What can be learned from the case studies in the Playbook 2021, in which companies fell victim to cyber attacks? In a series of articles, Sophos experts revisit those cases and examine specific aspects of IT security in order to derive recommendations that anyone can implement.
As described in the Sophos Active Adversary Playbook 2021, attackers like to use the same tools that IT administrators and security professionals use, because this makes suspicious actions harder to detect. Many of these tools are classified by security products as “Potentially Unwanted Applications”, PUA for short (or RiskWare or RiskTool), yet IT teams depend on them for daily work. To deal with this, administrators have to ask themselves two central questions about the company's IT policy: Do all users need to be able to run these utilities, and do these utilities need to run on every device?
What are PUAs?
PUAs are admin tools that ship with an operating system (e.g. PowerShell) and offer options for automating and managing devices in a network. Beyond those, many third-party tools are widely used to add functions such as port scanning, packet capture, scripting, monitoring, security tooling, compression and archiving, encryption, debugging, penetration testing, network management and remote access. Most of these applications run with system or root privileges.
Why IT's exclusion list is problematic
If admin tools are installed and used internally by your own IT team, they are useful applications. If the same tools are used by other users, however, they count as PUAs and are often flagged as such by reputable endpoint security solutions. To let their own teams use these tools freely, many administrators simply add the tools to a global exclusion or allow list in their endpoint security configuration. Unfortunately, this method also allows the tools to be installed and used by unauthorized persons, often without any monitoring, alert or notification.
How do cyber criminals use PUAs?
Security policies that allow PUAs should therefore be configured with care. Such a blanket pass is worth gold to cyber criminals, and it leaves the defender with no insight into who is using the tool, with what intent and in what context.
If a tool is on the exclusion list, a threat actor can install and use it even on a device where it was not previously present. The attack technique known as “living off the land”, by contrast, relies on attackers using functions and tools that are already in place, in order to avoid detection for as long as possible. These allow actors to conduct discovery, credential access, privilege escalation, defense evasion, persistence, lateral movement, collection and exfiltration without raising a single red flag.
Only allow PUAs in the company under controlled conditions
The first step is to check the current global exceptions in the company:
- Are they necessary?
- Is a reason documented for the exclusion, or was it “always there”? Those responsible should investigate why the security solution flagged the PUA in the first place: could it already have been used maliciously?
- Do the exclusions really have to apply to ALL servers and devices?
- Is the admin tool still required, or can it be replaced by a built-in function?
- Are several tools in use that achieve the same result?
Based on numerous case studies, Sophos recommends allowing PUAs only on a tightly controlled basis: a specific application, specific machines, defined times and selected users. This can be achieved through a policy that contains exactly the exclusion needed and is removed again once it is no longer required. Any detected use of a PUA that is not expected should be investigated, as it may indicate that a cyber criminal has already gained access to the systems.
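As an added illustration of that recommendation (example code, not from Sophos or the Playbook), the following script scopes each exclusion to a specific tool, specific hosts, selected users and a time window, then triages constructed PUA detection events against that policy: anything outside scope is queued for investigation, and any rule without a documented reason is flagged for review. All hostnames, user names, tool names and timestamps are invented.

```python
from dataclasses import dataclass
from datetime import datetime, time
@dataclass(frozen=True)
class AllowRule:
    """One scoped exclusion: a tool allowed on named hosts, for named users, in a time window."""
    tool: str
    hosts: frozenset
    users: frozenset
    start: time          # local time window in which use is expected
    end: time
    reason: str          # documented justification; an empty reason is itself a finding

@dataclass(frozen=True)
class PuaEvent:
    ts: datetime
    host: str
    user: str
    tool: str

def rule_covers(rule, ev):
    """True when the event falls inside the rule's tool, host, user and time scope."""
    return (rule.tool == ev.tool
            and ev.host in rule.hosts
            and ev.user in rule.users
            and rule.start <= ev.ts.time() <= rule.end)

def triage(rules, events):
    """Return events that no scoped rule explains, plus rules lacking a documented reason."""
    unexpected = [ev for ev in events if not any(rule_covers(r, ev) for r in rules)]
    undocumented = [r for r in rules if not r.reason.strip()]
    return unexpected, undocumented

# Constructed sample policy and detections; hostnames, users and times are invented.
RULES = [
    AllowRule("psexec.exe", frozenset({"ADMIN-WS01"}), frozenset({"it-ops"}),
              time(8, 0), time(18, 0), "Patch rollout from the admin workstation"),
    AllowRule("nmap.exe", frozenset({"SEC-SCAN01"}), frozenset({"secops"}),
              time(0, 0), time(23, 59), ""),   # exclusion that was "always there"
]
EVENTS = [
    PuaEvent(datetime(2021, 6, 1, 9, 15), "ADMIN-WS01", "it-ops", "psexec.exe"),  # expected
    PuaEvent(datetime(2021, 6, 1, 2, 40), "ADMIN-WS01", "it-ops", "psexec.exe"),  # outside window
    PuaEvent(datetime(2021, 6, 1, 10, 0), "FILESRV02", "jdoe", "psexec.exe"),     # wrong host and user
    PuaEvent(datetime(2021, 6, 1, 11, 30), "SEC-SCAN01", "secops", "nmap.exe"),   # covered, rule undocumented
]

if __name__ == "__main__":
    unexpected, undocumented = triage(RULES, EVENTS)
    print(f"{len(unexpected)} PUA events to investigate, {len(undocumented)} rules without a reason")
```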
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage, and offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions and security solutions for endpoints, networks, mobile devices, email and the web. These are backed by SophosLabs, our worldwide network of in-house analysis centers. Sophos is headquartered in Boston, USA and Oxford, UK.