Today’s adversaries go to great lengths to blend into the background and keep their attacks hidden for as long as possible. One of the common ways they try to prevent getting caught is through a tactic called defense evasion.
Defense evasion can be thought of as a broad church. Preached at this midnight mass are the techniques that threat actors deploy to stay under the security radar during their malicious campaigns. I also like MITRE ATT&CK’s straight-shooting definition of defense evasion: “The adversary is trying to avoid being detected.”
There is much to explore with defense evasion as an attack tactic (which we’ll dive into in future blogs). For the purposes of this quick introduction, we’ll focus on what defense evasion is and why it’s important to understand how it’s used among adversaries.
Defense Evasion as a Concept
Within our church of defense evasion, we can find the obvious attendees that sit on the front pews. These are the subtle forms of defense evasion, such as finding legitimate functionality that can be turned against itself. This could include the elegant methods of undermining the various user-land to kernel-land listeners that security solutions rely on, or deploying ‘file-less’ malware that operates in-memory and never touches disk, allowing a threat actor to go into ‘ghost mode’. As for the less subtle forms of defense evasion, we see the simple turning security solutions off when bad actors make it to an endpoint, or brute-forcing the security solution with mutations of malware until they eventually find a variation that can bypass the defenses.
But sitting at the back of this sermon, we find defense evasion techniques that are perhaps not usually categorized as such, as they are a hybrid of technical evasion and cognitive circumnavigation. By this I mean, there are threat actors who don’t just want to bypass your EDR, AV and SOC, they want to bypass the psychological safeguards you have internally. They find ingenious methods to masquerade their maliciously-controlled websites as sites you are familiar with and use often. They send messages about packages you were expecting, messages using syntax and language as though they were authentic services. Perhaps the adversary enrolls you in their cunning plan, assigning you the unwitting task of providing them initial access over the usual outer perimeter defenses.
And this kind of psychological evasion includes users, but it also includes security researchers too.
On occasion, hackers attempt to lower our guards by reaching out and pretending to be part of the information security community. In other instances, they author their adversarial software to behave innocently under forensic examination, or they frustrate the reverse engineering processes by including a ridiculous number of layers that we must unravel (a topic my colleague John Hammond enjoys discussing).
Techniques like timestomping (where attackers manually set a file date to blend in and manipulate technical defenses) for sure, but I also think we should call out that timestomping seeks to manipulate the investigator’s heuristic bias too. I’ll admit, I have offhandedly said “this file is from 2011 and is therefore not a present threat” and later delved in deeper to find that the file was in fact recently malicious!
The point here is that the evasion techniques that sit down for Sunday sermon are an eclectic bunch; a mixture of technical tradecraft and psychological manipulation. Adversaries do not attempt to subvert security controls alone, they also seek to subvert users and security personnel in their campaigns.
We can't help but feel a perception of asymmetry on the cyber battlefield today.
Some believe it is weighted in favor of the threat actor. If you think about it, there are a plethora of fantastic resources advising red teams on multiple techniques to bypass defenses, so it’s easy for blue teams to feel like that perception of asymmetry is true.
To paraphrase my dear colleague Matthew Brennan in his recent blog on evasion, the blue team controls the network; they have access to multiple layers of telemetry, nuanced detections and rules that can alert on behavior, and most importantly the blue team is more handsome (it’s true, I did the science). In later articles, we’ll take a more granular look at the layers of defense the blue team can deploy to catch and thwart adversarial evasion.
But for this introduction article, it’s worth justifying that the blue team should have an intimate understanding of their opponent's tradecraft. By understanding defense evasion techniques, defenders can better harden their arsenal of traps and detections against those who try to fly under the radar. And offensive security research propels defenders to be better, to match their creativity with our own creative rebuttals. Florian Roth embodies this best with his reactive Sigma rules to novel tradecraft.
What Does the Future Hold for Defense Evasion?
The future of defense evasion is fascinating to think about.
Personally, I’ve noticed a trend in offensive security research that is bringing defense evasion closer and closer to kernel-land. I find this intriguing, as it means defenders may have to dust off their CompSci 101 books and remind themselves about the kernel-land to user-land relationship that computers are all about. When I see threat actors deploying techniques that undermine Event Tracing for Windows (ETW), a staple source of telemetry for many security solutions, or when I see research on manipulating syscalls, I feel like year after year we are seeing research that skates tantalizingly close to the kernel of a computer.
I don’t know why I am so excited about this. After all, as a defender, I’ll be the one having to deal with and investigate these cases of defense evasion!
But as an infosec nerd, I am in awe of offensive security research that will break the staunch assumptions that the community have come to believe as referent objects; unshakeable truths.
I asked The Big Boss (Huntress co-founder John Ferrell) for his thoughts on the future of defense evasion:
"Based on what I have seen over the last six years in this SMB space, it seems that attackers use what works and until something really challenges them, they are not going to pivot to fancy techniques until they have to.
Attackers like to use what gets the job done. In recent years, we've seen an uptick in attackers living-off-the-land. Sometimes all it takes to slip past is to not stand out. Kernel-space tools can be difficult to develop and can crash the victim host, which will set off red flags if it happens too frequently. As such, these are often reserved for high-value targets that may warrant long-term access.
No need to use your “expensive” tools when you can get someone with admin creds to click your email."
• • •
Just in case you’ve enjoyed the philosophizing on defense evasion so far, I’d like to tease what’s coming up.
Defense evasion is a topic that deserves serious attention, so we’ll be serializing it with future blogs that will delve into some defense evasion techniques that we have investigated and we think are pretty cool. I’ll bring some friends along for the ride and get their insight and thoughts on the cases they worked on. And who knows, maybe by the end of it we’ll even try to sneak some offensive security research in.
Ready for part two? Read it here.