David White | September 9th, 2022

If an organization were to build an optimized cybersecurity posture from scratch, its priority should be to retain an experienced, well-trained, and curious team of security analysts and engineers. Without a dedicated team or 24×7 Security Operations Center (SOC) in place, constantly monitoring for suspicious activity, the tools that will eventually be layered on top of one another will merely become obstacles for threat actors to work around.

Businesses, vendors, and security providers understandably tout the need for and quality of their latest tools, but often fail to share the potential shortcomings of their proposed solutions. Security tools are constantly improving and detecting more nuanced malicious activity. At the same time, however, threat actors are creating and utilizing new tactics, techniques, and procedures (TTPs) to avoid detection by anti-virus, endpoint detection and response (EDR), and other commonly deployed security controls. The bottom line is that automated tools can only do so much to impede increasingly diverse attack campaigns. This includes tools labeled ‘zero-trust’ or marketed as stopping ‘never before seen’ threats. In most instances, high-quality tools are as advertised; however, none prevents all TTPs.

The primary failing of tools is that they target known vulnerabilities or work through predetermined rulesets to assess the ‘safeness’ of whatever is generating an alert. Furthermore, if threat actors break a payload intended for encryption into many pieces, the programmed heuristics may not have enough data to make the correct diagnosis. Even when an alert is raised, tools do not have the capacity to block every activity. Without a human available to immediately investigate and remediate, an alert is just a message on a screen.

Threat actors commonly utilize tools already present in the targeted environment, or functions already available within Active Directory services, for enumeration or to escalate privileges; using these built-in components would not trigger concern for many EDRs. They exploit the fact that most networks host multiple tools that are pre-approved by the rulesets.

To illustrate this challenge, our 24×7 SOC recently handled an incident wherein the security tools deployed within the targeted environment were bypassed. We noticed a tool was added to the network in a manner and place it did not belong, raising immediate suspicion. Threat actors installed VirtualBox software to circumvent deployed security tools and, without the response of our human engineers, a malicious payload would have spread.

VirtualBox requires administrative rights to install, meaning the threat actor either entered as an administrator or was able to escalate privileges to an administrator’s account, which likely started by harvesting legitimate credentials via a phishing campaign. This administrator access allowed them to get around security controls, since administrative accounts often have minimal safeguards and can turn off most security tools (a configuration that is not a best practice). By installing VirtualBox, the threat actor was able to create a Windows 7 virtual machine: an ‘invisible’ machine that could communicate with all other internal machines and provided an ideal staging place for the malicious code.

In most cases, threat actors utilize newly created machines to spread ransomware. By keeping the malware on the virtual machine and calling to it, threat actors employ fileless malware techniques, a common tactic for subverting standard security tools. The tools installed on the legitimate machines could neither observe nor scan the malware as the file never actually resided on their systems, only within this implanted box.
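As an added illustration (not the firm's tooling or code from this post), a small detection routine in the spirit of the incident above: it flags VirtualBox kernel services and VM processes on hosts that are not on an assumed hypervisor allowlist, and DHCP leases handed to the default VirtualBox guest MAC prefix, which is how a bridged guest like the Windows 7 box would first show up on the LAN. Host names, user names and the log format are constructed.

```python
"""Added example: flag VirtualBox artefacts where no hypervisor belongs (constructed data)."""

APPROVED_VM_HOSTS = {"dev-lab-01"}          # assumption: SOC-maintained list of sanctioned lab/dev hosts

# Artefacts a VirtualBox install or VM launch leaves behind (real names; benign on approved hosts)
VBOX_SERVICES = {"vboxdrv", "vboxsup", "vboxnetadp", "vboxnetlwf"}
VBOX_PROCESSES = {"virtualbox.exe", "virtualboxvm.exe", "vboxheadless.exe", "vboxsvc.exe"}
VBOX_MAC_OUI = "08:00:27"                   # default OUI VirtualBox assigns to guest NICs

def _fields(line):
    """Parse the constructed 'key=value key=value' log format into a dict."""
    return dict(part.split("=", 1) for part in line.split())

def endpoint_alerts(lines):
    """Hypervisor driver/service installs and VM processes on hosts not approved for them."""
    alerts = []
    for ev in map(_fields, lines):
        if ev["host"] in APPROVED_VM_HOSTS:
            continue
        name = ev["name"].lower()
        if ev["kind"] == "service" and name in VBOX_SERVICES:      # kernel driver: someone had admin rights
            alerts.append({"host": ev["host"], "user": ev["user"], "artefact": ev["name"], "severity": "high"})
        elif ev["kind"] == "process" and name in VBOX_PROCESSES:   # a guest VM is running
            alerts.append({"host": ev["host"], "user": ev["user"], "artefact": ev["name"], "severity": "medium"})
    return alerts

def guest_nic_alerts(leases):
    """DHCP leases granted to a VirtualBox OUI: a guest VM reached the LAN over a bridged adapter."""
    return [lease for lease in map(_fields, leases) if lease["mac"].lower().startswith(VBOX_MAC_OUI)]

# Constructed sample data, not taken from the incident described in the post
ENDPOINT_LOG = [
    "host=dev-lab-01 user=builder kind=service name=VBoxDrv",              # approved host, ignored
    "host=fileserver-02 user=DOMAIN\\admin kind=service name=VBoxDrv",     # driver where none belongs
    "host=fileserver-02 user=DOMAIN\\admin kind=process name=VBoxHeadless.exe",
    "host=hr-laptop-07 user=jsmith kind=process name=chrome.exe",
]
DHCP_LOG = [
    "ip=10.0.5.41 mac=08:00:27:3c:9a:1e hostname=WIN7-PC",     # VirtualBox guest appearing on the LAN
    "ip=10.0.5.42 mac=3c:52:82:aa:bb:cc hostname=printer-3",
]

if __name__ == "__main__":
    for alert in endpoint_alerts(ENDPOINT_LOG) + guest_nic_alerts(DHCP_LOG):
        print(alert)
```

Either signal alone is worth a human look; the two together on the same subnet and time window are exactly the "tool in a place it did not belong" pattern the SOC acted on.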

Fortunately, we had a dedicated team of experts monitoring this environment, allowing us to isolate and investigate the suspicious behavior as soon as it became apparent. As we suspected, the installed VirtualBox was malicious, but it was detected and unable to persist, and the environment remained unaffected.

It is true that tools create necessary alerts, but if no one is there to receive those alerts no action can be taken. Weekends and holidays are by far the most common time for attacks and a 24×7 SOC sees those immediately, whereas a typical team may not see them until the following week. By then it’s too late.

Additionally, there are instances where alerts are made for suspicious activity but are left as only informational alerts because they do not match a specific ruleset identifying the activity as malicious. This type of alert often sneaks by standard toolsets unnoticed. Security tools are necessary and important in optimizing the capabilities of analysts and engineers. With a team constantly monitoring everything, each alert gets reviewed regardless of severity.

A truly mature security posture requires the training and curiosity humans bring to the table in our quest to stay ahead of threat actors seeking to devastate partner environments. As adversaries constantly build workarounds for the latest tool upgrades, we ensure that a savvy team of humans, attuned to the nuances of each unique threat actor’s evolving playbook, always remains standing in the adversary’s way.