Risky Bulletin Episode Summary
Title: Sponsored: Thinkst on Defending off the Land
Host: Risky.biz
Guest: Marco Slaviero, CTO at Thinkst
Release Date: February 2, 2025
Introduction to Defending off the Land
In this episode of Risky Bulletin, host Kathleen engages in an in-depth discussion with Marco Slaviero, CTO at Thinkst, focusing on the concept of "Defending off the Land." The name mirrors the adversarial tactic "Living off the Land," in which attackers abuse applications and binaries already present on a host to carry out malicious activity without being detected. By contrast, "Defending off the Land" uses those same native tools to protect and monitor systems without introducing new software, making it a quiet and efficient defensive strategy.
Current State and Implementation at Thinkst
Marco Slaviero provides an overview of how Thinkst is integrating "Defending off the Land" into its cybersecurity framework. He explains:
"We've been doing canary tokens for a long time now and it sort of helps us think a little bit around how we can help people defend their networks."
— Marco Slaviero, [00:50]
Thinkst uses canary tokens to address visibility gaps in large estates where deploying Endpoint Detection and Response (EDR) agents on every asset is impractical. Marco emphasizes that their approach is not a product but a set of techniques and best practices aimed at helping sysadmins extend their existing defenses with native tools.
Understanding Visibility Gaps
Marco discusses the challenges organizations face with visibility gaps, especially in extensive networks where some assets are too old, too unusual, or too tightly vendor-controlled to support an EDR installation. To cover those gaps, Thinkst uses canary tokens as a fallback mechanism:
"You might place API keys on a host where you can't actually install software, but you can at least drop a file. And canary token API keys would give you a way to detect that somebody's actually been on that particular host."
— Marco Slaviero, [00:50]
This method allows organizations to monitor unauthorized access even on systems where traditional monitoring tools are absent.
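As an added illustration (not from the episode and not Thinkst's own tooling), here is a minimal per-host decoy API key registry together with the detection step that runs over constructed gateway log lines; the key prefix, log layout and field names are assumptions made for this example:

```python
import re
import secrets
from dataclasses import dataclass

# Added example: per-host decoy API keys and the matching detection over
# gateway log lines. Key prefix and log layout are constructed assumptions.

KEY_PREFIX = "CANARYKEY"   # assumed marker for decoy key IDs
LOG_RE = re.compile(r"key_id=(?P<key>\S+)\s+src=(?P<src>\S+)\s+op=(?P<op>\S+)")


@dataclass
class Planted:
    host: str   # asset the key file was dropped on (no EDR possible there)
    path: str   # where it was placed, so a responder knows what was read


def mint_canary(registry: dict, host: str, path: str) -> str:
    """Create a unique decoy key ID for one host and record where it went.
    One distinct key per host is what lets an alert name the touched asset."""
    key_id = KEY_PREFIX + secrets.token_hex(8).upper()
    registry[key_id] = Planted(host, path)
    return key_id


def check_log_line(registry: dict, line: str):
    """Return an alert dict when a line shows a planted key being used.
    A key that merely looks like ours but was never minted is flagged at low
    severity, so a guessed ID cannot masquerade as a confirmed host touch."""
    m = LOG_RE.search(line)
    if not m:
        return None
    key = m.group("key")
    hit = registry.get(key)
    if hit is not None:
        return {"severity": "high", "host": hit.host, "path": hit.path,
                "src": m.group("src"), "op": m.group("op")}
    if key.startswith(KEY_PREFIX):
        return {"severity": "low", "host": None, "src": m.group("src"),
                "reason": "canary-style key ID that was never minted"}
    return None


def demo():
    """Plant one key on a legacy host and run three constructed log lines."""
    registry = {}
    key = mint_canary(registry, "legacy-scada-01", r"C:\ops\aws_creds.txt")
    lines = [
        f"2025-02-02T10:00:01Z key_id={key} src=203.0.113.7 op=ListBuckets",
        "2025-02-02T10:00:02Z key_id=REALKEY0001 src=10.0.0.5 op=GetObject",
        "2025-02-02T10:00:03Z key_id=CANARYKEY0BADF00D src=198.51.100.2 op=ListBuckets",
    ]
    return [check_log_line(registry, line) for line in lines]
```

The high-severity alert carries the host and file path from the registry, which is the information a responder needs to go and look at a machine that has no agent on it.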
Defending off the Land: Techniques and Strategies
The conversation delves into the specific strategies Thinkst is exploring to implement "Defending off the Land." Marco outlines how built-in system tools can be used both to defend against and to detect malicious activity without introducing new software:
"If we look at what's already present on a machine, what can we use to then build detection mechanisms?"
— Marco Slaviero, [00:50]
Examples discussed include native Windows tools such as netsh, which attackers use to proxy network traffic, and scheduled tasks, which they use for persistence and configuration changes. By repurposing the same tools, Thinkst aims to build detection mechanisms that run quietly inside the existing system environment.
Research Efforts and Community Engagement
Marco emphasizes that "Defending off the Land" is primarily a research initiative at Thinkst, not a commercial product. This distinction lets them focus on developing new techniques without the constraints of productization:
"It's not a product that we're trying to push to people... it's more like an advice to customers."
— Marco Slaviero, [03:59]
Their research was highlighted at Black Hat Europe, where they presented 11 distinct techniques for enhancing system defenses using native tools. One notable example is the IDP Canary Token, a deceptive app integrated into platforms like Okta and Azure Entra. This token alerts teams when an unauthorized application is accessed, thereby indicating potential breaches.
Practical Applications and Examples
Marco provides concrete examples of how these defensive techniques can be implemented:
- IDP Canary Token: A fake Salesforce app on the Okta dashboard that alerts administrators when it is accessed. This deception tool helps detect compromised credentials without installing additional software. "An attacker who breaches... doesn't know that, and they'll get an alert saying somebody's clicked." — Marco Slaviero, [05:06]
- Projected File System (ProjectFS): Using Windows' ProjectFS to create a fake file system that appears legitimate but contains no real files. Accessing these fake files triggers alerts, revealing unauthorized activity. "You can create these entire fake file systems and then obviously alert on whenever these files are open." — Marco Slaviero, [05:06]
Accessibility and Usability for Sysadmins
While these techniques are powerful, Marco acknowledges that they require a certain level of expertise:
"These are techniques for competent sysadmins to use to expand on their own detection mechanisms... this is for a little bit more advanced teams in terms of their capabilities."
— Marco Slaviero, [08:14]
Thinkst publishes open-source scripts and documentation in its GitHub repository, allowing skilled sysadmins to adopt and adapt these methods in their own environments. However, the complexity of some techniques means they are better suited to organizations with experienced IT teams.
Sources of Inspiration and Ongoing Research
Marco outlines Thinkst's approach to identifying and developing defensive techniques, which centers on understanding current attacker behavior:
"If we don't know what attackers are currently doing, like, we're going to miss them."
— Marco Slaviero, [10:46]
Key sources include Digital Forensics and Incident Response (DFIR) reports and their internal bibliographic database, Citation. This research-driven methodology keeps Thinkst's defensive strategies aligned with the latest threats and the tactics adversaries actually use.
Community Feedback and Future Directions
Following their presentation at Black Hat Europe, Thinkst received positive feedback from the cybersecurity community, particularly regarding the practicality of the IDP Canary Token. Marco expresses satisfaction with even modest adoption:
"If we've explained that to somebody who's now picked that thing up, I'd consider this thing a win."
— Marco Slaviero, [13:22]
While not all techniques are immediately applicable as commercial products, the ongoing research continues to inspire and enhance the field of cybersecurity defenses.
Conclusion
This episode of Risky Bulletin provides valuable insights into innovative defensive strategies within cybersecurity. Marco Slaviero's discussion of "Defending off the Land" highlights the value of leveraging existing system tools to improve security without additional software. Thinkst's research-driven approach not only addresses visibility gaps in large and complex networks but also equips skilled sysadmins to implement robust defenses aligned with the current threat landscape.
Notable Quotes:
- Marco Slaviero on Canary Tokens: "You might place API keys on a host where you can't actually install software... to detect that somebody's actually been on that particular host." [00:50]
- Discussion on the Defending off the Land Approach: "If we look at what's already present on a machine, what can we use to then build detection mechanisms?" [00:50]
- On Research Versus Product Development: "It's not a product that we're trying to push to people... it's more like an advice to customers." [03:59]
- Regarding Advanced Techniques for Competent Sysadmins: "These are techniques for competent sysadmins to use to expand on their own detection mechanisms... this is for a little bit more advanced teams in terms of their capabilities." [08:14]
This summary encapsulates the key discussions from the podcast episode, providing a comprehensive overview of Thinkst's approach to cybersecurity through "Defending off the Land." For listeners seeking to enhance their network defenses without expansive software deployments, Marco Slaviero's insights offer practical and research-backed strategies.
