Security Tools: First, They’re Good, Then They’re Bad
Having explored the dual life of AI and its growing prowess in social engineering in a previous post, I was intrigued by a blog penned by Lawrence Pingree that more broadly discusses the duality of cybersecurity tools.
In “When Good Tools Go Bad: Dual-Use in Cybersecurity,” Pingree, a vice president at Dispersive, writes that it is imperative that cyber-defenders understand how the tools intended to protect digital goings-on can be pressed into action by malicious actors to execute cyberattacks. “In the right hands, it defends; in the wrong hands, it attacks,” he says, explaining that some security tools are particularly vulnerable to living a double life because they are inherently versatile.
Often, at the heart of the problem is an organization’s failure to properly secure the consoles to tools. “Since many of the tools are cloud administered and largely all companies have not focused on properly guarding their sensitive, critical IT consoles from production Active Directory (and other identity planes) and restricted access to specific networks and devices, these consoles are commonly accessed and leveraged to orchestrate legitimate security,” says John Anthony Smith, Founder and CISO at Fenix24. “Tooling for malicious and destructive acts — EDR, for example, has intensive, deep access to the machines on which it is deployed. Similarly, penetration tooling downloads, execution and usage are not prevented, monitored and/or blocked in most organizations.”
When I asked Pingree which tools were the most vulnerable to crossing over to the dark side, he pointed out that “a lot of the priority of the tool on the threat actor side, is based on the stage of attack they are in.” The most critical stages are reconnaissance and exploitation, though “all could be argued almost to be equal,” he says. “But tools that do enumeration/discovery/scanning and penetration testing are often the most valuable to attackers” since they “instrument exploits, and make it easier to execute attacks.”
Tools That Create a Big Impact
Putting those categories into phases leads to greater success for defenders and attackers alike. “Combining AI, for example, with penetration testing enables the tool to self-diagnose, plan, step through stages,and select and execute the right exploits. So those tools tend to create a big impact,” Pingree says. AI is an accelerant for both sides.
A close second in his view is combining encryption and obfuscation, “since these are easily re-usable to defend as well as do offense,” he adds. “But the difference is on the defense, these capabilities can serve as stronger preventative measures — introducing randomization against the backdrop of automated predictive modeling and generative AI modeling will become mandatory.”
Pingree sees “a race condition between AI and defender coming. AI tools will hyper-power exploitation because you can just execute commands with only a cursory knowledge of attack stages.” Defenders, then, must focus on prevention.
To curb security tools’ darker tendencies, he suggests security teams do the following:
- Refocus on best of breed again, stop chasing shiny platforms that promise all. Focus on uplifting prevention measures, trying new concepts here will net significant long-term breach benefits. Detection and response is a fallback position.
- Strongly consider zero-trust enclaves to protect data sovereignty and compliance, particularly for sensitive data pools. Dispersing payloads via splitting and deflection, and cloud geo-fencing can create a zero-trust network enclave that’s sovereign. It’s accomplished by distributing and delivering data across geographically bound locations in the cloud, which isolates sensitive data and enforces access controls.
- The same can be done for cloud native applications – micro-segmenting enclaves by adjusting network paths and routing in real-time, which enables adaptable security for microservices and containers. This also works for edge, IOT and OT workloads.
Organizations shouldn’t forget about thwarting duality when it comes to physical security often included in cybersecurity assessments. “Businesses should ensure that their electronic badge systems are not susceptible to such attacks,” says Venky Raju, Field CTO at ColorTokens, Inc.
He also points to SPAN ports that “were designed to allow network administrators to monitor traffic by plugging a monitoring device into a single switch port and receiving a copy of the traffic on other ports.” Malicious insiders, though, can “abuse unused SPAN ports by connecting a rogue device that filters and sends traffic to the adversary over a cellular link” or “exploit a vulnerability and hack the switch,” Raju says. “Network and security administrators should consider alternative technologies like network taps immune to these attacks.”
Still, he says, security teams should place the highest priority on “Living Off The Land (LOTL) attack vectors,” noting that “adversaries have abused several essential system utilities and application binaries to conduct reconnaissance, privilege escalation, command-and-control and other attacks.”
Ultimately, though, security teams cannot afford to assume a lackadaisical posture when it comes to tool duality. They must put a premium on ensuring tools are used as intended for defense.
“The strategic significance of recognizing dual-use capabilities in cybersecurity cannot be overstated,” writes Pingree. “It requires a nuanced understanding of both offensive and defensive perspectives to effectively protect digital assets and mitigate the risks posed by increasingly sophisticated cyber threats.”
