Living off the land and why it’s so hard to pick up good hackers

Posted on 2020-02-11 by Matt Strahan in Offensive security

A lazy Tuesday

“I need a list of high value clients for our board meeting tomorrow. Get it to me so I can review it and practice tonight.”

As much as she’d like everyone to submit tickets over the fancy ITSM system the CIO paid for, when the CIO gives a direct request like that, Steph the sysadmin just has to follow. Luckily, although it’s annoying to get this kind of request in the afternoon, it’s not particularly hard to fulfil.

Steph loads up Tableau. With SSO she doesn’t even need to sign in. She can make a custom report of the high value clients, plug in financials and client figures, and click export. The report, though, is a bit big so she can’t just send it over email. Instead, she knows the CIO can retrieve it over Office365, so she uses OneDrive and sends the CIO the link so he can download it when he’s at home.

She only has one more task. Someone in finance put in a ticket to reset their password. Steph logs into Active Directory, resets the password, and sends the info to finance. Done for the day, she packs up.

Not an atypical story, is it?

When looking at that story, nothing strikes you as particularly odd, does it? Steph’s accessing client data, but she has authorisation to access the data. She also needs to be able to reset passwords; otherwise, how else will people get access to their accounts when they’ve forgotten the password?

If you were given a list of the actions Steph took, you’d probably pass it over. It’s just the regular sysadmin work.

Let’s look at a similar story.

A malicious Tuesday

Eve had just compromised Steph’s account and was considering next steps. She wanted to know more about the company she was targeting. How about she grabs a list of high value clients?

She loads up Tableau. With SSO she doesn’t even need to sign in. She creates the report, and exports it out. There has to be some way to exfiltrate the data. There it is – the organisation uses Office365 and OneDrive. She loads the report up onto OneDrive so she can retrieve it from another system.

What next? Well, going through finance is a potential way of monetising the access. She changes the password of a member of finance and looks to get to work.

Let’s take stock and compare

The only real difference between these two stories is the motivation. One was looking to help, the other was looking to harm. They ended up taking the exact same actions though. If you were to look at Steph’s actions and pass over them, wouldn’t you do the same for Eve’s?

This gets to one of the biggest issues when it comes to detection and forensics. The activities performed by hackers tend to not just be similar to the activities performed by systems administrators, but can actually be identical. Sysadmins need to install new software, change account credentials, log into business critical systems, create reports on customer and client information, set up and review file shares, upload data, log in to security systems and turn them on or off, manage logs, and insert or delete data.

The toolset and activity for post-exploitation of a good hacker can be very similar to the toolset for a systems administrator, so how can you tell the difference? That’s the crux of it. It’s almost impossible to tell the difference. And if a human can’t tell the difference, how would a security system?

Finding the malicious actors in your network can be hard and it’s only made harder when you know that malicious actors generally don’t look malicious. They might just look like anyone else trying to do their jobs.

About the author

Matthew Strahan is Co-Founder and Managing Director at Volkis. He has over a decade of dedicated cyber security experience, including penetration testing, governance, compliance, incident response, technical security and risk management. You can catch him on Twitter and LinkedIn.

Cover photo by Carlos Muza on Unsplash.
