154 points mellosouls | 2 comments
viccis ◴[] No.45185082[source]
Having worked in the computer security world for many years and been completely on board with the "it's good to open source attack tools so that everyone knows what can be done", it's still sometimes hard not to feel like a useful idiot when I see attackers operating with big stacks of almost all open source tooling that are now mature and full featured enough to make almost any skid into a decently effective procurer and vendor of stolen information with a bit of effort.
1. neodymiumphish ◴[] No.45187356[source]
I've been through 2 offensive courses (SANS GPEN and Parrot Labs Offensive Methodology and Analysis) and yeah, that was the take I got even back then (5+ years ago). Everything we used was open source and near-fully functional. There was a lot of knowledge needed on the syntax for some tools, but otherwise it was insane to think how easily these could be used by a motivated person.
2. viccis ◴[] No.45187994[source]
For some of them, it makes sense. Metasploit, Cobalt Strike, and similar tools are good because they can be used to give people a good idea of the impact of the vulnerabilities in their system as well as giving them knowledge of the TTPs that attackers use.

But some of these, like BloodHound, are not really telling you much you didn't know. They are tools to make exploiting access, whether authorized or otherwise, easier and more automated. Hell, even in the case of Cobalt Strike, they are doing their best to limit who can obtain it and chasing down rogue copies because they are used for real attack purposes.

I'm not really saying anything should (or can) be done about this. Just ruminating about it, as after many years in the industry, seeing a list of a mostly open source stack used for every aspect of cybercrime sometimes surprises me at just how good a job we've done of equipping malicious actors. For all the high-minded talk of making everyone more secure, a lot of things just seem to be done for a mixture of bragging rights ego and sharing things with each other to make our offensive sec job a bit easier.