Know the various ways cybercriminals evade detection by using only a network’s own sanctioned tools for the attack.

The best way to test if a door is locked is to try to open it. Similarly, one of the best ways to test your computer security is to try to breach its defenses using known tools. These are referred to as ‘grey hat’ tools and they are used legitimately by penetration testers and red teams to launch attacks with benign payloads on computers and networks.

The majority of grey hat tools are licensed, open source tools, published and freely available on community source control repositories like GitHub and SourceForge. Their features and functionalities are largely indistinguishable from malware.

Also, many grey hat tools are designed to obfuscate a given executable, shellcode, or scripting language payload for the purposes of evading detection by anti-virus software. Others may provide library code containing common exploitation methods, keylogging, anti-debugging techniques, or code to detect the presence of a sandbox, virtual environment, or instruction emulation. Some simply help with facilitating communication to a command-and-control server by providing a framework for client-server communication with a given attack target.

LotL is worrisome

Defenders know that, unlike malware, these grey hat tools are meant to test defenses. The tools’ appearance on the network may not automatically trigger concern. With the increasing popularity of living-off-the-land-style (LotL) attacks—the approach taken in the execution of the Singapore SingHealth data breach in 2018—there is growing concern about how and where some of these tools are used in the penetration testing process to ensure they cannot be abused by a real attacker.

Unfortunately, there is no way to prevent anyone with nefarious intentions from using these legitimate kits to produce, deliver, or enable a malicious attack, and many make the most of this. However, not all attackers abuse grey hat tools in the same way.

In a year like 2020, when most of the world’s organizations are working remotely and may not have adequate cybersecurity protection implemented, it is more important than ever to understand who might use them for the wrong reasons, and how. Let us take a look at some ways these grey hat tools can be used or exploited.

Know the cybercriminal pyramid

The cyberthreat landscape is a complex ecosystem, and the malware community resembles a kind of pyramid. At the top are the apex predators, the advanced persistent threats (APTs), that are highly-skilled and resourced and often nation-state funded. At the bottom are the vast numbers of the ‘script kiddies’, unskilled attackers with few resources, out to make a quick buck by hiring or leveraging the tools of others. In the middle are the operators that have the skills need to modify some, but not all, tools and moderate resources to mount attacks. Grey hat tools are used and abused by all of them.

Entry-level and mediocre operators may use grey hat tools ‘out of the box’ unchanged. The advantage to a novice or poorly-resourced attacker is that this can allow them to pull off a more complex attack by means of abstracting some of the difficult aspects of the job.

However, the more creative malware authors will often modify a given grey hat tool further, in an attempt to expand or customize its capabilities or make it harder for security software to detect. Among others, multiple miner botnets, including Kingminer, Lemon Duck, and Wannaminer implement this approach.

Spot the difference

There is some good news: when the more entry-level attackers decide to leverage such tools, it can actually make life easier for defenders. This is because the open source element means defenders can see exactly what a specific tool is capable of, and there is often little variation in the techniques involved if the tool is used as-is. This makes it easier to focus protection on the attack a given tool is capable of generating out of the box.

It is important that computer security solutions protect systems from the attacks facilitated by these tools, since the evidence suggests they are used in plenty of attacks and this is one way of achieving the goal to stay one step ahead. The fact remains that, for cybersecurity professionals, the major disadvantage of open source grey hat tools is that they are often used in legitimate scenarios, and it is not immediately obvious when they are being used for malicious purposes.

One way to address this challenge is through application-security-based detections, although this involves relying on end users such as corporate IT teams to do some of the work. Another way is to introduce a human-led threat hunting service. Known as Managed Detection and Response (MDR), this type of service complements the advanced behavior-based algorithms of security software with skilled humans who perform a nuanced analysis taking into account the context of a tool’s behavior. If you can identify an adversary based on their goals and the behaviors/tactics/techniques seen while trying to achieve those goals, then whatever tool they are trying to do it with does not matter as much, if at all.