A
Catalin Cimpanu. And this is a Risky Business News sponsor interview with Marco Slaviero, CTO at Thinkst. Welcome, Marco.
B
Hi there, Catalin.
A
Marco, we're here today to talk about defending off the land, a concept that's exactly what you think it is. It's the opposite of living off the land, or LOLBins, a concept where attackers use locally installed apps and binaries to execute malicious operations undetected. In the case of defending off the land, you obviously use local binaries to defend and detect attacks and threat actors. Marco, what's the state of defending off the land at Thinkst? Is this at an experimental phase, or is this something that's already in your product in one form or another?
B
The background for us for defending off the land is we've been doing canary tokens for a long time now, and it sort of helps us think a little bit around how we can help people defend their networks. And one of the things that becomes apparent for folks who have large estates is they have these visibility gaps. And so a visibility gap here might be something like EDR. It's a fantastic product class, generally, for monitoring your estate, for finding out what's been breached and then responding to it. But the reality is, in a large estate, you can't deploy EDR across every asset in that estate. It's just not possible. Some of those resources might be too old, they might be just too weird, or maybe they just don't belong to you, they belong to a vendor and you can't actually install things on them. And for those sorts of assets, we found people using canary tokens as the sort of stopgap mechanism to give them some visibility on those hosts. So you might place API keys on a host where you can't actually install software, but you can at least drop a file. And canary token API keys would give you a way to detect that somebody's actually been on that particular host. And last year our Labs team, led by Jacob, sort of really started exploring this concept in more detail, and where they sort of came down to was this idea, as you say, of defending off the land. And for us, one of the key things is looking at attackers and, as you say, attackers living off the land is a well-known sort of class of attacker techniques and tactics at this point. And they are looking for local tools, local facilities that are already on the assets that they compromise. So they don't have to bring their own tools, they don't have to install things, they don't have to make changes, right? So like if they want to proxy network traffic, they can rely on netsh on a Windows machine, or if they want to set up on the systems, they can use a scheduled task and not set up their own.
And so we basically said, well, look, if we look at what's already present on a machine, what can we use to then build detection mechanisms? And that's really the sort of underlying theme behind a bunch of this work. Now to your question on whether this is an experimental thing or a product thing, for us, we're very clear on this, like, it's not a product. And we say that specifically because by definition, when we talk about defending off the land, we're saying this is for places where you can't install products. And so if we then turn around and say, and here's the product you can use, it sort of negates that sort of underlying principle. So we're saying, given a stock standard, say Windows host, that you can't actually install new things on, what can you do on that host to defend it? And really, for us, this means coming back to, in essence, a whole bunch of old school sysadminish type tasks. And so it's essentially giving new ideas to sysadmins for how they can configure or write little scripts on their host where they currently have monitoring gaps. But to finish it off, you know, it overlaps somewhat with our canary tokens, but we don't see this as a, as a product that we're trying to push to people.
A
It's more like advice to customers. Right?
B
Exactly.
A
Like many customers view your canary tokens as a backstop to EDR visibility and then you provide this as a visibility gap to your tokens. Right?
B
Yeah. And for us, that work at Black Hat Europe was essentially exploring that space and sort of saying, hey, here's a bunch of things that, if you're a sysadmin on a Windows network in particular, because we only looked at Windows, these are things that you could be doing. And then, you know, we sort of documented a bunch of these techniques. They're sitting up on our GitHub, the stuff's all open. And some of them do rely on our free canary tokens for kind of ease of use, for the alerting aspect of it. But if you're a competent sysadmin, you actually don't need the canary token stuff at all. You can certainly just look at some of these techniques, pick the ones that work for you and deploy them in your own Windows network.
A
You mentioned your talk with Jacob Torrey at Black Hat Europe last year. I remember that talk. You also mentioned that some of these techniques can be used for deception and to frustrate attackers. Can you give me an example of how you do that?
B
Yeah, for sure. So, you know, we kind of introduced this sort of broader concept of defending off the land, but then we really got quite specific and we gave 11 techniques, and we're not going to have time to go through all 11. But, you know, one of the, I think, quite nice examples, and it's sort of a little bit out of left field here, is we've created an IDP canary token. And essentially what an IDP canary token is, it's a fake app that would exist on your Okta dashboard or your Azure Entra dashboard, right? And so users log in, they know that, you know, your company doesn't use Salesforce, but there is a little Salesforce icon on their Okta dashboard. You, as part of your onboarding, say to folks, look, we don't use Salesforce, stay away from that one. But an attacker who breaches, or an attacker who compromises somebody's credentials and accesses, for example, their Okta dashboard, doesn't know that. And they'll go clicking on that Okta link, on that Salesforce link rather, and you'd get an alert saying somebody's clicked, and you'd get the username of the person who's clicked. And you don't have to install anything in that instance, right? There's a small config change in Okta to add a new app, and you have this way to detect when somebody has breached your Okta instance. Now, that's not actually a Windows-specific thing, that's sort of moving more into cloud. But, you know, if we look at maybe one of the Windows techniques that we spoke about, built into Windows is this projected file system subsystem, ProjFS. And a projected file system is essentially a user-mode file system. And so very roughly what you can think of it as is you have a bit of PowerShell that runs, and it will process all the file system API calls for opening files, accessing files and so on. But in your Windows Explorer, what you are exporting is essentially what looks like a legitimate file system.
And so somebody can be browsing around what they think is the local hard disk, or a directory on the local hard disk. But those files are essentially a mirage. They are not. There are no actual files there. Whenever you open a directory or a file in that subtree, it's actually calling into some PowerShell, which is just serving whatever content the PowerShell chooses to. And so you can create these entire fake file systems and then obviously alert whenever these files are opened, but without actually having to have any content there. And you can of course even expose this projected file system, this fake file system, to the network. And so now you have the ability to list very interesting-sounding documents with even real content. Well, not real content, with fake content, but underlying it there's not even a file system; it literally just comes out of a PowerShell script. And so that's quite an interesting capability that is built into Windows and that defenders can use for deception.
A
For example, having these dordins, if we can call them that, is fine and dandy. But how many of these are easy to set up and use, and how many aren't? Like you mentioned, some require a PowerShell script and a scheduled task, but others may require a VM honeypot or something like that.
B
Correct. And this sort of comes back to the thing that we say with our exploration of the space: we're not saying this is a product that you just install and it goes away and works. We are very definitely saying these are techniques for competent sysadmins to use to expand on their own detection mechanisms. And so, ideally, in an environment in which they have teams who are quite familiar with Windows sysadmining, this is basically a library of ideas and tools for them. But this is not for folks who are just starting out, trying to deploy their first kind of security monitoring. You're going to get bogged down in this thing. This is for a little bit more advanced teams in terms of their capabilities.
A
So let's say I'm a customer. Where would I find these tricks and techniques? Like, is there a special section on your support page or something?
B
No, not at all. So this is not part of our product. When we say we did this work, it was to sort of generate this thinking and discussion around defending off the land. This is not part of our product, and we don't really have plans to include it.
A
As we said, it's more of a research capability effort or something like that.
B
Exactly. So for us this has been a research effort. As I said, we don't see ways here, or at least for a number of these things, they don't lend themselves to being turned into product. But in the same way that there's a bunch of techniques that generally aren't productizable, this is one of those.
A
Yeah, you're basically researching the space in the hope of finding a good future canary. Right?
B
So it is research in the space. And some of these things, as we basically play with them, give us an opportunity to explore, as you say, the space. Some of these techniques lend themselves slightly towards the product. So the IDP canary token that I spoke about, the fake Okta panel, that one is present on canary tokens; we probably will pull that into the commercial side as well at some point. That one's pretty easy to put in. But generating Projected File System PowerShell scripts, at this point, we don't see any future position for that technique to be in our product.
A
That's how research goes. 90% is going to waste. I also want to ask, where do you look for these techniques? Are you informed by offensive security? Or do you just look at various security products and say, hey, there's an easier way to do that?
B
We're pretty clear on the idea that if we don't know what attackers are currently doing, we're going to miss them. If you're not meeting attackers where they are, then the sort of tools that you build or the sort of techniques that you try and imagine are likely to miss them. And so our basis for this is looking at what attackers currently do. So the DFIR reports are pretty good for that, understanding those, reading those. So the folks at The DFIR Report are one of the big sources for us understanding what attackers do, and then reading that and going, you know, the attackers are taking these steps through their campaigns. At each of these steps, is there something that we could have done here, using local techniques on these different assets, that would have revealed the presence of that attacker? We also run Citation, which is our bibliographic database of security publications. And that gives us pretty good insight into the sort of research that's coming out on the attacker side. But that research, and you'll know this well, doesn't always translate into things that malicious actors are actually doing. The bleeding edge of security research often doesn't directly map into what threat actors are doing. But yeah, looking at DFIR reports, looking at what threat actors are doing, and the research that's been put out, these are sort of the major places for us to look in terms of product gaps. Essentially, for this work, our thinking was, what can we do when there's no product? And so the gap is a glaring gap. We're not trying to do sort of a feature comparison of pick-an-EDR and saying, well, they can't detect that, can we detect that particular thing? In this case, our starting premise was: for hosts that have no EDR, what can we do? And that is a pretty big visibility gap.
A
So you say this is not part of your product, but after your Black Hat talk, did you get any feedback
B
from people experimenting with this in the immediate aftermath? There is interest in it. In terms of people playing with the IDP token, the fake Okta panel, that one has interest for sure. And you sort of get the sense here that when the things are easier to deploy, there's obviously going to be more interest. But we'd even be fine if this assists a handful of sysadmins over a period of time. We thought it was interesting work. And actually, in honesty, that drives quite a lot of our researchers. We certainly don't have to see commercial impact; that's not a driver for us on doing this research. Our Labs team's mandate is not specifically to drive the product forward, it's to put out interesting security research. And so in this case, we put out these 11 techniques. Even just ProjFS is an interesting idea. And if we've explained that to somebody who's now picked that thing up, I'd consider this thing a win.
A
That's how research works. It's small steps all the time. 300 academic papers later, you have a usable product. Marco, thank you very much.
B
Catalin, thank you so much for your.
Title: Sponsored: Thinkst on Defending off the Land
Host: Risky.biz
Guest: Marco Slaviero, CTO at Thinkst
Release Date: February 2, 2025
In this Risky Business News sponsor interview, host Catalin Cimpanu talks with Marco Slaviero, CTO at Thinkst, about the concept of "Defending off the Land." The name mirrors the adversarial tactic "Living off the Land," where attackers rely on applications and binaries already present on a host to carry out malicious activity without installing anything of their own. "Defending off the Land" turns the same idea around: it uses the facilities a stock host already ships with to detect and deceive attackers on machines where no security product can be installed.
Marco Slaviero explains where the idea came from:
"We've been doing canary tokens for a long time now and it sort of helps us think a little bit around how we can help people defend their networks."
— Marco Slaviero, [00:50]
Thinkst's customers already use canary tokens to cover visibility gaps in large estates, where deploying Endpoint Detection and Response (EDR) on every asset is impractical. Marco stresses that the new work is not a product but a set of techniques aimed at sysadmins who want to extend their existing detection using native tools.
Those gaps arise because some assets are too old, too unusual, or vendor-controlled, so EDR cannot be installed on them. As a stopgap, organizations drop canary tokens on such hosts:
"You might place API keys on a host where you can't actually install software, but you can at least drop a file. And canary token API keys would give you a way to detect that somebody's actually been on that particular host."
— Marco Slaviero, [00:50]
A token of this kind fires when an attacker uses the planted credential, so it gives some signal that a host has been visited even where no monitoring agent runs.
Thinkst's Labs team, led by Jacob Torrey, took that idea further: rather than dropping a single token, ask what the host itself can be made to do. Marco frames the question this way:
"If we look at what's already present on a machine, what can we use to then build detection mechanisms?"
— Marco Slaviero, [00:50]
Marco notes that attackers living off the land already depend on such built-ins, for instance netsh to proxy network traffic or a scheduled task for persistence, precisely because they require no new tooling. The defensive work inverts that logic, asking which of the same native facilities a sysadmin can configure or script to detect an intruder on a host where nothing can be installed.
Marco is explicit that "Defending off the Land" is a research effort at Thinkst, not a commercial product. By definition the techniques target hosts where no product can be installed, so packaging them as one would defeat the purpose:
"We don't see this as a product that we're trying to push to people." Catalin's reading, which Marco agrees with, is that it is closer to advice for customers.
— Marco Slaviero, [03:59]
The research was presented at Black Hat Europe, where the team described 11 techniques for building detection from native facilities; the material is published openly on Thinkst's GitHub, and only some techniques rely on the free canary tokens for alerting. One example, which is an identity-provider rather than a Windows technique, is the IDP canary token: a decoy application added to an Okta or Azure Entra dashboard. Legitimate users are told during onboarding not to click it; an attacker who has taken over an account does not know that, and the click produces an alert naming the account that was used.
Marco provides concrete examples of how these defensive techniques can be implemented:
IDP Canary Token:
A fake Salesforce app on the Okta dashboard that alerts when clicked. It costs a small configuration change in Okta rather than any installed software, and it reveals compromised credentials together with the username involved.
"An attacker who compromises somebody's credentials and accesses, for example, their Okta dashboard, doesn't know that. And they'll go clicking on that Salesforce link, and you'd get an alert saying somebody's clicked, and you'd get the username of the person who's clicked."
— Marco Slaviero, [05:06]
Windows Projected File System (ProjFS):
ProjFS is a user-mode file system built into Windows: a script (PowerShell, in Thinkst's work) answers the file-system calls for a directory tree, so Explorer shows what looks like a real set of files while nothing exists on disk. Every open of a directory or file in that tree is a callback the script sees, so it can serve plausible decoy content and alert on the access. The tree can also be shared on the network, which turns it into a decoy file share backed by no storage at all.
"You can create these entire fake file systems and then obviously alert on whenever these files are open."
— Marco Slaviero, [05:06]
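The decoy described above needs a ProjFS provider, which is not shown here. The following script is an added example, not Thinkst's code and not one of the eleven techniques from the talk; it builds the simpler form of the same tripwire from what a stock Windows host already has: an audit SACL on a planted decoy file, the Security log (event ID 4663 for object access), a scheduled task, and the Application log as the alert sink. The decoy path, task name, event source and event ID are assumptions chosen for the example. It must run elevated on Windows 10 / Server 2016 or later.

```powershell
<#
  Added example (not from Thinkst's defending-off-the-land repository).
  Usage:
    .\Decoy-Tripwire.ps1          # one-time setup: decoy, audit policy, SACL, task
    .\Decoy-Tripwire.ps1 -Check   # what the scheduled task runs every 5 minutes
#>
param([switch]$Check)

$Decoy    = 'C:\Finance\Q4-Payroll-Export.xlsx'   # hypothetical decoy; content is irrelevant
$TaskName = 'DecoyWatch'                           # hypothetical task name
$Source   = 'DecoyWatch'                           # hypothetical Application-log event source
$Interval = New-TimeSpan -Minutes 5

# Return one object per 4663 (object access) event that names the decoy.
# 4663 property order: 1=SubjectUserName 2=SubjectDomainName 6=ObjectName 11=ProcessName.
function Get-DecoyAccess {
    param([string]$Path, [datetime]$Since)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[6].Value -ieq $Path } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = '{0}\{1}' -f $_.Properties[2].Value, $_.Properties[1].Value
                Process = $_.Properties[11].Value
                Object  = $_.Properties[6].Value
            }
        }
}

if ($Check) {
    # Look back slightly more than one interval so a hit on the boundary is not missed;
    # an alert may therefore repeat once, which is preferable to silence.
    $since = (Get-Date) - $Interval - (New-TimeSpan -Seconds 30)
    foreach ($h in (Get-DecoyAccess -Path $Decoy -Since $since)) {
        $msg = 'Decoy file opened: {0} by {1} via {2} at {3:o}' -f $h.Object, $h.User, $h.Process, $h.Time
        Write-EventLog -LogName Application -Source $Source -EventId 4001 -EntryType Warning -Message $msg
    }
    return
}

# --- One-time setup ---------------------------------------------------------

# 1. Plant the decoy. A believable name matters more than the content.
New-Item -ItemType Directory -Path (Split-Path $Decoy) -Force | Out-Null
Set-Content -Path $Decoy -Value 'Confidential - do not distribute'

# 2. Enable the "File System" object-access audit subcategory; without it no 4663 is ever written.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 3. Audit SACL: log every successful read of the decoy by anyone.
#    Reading and writing SACLs needs SeSecurityPrivilege, hence the elevated prompt.
$acl  = Get-Acl -Path $Decoy -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone', 'ReadData', 'None', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $Decoy -AclObject $acl

# 4. Register the alert sink once; New-EventLog fails if the source already exists.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

# 5. Re-run this same script with -Check from a SYSTEM scheduled task every $Interval.
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument ('-NoProfile -ExecutionPolicy Bypass -File "{0}" -Check' -f $PSCommandPath)
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval $Interval -RepetitionDuration (New-TimeSpan -Days 3650)
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -User 'SYSTEM' -RunLevel Highest -Force | Out-Null

"Decoy planted at $Decoy; task '$TaskName' checks the Security log every $($Interval.TotalMinutes) minutes."
```

Two caveats a practitioner will hit. First, benign processes open files too: the Windows Search indexer, backup agents and the admin who planted the decoy will all produce 4663 events, so either exclude their process names in Get-DecoyAccess or place the decoy where nothing legitimate browses. Second, this is a tripwire for hosts with no EDR, not a substitute for one: an attacker with local administrator rights can disable the audit policy or clear the Security log, so the alert sink should be forwarded off-host (Windows Event Forwarding, a syslog agent, or a canary token hit in place of Write-EventLog) rather than left on the machine being watched.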
While these techniques are powerful, Marco acknowledges that they require a certain level of expertise:
"These are techniques for competent sysadmins to use to expand on their own detection mechanisms... this is for a little bit more advanced teams in terms of their capabilities."
— Marco Slaviero, [08:14]
Thinkst publishes the scripts and write-ups on its GitHub, so skilled sysadmins can pick the techniques that fit their environment and adapt them. The complexity of some of them means they suit teams that already know Windows administration well rather than those deploying their first monitoring.
Marco describes how Thinkst decides which techniques to build, starting from what attackers actually do:
"If we don't know what attackers are currently doing, like, we're going to miss them."
— Marco Slaviero, [10:46]
Key sources are The DFIR Report's intrusion write-ups, which the team walks through step by step asking what a local technique could have revealed at each stage, and Thinkst's own bibliographic database of security publications, Citation. Marco cautions that bleeding-edge research does not always map to what threat actors do in practice, so the published techniques are checked against observed intrusions rather than against research alone. The starting premise was hosts with no EDR at all, not a feature-by-feature comparison with any particular product.
Following the Black Hat Europe presentation, the techniques drew interest, most of it around the IDP canary token, which is also the easiest to deploy. Marco expresses satisfaction with even modest adoption:
"If we've explained that to somebody who's now picked that thing up, I'd consider this thing a win."
— Marco Slaviero, [13:22]
Of the eleven, only the IDP canary token is likely to reach Thinkst's commercial product; the rest, such as the ProjFS decoys, are meant to be picked up and used directly by sysadmins.
The interview gives a clear picture of "Defending off the Land": use the tools and configuration surfaces a host already has to detect and deceive attackers on the assets where no security product can be installed. Thinkst's research-driven approach targets the visibility gap in large and complex networks and gives capable sysadmins a library of ideas for closing it.
Notable Quotes:
Marco Slaviero on Canary Tokens:
"You might place API keys on a host where you can't actually install software... to detect that somebody's actually been on that particular host."
[00:50]
Discussion on Defending off the Land Approach:
"If we look at what's already present on a machine, what can we use to then build detection mechanisms?"
[00:50]
On Research Versus Product Development:
"We don't see this as a product that we're trying to push to people."
[03:59]
Regarding Advanced Techniques for Competent Sysadmins:
"These are techniques for competent sysadmins to use to expand on their own detection mechanisms... this is for a little bit more advanced teams in terms of their capabilities."
[08:14]
This summary covers the key points of the interview and Thinkst's approach to "Defending off the Land." For defenders looking to extend detection to hosts that cannot take new software, Marco Slaviero's account offers practical, research-backed techniques.