IBM Security QRadar

 View Only

Dual-intent tools commonly used by hackers and how to defend against them

By Albert Puah posted Thu April 06, 2023 05:30 AM


In the world of cybersecurity, tools that serve legitimate purposes can often be co-opted by malicious actors to facilitate their attacks. These tools, known as dual-intent tools, can pose significant security risks if not properly managed and secured. Dual-intent tools are programs or software that can be used for both legitimate and malicious purposes. While such tools are often used by cybersecurity professionals for legitimate purposes such as vulnerability assessments and penetration testing, they can also be used by attackers to gain unauthorized access to networks, steal data, or launch cyber-attacks. We’ll explore some dual-intent tools commonly used by hackers and discuss strategies for defending against them.

  •        Remote Access Tools (RATs): RATs are software applications that allow IT administrators to remotely manage computers and provide technical support to users. However, they can also be used by attackers to gain unauthorized access to a victim's computer and steal sensitive information or install malware. One example of a RAT is the popular software called TeamViewer. 

  •        Password Cracking Tools: Password cracking tools are software applications that can be used to test the strength of passwords and improve the security of systems. However, they can also be used by attackers to crack weak passwords and gain unauthorized access to systems. One example of a password cracking tool is John the Ripper. 

  •        Network Scanning Tools: Network scanning tools are software applications that can be used to identify devices and services on a network. They are primarily used by IT administrators to manage network devices and identify potential security vulnerabilities. However, these tools can also be used by attackers to scan networks for vulnerable devices and services to exploit. One example of such a tool is Nmap. 

  •        Vulnerability Scanners: Vulnerability scanners are an essential tool for security professionals to identify potential vulnerabilities in their systems, networks, and applications. However, these tools can identify weaknesses in target systems that can be exploited for nefarious purposes, exploited to gain unauthorized access to sensitive data or to execute malicious code. One example of a vulnerability is called OpenVAS. 

Some tools are available by-default in a Modern Operating System

Take “Psexec” for example, a remote execution tool that allows system administrators to execute processes on remote machines. While used by IT administrators to remotely run scripts, applications, commands etc, in the hands of a cyber adversary, can also be used to gain unauthorized access to a victim's machine to steal sensitive information, install malware or move laterally across a network. Attackers can avoid detection by taking advantage of security solutions that only detect known malicious tools or techniques. Dual-intent tools are able to blend into an organization’s digital environments, making them a popular choice for living off the land attacks.

Here are some recommendations for dual-intent tools:

  1. Limit access: Dual-intent tools should only be accessible to authorized personnel who have a legitimate need for them. Implement strict access controls and permissions to prevent unauthorized access.
  2. Monitor usage: Keep track of when and how dual-intent tools are being used to ensure they are being used for legitimate purposes. This can also help detect any unauthorized use or suspicious activity.
  3. Disable when not in use: Dual-intent tools should be disabled when they are not needed. This can help reduce the risk of such tools being exploited for malicious purposes if they are compromised or fall into the wrong hands

IBM Security ReaQta’s Detection Strategies (Destra) for Dual-Intent Tools

IBM Security ReaQta provides a unique feature called Detection Strategies (DeStra) that allows security operators to write custom detections, response rules and use cases to defend against advanced persistent threats (APTs), and to create highly-customized detection scenarios, tailor-fitted to any organization’s security needs that are aligned with the Zero-Trust Framework. All DeStra detection rules are executed directly on the endpoint and run in real-time. They are also capable of identifying and responding to new defined behavior as-it-happens.

Once a DeStra is created, it can be immediately activated across the organization, or limited to just a subset or group of devices, all within minutes, without any intervention or endpoint reboot/restart. As opposed to traditional post-processing rules, DeStra playbooks react immediately to any threat, leaving little to no room for an attacker to move. 

In the above example, the DeStra is configured to trigger an alert with a severity score of 90 and terminates the offending process “psexec.c” event as it occurs. Elements within the Destra can fully be customized to achieve the desired outcomes of the user, such as to limit, monitor or disable. 

Disabling Dual-Intent Tools may impact system functionality 

It is important to note that disabling or removing dual-intent tools should be done with caution and only after careful consideration. Some of these tools may be required for legitimate system or network administration purposes and removing them could cause unintended consequences or negatively impact system functionality. Before disabling or removing any tools, it is recommended to consult with system administrators or security professionals to assess the potential impact and determine the best course of action.

As dual-intent tools are a potential threat to cybersecurity, it is important to take steps to defend against them. To mitigate these risks, organizations must take steps to limit access to dual-intent tools, monitor their usage or disable when not in use. By following these recommendations, organizations can ensure that their dual-intent tools are being used for legitimate purposes only, and that they are not introducing unnecessary risk into their networks.

Find out how IBM Security ReaQta helps organizations reduce security risks by securing endpoints against cyberattacks, detect anomalous behaviors, and remediate threats in near real-time. Request a demo or find out more here.