Abusing “Accepted Risk” With 3rd Party Command and Control presented at Hackmiami 2017

by Jon Perez and Justin Warner

Summary: In mature networks, defenders stand guard with strong boundary defenses to protect users, detect adversaries and prevent compromise. Within those walls, however, exist gaping holes for seemingly innocent services, the less than ideal result of practical use. While some adversaries are stopped at the boundary, many threat actors have risen to the occasion with new capabilities that evade current defenses by using innocent 3rd party services as an obfuscation layer. This layer, made up of services like Dropbox, Google Apps, Twitter and more, has allowed actors to blend in with the "accepted risk" that so many organizations rubber-stamp. This talk will analyze the threat landscape surrounding 3rd party command-and-control vectors to show the tactics and techniques used in real-world malware samples. It will then demonstrate how simple these attacks can be to implement, with sample code snippets, demos of the techniques and possible detections. Using the techniques in this talk, red team members will be armed to replicate these threats and expose their blue team counterparts to methods in active use. Blue team members will be called to action and introduced to heuristic-based analysis of these malicious 3rd party activities.
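One of the heuristics the abstract alludes to is that an implant polling a dead drop on Dropbox, Google APIs or Twitter behaves very differently from a user: it checks in on a near-fixed interval with near-fixed request sizes, while real usage is bursty and irregular. The following detector is an added example written for this page, not code from the talk or its authors. It scores each (source, destination host) pair in proxy logs by the coefficient of variation of its inter-request gaps and request sizes and flags metronomic pairs. The log format (`timestamp src host bytes_out`), the log lines, the watched domain list and the thresholds are all constructed assumptions for the example.

```python
"""Beacon heuristic for 3rd party service C2 (added example, not from the talk).

Input: proxy records of the form "<ISO timestamp> <src IP> <dest host> <bytes out>".
Output: the (src, host) pairs whose request timing and size are suspiciously regular.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: only these service domains are in scope; extend for other
# "accepted risk" services the organization allows through the boundary.
WATCHED_SUFFIXES = (
    "dropboxapi.com",
    "dropbox.com",
    "googleapis.com",
    "twitter.com",
)


def is_watched(host: str) -> bool:
    """True if host is one of the watched services or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def parse_line(line: str):
    """Parse one constructed proxy record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, host, nbytes = parts
    try:
        return datetime.fromisoformat(ts), src, host, int(nbytes)
    except ValueError:
        return None


def _cv(values):
    """Coefficient of variation (pstdev / mean); inf when the mean is zero."""
    m = mean(values)
    return pstdev(values) / m if m > 0 else float("inf")


def find_beacons(lines, min_requests=6, max_cv=0.15):
    """Return {(src, host): summary} for pairs that look like periodic polling.

    A pair is flagged when it has at least min_requests requests to a watched
    service and both the inter-request gaps and the request sizes vary by no
    more than max_cv (relative standard deviation). Jittered beacons need a
    looser max_cv; the size check keeps false positives down when timing is noisy.
    """
    sessions = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_watched(rec[2]):
            continue
        ts, src, host, nbytes = rec
        sessions[(src, host)].append((ts, nbytes))

    hits = {}
    for key, events in sessions.items():
        if len(events) < min_requests:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        gap_cv, size_cv = _cv(gaps), _cv(sizes)
        if gap_cv <= max_cv and size_cv <= max_cv:
            hits[key] = {
                "count": len(events),
                "period_s": round(mean(gaps), 1),
                "gap_cv": round(gap_cv, 3),
                "size_cv": round(size_cv, 3),
            }
    return hits


# Constructed sample log: 10.0.0.5 polls the Dropbox API roughly every 60 s with a
# fixed 512-byte request (implant-like); 10.0.0.9 is a human using Dropbox in bursts;
# 10.0.0.7 hits an internal host that is out of scope for this heuristic.
SAMPLE_LOG = [
    "2017-05-19T09:00:00 10.0.0.5 api.dropboxapi.com 512",
    "2017-05-19T09:01:00 10.0.0.5 api.dropboxapi.com 512",
    "2017-05-19T09:02:01 10.0.0.5 api.dropboxapi.com 512",
    "2017-05-19T09:03:00 10.0.0.5 api.dropboxapi.com 512",
    "2017-05-19T09:04:00 10.0.0.5 api.dropboxapi.com 512",
    "2017-05-19T09:05:02 10.0.0.5 api.dropboxapi.com 512",
    "2017-05-19T09:06:00 10.0.0.5 api.dropboxapi.com 512",
    "2017-05-19T09:07:00 10.0.0.5 api.dropboxapi.com 512",
    "2017-05-19T09:00:00 10.0.0.9 www.dropbox.com 1834",
    "2017-05-19T09:00:03 10.0.0.9 www.dropbox.com 20971",
    "2017-05-19T09:00:04 10.0.0.9 www.dropbox.com 733",
    "2017-05-19T09:12:30 10.0.0.9 www.dropbox.com 5120",
    "2017-05-19T09:12:31 10.0.0.9 www.dropbox.com 98304",
    "2017-05-19T09:40:00 10.0.0.9 www.dropbox.com 410",
    "2017-05-19T09:40:05 10.0.0.9 www.dropbox.com 2211",
    "2017-05-19T09:00:00 10.0.0.7 intranet.corp.local 512",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for (src, host), info in find_beacons(SAMPLE_LOG).items():
        print(f"beacon candidate: {src} -> {host} {info}")
```

Run as a script it prints the single implant-like pair. In practice the thresholds are the tuning knob: a tight `max_cv` catches naive fixed-interval polling, and real samples that add jitter are caught by widening it and relying more on the size regularity and the count of requests per day.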