Preventing Attackers from Living off the Land

A recent IBM X-Force Report is the latest to highlight the rise in the use of network administration tools as a means to commit cyber crime. According to the press release, “More than half (57 percent) of attacks analyzed by X-Force in 2018, did not leverage malware and many involved the use of non-malicious tools including PowerShell and PsExec to evade detection.” These so-called dual-use technologies provide the ultimate playground for threat actors who know that it’s easier to hide inside approved software and services than it is to drop new, malicious software into someone else’s environment. The report says it best: “Increasing awareness of cybersecurity issues and stricter security controls are making it harder for cybercriminals to establish footholds on target systems.” Though on the surface improvements in defender tools and techniques seem to present a bigger challenge to cyber criminals, in reality these speed bumps have merely effected a course correction, as evidenced by the data cited above and similar findings from other major tech vendors. Because many traditional network security tools have evolved to reliably detect bad code or processes, PowerShell and tools like it are the perfect cover for attackers to move laterally through companies’ networks and find data-rich databases and applications.

Installed by default on Windows machines, PowerShell is a common administrative tool for automating and managing tasks. As such, many attackers know how PowerShell works, how to write and/or change scripts, and how to manipulate it for malicious purposes. The key benefits for an attacker include: PowerShell provides full administrative access to core operating system functions, it executes payloads directly from memory (making them harder to detect), and it grants remote access capabilities by default. Ironically, it’s this same functionality and ubiquity that makes PowerShell attractive to defenders and attackers alike. Various industry reports state that attackers can obfuscate scripts to evade detection, but the truth is that, in most cases, they don’t have to, because the mere fact of PowerShell running in an environment is expected and therefore largely overlooked in complex, noisy operating environments.

PowerShell basic capabilities

As with other types of attacks, PowerShell attacks often start with the compromise of user credentials or the exploitation of system vulnerabilities. Once inside the perimeter, the attacker can leverage overly permissive admin access privileges to execute commands, change proxy settings on servers, harvest passwords, and more. The most common way attackers use PowerShell, though, is as a downloader.

As a scripting language rather than an obvious piece of malware, PowerShell easily evades detection by traditional security tools that rely on signatures to flag anomalous behavior. Importantly, PowerShell includes the capability to monitor what types of connections end processes make, and admins can restrict connections between hosts, servers, applications, etc. Given that it is a standard network tool, though, overly restrictive policies may impact performance and availability.

Living off the land to cause a data breach is clearly a tactic that’s not going to go away anytime soon. Though the tool itself provides logging and monitoring capabilities, many administrators have these functionalities turned off because of excessive noise and the potential performance and availability problems mentioned above. The key to stopping malicious use of PowerShell is looking at the connections it’s making and the behaviors it’s exhibiting. Is a server talking to another server it’s never connected to before? Is a database suddenly connecting to the internet or sending excessive amounts of data?

There are a hundred ways to obfuscate scripts or commands with a dual-use technology, but an attacker cannot hide bad behavior... if defenders are looking in the right places for the right things. Traditional network security tools like IDS do not have the granularity to prevent bad behavior. An organization’s better bet is to implement network security tools that allow infrastructure and operations teams to create least-privilege protection policies governing what can talk to what inside the network. Before that can happen, the organization needs a complete picture of all communicating and approved assets and reliable baselines of normal or expected behavior. Once baselines are established, policies can be used to block unexpected behavior, like a user downloading macros from an Office document (which then delivers malware to the user’s system and spreads to connected machines, servers, and other networked assets). Or, policies can be configured to prevent communication by systems running unsigned scripts or trying to bypass execution policies.

Zero trust methodology fueled by machine learning

Two key components should be part of the technology used to prevent malicious PowerShell execution: zero trust and machine learning. Zero trust principles dictate that all network traffic should be treated as potentially suspicious until it can be positively verified against a set of criteria. The verification process needs to happen every time a communication request is sent or received. Doing so ensures that if PowerShell, or any other piece of software or service in the environment, is tampered with, the infection can’t propagate to the rest of the network.

Machine learning, for its part, isn’t meant to be a magic cure-all. Buzzwords be damned, security tools that incorporate machine learning simplify the process of baselining and change management, as networks and the traffic on them constantly change (especially in cloud and container environments). Using these baselines, security policies can adapt without breaking dependencies and/or availability of system resources.
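The two ideas above (learn a baseline of who talks to whom, then verify every request against it and default-deny anything outside it) can be shown end to end on a handful of connection records. The script below is an added example written for this post, not Edgewise code or a description of any product. It assumes a made-up record format (`timestamp,src,dst,dst_port,bytes_out`), a constructed asset inventory with roles, and a single internal address range; the three deviations it flags are exactly the questions raised earlier: a flow never seen before, a database reaching out to the internet, and a known flow suddenly moving far more data than usual.

```python
"""Baseline-then-verify model for east-west traffic (added example).

Assumptions, not from the original post: connection records are lines of
'timestamp,src,dst,dst_port,bytes_out'; approved assets and their roles live in
HOST_ROLES; anything outside INTERNAL_NETS counts as the internet. All log
lines and addresses below are constructed for this example.
"""
import ipaddress
from collections import defaultdict

# Constructed inventory of approved, communicating assets (the "complete
# picture" the post says must exist before policies can be written).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
HOST_ROLES = {
    "10.0.1.10": "web", "10.0.1.11": "web",
    "10.0.2.20": "app", "10.0.3.30": "db", "10.0.9.99": "admin",
}

# Constructed learning window: only expected flows.
BASELINE_LOG = """\
2019-05-01T09:00:00Z,10.0.1.10,10.0.2.20,8080,1200
2019-05-01T09:00:05Z,10.0.1.11,10.0.2.20,8080,900
2019-05-01T09:00:07Z,10.0.2.20,10.0.3.30,5432,2100
2019-05-01T09:01:00Z,10.0.9.99,10.0.2.20,5985,400
2019-05-01T09:02:00Z,10.0.2.20,10.0.3.30,5432,1800
"""

# Constructed later window: one normal flow and three deviations.
LIVE_LOG = """\
2019-05-02T10:00:00Z,10.0.1.10,10.0.2.20,8080,1300
2019-05-02T10:00:03Z,10.0.3.30,203.0.113.7,443,250
2019-05-02T10:00:04Z,10.0.2.20,10.0.1.11,5985,300
2019-05-02T10:00:09Z,10.0.2.20,10.0.3.30,5432,90000000
"""


def parse(log):
    """Turn the CSV-style records into dicts with typed fields."""
    rows = []
    for line in log.strip().splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        rows.append({"ts": ts, "src": src, "dst": dst,
                     "port": int(port), "bytes": int(nbytes)})
    return rows


def learn_baseline(rows):
    """Build the least-privilege allow policy from the learning window:
    every (src, dst, port) seen, with the largest bytes_out observed."""
    policy = defaultdict(int)
    for r in rows:
        key = (r["src"], r["dst"], r["port"])
        policy[key] = max(policy[key], r["bytes"])
    return dict(policy)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def verify(row, policy, spike_factor=10):
    """Zero-trust check run on every request: default deny unless the flow is
    in the baseline, plus behavioural checks. Returns the list of reasons
    the request should be blocked or alerted on (empty means allowed)."""
    reasons = []
    key = (row["src"], row["dst"], row["port"])
    if key not in policy:
        reasons.append("new-flow")          # server talking to a new peer
    elif row["bytes"] > spike_factor * policy[key]:
        reasons.append("volume-spike")      # known flow, excessive data
    if HOST_ROLES.get(row["src"]) == "db" and not is_internal(row["dst"]):
        reasons.append("db-to-internet")    # database reaching outside
    if is_internal(row["dst"]) and row["dst"] not in HOST_ROLES:
        reasons.append("unknown-internal-asset")
    return reasons


def audit(policy, rows):
    """Apply verify() to each record; return only the findings."""
    findings = []
    for r in rows:
        reasons = verify(r, policy)
        if reasons:
            findings.append((r["ts"], r["src"], r["dst"], r["port"], reasons))
    return findings


if __name__ == "__main__":
    allow = learn_baseline(parse(BASELINE_LOG))
    for f in audit(allow, parse(LIVE_LOG)):
        print(f)
```

The baseline here is a plain maximum per flow; a production tool would learn rates and dependencies over time (the change-management problem the paragraph above describes), but the shape is the same: the policy is derived from observed, approved communication, and every request is checked against it rather than trusted because it originated from an ordinary administrative tool.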

In conclusion, infrastructure and operations teams will always have tools in their environments that can be usurped by threat actors for malicious purposes. It would be close to impossible to eliminate every instance of every tool that can be dual purpose. That said, using PowerShell and similar tools does not mean that defenders are destined to have their networks breached. Instead, organizations should implement technologies that:

  • Identify and monitor all communicating assets
  • Baseline normal behavior using machine learning
  • Build zero trust protection policies based on verifiable communication patterns
  • Alert on behavioral anomalies in real time
  • Adapt to dynamic networks such as the public cloud

Written by Katherine Teitler, Director of Content

Katherine Teitler leads content strategy and development for Edgewise Networks. In her role as Director of Content she is a storyteller; a translator; and liaison between sales, marketing, and the customer. Prior to Edgewise, Katherine was the Director of Content for MISTI, a global training and events company, where she was in charge of digital content strategy and programming for the company's cybersecurity events, and the Director of Content at IANS, where she built, managed, and contributed to the company's research portal.