This video inspired me with the following thoughts.
They say becoming a cybercriminal has never been so easy. You can indeed get tons of resources for free: software with pre-built attacks, PoCs (proofs of concept), leaked passwords, and more.
Even advanced threat groups now publish their exploits, a kind of dark open-sourcing. Some attack tools are so comprehensive and well documented that even people with minimal technical background can start using them (e.g., beginners, script kiddies).
This can mislead inexperienced people who find some stuff on the Internet or on onion services and start attacking in the wild, while dramatically underestimating the defenders' capabilities.
So far, so good. We’ll save our tears for another day.
From the defenders’ perspective, things have also evolved tremendously. Companies now use advanced security solutions with intelligent features that can catch most threats, so even if you try some popular exploit kit or basic attack, you will probably fail miserably, and perhaps get caught.
However, advanced attackers and cybercriminals know that. They are focusing more and more on evasion to remain undetected and trick defenders with unusual strategies, for example:
- using uncommon approaches such as steganography and other additional layers of obfuscation
- limiting phishing campaigns to far fewer individuals to optimize the success rate and remain undetected
- tricking algorithms and machine-learning (ML) based systems
- exfiltrating data as leverage to threaten companies in case the ransomware attack fails, which now happens frequently thanks to ransomware removal and remediation strategies
- anticipating APT (advanced persistent threat) analytics, as many security vendors map known groups and their techniques
- fooling Windows Defender and other antivirus solutions, perhaps deactivating them and the firewall before installing malware
- predicting defenders’ reactions to unknown or unusual command lines (e.g., googling suspicious commands captured in logs)
I found the last one pretty interesting: “what would I do if I was a security analyst and I found logs with a series of instructions I’ve never seen before”?
As Dave Kennedy suggested, I’d probably use a search engine to check whether it’s legitimate or not. At least, it would tell me what it is. However, advanced hackers could have disguised their malicious payloads inside legitimate processes, and, for now, even AI and other detection technology would not save my ass.
I might get fooled with the logs if Google keeps telling me it’s not a suspicious process, but there’s still a chance I’d dig into it and maybe spot the sophisticated obfuscation and lateral movement.
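As an added example (not code from the post or from the video it discusses), here is a small Python triage script that does, mechanically, part of what the analyst in the scenario above would do by hand: it reads command-line log records and flags two things the post mentions, a long high-entropy base64-looking token in the command line (one added layer of obfuscation) and a program observed on only one host in the fleet (the "never seen before" signal). The log format, field names, sample records, thresholds and weights are all assumptions made for the example; the log lines are constructed, not real telemetry.

```python
import base64
import math
import re
from collections import Counter, defaultdict

# Constructed sample records (assumed format: "timestamp|host|user|command line").
# The encoded blob is base64 of the bytes 0..95, built here so it is deterministic
# and obviously not a real payload.
SAMPLE_BLOB = base64.b64encode(bytes(range(96))).decode()
SAMPLE_LOGS = [
    "2024-05-01T08:00:01Z|ws01|alice|C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "2024-05-01T08:00:02Z|ws02|bob|C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "2024-05-01T08:00:03Z|ws03|carol|C:\\Windows\\System32\\svchost.exe -k netsvcs",
    '2024-05-01T08:05:00Z|ws01|alice|"C:\\Program Files\\Git\\bin\\git.exe" pull origin main',
    '2024-05-01T08:05:10Z|ws02|bob|"C:\\Program Files\\Git\\bin\\git.exe" status',
    "2024-05-01T09:12:44Z|ws02|bob|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -Command Get-Date",
    "2024-05-01T09:40:00Z|ws03|carol|C:\\Users\\carol\\AppData\\Local\\Temp\\updater.exe /silent",
    f"2024-05-01T09:41:30Z|ws03|carol|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -EncodedCommand {SAMPLE_BLOB}",
]

# Base64 alphabet, at least 40 characters, optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def shannon_entropy(text):
    """Bits per character of the observed symbol distribution."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(token, min_entropy=3.5):
    """True for a long base64-shaped token whose symbols are spread out.

    Plain words and paths fail the charset check; short tokens fail the length
    check; the entropy floor (assumed value) weeds out things like 'AAAAAAAA...'.
    """
    return bool(B64_RE.match(token)) and shannon_entropy(token) >= min_entropy


def program_name(cmdline):
    """Basename of the executable: first quoted token, else first whitespace-delimited token."""
    m = re.match(r'"([^"]+)"|(\S+)', cmdline)
    exe = m.group(1) or m.group(2)
    return exe.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line):
    ts, host, user, cmdline = line.split("|", 3)
    return {"ts": ts, "host": host, "user": user, "cmdline": cmdline,
            "program": program_name(cmdline)}


def triage(log_lines, weights=None, min_fleet_size=3):
    """Return the records worth an analyst's attention, highest score first.

    Indicators (assumed weights): an encoded blob in the command line, and a
    program that appears on a single host although the fleet has several.
    """
    weights = weights or {"encoded_blob": 3, "rare_program": 1}
    events = [parse_event(line) for line in log_lines]

    # Baseline: which hosts has each program been seen on?
    hosts_per_program = defaultdict(set)
    for e in events:
        hosts_per_program[e["program"]].add(e["host"])
    fleet_size = len({e["host"] for e in events})

    findings = []
    for e in events:
        indicators = []
        if any(looks_encoded(tok) for tok in e["cmdline"].split()):
            indicators.append("encoded_blob")
        if fleet_size >= min_fleet_size and len(hosts_per_program[e["program"]]) == 1:
            indicators.append("rare_program")
        if indicators:
            findings.append({"host": e["host"], "user": e["user"], "program": e["program"],
                             "indicators": indicators,
                             "score": sum(weights[i] for i in indicators),
                             "cmdline": e["cmdline"]})
    findings.sort(key=lambda f: -f["score"])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"score={f['score']} host={f['host']} user={f['user']} "
              f"program={f['program']} indicators={','.join(f['indicators'])}")
```

On the constructed records the script surfaces two of eight lines: the encoded PowerShell invocation on ws03 first, then the single-host `updater.exe` launched from a user's temp directory. The point is the baseline, not the regex: a program that every host runs is boring even if it looks odd, while a one-host outlier is worth the dig the post describes, and "rare" only means something once the fleet is big enough to have a normal.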
I take this next-level threat as an invitation to train constantly and to rely on detection tools only as one of multiple layers of security: a necessary layer, but not a sufficient one.