VideoBytes: Offensive security tools and the bad guys that use them

Hello Folks!  In this Videobyte, we’re talking about what penetration testing tools malware gangs love to use and why they are better than what you can get on the black market.

This article describes the VirusBulletin talk of a security researcher from Interzer Labs, Paul Litvak, in which he discusses his effort to identify how often offensive security tools (like Mimikatz) are used by criminal threat actors.

His findings showed an alarming trend, and his observations boiled down to a theory that criminals are reducing their overhead by utilizing (sometimes freely available) offensive security tools, meant to identify weaknesses for network penetration testers, to do much of the heavy lifting they need to infiltrate networks.

For example, in many cases tools used for lateral movement, initial infection and remote access were all created by security researchers. At the same time, tools for information gathering, which are much better in black-hat groups than those used by penetration testers, tended to be more customized for the criminal user.

Another interesting observation was that for tools which had a greater amount of technical complexity to use, the tool was used less often by attackers. Meaning that introducing greater complexity into the use of these tools, may act as a deterrent for some criminals.

Alternatively, developers of these tools should also utilize unique identifiers (symbols, characters, data chunks in the code) to make them easier to identify by scanners.

Either way, the discussion between whether Offensive Security Tools help or hurt more will continue, but this study certainly gives one point toward those who would prefer these tools be better protected.