issued an alert about how threat actors are carrying out sophisticated attacks that use a company’s own tools to compromise it and steal data. This particular alert piqued my curiosity.
CTU-SO further elaborated that in the past year “the threat actors accessed the target environment using compromised credentials and the companies’ own virtual private network (VPN) or other remote access solutions.” The research team also noted that threat actors were “living off the land,” using credentials, systems and tools they collected along the way instead of backdoors. By using a company’s own tools, the threat actors made it difficult for IT security professionals to distinguish adversary activity from that of legitimate users — pushing detection times out to weeks, months, or even years.
The researchers described three attacks where threat actors did not have to use malicious software to achieve their goals. The concept of “living off the land” is what prompted this phone interview with Phil Burdette, Senior Security Researcher at Dell SecureWorks Counter Threat Unit (CTU).
Inquisitive minds want to know
Bev Robb: How would an attacker nab an employee’s credentials?
Phil Burdette: In 50 percent of our targeted threat response engagements this year, we’ve not been able to identify the initial access vector of the adversary. It can be quite challenging for incident responders to determine how threat groups enter a network because often the necessary instrumentation required to collect and capture investigation data is not available.
Attack number one: the first intrusion involved nabbing an employee’s credentials to log into the manufacturer’s Citrix system.
In the first example, the threat actors compromised the company’s own endpoint management solution so they could move laterally and blend in by mimicking legitimate activity. The same system that the IT staff used to patch software on workstations was used by the adversary to steal credentials, install backdoors and exfiltrate data.
Attack #2 – Using stolen Citrix credentials
Robb: How were the employee credentials stolen?
Burdette: We are unsure of how the initial credentials were taken from the environment. Adversaries are using the same legitimate tools that the company uses to conduct daily operations.
Robb: Can you elaborate on “living off the land“?
Burdette: “Living off the land” is when threat actors use native or legitimate tools to conduct their operation. Examples include compromised credentials used to VPN into the victim’s network, PsExec for lateral movement, or the File Transfer Protocol (FTP) for data exfiltration.
Another example of “living off the land” is when the adversary uses the Remote Desktop Protocol (RDP) to connect to remote systems. This is the same way the system administrators will log in to remote systems to administer them or troubleshoot problems. The challenge for network defenders is distinguishing between legitimate and illegitimate RDP activity inside a network.
As a simple example: The desktop protocol is a native Windows functionality that allows logins to your computer. Oftentimes, IT technology staff will use these mechanisms to troubleshoot problems. Whether it’s email or another system problem, they will use this protocol to log in and take control of your computer – that is the same functionality used by an adversary to log in to a computer such as a domain controller, database server or file server, where there is information of value to the threat actor. They will use the same tools to be able to connect to that system, operate on that system, and take data off it. They are using the same tools that most people resonate with.
Attack #3 – Pharmaceutical company
Robb: In the pharmaceutical attack, the attacker was able to social engineer one employee via “phishing messages.”
Burdette: This was an interesting one, because there were actually 12 phishing messages sent – the same one, to 12 employees. Unfortunately, only one user clicked on the link – but it only takes one user to click, and what happened was the email purported to be from the Information Technology team. Therefore, the email sent by the threat actor purported to be from the same organization as the IT staff stating that they had set up a new email server, “Please click the link and login with your credentials to verify that everything works”.
One user clicked on the link, which brought them to a fake Outlook Web Access page that appeared to mimic what they would expect to see if they were logging into their company Outlook Web Access page. The employee entered their credentials, their user name and password, and the threat actor captured those. Within hours of those credentials being entered into the Outlook Web Access page, the threat actor was using the credentials of the employee to log in remotely to the network using the victim organization’s own VPN solution – but as the threat actor this time.
Robb: So, at this point, the actors were masquerading as a legitimate employee by logging in.
Burdette: This happens quite frequently, whether it is a VPN solution, Citrix solution or web mail solution – any of the solutions that enable us to work remotely – whether traveling or working from home, are also attack surfaces for threat actors to gain remote access to our networks via employee backdoors. The challenge is – how would security staff distinguish threat actor activity from a normal user logging in? It is a real challenge.
Robb: Yes, the challenge appears to be quite complex.
Burdette: Yes, that is one of the first places we look. That’s why it is really important to understand the behavior of adversaries and not just focus on the tools and the network infrastructure. That was the case with the pharmaceutical intrusion using employee backdoors. They walked in the front door using the correct tools and within two weeks were able to exfiltrate data from the environment. When they exfiltrated, they actually used File Transfer Protocol (FTP) to transfer the data out of the environment.
The company allowed the use of FTP for legitimate business reasons, and the threat actors took advantage of this to point data in a different direction, which allowed them to exfiltrate that data from the environment.
Robb: What would be an ideal way to “audit” privileged user accounts?
Burdette: That is actually very challenging. One of the things we recommend, from a technology solution standpoint, is a privileged account management solution. What it basically does is limit the usefulness of privileged accounts by rotating the passwords at a higher frequency, so if a threat actor were able to obtain the user name and password of a privileged account – such as a system administrator – the threat actor would attempt to use the compromised credentials, but would not be able to successfully authenticate. That immediately throws up a red flag for network defenders to investigate.
Robb: Did any of these companies utilize security awareness programs/internal training?
Burdette: I’m not sure what security awareness training might have occurred. However, I will say that the threat actors were very clever when they pretended to send messages from the IT staff at the victim organization. We all receive countless emails from our IT department informing us of actions we need to take or providing us with system status updates. Our adversaries recognize this and take advantage of the situation by crafting phishing messages similar to our daily email regimen.
Robb: What is the weakest link(s) for these types of attacks?
Burdette: The weakest link is the lack of instrumentation required to hunt for threat actor tradecraft. Traditional security controls focused only on the network perimeter or those requiring pre-knowledge of a threat are unable to identify threat groups who are living off the land.
Robb: Do you have any further advice on how a company can mitigate these types of threats?
Burdette: Internal security staff need to know what “right” looks like in their organization and then partner with external subject matter experts (SMEs) who study threat group tactics, techniques, and procedures (TTPs). By combining skill sets, network defenders are positioned to most effectively and efficiently hunt, contain and eradicate threat actors.
In conclusion: The CTU coined the tactic “living off the land” because it involves adversaries using little or no malware, relying instead on the companies’ own credentials and tools to roam the network, compromise systems, and collect company data.
It is essential for companies to know their own networks well, so that they can distinguish legitimate network activity from threat actor activity. Implementing endpoint security systems that concentrate on threat behavior, IDS/IPS (or hybrid), and a firewall, along with strong communication between internal IT staff and the incident response team, is a good start.
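As an added example (not code from the interview, from Dell SecureWorks CTU, or from this post), the following Python sketches the “know what right looks like” approach Burdette describes: a baseline of which accounts normally reach which hosts over RDP or VPN, plus the failed-authentication tripwire that a rotated privileged password creates. The log format, host names, accounts and timestamps are all constructed for the example.

```python
"""Baseline-driven detection of "living off the land" remote access.

Constructed example: logon records are compared against a baseline of the
(user, destination, protocol) paths seen during a learning window, and failed
logons by privileged accounts after a password rotation are flagged. None of
the names or formats below come from the interview.
"""
from datetime import datetime

# Constructed records: timestamp user source destination protocol result
LOGONS = [
    "2015-09-01T09:02:00 jdoe   10.1.1.20   WKS-022  rdp success",
    "2015-09-01T09:10:00 admin1 10.1.1.5    DC01     rdp success",
    "2015-09-02T22:41:00 jdoe   10.1.1.20   DC01     rdp success",  # workstation user on a DC
    "2015-09-02T23:05:00 admin1 10.1.1.20   FILESRV1 rdp failure",  # stale admin password
    "2015-09-03T08:00:00 jdoe   203.0.113.7 VPN-GW   vpn success",  # first VPN use for jdoe
]
BASELINE_CUTOFF = datetime(2015, 9, 2)       # records before this define "normal"
PRIVILEGED = {"admin1"}                      # accounts managed by the PAM solution
LAST_ROTATION = datetime(2015, 9, 2, 12)     # when privileged passwords were rotated

def parse(line):
    ts, user, src, dst, proto, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src,
            "dst": dst, "proto": proto, "result": result}

def build_baseline(records, before):
    """Successful access paths observed in the learning window."""
    return {(r["user"], r["dst"], r["proto"])
            for r in records if r["ts"] < before and r["result"] == "success"}

def detect(lines, cutoff, privileged, last_rotation):
    records = [parse(line) for line in lines]
    baseline = build_baseline(records, cutoff)
    alerts = []
    for r in records:
        if r["ts"] < cutoff:
            continue  # learning window, not evaluated
        key = (r["user"], r["dst"], r["proto"])
        if r["result"] == "success" and key not in baseline:
            alerts.append(("new-access-path",) + key)
        if (r["result"] == "failure" and r["user"] in privileged
                and r["ts"] >= last_rotation):
            alerts.append(("privileged-auth-failure",) + key)
    return alerts

def run_demo():
    return detect(LOGONS, BASELINE_CUTOFF, PRIVILEGED, LAST_ROTATION)

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The baseline-versus-new-path split is what lets a defender notice a workstation user suddenly reaching a domain controller over RDP, or using the VPN for the first time, even though every tool involved is legitimate.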
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.