BIZTECH: You’ve talked about cybercriminals “living off the land” after they get inside an organization’s network. What do you mean by that?
It starts with the fact that threat protection has become quite advanced. On the endpoints and on the server, there’s quite a lot of technology that’s actively looking for malicious files and malicious activity. Adversaries have caught on to the fact that instead of using a well-known malicious tool, they can actually use system components that are part of the operating system. That’s living off the land.
PowerShell, for example, provides a way of managing devices and computers. In a way, it provides a scripting interface for an attacker to run a variety of tasks, including moving files from one place to the next, running code and changing access privileges, even exfiltrating files without leaving the telltale signs that traditional security measures will be looking for.
That’s something that not a lot of people are talking about or noticing, and there’s quite a difficulty in identifying these kinds of attacks. I like to shine a light on it, because somebody in the organization needs to build some expertise in it. It’s not something you can build a firewall around, and it’s not something that you can easily turn off.
BIZTECH: Are there other examples of this style of attack?
Yes. The British and American authorities have come out with a report on an attack called VPNFilter. This is an attack using components of routers. Not a home router, but routers that are in factories and other infrastructure — for example, a water treatment facility in Ukraine. The hackers were running some of their own malware, but also using the administrative protocols that are built into the router itself. They were basically using the firmware, the code, that’s on the router, and using that as a back door. This is another way of living off the land, using the vulnerabilities that exist in the network technology.
But these are just examples. The broader point is that threat actors now have a very wide and sophisticated arsenal of tools at their disposal, including tools that are developed by nation-states — for example, the exploits that were leaked from the U.S. National Security Administration, tools like EternalBlue and EternalRomance.
Previously, these would be considered sophisticated capabilities; now, these are widely available. For the cyberattacker, they don’t need to be in a bunker working for six months looking for the next zero day, or even to buy that next zero day with a suitcase filled with unmarked bills. They can really just get a lot of capabilities from these leaks or from using whatever is in the operating system of the router or the server.
The arsenal of tools available to adversaries has really become quite diverse and sophisticated. We’re really looking at a different threat landscape than we were two or five years ago.