The Hacker Mind Podcast: LoL

Living off the Land (LoL) is an attack where files already on your machine, ie your operating system, are used against you. They would be undetectable, right? 

Kyle Hanslovan CEO of Huntress Labs joins The Hacker Mind to discuss recent LoL attacks, specifically the Microsoft Follina attack and the Kaseya ransomware attack, and how important it is for small and medium sized businesses to start using enterprise grade security, given the evolving nature of these attacks. 

Vamosi: Whenever there's a data breach, a ransomware attack, large security event in general, I would like to learn something about how it happened. You know, peel back the onion to see what steps were used in the exploit chain. To see all the cool ways an attacker evaded detection in a system. One of the more clever techniques is to hide in plain sight. Consider something called steganography. This is the practice of concealing messages or information in non secret texts or data, such as an image. If you think about it, an image file format has a lot of unused space. If you look at the specs for say a JPEG, there's a lot of space in the file that is typically not used. And even if it's all used, there are ways to change the colors and the pixels so that the human eye can't really see the difference. But a machine like this becomes an opportunity for someone to fill that space with other code or messages. Think of it as a Trojan horse. Unless you're specifically looking for messages within images. They're typically hard to find. In a 2010 academic paper, researchers found that the Xbox gaming system among others, enabled gangs and terrorist organizations to communicate also found that defendants sentenced to house arrest particularly sex offenders, who were often prohibited from using a computer to access the internet still had access to the gaming consoles, and therefore regrettably, still having the capability of training elicit photos over the internet. So I started thinking about other ways to hide messages or even how to get malware onto a system without it being detected. What if you hid in plain sight by using the files already on your computer? Like all the unused files within your operating system? They'd be allowed, right? In a few moments. I'll talk to somebody which shows us how it can be done

[Music]

Vamosi: Welcome to the hacker mind and original podcast from for all secure. It's about challenging our expectations about the people who hack for a living. I'm Robert Vamosi. And in this episode, I'm talking about living off the land or fireless malware, specifically looking at Felina Microsoft Office attack the cocea ransomware attack and how important it is today for small and medium sized businesses to have enterprise grade security, given the nature of these attacks.

[Music}

Vamosi: For about a decade,  I wrote for Forbes.com. And, while I was there, I got to interview Katie Moussouris a few times, Katie Nickels once , and a lot of people not named Katie. One Forbes.com interview stayed with me so when I saw that person at RSAC this year, well, I figured it was a good opportunity for the two of us to catch up. 

Hanslovan:  Kyle Hanslovan CEO and Huntress.

Vamosi: So a lot has happened in the world in the last two years. And a lot has happened with Kyle's company.

Hanslovan: Yeah, yeah. You know, what's exciting for us is we started this business that when we came from NSA and said you know what, there is a large, unaddressed market that doesn't have access to expertise. So we built a managed security platform that's laser focused on delivering that expertise and simplicity at a cost the market could actually afford and that's a pretty rewarding situation. You know, we're now over 200 employees, protecting about 70,000 businesses, so I'm feeling really good from the last time we talked.

Vamosi: One thing you'll notice is that while Kyle founded the company, it's called Huntress and its logo is that of a woman. There's a good story behind it. About how the company got its name. 

Hanslovan: So most people asked me all the way down to Huntress, why does she have logos and no offense? There's a lot of hyper masculine companies down there. I won't pick on any here, but think about it name your first cybersecurity company. Maybe I'll pick on one CrowdStrike you know, it's just a bit masculine and even though we're all three male founders, I've got daughters and I said you know what, we can be a tad bit more inclusive, all the way down to her eyelashes. And so yeah, we hunt. We hunt with a little bit of you know, XC sexy flair, and that's what the hunters is all about. 

[Music]

Vamosi: Living off the land or fireless malware is a threat actor leveraging the utilities readily available on a system. These could be in the operating system, or it could be a third party that's been added. It's a sneaky way to exploit a system without any of the existing preventative tools.

Hanslovan: What's wild is most folks are still just grasping with the concept that malware isn't always something shady that people bring to computers sometimes it's how do you use the basic features built into the computer to do bad things, hence living off the land. My favorite one recently we've seen over and over as hackers have just almost completely stopped bringing their own exfiltration tools are seeing more and more like OneDrive or Dropbox or all these built in tools, Why carry some tool to exfiltrate data out when you could just live off the land and use those tools to exfiltrate for you. It's fun.

Vamosi: So it's a matter of looking through the OS and finding old utilities, things that were left there from previous versions for backward compatibility. Now, as the attacker, you don't have to bring anything to the system. The system has already given you the tools that you need.

Hanslovan: So we noticed it was a trend like all things cat and mouse base and hackers were really getting ticked off that their malicious payloads were getting caught by the antivirus. So we noticed the evolution was well you can't catch my new shady code if I don't bring some shady code with me. So it was almost out of necessity rather that they said you know what? I have all the abilities built into Windows or built into Linux or Mac to do this for me. Why don't I use the trusted ones that I'll get by antivirus. And that was kind of the beginning of what we saw.

Vamosi: Perhaps Kyle can give us an example of how this works in the real world.

Hanslovan: Yeah, there's a lot and I'm going to start simple if we need to, we can dive in. My favorite example of how this works is it's not always additive, meaning they need to bring in their own complex payloads. Sometimes, for instance, if you already have like PowerShell a built in component to the operating system, you don't need to carry anything with you. You bring your own PowerShell script or code but that's no exe. That's no DLL and you just run it and that's maybe the simplest version most IT folks can understand. Then there's the more sophisticated attack, one that hides within legitimate programs by the virtue of adding DLL files that can call out to a malicious payload, but you didn't nail it. Sometimes it can be really complex DLLs and they call that hijacking or DLL hijacking and what they'll do is they'll use a legitimate program that depends on a library, bring their malicious library with them and it gets sometimes side loaded. So that means trusted application runs its side loads this less trustworthy DLL and that's often a way to be able to get around some heuristics or behavior based detection

Vamosi:  Then there’s the more sophisticated attack, one that hides within legitimate programs by virtue of adding DLLs that call out for malicious payloads

Hanslovan: But you didn't nail it. Sometimes it can be really complex DLLs and they call that hijacking or DLL hijacking. And what they'll do is they'll use a legitimate program that depends on the library, bring malicious libraries with them, they get something sideways. So that means trusted application runs instead loads this less trustworthy DLL and that's often a way to be able to get around some heuristics for behavior based detection.

Vamosi: In a sideloading attack, an attacker places a spoofed malicious DLL file in a Windows’ directory so that the operating system loads it instead of the legitimate file.

Hanslovan: So we often see hackers when they're trying to do this sideloading or living off the land twofold. It really depends what problem we're trying to solve. Most often we see this on initial infection, when they get in, that's when they're under the most scrutiny and so it'll be when the operating system is running. They can do this. But if you think about persistence, that's an idea for long term access and becoming unprotected. It's really nice to say, You know what, you're gonna catch me if I use the typical persistence mechanisms. So why don't I do some side look why don't I use these legitimate tools so comes up in loads of applications, you know, kindly low mine hours 

[Music]

Vamosi: What makes Kyle’s story compelling is that Kyle used to work for a three-letter agency. He used to think like this--how can I get on someone’s box without them knowing. So it's the perspective that he brings to the commercial world. 

Hanslovan: Yeah, so my background was in offensive cyber operations. I worked at NSA both as a contractor and in the military for about 15 years, building those implants, building these exploits to do some of these attacks that we are currently talking about..

Vamosi: So it's interesting. Kyle was doing this for the government, doing this for the good of a nation. And yet, here are our attackers doing the same thing. It's kind of interesting how the thought process proceeded. Both of these parties arrived at the same conclusion. 

Hanslovan: It was a synthesis, right? We needed it for our own long term persistent access. If you imagine a counterterrorism threat. You want to make sure that you're there no matter what they do with their laptop or computer and cyber criminals started adapting the same they said, You know what I want to collect your credit card whenever I want to gather your data whenever so you're exactly right of this technique transformed and now it's part of everyday cybercrime.

Vamosi: Okay, raise of hands out there? Before this podcast, had you heard about Living off the Land Binaries or LolBins? If so, congrats. If not, keep listening. These are fairly clever attacks.

Hanslovan: Okay, raise your hands out there before this podcast. Have you ever heard of living off the land binaries or low bins? If so, congratulate yourself, If not, keep listening. He's a fairly clever attacker, unfortunately, living off the land, persistence side loading. These are ones that I would call off the shelf. 

Vamosi:  It's funny when he phrases it that way, that it's off the shelf, that it's so standard that you don't even have to think about it. It sort of lowers the bar as to who might actually be using it.

Hanslovan:  A lot of even the publicly available penetration testing or attack simulation tools have these now built in natively. Don't get me wrong, some hackers use much more sexy and sophisticated attacks and versions of these, but the premise has now become part of just the everyday playbook. 

Vamosi: So like anything, there's degrees of low bans, there's off the shelf, and there's still that hidden nation state, super sophisticated level as well.

Hanslovan: And it's going to depend on how good they're at evasion. So for the low level using PowerShell anybody can do it any script kitty any basic it practitioner could do some of this and be able to use these built in tools. However it starts escalating into you know what, I don't want to get caught because security tooling has gotten better at looking at these malicious techniques. Even Windows Microsoft has added techniques for looking at living off the lands like in their built-in defender and so as a result, they've almost forced hackers to level up their game. So we even see like mid level to far complex, you know, abusing built in tools that we never knew. 

Vamosi: And recently we’ve started to see some of these attacks in the news.

Hanslovan: So we can see like complex using just using building features within Microsoft Office it was called the Follina attack.

Vamosi: Here’s Network Chuck explaining at a high level the Follina attack in Microsoft office.

Network Chuck:  Let's say I receive an email, a phishing email. And inside that email is a harmless looking word document that of course I have to download, but as you may have guessed, this is not any normal word document you see when I open this thing first, okay. It's blank, nothing there, but then they get this strange popup, this troubleshooting message. Now remember this thing, it's the key. We'll come back to it here in a bit. Now, while this thing is running, something else is happening. I'm not aware of it. You see the hacker. He already has me. At this point. He has a reverse shell to my system. He has control of my system and I have no idea what's going on. I'm just sitting here, sipping coffee, trying to wake up. So clearly something happened here and it had something to do with that word document and Microsoft word. But it's not what you think because typically in Microsoft office hacking scenarios, it comes down to macros. Macros are fantastic. There's scripts that allow you to automate a lot of the tasks in Microsoft office. And of course, hackers use that to do nefarious things, but by default, in most situations, macros are disabled. And that's what makes this hack. So interesting. Hackers found another way, another path that a path that is still unblocked, it all comes down to this thing right here, the Microsoft support diagnostic tool or MSD T for short, for some reason, this tool, which is meant to help you troubleshoot issues. When you, when it's invo, when it's run, it allows you to run commands. And when I say you, I mean the attacker, the hacker.   

Vamosi. Here’s Huntress Lab’s John Hammond, who I interviewed in Episode 13 about Capture the Flag competitions,  with more technical nuance on this attack.

Hammond: Let’s start with with background on how the security community learned of this. On May 27. There was a tweet shared by now SEC or nao underscore sec, a security researcher that was looking around in virus total for different attack vectors in targeting CVE 2021 40444 which was a previous vulnerability that would take advantage of the M HTML protocol shenanigans stuff targeting Microsoft Office documents that couldn't be used for initial access or remote code execution with just a simple Office document. What we're talking about now is a separate vulnerability but very, very similar in any way. This individual found some interesting document that was using an external reference inside of the Microsoft Word document that would call out to an external HTML file. And that HTML file would stage and load code to be ran sort of through the msdt protocol or file schema handler now msdt Is the Microsoft support diagnostics tool using special parameters or some specific syntax and semantics to be able to invoke PowerShell code through this was novel and interesting and weird and not something that I think the security community has been tracking before. So within a few days other security researchers like Kevin Beaumont, Jake Williams, amongst others started to share this information and kind of suggest to others Hey, we should be looking at this because this can be pretty dangerous. It's sort of a rerun of CVE 2021 40444. But very different in that hey, it's not patched right now. This is being exploited in the wild. Granted I think I'm only aware of hate that one malicious sample, but it's not too far-fetched to think that we're going to see a lot of this maybe in the coming days. 

Vamosi:  The thing is that the Folina attack has been there for a while. If someone had figured this out a few years ago, they could have been using it all this time, you know, living off the land until the research community got it and realized how it could be weaponized.

Hanslovan: This is using nothing more than built in features in the operating system within Office to load and run malicious payloads downloaded from the internet. But as of a week ago, no one had really even known about that in the security research community. So that's a great example of what it looks like at the low level and obviously people ratcheted up to the high level to get past you know, defenders and threat hunters.

[MUSIC]

Vamosi: As mentioned, there are two ways to do living off the land attacks. One is to use the native operating system files, and the other is to use files of a common third party application. Within the OS part of the problem is that large enterprises have unique requirements that sometimes causes operating systems like Microsoft Windows, or platforms like Microsoft Office to retain legacy utilities, services and features long past when they should. As such when the operating system releases a new version each year. That discontinued old versions like Windows NT out there have ghosts within those modern operating systems.

Hanslovan   Yeah, so most often we typically see it in operating system files and the reason for it is you can depend on them. Microsoft, we're using them as the example in windows they love their backwards compatibility. So if you find a good Walden or living off the land binary, you can almost count on that sucker having backwards compatibility to Windows 2000.

Vamosi: In order to cater to large enterprises, which are sometimes slow to move to newer versions of the software. Microsoft, for example, has to maintain its backward compatibility. I mean, organizations have invested time and money integrating their systems with others and you remove a service Ufa feature, you'll find that you'll hear from those large organizations pretty quickly. So it's a devil's bargain. Keep the old utilities around long after the original operating system. It came with has been discontinued or simply discontinue the service feature altogether. Then again, there's probably not many services or features in the native operating system left for bad guys to plunder, 

Hanslovan   sometimes slim pickins a lot of the common ones had been found. So hackers have sometimes started moving to more esoteric examples, like I previously mentioned with Felina. Or in some cases, they're looking at third party commonly used apps. Think about does chrome have a capability does for instance, in FTP software have a capability? Could they use some of these even teams, teams is often used right for chat and communicating are sometimes seen teams being used for sending malicious files exfiltrating malicious files communicating lateral movement, and that's a good example of where the hacker said, You know what, in this limited case, I'm going to use a third party app or something that's not a native operating system 

Vamosi: So I'm wondering are there particular industries that are targeted by these types of attacks?

Hanslovan When it comes to initial access? We generally see attackers or threat actors use these Regardless of industry. However, there are cases that you start seeing much more tailored approaches like when you start getting into into industrial control systems, it gets a little bit better to masquerade your attack as some of the commonly used applications. So we sometimes see the low bins being tailored more towards the target environment when the attacks are again, more targeted. So I think you get a little of both, you know, no need if you're just spraying and pray and going after the average, you know, if you're going after my mother, you don't need to use the sophisticated techniques on her. You're going after something more sensitive, like maybe industrial control systems, you might want to hide a little bit lower and so you would tailor that to use some of the applications more commonly used. 

Vamosi: So are LolBins  better suited for espionage, or is there reason to use them for monetary gain? 

Hanslovan: I think it could be both a good example in espionage would be I don't want to get caught. I want to use an esoteric, maybe third party application to either load my application or maybe even just not get caught running or hiding however, we've seen like point of sale systems. You know, if you think about that, that's not really used by a nation state actor that's used by somebody is looking for monetary gain. And sometimes we'll see them use the actual point of sale system software, where it's, you know, processing the credit cards, though, use that own software to export the credit cards or dump the credit cards for them to be able to gain and use for financial value and financial gain. So good tactic it can be deployed both ways cybercrime and more traditional espionage. 

[MUSIC]

Vamosi: This is smart. If you're going to have a supply chain attack, how might you get your attack to spread quickly? Well, managed service providers have access to 1000s of computers worldwide. So if you attack the MSP, then you gain access and you can attack all their customers. Multiplying the number of systems infected just a few short hours

Hanslovan: Yeah, a good example of this like when hunters found the Kaseya incident vas, you know back in last July

Vamosi: Kaseya is one of the major MSPs and the company produces a product called VSA, a unified remote monitoring management tool. Here's the CEO Fred Voccola

Voccola:  On Friday July 2, around about two o'clock in the afternoon, Eastern Standard Time. We had received some reports of suspicious things happening. We didn't know if it was an attack. We weren't quite sure exactly what it was. But as third parties, the community, our own monitoring customers, we started noticing some strange behaviors. Within an hour, we immediately shut down VSA, our cyber defense playbook states very clearly. The first thing to do is to protect and make sure anything that's potentially dangerous. Doesn't have a chance to harm multiple parties. So within an hour of the first indication of a potential issue, we shut down VSV. That decision was easy to make because we were following a playbook but it was very painful for a lot of our customers. The results of this attack by these cyber criminals have yielded the following impact.  IT complete, the Kasaya platform, has 27 modules. It only reached approximately 50 of our RMM module customers. The attack was managed very well by several different areas. The modular nature of Kasaya security architecture will prevent the attack from hindering any modules other than VSA, the rapid response team of Kasaya as well as the tremendous and immediate support of Homeland Security. They have an incredibly sophisticated cyber capability, which they engage with immediately. The Federal Bureau of Investigation the FBI, so Homeland and the FBI, in conjunction with significant support from the White House and the direction of the White House to make sure that Kaseya because say as partners, both our customers, as well as a lot of our external partners that we engaged with immediately to address this issue, and all the resources that are available. 

Hunters notice the ransomware on about 30 of their MSPs that they manage and find the ransomware used in authentication bypass vulnerability and like the Kaseya SaaS system. It also dropped an unexpected file, an outdated and expired version of Microsoft's anti-malware service executable, into the affected systems. Here's Huntress John Hammond, again, discussing with Katie Nickels the discovery of Cassia in the summer of 2021. 

Nickles:I'm kind of curious, you know, Hunteress was on this really early on and had these awesome Reddit posts like what was this like at the beginning when you all first discovered this? What did you think was going on and how did you sort of figure out because I know when we first saw it we were like is because SEO popped like what's going on here?

Hammond: Yeah, absolutely. So we started to get reports around around 11 o'clock, I think on the Friday, July 2, so just before the holiday weekend, we worked in sort of the MSP channel and that vertical there and working with other partners with other folks in the community, and some had reached out I think there were two or three initially that said, we just got hit with ransomware across not only our organization from the MSP, but all of our downstream organizations and businesses that they support that they provide IT services for. We thought that was super weird because okay, if we're seeing multiple organizations be compromised with ransomware all within the span of like a half hour, something has to be up. And really the commonality that we saw between that handful and then as a number of zoom through all of these organizations were using the Casaya VSA software and VSA is a remote monitoring or managing programs RMM solution. That is what you use to push updates or support and maintenance and maintenance on those downstream organizations. That was really kind of the attack vector and a weird procedural supply chain attack. I think we've kind of correlated this with other supply chain, really normally talking about the technical stack, like a CI CD thing, an actual update. This was not an update. It was a legitimate vulnerability that could compromise that RMM utility and then hit down through VSA to MSP to SMD. And that end of the tree there.

Vamosi: So someone broke into Kaseya, a very large MSP and by virtue of it being an MSP, they were able to break into their customers, in this case, about 800 to 1500 of the companies out of the total 800,000 to a million total customers. Maybe it's a small number that were affected, but if you're affected, you're affected.

Hanslovan: We were that first phone call to Kaseya. And that's kind of a good example of living off the land. Notice that's not a third party software. And for those that don't know, Kaseya is a remote monitoring or endpoint management software. And if you think endpoint management can install software on all of the computers that a managed service provider manages. So Huntress is deployed to all their customers, all the endpoints, and we look and it can be any vendor. It doesn't have to be just us. And the whole goal is when we see something being used, like the RMM was abused, exploited and used to actually push ransomware. That's a perfect example. Of that supply chain where the MSP was used. They abused the legitimate living off the land software, the remote management software, and they use that built in functionality usually meant for pushing patches to install ransomware a perfect example of this case. And yeah, as a result, you could imagine we have to warn our MSPs when something like that happens. 

Vamosi: Fortunately, the US government leaned in on this investigation, and by November 6 2021, the Attorney General for the United States Merrick Garland had this to say.

Garland:  Today, we are announcing that we are bringing to justice an alleged perpetrator of a significant wide reaching ransomware attack. On July 2, the multinational information software company because SE and its customers were attacked by one of the most prolific strains of ransomware known as our evil or soda no QB today are evil ransomware has been deployed on approximately 175,000 computers worldwide, with at least $200 million paid in ransom as a result of the Kaseya attack, businesses that relied on Kaseya services across the United States and around the world were impacted. Six weeks later, on August 11. The Justice Department indicted Yaroslav Basinski, also known by the online moniker Robotnik. The indictment, which was previously under seal charges him with conspiring to commit intentional damage to protected computers and to extort in relation to that damage, causing intentional damage to protected computers and conspiring to commit money laundering. indictment charges that Basinski and co-conspirators authorized authored are evil software installed on victims computers, resulting in encryption of the victors victims data including in the July 2 attack, demand and ransomware payments from those victims and then laundered those payments. Two months after the indictment on October 8. Kaczynski cross the border from Ukraine into Poland. There upon our request, the Polish authorities arrested him pursuant to provisional arrest warrant. We have now requested that he be extradited from Poland to the United States pursuant to the extradition treaty between our countries.

Vamosi: The main takeaway I think, is that now small and medium sized businesses are being targeted, and they're being targeted perhaps as much as the larger enterprises. 

Hanslovan: I always think sometimes the most mundane is also sometimes the most fun. For instance, in hacking we tend to use the phrase everything you know, old is new again. And so the things that are really exciting is within the mid market and below. We're starting to see hackers using more sophisticated attacks. We're seeing them the Cybercrime groups ramped things up, and for the very first time ever, those SMBs aren't just saying I need antivirus and a firewall. They're actually starting to learn a little bit and say, You know what, maybe I do need somebody that looks for an incident after it happens and even better, we're starting to get you know, some phrases like identity, what happens if they steal my credentials, get into my mail, and then move into another third party SAS app and I know that sounds mundane, but coming from you know, the last time we talked where that wasn't even in vocabulary, the word sim the word sock, XDR. They couldn't even tell you what this is. So these are like monumental growth in two years. Unfortunately, it's been provoked by hackers targeting them so

[Music]

Vamosi: managed service providers are hunters and sweet-spot MSPs provide a full range of security services to organizations too small to have their own IT departments. It's outsourced security.

Hanslovan: We've got a couple 1000 managed service providers and it turns out these days everybody wants to be an MSP. So last time we talked about VARs right value added resellers. They wouldn't call themselves MSP, but now they've got an MSP component. MSSPs are kind of a form of this. And so there's a lot of different people that call this but you're dead right. MSPs is our primary

Vamosi: Huntress grew out of VC that was focused entirely on the Mid Atlantic. Region. kind of unusual given that most companies come out of Silicon Valley.

Hanslovan: There's Yeah, there was at one time there was a kind of a startup accelerator they have out here Y Combinator was in Silicon Valley. We were part of a group called mk 37 and Mach 37 was a big deal for in the mid Atlantic for a long time. Nowadays, I think we might be one of three companies still surviving. So but it is nice to know that we're holding it down for the Mid Atlantic.

Vamosi:In fact, I first learned about hunters through March 37, the VC that was focused on startups in and around the Washington DC area. Often someone from the government has a great idea for a commercial product. But they have no idea how the commercial world even works much the way I really don't understand how government procurement cycles happen. 

Hanslovan: Yeah, I mean, it's pretty hard transitioning from government sales cycles to SAS so you having somebody to take you under their wing, and they benefited I think their return their, like 250x valuation on their investment with us. So I hope it was mutually beneficial.

Vamosi: And lately, Kyle's business has been good.

Hanslovan:  Yeah, for us us. The company's continued to grow. You know, last time we talked, we were 70 employees. We're now 200 What's neat for us is our ability to grow as a team is directly proportional with how many companies we're protecting. We're very agile, very lean. We are venture capital backed but we still have control over our company. So it's been one of those situations that despite the private markets, kind of collapsing and valuation. Hunters has had phenomenal growth. without having to sacrifice and take some of those dangerous terms that a lot of venture capitalists are talking about this week.

Vamosi: So we've talked about small and medium sized businesses. What exactly do we mean by that?

Hanslovan: The easiest way to describe it, it's 2000 employee companies all the way down to 20 employee companies and we tend to call that the mid market and below are the small and midsize businesses of the world.

Vamosi: So bringing this technology bringing the security down to this level. This is the same thing that we saw with firewalls that are now in every home.

Hanslovan:  You're right, you're exactly right. So that adoption has been pushed by the cat and mouse game. And so yes, the same adoption of hackers found new opportunities and as a result, they have driven new technology adoption. So in an odd way, vendors should thank them. It's that's a peculiar comment, but there is truth to it.

Vamosi: Mitigation and subsequent arrest of individuals behind Cassia attack is an example of the recent emergence of public private partnerships in the information security world.

Hanslovan: Yeah, so the National Security Council has been really great about pulling in all kinds of different public and private partnerships. Some of those were ransomware focus that we got to participate on. Others were more like when the Microsoft Exchange incident went down and being able to help remediate 90,000 worldwide companies with on prem exchange when Huntress was working that project and was calling we did six weeks of incident response to this. And thankfully, it was collaboration with us and other private groups, with the DOJ who they said, You know what, we're never going to get the mid market and below to patch these. And that was some of the collaboration that enabled DOJ to authorize the FBI to do an operation and remove the web shells for those businesses. That's massive collaboration that hadn't happened, you know, ever before this, so we're really thankful for that public private partnership.

Vamosi: So what about the emergence of public and private partnerships? What is it that gets Kyle the most excited? 

Hanslovan:  So probably the biggest thing for me that gets me excited is more and more people are realizing that enterprise cybersecurity is important. They're the biggest businesses in the world. But more often than not, people have traditionally forgotten that the SMB is 99% of the businesses in the US, for instance. And so for the first time ever, we started seeing more of the White House focus on new regulations, new disclosures and trying to improve what we would call security hygiene before the mid market and below. And that doesn't sound very important until for instance, you have a Colonial Pipeline situation where they're not an enterprise player. They're a mid market company that impacted quite a bit of the East Coast when it came to gas prices. So I'm pretty excited to see that you know, renewed focus coming from the top down. Historically, we haven't seen great cybersecurity legislation truly making a difference. So for me, it's a little bit biased, but I tend to get really excited when I start seeing people realizing there is this 99% that can impact all of us, and we're finally given it some attention.

Vamosi: So I conducted this interview in the hallways of RSA see 2022 What is Kyle seen that's interesting.

Hanslovan: So, awareness on industrial control. Systems is definitely here. Finally, it seems like we're rehashing a little bit of 2021 with the supply chain, you know, everybody's talking about solar winds. Some people talking about Casaya log for j is kind of one that caught me off guard of how long you know, we all knew the S word solar winds was a bad word when that happened, but log for j, it seemed like it took people months to figure out their software was used and abused. So I like that renewed focus, because that's a lot harder to find those type of attacks. But maybe the part that I'm enjoying the most is just everyone back at it realizing that, hey, we can be better together. We got to be safe out here and that's some of the morale I needed over the last year and a half. So I'm just excited to be here.

Vamosi: When I think about ICS I often think of embedded systems. So how does living off the land play in embedded systems?

Hanslovan: Yeah, so there's a lot of companies that focus on industrial control systems proper. What I mean by that is they tend to call them OT or other technology. Hundreds traditionally doesn't live on those embedded systems, but OT is almost always surrounded by it. So you can imagine that's a bit of a better together scenario. What's neat about those industrial control systems, is most people forget yes, there's big power companies, big water companies, but for every big one of those companies, there are dozens of these small rural municipalities that are powering entire counties. And so, you know, although we don't have a primary focus on the OT technology, great companies like Dracos are a great example of somebody who's just killing it. In that space. We often sit side by side, especially in the rural environments where let's be real. They don't have anything beyond a basic IT team and so that's been very fulfilling for me.

Vamosi: I'd like to thank Kyle Hans Leuven for making the time during RSA C, to talk with me about living off the land attacks in particular talking about Kalina and essayer. As Kyle said, These attacks are fairly off the shelf, which means that organizations shouldn't think that they're too small to be attacked. Rather, it's the large enterprises that continue to better their defenses. And it's now the small and medium sized businesses that are next in line. If you enjoy this podcast, tell friends, I bet there are others who like commercial free narrative information security podcasts. I have so many stories about hackers who are making a positive difference in the world. I don't want you to miss out. Let's get this conversation going. DM me @RobertVamosi on Twitter, or join me on Discord. You can find the deets at The Hacker Mind.com 

The Hacker Mind is brought to you every two weeks commercial free by ForAllSecure. 

For the hacker mind, I'm just another off the shelf living off the land attack, Robert Vamosi