
Features 08.07.2025
Managing the Threat from the Other Kind of ‘Dual-Use’ Technology
Understanding how adversaries can abuse legitimate tools and infrastructure is an increasingly important part of the CISO’s role.
For individuals working in certain parts of the government, ‘dual use’ has a very specific meaning: technology with both civilian and military applications. It has also been used in the past to denote the type of spyware employed and abused by autocratic regimes to spy on their citizens. However, in a cybersecurity context, there’s an arguably more straightforward connotation: technologies and approaches used by both threat actors and network defenders.
Understanding how adversaries can abuse legitimate tools and infrastructure is an increasingly important part of the CISO’s role. It reveals much about the ingenuity of attackers and the defensive strategies needed to defeat them.
Threat actors are skilled at leveraging legitimate tools and techniques against their victims. It’s often cheaper and more effective to do so than trying to reinvent the wheel by designing something from scratch. In some cases, it’s also a great way to stay under the radar. Witness how Microsoft tools such as PowerShell, PsExec, and WMI are routinely used in post-exploitation activity to execute commands and malicious scripts remotely and to move laterally across a network.
Dispersive VP Lawrence Pingree is a former CTO and Gartner VP. He argues that every tool has a core function or set of functions that threat actors could take advantage of.
“Behavioural controls tend to be noisy and generate false positives on authorised use of the tools,” he tells Assured Intelligence. “The story is similar to having a gun next to your bedside…it might be a great way to defend yourself if you have the opportunity, but the gun sitting there can make for a bad day if the threat actor uses it.”
Aside from Windows tools, there are countless other examples of ‘dual-use’ tech. Some of the most common are:
Network scanning: Tools like Nmap and Advanced IP Scanner help security teams to identify and inventory their digital assets, scan for exposed ports/services and outdated software, and test the efficacy of firewall rules and network segmentation.
However, they can also be deployed by threat actors for reconnaissance and information gathering, allowing them to map potential attack paths and identify vulnerabilities and opportunities for exploitation.
Penetration testing: Frameworks like Metasploit simulate real-world attacks to help security teams proactively identify vulnerabilities in their systems and the effectiveness of security controls protecting them.
However, the same tools empower threat actors to seamlessly simulate entire attack scenarios, from start to finish. And they offer an extensive library of pre-built exploits and payloads for use.
Encryption: Security best practices don’t come more foundational than encrypting data at rest and in transit. It’s a key component in Zero Trust approaches and a requirement of PCI DSS 4.0.
However, attackers also use encryption to hide malicious behaviour. Malware payloads can be encrypted to bypass signature-based AV, while encrypted communications channels ensure many network monitoring tools can’t detect command and control (C2) traffic and signs of exfiltrated data.
Automation and scripting: These techniques are extensively deployed for threat detection and response, log analysis, and in security orchestration, automation, and response (SOAR) platforms. They also streamline and accelerate vulnerability scanning and patch management.
However, adversaries are not far behind, using them to expedite reconnaissance, vulnerability exploitation, and payload deployment. Automated scripts are also the key ingredient in credential stuffing.
Artificial intelligence (AI) and machine learning (ML): Network defenders increasingly use AI/ML for network detection and response (NDR) to trawl through large datasets and surface suspicious behaviour that human eyes might miss. AI can also automate continuous monitoring and response, including identification and remediation of vulnerabilities and misconfigurations, to build resilience. The technology is even being used to predict future attacks based on historical data.
However, threat actors are also harnessing the power of AI/ML to automate large-scale attacks such as vulnerability scanning/exploitation, brute-force password guessing, and social engineering.
Reverse engineering: This involves analysing software to understand how it works. So it’s a great tool for proactively detecting vulnerabilities that need patching, as well as dissecting malware to see how it can be mitigated. Of course, threat actors use it in a similar way to identify vulnerabilities and other weaknesses that can be exploited.
Vulnerability databases: Databases like the MITRE-run CVE and the US National Vulnerability Database (NVD) help network defenders stay informed about the latest bugs and proactively prioritise patching based on severity. They are also used to power various security tools. However, they can be abused in the same way to identify known vulnerabilities, source exploits, and prioritise targets.
“At this point, AI is probably the biggest risk precisely because of the efficiency and effectiveness it provides – and the risk is even bigger when AI is used in security,” Hidden Layer CISO, Malcolm Harkins, tells Assured Intelligence. “Attackers will always game the system, so whatever you trust the most is really what you should trust least – that’s where the risk lies.”
Understanding how these tools can be abused is strategically vital for CISOs, argues Dispersive’s Pingree. “It ensures that detection logic, or scenarios involving tools, can be pre-planned in a pre-emptive manner,” he explains. “In some cases, measures can also be taken within some tools to help mitigate their dual use or distribution.”
Hidden Layer’s Harkins adds that there are three “irrefutable truths” regarding technology: “that code wants to be wrong, services want to be on, and users want to click.”
He adds: “We have to consider that trust is now an attack surface, so if I trust a capability, an attacker will want to subvert that trust.”
With the knowledge that legitimate tools could be turned against the organisation, how can CISOs continue to use them while guarding against their abuse? For Desired Effect CISO advisor, Alex Janas, understanding the adversary is a good start.
“Often, the risk/cost/reward calculation of cybersecurity has a bias on the cost to the organisation or me. How much pain will it cost the organisation to perform tasks?” he tells Assured Intelligence. “Remember to consider how valuable it is to an adversary when you remove the need for them as well. Least privilege, privilege time-outs, auditing accesses and task execution are some techniques to help.”
Upwind chief security officer, Rinki Sethi, agrees, telling Assured Intelligence: “If you want to stay ahead of adversaries, you must stop thinking like a defender and start thinking like an attacker.”
She adds: “That means designing your systems with the assumption that anything, any tool, any API, any automation, can and will be turned against you. Not just misused but actively subverted.”
Runtime visibility into systems is also key, as is building dual-use risk into corporate security culture, she says. “That means regular pressure-testing, such as red teaming and threat-informed exercises, namely doing whatever it takes to move from theory to muscle memory. The more you rehearse, the better you react.”
Cyvatar virtual CISO, Darryl Taylor, also cites visibility and behaviour-changing as key.
“It’s not just about what tool is used, but how, when, and by whom,” he tells Assured Intelligence. “Implementing stricter controls, logging, and anomaly detection is crucial – but so is building a security culture that understands these nuances. If you wait until a tool ‘looks bad,’ it’s already too late.”
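Taylor’s point that what matters is how, when and by whom a tool is run can be expressed as detection logic. The following is an added example, not code from the article or from any of the vendors quoted in it: it scores constructed process-creation events for PsExec, PowerShell and WMIC against an assumed baseline of authorised accounts and maintenance windows, so routine administrative use stays quiet (the false-positive problem Pingree describes) while out-of-baseline use is flagged. The event line format, the BASELINE table and the SUSPICIOUS_ARGS patterns are all assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample process-creation events (not real telemetry): "<timestamp> <user> <image> <args>".
EVENTS = [
    "2025-07-08T02:14:09 CORP\\svc_backup C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile -File C:\\ops\\backup.ps1",
    "2025-07-08T10:03:41 CORP\\jdoe C:\\Tools\\PsExec.exe \\\\FILESRV01 -s cmd.exe",
    "2025-07-08T10:05:12 CORP\\jdoe C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -w hidden -enc SQBFAFgA",
    "2025-07-08T22:30:00 CORP\\itadmin C:\\Tools\\PsExec.exe \\\\WS0042 -s cmd.exe /c gpupdate /force",
    "2025-07-08T11:20:33 CORP\\mlee C:\\Windows\\System32\\wbem\\WMIC.exe /node:WS0100 process call create notepad.exe",
]

# Assumed baseline of authorised use: which accounts may run each tool and in which local hours
# (a maintenance window). In practice this comes from change records and access reviews.
BASELINE = {
    "psexec.exe":     {"users": {"CORP\\itadmin"},                    "hours": range(20, 24)},
    "powershell.exe": {"users": {"CORP\\itadmin", "CORP\\svc_backup"}, "hours": range(0, 24)},
    "wmic.exe":       {"users": {"CORP\\itadmin"},                    "hours": range(20, 24)},
}
# Argument patterns that rarely appear in administrative use of these tools (assumed list).
SUSPICIOUS_ARGS = re.compile(r"(?i)(-enc\b|-encodedcommand|-w\s+hidden|-nop\b)")

def parse_event(line):
    """Split a constructed event line into (timestamp, user, tool basename, arguments)."""
    ts, user, rest = line.split(" ", 2)
    image, _, args = rest.partition(" ")
    return datetime.fromisoformat(ts), user, image.rsplit("\\", 1)[-1].lower(), args

def score_event(line):
    """Return the reasons an event deviates from the baseline (empty list = authorised use)."""
    when, user, tool, args = parse_event(line)
    profile = BASELINE.get(tool)
    if profile is None:
        return []  # not a monitored dual-use tool
    reasons = []
    if user not in profile["users"]:
        reasons.append(f"{user} is not authorised to run {tool}")
    if when.hour not in profile["hours"]:
        reasons.append(f"{tool} run at {when:%H:%M}, outside its maintenance window")
    hits = SUSPICIOUS_ARGS.findall(args)
    if hits:
        reasons.append("suspicious arguments: " + ", ".join(hits))
    return reasons

def triage(events):
    """Map each flagged event to its reasons; authorised use is dropped so alerts stay quiet."""
    return {line: r for line in events if (r := score_event(line))}

if __name__ == "__main__":
    for line, reasons in triage(EVENTS).items():
        print(line.split(" ", 2)[1], "->", "; ".join(reasons))
```

Of the five constructed events, only the three that break the who/when baseline or carry suspicious arguments are reported; the backup service account’s overnight script and the administrator’s in-window PsExec run produce nothing.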