Living Off the Land Attack: Hackers Using Your Own Tools Against You

You found the backup wrap up your go-to podcast for all things

backup recovery and cyber recovery.

In this episode, we're talking about living off the land attacks.

And it's honestly, I think one of the sneakiest things that bad guys do, they

get into your environment and instead of bringing their own tools, because

you know they might trip your alarm systems, they use your tools against you.

Things like PowerShell or WMI tools that you're likely already using.

My co-author, Dr. Mike Saylor, breaks down how this works.

Why it's so hard to detect and what you can actually do about it, I think, uh,

there's a lot of value in this episode.

By the way, if you don't know who I am, I'm w Curtis Preston, AKA, Mr.

Backup, and I've been passionate about backup and recovery for over, can't

believe it, 30 years ever since I had to tell my boss there were no backups of the

production database that we had just lost.

I don't want that to happen to you, and that's why I do this.

On this podcast, we turn unappreciated admins into Cyber Recovery Heroes.

This is the backup wrap up.

Welcome to the backup wrap up.

I'm your host, w Curtis Preston, AKA, Mr. Backup, and I have with me a

guy who seems to laugh at my errors.

Persona, Molly nios going Persona.

I am good, Curtis.

I nothing like with friends like this who needs enemies.

Exactly.

I just, I, I make, I make, I make mistakes.

And you, well, honestly, I get, I get I like them too.

I, it makes it, making me laugh.

Makes me laugh.

It's just funny that, uh, how long has the, has it, it been called the

backup wrap up at least two years now.

I think about, oh yeah, probably two years.

And I still, my brain wants to say Backup centrals restore it all, which

is the original name of the podcast.

But, um, anyway, I don't know.

Well, welcome to our, uh, pity party, Mike.

Doctor Mike Saylor.

How's it going?

It is going well guys.

Thanks for having me.

My co-author on our lovely book, learning Ransomware Response and

Recovery, which Mike, I understand you, you have some to show us.

You don't have it hung yet, but there he is.

The official.

Framed copy of our book.

Yeah, just hold it just like that.

For the next, for the next half hour.

Yeah.

Very.

Yeah.

O'Reilly does that.

They send you a copy when, uh, um.

You know, when it's ready.

And by the way, I just got a, I just got news from one of my folks

on LinkedIn that the book said it's gonna be there on Tuesday.

So they, you know, they ordered it in, they ordered it in January and uh,

Amazon says it's gonna be there Tuesday.

So, very exciting.

Any,

So for all our listeners, go out, order the book, listen, or then you can actually

read what Curtis and Mike have been doing

yeah.

many, many, many, many months.

Many, many months.

And then give us a review on Amazon, uh, if you, if you like it,

then come back

yeah.

come back to the podcast

And comment.

be going, no, because we'll be going more in depth into many of these topics.

Yes, we will.

Yes, we will.

And today we're talking about something that honestly, I, I had, I had heard

the, I had heard the term, but it wasn't, you know, given that I don't, uh, live

that side of it the way you do, Mike.

Um.

The, um, this term living off land was something new to me.

So, uh, I, why don't you give us a, do you have a story that kind of gives

us an idea of what we're talking about when we talk about living off the land?

Well, there's, there's lots of stories.

Um, but living off the land is, is often part of some bigger,

bigger campaign, bigger attack.

Something you hear about in the news.

You know, somebody got hacked, somebody had ransomware, somebody,

you know, lost a bunch of data.

the living off the land.

Part of that was simply, um.

Something that facilitated that attack to some degree.

So, and, and from, as an auditor, an IT person, cyber person, you know, I

harp on organizations all the time.

Whatever you build, make it focused on whatever it's doing.

so, you know, the other term for that is system hardening.

You know, uh, delete things you, you don't need.

Turn stuff off, you're not gonna use, close the port.

Don't talk to things that you don't need to talk to.

Um, those are all fruits of the land that a bad guy could use,

uh, to facilitate an attack.

Some of those you can't turn off, uh, like Windows Management as an example, or

WMI, uh, the operating system needs that.

Uh, there are other things like PowerShell, uh, whether it's a, a

system that uses it or an admin that uses it for scripting, but story short.

Uh, bad guys will figure out a way to circumvent the security controls you

have that are looking for the deployment or installation of bad guy tools.

they'll get through that, that filter, that gate, uh, by using

tools that are native to the systems that they're attacking, uh, in

order to facilitate their attack.

Um, so.

If

So.

there was a story in the book, you talked about a Seattle logistics firm, it was

hit by a Conti ransomware, uh, variant.

It was saying that it, it infected 60% of the firm servers and it, it was the

same thing where it was, they somehow used the administrators, the, their

administrative tools against them.

Yep.

So windows management and very powerful at, at deploying.

Um.

You know, code or, or malware across an environment, and especially if it's the

admin or a service, running as an admin.

I remember years ago we, we, uh, we responded to an incident where it

was actually the, it was the security tool that was running, uh, a service

with administrative privileges that was compromised by a bad guy.

And they used the security tools itself, service that was running to, uh, to spread

the, the malware across the environment.

So Mike, just a clarification.

you say living off the land, is it specifically just taking whatever

tools are in an environment and using that in order to propagate your

attack or to, uh, execute your attack?

Or is it also, for instance, um.

resources a as an example, someone might have had some virtual machines sitting

around that they sort of forgot about from an inventory perspective or other

things that might be deployed in a company that they're not, no longer tracking,

doesn't get the latest security patches.

Those sort of things that they then start to think about when you talk about land.

It, it would definitely escalate to that if, if they have the

time to identify those, but.

Traditionally living off the land is, is services or applications,

uh, resident on the machines they're attacking or using to attack.

Now, as a bad guy, they, they find this, this, uh, this target

host with all these goodies on it.

but then they realize, well, this is the admin's computer, so if I do stuff from

this computer, they may note, they may notice some latency or resource drain.

so maybe they do some recon first, or they figure out a way to stand up a

virtual machine in that environment.

Uh, ideally using a dormant one instead of, you know, setting off some

potential bells about creating a new one, but then migrate those tools or

figure out if there's a way to, to, uh, uh, employ those tools on that

virtual machine that's not being used.

that's a, that would be a pretty good tactic.

Yeah, I, it comes from, you know, the, the term, you know, for those

of us that have been, uh, lived in either a suburb or urban environment

or entire life, the concept of living off the land is that you're going.

To literally live off of what is available.

You know, that this term is, is an old term.

It doesn't have anything to do or that originally didn't have anything to

do with, uh, the world of computers.

The idea is you're gonna live somewhere and you're going to

use what is available on that.

You know, that property in order to, uh, survive.

And so I, I think, I think that's a perfect term.

Uh, you know, think of like an episode of Survivor, uh, basically right?

You're only allowed to use what's a avail, what's there, right?

And so that's why, you know, they call this a living off the land because you're

going to use, you know, you, meaning the, the attacker is going to use whatever

tools are available to them and, and why.

What, what's the purpose of that?

Uh, Mike, meaning that, you know, why don't I want to, let's say I've got this

great tool that does this amazing thing.

Why wouldn't I, if I've got access to the environment, why wouldn't I just

install this, this great tool that I have that does this cool thing?

Why would I do this living off land?

So there's a couple of layers of, uh, hopefully a couple of layers

that organizations have in place.

Uh, one of those is monitoring incoming payloads.

Uh, so a file type.

Well, and I guess that's the other part.

How, how would you get that payload into the environment?

Is that a, an attachment to a phishing email?

Is it compromised credentials?

Uh, in either case?

Uh, payloads usually have a, a, you know, a good amount of baggage with them.

It's not a, you know, it's not kilobytes.

It's usually megabytes and sometimes, uh, multiple mega, you know, a hundred,

400 megabytes of, of size, depending.

Um.

So the, the, the first layer is, or the first hurdle is how do

I get it into the environment?

The second one is, how do I get past all the filters, whether that's

antivirus and malware, spam filter, et cetera, that's not gonna strip

that attachment or that, that payload out of the, the communication.

And then the last part of that is a lot of times, uh, ideally we would limit.

Uh, a user's ability to install something on an endpoint, uh, to,

uh, you know, a privileged account.

Uh, so if, if, if you compromise the, you know, the receptionist, she shouldn't be

a local admin, uh, so she shouldn't be able to, that account shouldn't be able

to install stuff locally, that payload.

So if you can craft your, your attack utilizing tools that are resident.

You're simply connecting to the machine and running that stuff that's already

installed and you're running it locally.

The other benefit of running it locally, uh, is that a lot of times

those services are already installed and using administrative privileges.

Is it also true though, Mike, that I know you talked about how do you get the

malware in or whatever the package is into the environment, like from an attacker's

perspective, once they've sort of, like you mentioned PowerShell earlier, right?

Once they sort of have a methodology to propagate the attack, to actually

live off the land, that's something they can then replicate in other

companies, organizations, and not just limit it to like one company, correct.

Right.

Yeah.

So fundamentally windows and environments work the same.

You know, there, there are some of the older ones have a few services and, and.

Methods for communicating that are probably still enabled versus

today's, um, I think there's a lot more network segmentation and

some other things that, that are common today than there used to be.

Uh, but for sure, if you can build a, an attack strategy in a Windows

environment, um, you should be able to replicate that to some degree just

about any, in any Windows network.

When you were talking about the, the hurdles.

W would another hurdle be even, even if you've got, you, you

managed to download the file, you managed to get past the filters.

Would there be additional filters required to actually execute this, uh, tool?

If, if you're talking about some, yeah.

Yeah.

Um.

a lot of environments would require administrative

privileges in order to execute.

So as an example, a normal user might not be able to run registry editor or

even a command prompt or even change their desktop, you know, wallpaper.

Um, and so, yeah, after, after you install it, you, you've also

gotta figure out, you know, what privileges do you need to run it.

Now I remember what I, now I remember what I forgot.

You, you, you brought up a topic a couple of times and it's, it's outside

of the scope of what I wanted to talk about today, but I thought we'd

just talk a, talk about it, a little about it, and that is this concept

of not allowing, uh, regular users to have admin on their own machines.

I know that as best practice.

The question is, is it common practice?

Uh, whi which way that they do have admin practice.

they do not have, that I, I know that it's best practice not to give Joe Schmo.

You know that that shouldn't have admin, admin even on his local

machine, even though that is.

You know, inconvenient to him.

Uh, we often talk about that security is, is inconvenient.

Right?

Right.

So even though that's inconvenient, it's also inconvenient to the IT

people because now that anytime Joe Schmo needs a new tool, we have

to be the one to go install it.

Which sounds amazing in terms of security, but it also sounds

like a giant pain in the butt.

What, uh, what, how common is it that people actually do this?

Uh, that's, that's a, how common it is is difficult.

But I can tell you in in regulated organizations, you know, those that

have to be compliant with something.

Uh, there is a, a control check for making sure that local, you

know, users don't have, you know, um, more privileges than they need.

Well, then organizations get around that by justifying the need for a user to

have, uh, you know, admin privileges.

And, and I see that even, um, and, and well, you know, mature.

Uh, and secure environments.

An engineer has local admin because he needs to run, you know, some kind

of CAD software with, you know, the ability to manipulate memory and, you

know, graphics and all this other stuff.

Um, thinking, well, it's justified.

Well, bad guys realize this too.

So those are the users they're gonna target.

They're not gonna target the receptionist, uh, you know, for, for the most part.

Um.

So it depends, uh, in, in smaller organizations where, you know, the,

the, it, uh, you know, support doesn't want to have to answer the call to

help someone install, you know, widget.

Uh, they would much rather just give them the ability to do that and, and

not have to take so many phone calls.

Um, but in larger organizations that leads to what we call shadow it.

You know, the, the ability to download and do stuff and make changes and build

things without it being involved, well, that lends itself to more issues down the

road with patch management and conflict and vulnerabilities and other things that

it doesn't know about because they weren't involved with helping you do those things.

And so, you know, restricting access and privilege is, is necessary in a large,

um, user environment for a lot of reasons.

Persona, do you?

Go ahead.

Security is one of those.

Persona.

You, you remember the, uh, the episode, the wifi is down

Yep,

one of our OG episodes, and they, that particular person said that they had,

what was it, 450 SaaS applications.

applications.

Yeah.

That just blew me away when they said that.

Um.

So Mike, this is all, um, like amazing, just learning about off the land attacks.

How come it isn't talked about more often?

Like it seems that this would be very common for a lot of the attack vectors and

what guys are doing, but like Curtis, like you mentioned at the start of this, right?

It's things, something you had really heard about.

So it, it, it is, it's not the, it's not the sexy part of the attack.

Right.

So when you're telling a story, that's the part where people

start to Yeah, absolutely.

You know, that's the part of the, that's the part of the story where

people's eyes kind of gloss over 'cause it gets pretty technical and

it's not as exciting as, you know.

They, they, they broke in and they, and then they, they made off with all the

goods, uh, all that stuff in the middle.

People just kind of get blurry about because it's, it's not the, it's not

the, it's not the cause of the effect.

It's the, it's the creamy feeling.

that excites me sometimes, but, uh,

I, if I, if I can make an analogy, there was recently this, uh, huge.

Uh, uh, heist at the Louvre, right?

Where, where the guys, and like I'm drawing an analogy where like the living

off the land was like the yellow vests.

Like they just pretended to be part of the crew.

Uh, and so people just, they did, you know, it wasn't the

sexy part that attacked that.

They managed to just sort of look like they belong there and just sort of

get in and out in the middle of broad daylight and steal the crown jewels.

Um, yeah.

many, are so many ties to, to the kinetic world with cyber,

you know, all those analogies.

Uh, I can, I've, I've done social engineering and, and red teaming and

breaking into buildings for years and.

All of that stuff is very similar.

You know, as soon as I make it in a door a building, the first

thing I target is the break room.

And I get a cup of coffee.

'cause somebody that's walking around with coffee less suspicious than someone

that's wandering around aimlessly.

Uh, and then, you know, if you've got a clipboard or a name badge or a

notepad or whatever, I can tell you I started, I started breaking into

buildings upon request, not, not

Yeah,

uh.

understand.

Man, 2004.

So 22 years.

Uh, and not once, never once has anybody stopped and asked me if I needed help

or are you, who are you here to see?

Or who are you or nothing?

22 years.

I, I, maybe I, people don't wanna talk to me, that's fine.

But, but that's helped me be successful at social engineering.

By the way, I love, I love your, I love it when you use fancy

words like the kinetic world.

I, I've never heard anyone call it the kinetic world before.

You mean like the real world as opposed to the cyber world.

and you can touch stuff.

Okay.

I've never, I've literally never heard the term kinetic.

I, I know the term kinetic.

Like,

fall then?

what's that?

That's

Where

the,

fall

that's the virtual world.

there's the kinetic, there's the kinetic, uh, matrix of, of things

that supports the, the, the cyber.

Uh, you know, and I guess you could, you could do analog

and digital too, but, yeah,

All right.

I just, I just, I had to call that out.

is, is in the kinetic world.

What's that?

The Nebuchadnezzar, the ship in

Oh, right, right.

It's in the kinetic world.

Exactly.

Exactly.

Nice, nice, uh, deep reference there.

So we, so this is about, we're, we're, we're in the environment, right?

But basically we wanna spread around.

We want to do stuff without being attacked, and the best, I'm

sorry, without being detected.

And so the best way to do that is to use tools that.

Again, aren't being monitored because they're just part of the

normal, uh, way of doing business.

Does that sound about right?

then.

And, and you're right.

And, and those tools can facilitate the different phases of an attack.

So sometimes, uh, you know, those tools are used to do reconnaissance and,

you know, the, the, the slow, the low and slow stuff, the stealthy stuff.

'cause you don't want to get caught before you're able to, to really,

you know, kick up your attack.

So you do the, the reconnaissance stuff really quietly and then you use

those tools to pull down, you know.

The other parts of your attack.

So maybe you've got payloads or, additional software like Mimi

Cats as an example for credential harvesting and that kind of stuff.

So you would, you would go slow and, and methodical first, and then once

you figured out how you, what you need to do next or what your, you know,

the, the, the environment looks like.

you, you start to do more.

You, you're more active and, and you take more risk.

Uh, and that's where you would, you know, evolve your attack

into, into different tools.

Mike, how, what role does the, you know, like the level

of credentials play in this?

Um, you know, if you're doing a living off of the land attack,

what role does, like the level of credentials that you're using play.

Man, what do I always say?

It depends, right?

Um, so.

You know what?

I'm just gonna cut every time you ever say It depends.

I'm gonna make a super cut and it'll be a four hour long video, but go ahead, Mike.

Somebody did a meme, uh, where, where they took all the ums.

Oh, it was, it was our intern program.

So the interns were, were doing a presentation and we, we, we give

them constructive feedback and they were using the filler words, the ums

and the, and so somebody, somebody on one of the other interns did

a compilation of all the ums and

Wow.

And so it was just a consistent, um, uh, uh.

So your answer is, it depends.

so it does depend, uh, and what I mean by that is it depends on the

capabilities in the environment to monitor for weird stuff.

So it would be weird for the receptionist to run PowerShell in an environment

she's also a, you know, a computer science student or something like that.

It would not be weird for an admin to be running these

administratively related tools.

Or scripts or uh, uh, activities.

So in the cyber world, we have tools that do what are called

user and behavioral user behavior.

I'll get it right in a second.

User and event behavior analytics or UEBA.

a user, it creates a baseline, so type of user, type of device.

And it, it tries to delineate between what's normal on these anomalies.

So if you've got a. Even an admin account that doesn't use PowerShell

very often if a bad guy compromises that environment and that admin

account, now he's running PowerShell in some weird way that should, that

could be flagged or should be flagged.

But it depends on, depends on the capabilities in that environment.

Now Windows inherently you, you can set up logging and alerting,

but a lot of organizations don't.

They don't, they don't wanna spend the time it's noisy.

'cause Windows environments talk a lot.

Uh, and then.

Even if there is an alert that one or two or a few, it people are busy putting

out fires and it's gonna be a day or a week before they go, Hey, there was this

alert thing, that I need to look into.

So it's a mess.

Uh, but yeah, uh, there, there are ways of there identifying weird

stuff based on the type of user, uh, that's conducting that activity.

So, I know you talked about monitoring, alerting, Mike.

there other things that.

can do because with these living off the land attacks, it's already

there, like all the tools are there that this person needs.

so basically saying you're screwed if you're trying to protect these things

and prevent these sort of attacks from using the tools that already exist.

You are not, and.

And, and it, it, it's just how much overhead do you wanna put

on securing your environment?

One of the things, just taking you back to another example of a resource

that's available 24 7 that shouldn't be.

And, and I'm, so I'm alluding to, you know, some of these administrative

tools being available all the time, even if the administrator doesn't

need it, remote access into your network from supporting vendors.

Why is that available 24 hours a day if I don't currently need your help?

It's because someone's too lazy to go turn off the modem and yeah, I said modem,

or disable that VPN access or suspend that user account because it, it's,

it creates overhead very similarly.

can suspend services running on in our environment.

We can turn off, uh, administrative services that aren't being used when

they're not necessary, don't do that.

And then ideally, um, because we don't do that, uh, you would wanna

monitor for the use of those things.

And a lot of organizations still think that we don't need that, or it's too

expensive, or, you know, we don't have the skillset, you know, whatever the case is.

There's always, there's excuses after excuses, but.

Yeah, I think, I think this, we, we've talked about this, uh, and

we're gonna give, we're gonna give a couple action items here.

Uh, we've talked about, like, one of the things that comes up a lot is RDP, right?

And that RDP is very, very useful.

But RDP open all the time, and RDP, especially RDP, accessible via.

The internet, right.

Directly accessible via the internet is just, you're just, it's just,

there's like asking for trouble.

Right?

Um, and so there are ways to turn it off and turn it on when you need it.

Uh, and there's also, and, and, and you know, again,

you, you, you, you alluded to.

You alluded to, there's, there's a, there's a budget,

uh, aspect of this, right?

So there are remote access tools that are much more secure

than RDP that you could enact.

Uh, it, it's just, it's going to increase your costs, but perhaps

increase your costs a little bit with a much higher level of security.

I, I think it's a matter of like finding, finding that sweet spot, right?

Where, where's the, some things I think we can do.

Where it's, it's a, there's a little bit of hassle and I, I, I'll give another

perfect example of something that you suggested back on a previous podcast

that I enacted in my personal life.

And that was using, um, you know, you, the idea was that don't have, uh, you

know, when you, when you go into your bank, like don't have a bunch of other

tabs open and all that kind of stuff.

And, and the way I, and the way I. Decided to implement that was, if

I do anything that's that level of security, I do it in a different browser.

Right.

Meaning a different brand of browser.

Right.

And, and then I, um, and since I use Chrome as like my main browser,

I implemented a, uh, I, there's a tool that allows me to blacklist.

Certain sites, right?

Like Citibank, right?

I can say if I ever, 'cause, 'cause I, I don't know if you

know this, Mike, I forget stuff.

I got CRS like a lot and I forget that I, that I told myself, I'm

not gonna log into Citibank on my.

Chrome browser.

And so I do it.

I'll type in, I'll type in citi.com, and Chrome will say, you know, you

told us not to let you do that.

And I'm like, oh yeah.

And then I go over to Firefox minor level of inconvenience for

a significant change in security.

And I think it's a matter of finding those things for these

living off the land, uh, attacks.

Does that sound about right?

It does.

And if I could continue your bank analogy a little further.

So your browser would be the living off the land part, especially

if you save your password.

Yeah.

Uh, so that guy just has to compromise your machine and identify

the browsers you use and then.

Yeah, trial and error.

Chrome doesn't work.

Oh, Firefox does work.

Oh, and you saved your password.

So now I'm, I'm in your bank because I've used the resources

available to me on your machine.

Well, then the, the evolution of that activity would generate,

you know, some kind of log, or event triggers in the bank, right?

So somebody logged in at 2:00 AM from a different IP address than, you know, your.

Recent IP addresses.

Right.

a, an email or a text message potentially related to that.

if they buy stuff or change stuff, you should hopefully have

alerting or events related to that.

And if there's any transactions over a certain threshold, you should have

alerting related to those things.

Right.

are the, those are the things.

And just going back to the living off the land part.

know, bad guys are gonna do reconnaissance first and be quiet, but then when

they're ready to, to execute their, plan, they're not necessarily as up, uh, as

concerned with how loud they're gonna be.

'cause it's gonna happen very quickly.

Hmm.

Nice.

So let's talk.

Go ahead, prana.

we, so Mike, I know you said that people will act fast.

How far or how much time is taken usually in that first step of kind of scoping

things out, using, uh, living off the land versus, okay, now I'm actually

gonna execute and sort of run with it.

And like you said, they don't care how loud it is.

They're gonna make a bunch of noise, break a bunch of things, but

they're trying to go as quickly as possible before they're detected.

If I could write, it depends backwards so that it would show up the right

way, I would, uh, but it depends.

But like is it like 90% of the time is typically spent in the first phase

and less time is spent in the second?

Is that a fair assumption?

and there, there are some good statistics around that.

But yeah.

As an example, a, an attack that could last four hours had probably 30 to 90

days worth of reconnaissance ahead of it.

Hmm.

So, yeah, that's interesting.

Um.

So, uh, all right, well, let's talk about, we, PowerShell has come up a lot.

What, what can we do with PowerShell and, you know, is there anything that's like

the easy idea that I talked about earlier?

Is there a way to easily disable and re-enable PowerShell when we need it?

So of all the environments that I've, I've worked with or in.

Very few of them use PowerShell very much.

There's usually that one, that one admin, that one person that knows how to use it

and that uses it because they're, they get it and then man, it makes life easy.

Everybody else doesn't need it.

And in a lot of cases, PowerShell is not necessarily required or

needed across an entire environment.

Hmm.

You might just need it between your admin machine and Office 365 or

those, or, or your server cluster, take it off of everything else.

And, and that just, that goes back to hardening.

So how do I harden my network?

Well, you've first gotta understand your network, right?

Know yourself.

What, what do I, what am I responsible for?

How do all these things work?

What is their primary role?

Hopefully you've got one machine for one role.

We, we would call that a bastion host, like your web server's, just

your web server, that's not also your financial server or your backup server.

Uh, and then for, for those roles and that purpose of that machine, what's needed,

what's necessary to, to support it.

Like you don't need Bluetooth active on a production server.

It doesn't need to be a web server unless it's a web server.

You don't need.

Uh, it doesn't need print server services running.

so those are just examples of the services running.

Well, now let's, let's look at all the, the, the overhead from a, a file and

help, uh, you know, software perspective.

Your server doesn't need Microsoft Solitaire and games.

It doesn't need all the help.

It doesn't need all the help files, it doesn't need templates.

And, and all of the, the pre-installed.

You know, garbage that the, the vendor, whether it's Dell or whoever, uh, so much

that can be done to, to make a machine run more effectively and securely.

If you can really understand what it's gonna do, and then

take everything else off, turn it

But Mike, that takes, but that takes work.

it, it takes work.

So again, it depends.

So if, if I've got all these machines.

And I spend the time to develop what I would call a, a golden image, right?

So, um, I, I take one machine and I say, this is exactly how I want this done.

Well create an image of that and apply it on the other, however many.

And then for each one of those golden images, I can add back on top of

that base golden image, the things that are particular to that server.

So your, so your golden image is, is, is, uh, like in this case, uh,

PowerShell is disabled everywhere.

But then for that one person who needs PowerShell, you can turn it on.

Correct.

Yeah.

And that's, that's great too because if you have an issue with that

machine, re-apply the image, right?

Uh,

Hmm.

Yeah.

from scratch without having to figure out what broke and how to fix it.

Is there, is there a way for us to figure out the tools, esp if we're,

if we're, if we're trying to secure things for, you know, against a living

off the land attack, is there a way to figure out the tools like PowerShell

that are in use in our environment?

By, by the use of, by looking at like the ports that they're using, for example.

There are, um, and.

And, and there's free tools.

One's called Nmap, uh, another one's called Wireshark.

Uh, so those are network protocol analyzers, so you can run

that across your environment.

It'll tell you by IP address.

Here's the ports that are open and based on the, the

default service for a given port, it'll, it'll give you a description of what it

thinks might be running on that port.

But bad guys are also pretty good, uh, at, at changing what ports are being

used so that you're not suspicious of, uh, um, of network activity.

Like we had an incident call on on Friday where a school district

said, I think I'm getting hacked.

I just shut my network down.

right, well, let's look into that.

Well, it was, uh.

Um, expired certificates for a website, and then on the back

end, the logs showed that,

data was going out.

Uh, iic ICMP data was going out to this, uh, AWS IP address.

Well, ICMP by itself, not a bad thing, but to a, uh, an IP address that

maybe doesn't have a good reputation.

That could be a bad guy just sending, like intentionally changing what

port they're sending data out so that it looks like ICMP, but maybe

it's just low throttle, you know, throttled down data exfiltration, uh,

turned out to be a false positive.

It was actually their web filter for the school district.

but, uh, we helped them learn something new that day.

but bad guys do that.

Uh, our, our engineers will exfil credentials over the DNS port

because you can't block DNS.

hardly anybody's, you know, monitoring that port.

Right.

you just do it slow and methodically, then you could, you could exfil quite a

bit of data, uh, over a period of time.

Yeah, I think we talked about that with when we had, um, uh, what's his name?

Uh, Dwayne Persona.

The Red Teamer.

Yeah.

When we had the red teamer on there, he talked a lot about, about the use of DNS.

Um, you know, you gave me a memory back when my daughter was young and I was a

little concerned about some of the traffic that I was seeing, uh, coming into.

Um, the computer she was using and I went and I bought a SonicWall firewall, right.

That had content filtering.

And she came in the front, she came in the front, it was literally

just sit, there was a box, a SonicWall box sitting on the couch.

She walked in, she goes, SonicWall, what's that doing here?

And I said, well, yeah, it's for this.

She's like, they use that at the school.

It won't let you do anything.

And I'm like, yes.

I was like.

I bought the right one.

Um, anyway, so the other, uh, so something you talked about with, um, this idea of

that it was going to a place that maybe that isn't quite trusted, that brings

up another concept of this idea, either either application, white listing or IP

address, white listing in terms of is that another way that we can And, and, and it's

another tool where it's, when you start, it's probably gonna be a giant pain.

Right.

If you say no applications are allowed to be used except for those

that have been blessed by it, it's gonna really suck for a while.

But is that, again, this goes back to the turning off, um, admin, is

this a common practice as well?

I.

It is.

And if you put the work in upfront, it's gonna be a little less headache.

And what I mean by that is if, if you want to implement.

You know, kind of white listing, black listing policies start

with getting to know everybody.

Like go sit with the engineers, go sit with the accounting and executives

and find out what they're using, or do some of your own homework.

You know, there's logs out there.

Uh, but go, go talk to them about what you want to do and, and the, the purpose,

like we're, we're doing this to, to make things, uh, safer, but it also helps us

reduce risk and problems with computers and, you know, all that good stuff.

So help me understand.

What you need to do your job, and then I'm gonna use that to, to develop a

plan to, to make us all safe and, and, you know, better, better, you know,

better running and, uh, environment and computers with fewer problems.

So you really have to do that research upfront where you're looking at

the, the things that are being used.

And again, you can do, you can use the network monitoring tool to do that.

These are the things that are happening.

What's that?

I've got another, another example of that and, and.

Yeah, how you, how you do this.

Uh, and, and by this I mean this exercise of, of understanding what

your business needs or what the, your employees need to do their job.

a lot of times it just, no, nobody spends time on an exercise like that

until there's smoke or fire, right?

And then, and then we're like, well, what caused it?

Why did this happen?

How did you let this get this bad?

You know, that kind of thing.

And, and really, if you, if you.

understand security and whether that's physical security or cyber, it's gotta

start with understanding what you're protecting and how this whole place works.

A good example of that would be a school district.

Schools in Texas primarily don't care to have network connections to

China unless you've got like some sister school and there's a program

over there and this kind of thing.

the most part, we don't communicate with China.

Uh, a a a public school in Texas.

So why are we allowing traffic from China to even reach our network?

Right?

So there's that.

Alright, well then, uh, uh, a bigger kind of, more interesting story is I

had a friend that worked for match.com as their IT security person, and they

didn't do any geo IP blocking at the firewall and they were getting hit

millions of times a day from overseas.

And a lot of those, the intent was to create fake female profiles in the

application, uh, for the only purpose of phishing, um, personal email addresses

out of the male members of match.com that they could then spam those male

me, those male uh, members', personal emails with, uh, pornography links.

And those bad guys were making millions of dollars a day through phished pornography

link clicks because of bots on the dating site that were coming from overseas.

And the moment, I'll tell you how bad this was, the moment that they

implemented geo IP blocking@max.com,

The traffic to 10%.

well, uh, from an organized crime perspective, this is how bad it was.

Uh, you know, they were just kind of a, uh, an introverted kind of nobody.

They just did their job and went home and played Xbox, you know, that kind of thing.

And one day they went home after having implemented geo ip blocking.

It did, it had such an impact on the organized crime ring

that was running this thing.

they had actually shipped a wooden casket and it was propped up on their front porch

that told them to undo the GOIP blocking.

Oh

That doesn't sound good.

That's the dark side, you know.

Um, so, uh, all right.

Well, I, we could, we could talk about this all day, but I, I, I, I

think we get, you know, identify.

Things that you need to, you know, that your organization needs to get the job

done, places that your organization needs to communicate with to get the job done.

Investigate all that stuff and then start investigating, locking things down, right?

Turning off applications that aren't being used, turning off regions that are, that,

that we have no reason communicating with.

And, um, and, and consider application white listing, uh, you

know, and, and no administrative privileges on machines, right?

Unless, unless that.

Person needs and I'll, I'll tell one final story about this.

Going back a hundred years when I was consulting at a certain

communication company and um.

I, we had determined, or I had figured out that, that all their

engineering team had, um, admin route on their Unix workstations.

And I talked to the boss.

I was like, there is no reason that they need route on

their, on their workstations.

And so I went around and I. I changed the root password.

The, uh, each of them had a use, like, let's say the user ID was Curtis.

There was a user ID called Curtis Zero that had a UID of zero, which was

basically root and they had that password.

And I went around and I removed that entry and I rebooted the machine, right?

And, um, one of the guys was really, really angry and, um.

He was like, well, you know when you reboot the machine, like the

license manager doesn't come back up.

And I go, well, if the license manager needs to come back up when you reboot the

machine, why don't you just put it in the startup file so that it reboots or so it

restarts when they reboot the machine.

He says, I don't know how to do that.

And that's her is why you don't have root.

And I actually like your, your story about the, the Unix environment

because, um, you could, you can take away people's and, and I and I, and I

will also promote this, even if you're an admin, run your machine as admin,

Right,

machine as a normal user and then elect to run applications as admin.

You just have to put your credentials in every time,

right.

save you.

So similar to the Unix environment, you know, you, you, you run as a normal user

and then you pseudo to, to route when you need to use, and that also creates a

log, uh, an audit log of If everybody's using Curtis Zero, then no one, there's

no accountability for who did what.

It just says Curtis zero.

That was actually my nickname in high school.

Curtis Hero.

Anyway.

All right.

Well, thank you very much, Mike.

Uh, and everyone thank you persona again.

No, this was good.

Yeah.

All right.

That is a wrap.