Aristotle once famously said, “Knowing yourself is the beginning of all wisdom.” That adage holds as true today for the modern healthcare organization as it did for the people of ancient Greece.

Healthcare organizations still fall victim to ransomware and other cyberattacks at an alarming rate. While dwell times are decreasing, it is still not uncommon for attackers to remain on a network for weeks, exploring the organization’s internal infrastructure, exfiltrating data and ensuring widespread compromise of devices, before they launch any malicious payloads.

Considering how often this behavior goes undetected leads one to ask whether we know and understand the behavior of our own IT infrastructure well enough. After all, if we can’t say with confidence what normal behavior on our network looks like, how are we ever supposed to identify, in a timely manner, something that is not normal?

We too often limit ourselves by solely focusing on tools that try to detect known bad, but often forget that clearly understanding known good can be just as, if not more, important.

In recent years, understanding what behaviors are supposed to occur on a given network, and where, has become increasingly critical, as attackers have shifted more and more to living-off-the-land (LOL) strategies, in which legitimate tools that are native to an operating system, or commonly installed on desktops and servers, are abused for malicious purposes.

LOL techniques often provide an effective way to bypass security tooling, as many of them are difficult for security vendors to block outright without negatively impacting a portion of their customer base.

For example, endpoint security is sometimes bypassed by an attacker invoking bcdedit, a command built into Windows that allows a computer to be booted into safe mode for troubleshooting and repair.

PowerShell, cscript, wscript, certutil and numerous other commands and applications are routinely abused in similar ways. The LOLBAS project provides great insight into the plethora of ways these abuses can occur.
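As an added example that is not part of the original article: a small "known good" triage over constructed process-creation events, flagging the binaries named above when they are launched by a parent process outside an assumed baseline, and flagging the bcdedit safe-mode change discussed earlier regardless of parent. The baseline parent sets, host names and sample events are all assumptions; a real deployment would learn the baseline from its own telemetry.

```python
import re
from dataclasses import dataclass

# Assumed "known good" baseline: which parent processes are expected to launch each
# living-off-the-land binary on this network. A real deployment would learn these
# pairs from its own process-creation telemetry over a quiet window.
BASELINE = {
    "powershell.exe": {"explorer.exe", "svchost.exe"},
    "cscript.exe": {"explorer.exe"},
    "wscript.exe": {"explorer.exe"},
    "certutil.exe": {"svchost.exe"},
    "bcdedit.exe": set(),  # no routine use outside a change window
}

@dataclass
class Event:
    host: str
    user: str
    parent: str
    image: str
    cmdline: str

# Constructed sample process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    Event("ws01", "nurse1", "explorer.exe", "powershell.exe", r"powershell.exe -File C:\IT\login.ps1"),
    Event("ws01", "nurse1", "winword.exe", "powershell.exe", r"powershell.exe -File C:\Users\Public\update.ps1"),
    Event("srv02", "svc_backup", "svchost.exe", "certutil.exe", r"certutil.exe -verify C:\certs\app.cer"),
    Event("ws03", "clerk", "explorer.exe", "wscript.exe", r"wscript.exe C:\IT\printer-map.vbs"),
    Event("ws03", "clerk", "explorer.exe", "notepad.exe", "notepad.exe"),
    Event("ws07", "helpdesk", "cmd.exe", "bcdedit.exe", "bcdedit.exe /set {default} safeboot minimal"),
]

def triage(events, baseline=BASELINE):
    """Return (host, image, severity, reason) for each event that deviates from known good."""
    findings = []
    for e in events:
        image = e.image.lower()
        if image not in baseline:
            continue  # not a binary we baseline; ordinary application launch
        if image == "bcdedit.exe" and re.search(r"\bsafeboot\b", e.cmdline, re.I):
            # The safe-mode change the article describes: endpoint protection may not load after reboot.
            findings.append((e.host, image, "high", "boot configuration set to safe mode"))
        elif e.parent.lower() not in baseline[image]:
            findings.append((e.host, image, "medium", f"launched by unexpected parent {e.parent}"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep="\t")
```

The routine launches from explorer.exe and svchost.exe produce no findings; only the deviations from the baseline surface, which is the point of knowing "known good" first.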
