Fog Ransomware Group Uses Unconventional Toolset, New Research Finds
By Jordyn Alger – Tactics, techniques, and procedures (TTPs) are used as fingerprints to identify actor groups — when common tools, platforms, or infrastructure are used, we as defenders gain confidence in our hypothesis about which Threat Actor group we’re dealing with. The appearance of new toolkits in play could speak to the evolution of existing actors, or to a newly formed group emerging.
The use of ordinary and legitimate corporate tools does two things for the miscreants:
- It may allow accidental bypass of other security tools in an environment, because known software is baked into allow-listing groups that may have been enabled. In this case the use of Syteca for gathering credentials and monitoring the environment may have been ignored by security tooling.
- The use of expected productivity platforms (e.g. Google Sheets or Microsoft SharePoint) for command and control (C2) would have blended in a bit more with normalized corporate traffic, increasing the time to detect, and slowed investigations a bit.
We should expect the use of ordinary and legitimate corporate software as the norm — we refer to this as living off the land. Why would an attacker introduce new software, create more noise in logs, and increase the likelihood of detection when “allowable” software gets the job done for them?
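The two bullets above describe why a binary-level allow-list is blind to this tradecraft: the tool is signed and permitted, and the C2 traffic goes to a SaaS domain the proxy already trusts. The following is an added illustration (not code from the article, from Security Magazine, or from any vendor) of what a context-aware detection looks like instead: it checks *where* and *how* an allow-listed monitoring agent runs, and *which process* is talking to productivity SaaS domains. The EDR-style JSON event format, the host deployment baseline, the domain list, and the sample telemetry lines are all constructed for the example; the agent name Syteca and the Google Sheets / SharePoint platforms are taken from the text.

```python
"""Context-aware detection for legitimate software used 'off the land'.

Added example for this write-up; not the article's or any vendor's code.
Event schema, baselines and sample log lines are constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Assumed deployment baseline: hosts where the employee-monitoring agent is
# legitimately installed (constructed for this example).
EXPECTED_MONITORING_HOSTS = {"hr-ws-01", "hr-ws-02"}
# Assumed set of processes that normally talk to productivity SaaS platforms.
EXPECTED_SAAS_CLIENTS = {"chrome.exe", "msedge.exe", "excel.exe", "onedrive.exe"}
# Domains a SaaS-backed C2 channel (Google Sheets, SharePoint) would use.
SAAS_DOMAIN_SUFFIXES = ("docs.google.com", "sheets.googleapis.com", "sharepoint.com")
# Install roots a managed deployment of the agent would use.
TRUSTED_INSTALL_ROOTS = ("C:\\Program Files\\", "C:\\Program Files (x86)\\")


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def check_process(ev: dict) -> list[Finding]:
    """Flag an allow-listed tool when its *context* is wrong, even though the
    binary itself is signed and permitted by the allow-list."""
    findings: list[Finding] = []
    host = ev["host"]
    is_agent = "syteca" in ev["image"].lower() or "syteca" in ev.get("product", "").lower()
    if not is_agent:
        return findings
    if host not in EXPECTED_MONITORING_HOSTS:
        findings.append(Finding(host, "monitoring-agent-unexpected-host",
                                f"{ev['image']} running on {host}, not in deployment baseline"))
    if not ev["path"].startswith(TRUSTED_INSTALL_ROOTS):
        findings.append(Finding(host, "monitoring-agent-untrusted-path",
                                f"{ev['image']} launched from {ev['path']}"))
    return findings


def check_network(ev: dict) -> list[Finding]:
    """Flag connections to productivity SaaS domains from processes that have
    no business talking to them; the domain alone looks like normal traffic."""
    dest = ev["dest_host"].lower()
    if dest.endswith(SAAS_DOMAIN_SUFFIXES) and ev["image"].lower() not in EXPECTED_SAAS_CLIENTS:
        return [Finding(ev["host"], "saas-traffic-unexpected-process",
                        f"{ev['image']} -> {ev['dest_host']}")]
    return []


def analyze(lines: list[str]) -> list[Finding]:
    """Run both checks over JSON-lines telemetry and collect findings."""
    findings: list[Finding] = []
    for line in lines:
        ev = json.loads(line)
        if ev["type"] == "process":
            findings.extend(check_process(ev))
        elif ev["type"] == "network":
            findings.extend(check_network(ev))
    return findings


# Constructed sample telemetry (EDR-style JSON lines); not real data.
SAMPLE_EVENTS = [
    # Legitimate: agent on a baseline host, managed install path.
    '{"type":"process","host":"hr-ws-01","image":"SytecaAgent.exe","product":"Syteca",'
    '"path":"C:\\\\Program Files\\\\Syteca\\\\SytecaAgent.exe"}',
    # Suspicious: same signed agent, but on a finance server from a public folder.
    '{"type":"process","host":"fin-srv-03","image":"SytecaAgent.exe","product":"Syteca",'
    '"path":"C:\\\\Users\\\\Public\\\\SytecaAgent.exe"}',
    # Suspicious: a non-browser, non-Office process talking to Google Sheets.
    '{"type":"network","host":"fin-srv-03","image":"Updater.exe","dest_host":"docs.google.com"}',
    # Legitimate: browser to a SharePoint tenant (tenant name constructed).
    '{"type":"network","host":"hr-ws-02","image":"chrome.exe","dest_host":"contoso.sharepoint.com"}',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

On the constructed sample the first and last events pass, while the finance server produces three findings: the agent on a host outside the baseline, the agent running from a user-writable path, and SaaS traffic from an unexpected process. The point of the design is that none of the rules care whether the binary is allow-listed; they key on deployment baseline, install location, and the initiating process, which is the context an allow-list discards.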
We have long seen Threat Actors exploiting vulnerability research in security technologies, and for good reason. The old adages ring true here (“the cobbler’s kids have no shoes” and “never drive the mechanic’s car”): security software can never have enough scrutiny. The eternal vigilance required to build self-defending security platforms knows no end. Moments like these should encourage us to seek diverse perspectives in security testing, transparency in findings, and active vulnerability disclosure and bounty programs that incentivize partnership with the research community.