How traffic analysis systems detect hacker tactics from MITRE ATT&CK, using the example of PT Network Attack Discovery

According to Verizon, the majority (87%) of information security incidents occur within minutes, while 68% of companies take months to detect them. This is also confirmed by Ponemon Institute research, according to which it takes most organizations an average of 206 days to discover an incident. Based on our investigations, hackers can control a company's infrastructure for years without being detected. For example, in one organization where our experts investigated an information security incident, it turned out that the hackers had fully controlled the entire infrastructure and regularly stolen important information for eight years.

Let's say you already have a SIEM running that collects logs and analyzes events, and antivirus is installed on the endpoints. Nevertheless, not everything can be detected with a SIEM, and it is equally impossible to deploy EDR across the entire network, so "blind" zones cannot be avoided. Network traffic analysis (NTA) systems help to cope with them. These solutions detect attacker activity at the earliest stages of network penetration, as well as during attempts to gain a foothold and develop the attack inside the network.

There are two types of NTA: one works with NetFlow, the other analyzes raw traffic. The advantage of the second type is that it can store raw traffic records. Thanks to this, an information security specialist can verify whether the attack succeeded, localize the threat, and understand how the attack happened and how to prevent a similar one in the future.

We will show how NTA can be used to identify, by direct or indirect signs, all known attack tactics described in the MITRE ATT&CK knowledge base. We will talk about each of the 12 tactics, analyze the techniques that can be detected in traffic, and demonstrate their detection using our NTA system.

About ATT&CK Knowledge Base

MITRE ATT&CK is a public knowledge base developed and maintained by the MITRE Corporation based on the analysis of real APT attacks. It is a structured set of tactics and techniques used by attackers. This allows information security professionals from all over the world to speak the same language. The database is constantly expanding and supplemented with new knowledge.

The database identifies 12 tactics, which correspond to the stages of a cyber attack:

  • initial access;
  • execution;
  • persistence;
  • privilege escalation;
  • defense evasion;
  • credential access;
  • discovery;
  • lateral movement;
  • collection;
  • command and control;
  • exfiltration;
  • impact.

For each tactic, the ATT&CK knowledge base lists the techniques that help attackers achieve their goal at the current stage of the attack. Since the same technique can be used at different stages, it can belong to several tactics.

The description of each technique includes:

  • identifier;
  • a list of tactics in which it is used;
  • examples of use by APT groups;
  • measures to reduce damage from its use;
  • detection recommendations.

Information security specialists can use knowledge from the database to structure information about current attack methods and, with this in mind, build an effective security system. Understanding how real APT groups operate can also become a source of hypotheses for the proactive search for threats as part of threat hunting.

About PT Network Attack Discovery

We will identify the use of techniques from the ATT&CK matrix using PT Network Attack Discovery, the Positive Technologies NTA system designed to detect attacks on the perimeter and inside the network. PT NAD covers all 12 tactics of the MITRE ATT&CK matrix to varying degrees. It is strongest in identifying initial access, lateral movement, and command and control techniques. For these tactics, PT NAD covers more than half of the known techniques, detecting their use by direct or indirect signs.

The system detects attacks that use ATT&CK techniques by means of detection rules created by the PT Expert Security Center (PT ESC) team, machine learning, indicators of compromise, deep analytics and retrospective analysis. Real-time traffic analysis combined with retrospective analysis makes it possible to identify ongoing hidden malicious activity and to trace the development vectors and chronology of an attack.

Here is the full mapping of PT NAD to the MITRE ATT&CK matrix. The picture is large, so we suggest opening it in a separate window.

Initial access

Initial access tactics include techniques to infiltrate a company's network. The goal of attackers at this stage is to deliver malicious code to the attacked system and ensure its further execution.

PT NAD traffic analysis reveals seven techniques for gaining initial access:

1. T1189: drive-by compromise

A technique in which the victim opens a website that is used by attackers to exploit a web browser to obtain application access tokens.

What does PT NAD do?: If the web traffic is not encrypted, PT NAD inspects the content of HTTP server responses. It is in these responses that the exploits allowing attackers to execute arbitrary code inside the browser are found. PT NAD automatically detects such exploits using detection rules.

Additionally, PT NAD detects the threat one step earlier. Rules and indicators of compromise are triggered if the user visited a site that redirected them to a site hosting a set of exploits (an exploit kit).

2. T1190: exploit public-facing application

Exploitation of vulnerabilities in services that are accessible from the Internet.

What does PT NAD do?: performs a deep inspection of the contents of network packets, revealing signs of anomalous activity in them. In particular, there are rules for detecting attacks on common content management systems (CMS), web interfaces of network equipment, and mail and FTP servers.

3. T1133: external remote services

Attackers use remote access services to connect to internal network resources from outside.

What does PT NAD do?: since the system recognizes protocols by packet content rather than by port number, users can filter traffic to find all sessions of remote access protocols and check their legitimacy.
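To illustrate port-independent protocol recognition, here is an added example (written for this article, not PT NAD's own code) that classifies sessions by the first bytes on the wire and picks out remote-access protocols whatever port they use; the session tuples and payloads are constructed.

```python
# Added example (not PT NAD code): recognise remote-access protocols by payload
# content rather than by TCP port, then list the sessions an analyst should review.
REMOTE_ACCESS = {"ssh", "rdp", "vnc"}

def identify_protocol(first_bytes: bytes) -> str:
    """Classify a session by the first bytes on the wire (client request, or the
    server banner for RFB/VNC). The destination port is deliberately ignored."""
    if first_bytes.startswith(b"SSH-"):            # SSH identification string
        return "ssh"
    if first_bytes.startswith(b"RFB "):            # RFB (VNC) ProtocolVersion message
        return "vnc"
    if len(first_bytes) > 5:
        # RDP: TPKT header (0x03 0x00) carrying an X.224 Connection Request (code 0xE0)
        if first_bytes[:2] == b"\x03\x00" and first_bytes[5] == 0xE0:
            return "rdp"
        # TLS record of type handshake (0x16), major version 3, ClientHello (0x01)
        if first_bytes[0] == 0x16 and first_bytes[1] == 0x03 and first_bytes[5] == 0x01:
            return "tls"
    if first_bytes.split(b" ", 1)[0] in {b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS", b"CONNECT"}:
        return "http"
    return "unknown"

def find_remote_access_sessions(sessions):
    """sessions: iterable of (src, dst, dst_port, first_bytes). Returns
    (src, dst, dst_port, protocol) for each remote-access session found."""
    found = []
    for src, dst, port, payload in sessions:
        proto = identify_protocol(payload)
        if proto in REMOTE_ACCESS:
            found.append((src, dst, port, proto))
    return found

# Constructed sample sessions: SSH hidden on 443, RDP on its usual port, VNC on
# an unusual port, and ordinary HTTP on 8080.
RDP_CONNECT_REQUEST = (b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00"   # TPKT + X.224 CR
                       b"\x01\x00\x08\x00\x03\x00\x00\x00")              # RDP negotiation request
SAMPLE_SESSIONS = [
    ("10.0.0.5", "203.0.113.10", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("10.0.0.7", "10.0.0.20", 3389, RDP_CONNECT_REQUEST),
    ("198.51.100.4", "10.0.0.9", 8443, b"RFB 003.008\n"),
    ("10.0.0.5", "10.0.0.30", 8080, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
]

if __name__ == "__main__":
    for src, dst, port, proto in find_remote_access_sessions(SAMPLE_SESSIONS):
        print(f"remote access: {src} -> {dst}:{port} ({proto})")
```

The SSH session on 443 is the case a port-based filter would miss; the TLS and HTTP sessions are recognized but not reported, since they are not remote-access protocols.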

4. T1193: spearphishing attachment

This is the well-known sending of phishing emails with malicious attachments.

What does PT NAD do?: automatically extracts files from traffic and checks them against indicators of compromise. Executable files in attachments are detected by rules that analyze the content of mail traffic. In a corporate environment, such an attachment is considered anomalous.

5. T1192: spearphishing link

Use of phishing links. The technique involves the attackers sending a phishing email with a link that, when clicked, downloads a malicious program. As a rule, the link is accompanied by a text compiled according to all the rules of social engineering.

What does PT NAD do?: Detects phishing links using indicators of compromise. For example, in the PT NAD interface, we see a session in which there was an HTTP connection via a link included in the list of phishing addresses (phishing-urls).

Connection via a link from the list of indicators of compromise phishing-urls

6. T1199: trust relationship

Access to the victim's network through third parties with whom the victim has a trusted relationship. Attackers can break into a trusted organization and connect through it to the target network. To do this, they use VPN connections or domain trust relationships, which can be revealed through traffic analysis.

What does PT NAD do?: parses application protocols and saves the parsed fields to the database, so that the information security analyst can use filters to find all suspicious VPN connections or cross-domain connections in the database.

7. T1078: valid accounts

Using default, local or domain credentials to authenticate to external and internal services.

What does PT NAD do?: automatically retrieves credentials from the HTTP, FTP, SMTP, POP3, IMAP, SMB, DCE/RPC, SOCKS5, LDAP and Kerberos protocols. In the general case, this is a login, a password, and a sign of successful authentication. If credentials were used in a session, they are displayed in that session's card.
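As an added example (written for this article, not PT NAD's own code), the following Python extracts the login, password and a success flag from two of the listed cleartext protocols, HTTP Basic authentication and FTP; all traffic samples are constructed and contain no real accounts.

```python
# Added example (not PT NAD code): pull the login, password and a success flag out
# of two cleartext protocols, HTTP Basic authentication and FTP, the way an NTA
# fills in a session card for the "valid accounts" technique.
import base64
import re

def http_basic_credentials(request: bytes, response: bytes):
    """Return (login, password, success) for a request carrying
    'Authorization: Basic', or None if the request has no such header.
    Success means the server answered with a 2xx or 3xx status."""
    m = re.search(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", request, re.M | re.I)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:           # binascii.Error is a ValueError: malformed base64
        return None
    login, _, password = decoded.partition(":")
    status = re.match(rb"HTTP/\d\.\d (\d{3})", response)
    success = bool(status) and 200 <= int(status.group(1)) < 400
    return login, password, success

def ftp_credentials(session: bytes):
    """Parse a captured FTP control channel. Returns one (login, password, success)
    per PASS command, judged by the server's 230 (logged in) or 530 (failed) reply."""
    results, user, password = [], None, None
    for line in session.splitlines():
        upper = line.upper()
        if upper.startswith(b"USER "):
            user = line[5:].strip().decode("latin-1")
        elif upper.startswith(b"PASS "):
            password = line[5:].strip().decode("latin-1")
        elif line[:3] in (b"230", b"530") and password is not None:
            results.append((user, password, line.startswith(b"230")))
            password = None
    return results

# Constructed sample traffic (no real accounts).
HTTP_REQUEST = (b"GET /admin/ HTTP/1.1\r\nHost: intranet.corp.test\r\n"
                b"Authorization: Basic " + base64.b64encode(b"svc_backup:Winter2020!") + b"\r\n\r\n")
HTTP_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
FTP_SESSION = (b"220 ftp.corp.test ready\r\nUSER admin\r\nPASS guess1\r\n530 Login incorrect.\r\n"
               b"USER admin\r\nPASS Summer2020\r\n230 Login successful.\r\n")

if __name__ == "__main__":
    print(http_basic_credentials(HTTP_REQUEST, HTTP_RESPONSE))
    print(ftp_credentials(FTP_SESSION))
```

The success flag is what separates a password-guessing attempt (the 530 reply) from a valid account actually being used (the 230 reply or a 2xx HTTP status).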

Execution

Execution tactics include techniques that attackers use to execute code on compromised systems. Running malicious code helps attackers establish presence (persistence tactic) and expand access to remote systems on the network by moving inside the perimeter.

PT NAD allows you to identify the use of 14 techniques used by attackers to execute malicious code.

1. T1191: CMSTP (Microsoft Connection Manager Profile Installer)

A technique in which attackers prepare a specially crafted malicious .inf installation file for the built-in Windows CMSTP.exe utility (Connection Manager Profile Installer). CMSTP.exe takes the file as a parameter and installs a service profile for a remote connection. As a result, CMSTP.exe can be used to download and execute dynamic link libraries (*.dll) or scriptlets (*.sct) from remote servers.

What does PT NAD do?: Automatically detects the transmission of special form .inf files in HTTP traffic. In addition, it detects HTTP transfers of malicious scriptlets and dynamic link libraries from a remote server.

2. T1059: command-line interface

Interaction with the command line interface. It can be used locally or remotely, for example through remote access utilities.

What does PT NAD do?: automatically detects the presence of shells by the responses to commands that launch various command line utilities, such as ping and ifconfig.

3. T1175: component object model and distributed COM

Using COM or DCOM technologies to execute code on local or remote systems while moving through the network.

What does PT NAD do?: Detects suspicious DCOM calls that attackers commonly use to launch programs.

4. T1203: exploitation for client execution

Exploitation of vulnerabilities to execute arbitrary code on a workstation. The most useful exploits for attackers are those that allow code to be executed on a remote system, since they give attackers access to that system. The technique can be implemented in the following ways: malicious mailings, websites with browser exploits, and remote exploitation of application vulnerabilities.

What does PT NAD do?: while parsing mail traffic, PT NAD checks it for the presence of executable files in attachments. It automatically extracts office documents from emails that may contain exploits. Attempts to exploit vulnerabilities are visible in traffic, and PT NAD detects them automatically.
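The two mail-based checks described above, executable attachments (spearphishing attachment) and office documents that may carry exploits (exploitation for client execution), can both be served by content-based attachment classification. The following is an added example written for this article, not PT NAD's own code; the message, the PE stub and the OLE2 stub are constructed.

```python
# Added example (not PT NAD code): extract attachments from a captured SMTP
# message and classify them by content, so a renamed executable or an office
# container that may carry an exploit is flagged regardless of its file name.
import base64
import email
import struct
from email import policy

def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify_bytes(data: bytes) -> str:
    """Content-based type, ignoring the declared MIME type and file name."""
    if is_pe(data):
        return "pe_executable"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):   # OLE2 compound file (.doc/.xls/.ppt)
        return "ole_document"
    if data.startswith(b"PK\x03\x04"):                         # zip container (.docx/.xlsx or plain zip)
        return "zip_container"
    return "other"

def analyse_message(raw: bytes):
    """Return (filename, declared MIME type, content type, flagged) per attachment.
    Executables are flagged outright; office containers are flagged for extraction."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    rows = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        kind = classify_bytes(data)
        rows.append((part.get_filename() or "(unnamed)", part.get_content_type(), kind, kind != "other"))
    return rows

# Constructed sample: a minimal PE stub disguised as a PDF plus an OLE2 stub named report.doc.
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16
FAKE_OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
SAMPLE_EML = (
    b"From: accounting@example.test\nTo: user@corp.test\nSubject: Invoice\n"
    b"MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"b1\"\n\n"
    b"--b1\nContent-Type: text/plain\n\nPlease see the attached invoice.\n"
    b"--b1\nContent-Type: application/pdf; name=\"invoice.pdf\"\n"
    b"Content-Disposition: attachment; filename=\"invoice.pdf\"\n"
    b"Content-Transfer-Encoding: base64\n\n" + base64.encodebytes(FAKE_PE) +
    b"--b1\nContent-Type: application/msword; name=\"report.doc\"\n"
    b"Content-Disposition: attachment; filename=\"report.doc\"\n"
    b"Content-Transfer-Encoding: base64\n\n" + base64.encodebytes(FAKE_OLE) +
    b"--b1--\n"
)

if __name__ == "__main__":
    for name, declared, kind, flagged in analyse_message(SAMPLE_EML):
        print(f"{name}: declared {declared}, content {kind}, flagged={flagged}")
```

The first attachment is declared as application/pdf and named invoice.pdf, yet its content is a PE executable, which is exactly the case a name- or MIME-type-based rule would miss.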

5. T1170: mshta

Using the mshta.exe utility, which executes Microsoft HTML Applications (HTA) with an .hta extension. Because mshta processes files bypassing browser security settings, attackers can use mshta.exe to execute malicious HTA, JavaScript, or VBScript files.

What does PT NAD do?: .hta files for execution through mshta are transmitted over the network as well - this can be seen in the traffic. PT NAD detects the transmission of such malicious files automatically. It captures files, and information about them can be viewed in the session card.

6. T1086: powershell

Using PowerShell to search for information and execute malicious code.

What does PT NAD do?: When PowerShell is used by attackers remotely, PT NAD detects this using rules. It detects the PowerShell language keywords most commonly used in malicious scripts and the transmission of PowerShell scripts over SMB.

7. T1053: scheduled task

Using the Windows Task Scheduler and other utilities to automatically run programs or scripts at specific times.

What does PT NAD do?: attackers create such tasks, usually remotely, which means that such sessions are visible in traffic. PT NAD automatically detects suspicious task creation and modification operations using the ATSVC and ITaskSchedulerService RPC interfaces.

8. T1064: scripting

Execution of scripts to automate various actions of attackers.

What does PT NAD do?: detects the transmission of scripts over the network, that is, even before they are launched. It detects script content in raw traffic and detects network transmission of files with extensions corresponding to popular scripting languages.

9. T1035: service execution

Run an executable file, CLI instructions, or script by interacting with Windows services, such as the Service Control Manager (SCM).

What does PT NAD do?: inspects SMB traffic and detects requests to SCM by rules for creating, modifying, and starting a service.

The service execution technique can be implemented using the remote command execution utility PSExec. PT NAD parses the SMB protocol and detects the use of PSExec when it uses the PSEXESVC.exe file or the default PSEXECSVC service name to execute code on a remote machine. The user then needs to check the list of executed commands and the legitimacy of remote command execution from that host.

The attack card in PT NAD displays the tactics and techniques used, according to the ATT&CK matrix, so that the user can understand at what stage of the attack the attackers are, what goals they pursue, and what compensating measures to take.

Activation of the rule about the use of the PSExec utility, which may indicate an attempt to execute commands on a remote machine

10. T1072: third-party software

A technique in which attackers gain access to remote administration software or a corporate software deployment system and use it to run malicious code. Examples of such software: SCCM, VNC, TeamViewer, HBSS, Altiris.
By the way, the technique is especially relevant given the massive transition to remote work and, as a result, the connection of numerous unprotected home devices via dubious remote access channels.

What does PT NAD do?: Automatically detects the operation of such software on the network. For example, the rules are triggered by the facts of connecting via the VNC protocol and the activity of the EvilVNC Trojan, which secretly installs a VNC server on the victim's host and automatically starts it. Also, PT NAD automatically detects the TeamViewer protocol, which helps the analyst to find all such sessions using a filter and check their legitimacy.

11. T1204: user execution

A technique in which the user runs files that can cause code to be executed. This could happen, for example, if the user opens an executable file or an office document with a macro.

What does PT NAD do?: sees such files at the transfer stage, before they are launched. Information about them can be studied in the card of the sessions in which they were transmitted.

12. T1047: Windows Management Instrumentation

Using the WMI tool, which provides local and remote access to Windows system components. Using WMI, attackers can interact with local and remote systems and perform a variety of tasks, such as collecting information for intelligence purposes and remotely launching processes during lateral movement.

What does PT NAD do?: Since interactions with remote systems via WMI are visible in traffic, PT NAD automatically detects network requests to establish WMI sessions and checks the traffic for the fact that scripts that use WMI are being transmitted.

13. T1028: Windows Remote Management

Using a Windows service and protocol that allows the user to interact with remote systems.

What does PT NAD do?: Sees network connections established using Windows Remote Management. Such sessions are detected automatically by the rules.

14. T1220: XSL (Extensible Stylesheet Language) script processing

The XSL stylesheet language is used to describe the processing and rendering of data in XML files. To support complex operations, the XSL standard includes support for embedded scripts in several languages. These languages allow the execution of arbitrary code, which bypasses application whitelisting policies.

What does PT NAD do?: detects the transmission of such files over the network, that is, even before they are launched. It automatically detects the transmission of XSL files over the network and files with anomalous XSL markup.
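As an added example of spotting anomalous XSL markup (written for this article, not PT NAD's own code), the following Python inspects a stylesheet captured from the network and flags embedded script elements and includes of remote stylesheets; both sample documents are constructed and the script block carries only a placeholder comment.

```python
# Added example (not PT NAD code): inspect an XSL stylesheet seen on the wire and
# flag the markup that turns a transform into code execution: embedded script
# elements and include/import of remote stylesheets.
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"

def inspect_xsl(data: bytes):
    """Return a list of (finding, detail) tuples; an empty list means nothing anomalous."""
    findings = []
    root = ET.fromstring(data)
    for el in root.iter():
        ns, _, local = el.tag.rpartition("}")          # "{uri}local" -> ("{uri", "}", "local")
        if local == "script":
            # msxsl:script (or any other script extension) embeds executable code
            findings.append(("script", el.get("language", "unspecified")))
        elif ns == "{" + XSL_NS and local in ("include", "import"):
            href = el.get("href", "")
            if href.lower().startswith(("http://", "https://", "ftp://")):
                findings.append(("remote_" + local, href))
    return findings

# Constructed samples: an ordinary transform and one carrying a script block.
CLEAN_XSL = b"""<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><html><body><xsl:value-of select="//title"/></body></html></xsl:template>
</xsl:stylesheet>"""

SCRIPTED_XSL = b"""<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder">
  <msxsl:script language="JScript" implements-prefix="user">
    <![CDATA[ /* constructed placeholder; a real sample would carry code here */ ]]>
  </msxsl:script>
  <xsl:include href="http://example.invalid/more.xsl"/>
  <xsl:template match="/"><xsl:value-of select="user:run()"/></xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN_XSL), ("scripted", SCRIPTED_XSL)):
        print(name, inspect_xsl(doc))
```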

In the following materials, we will look at how the PT Network Attack Discovery NTA system finds the other tactics and techniques of attackers in accordance with MITRE ATT&CK. Stay tuned!

Authors:

  • Anton Kutepov, specialist of the expert security center (PT Expert Security Center) Positive Technologies
  • Natalia Kazankova, product marketer at Positive Technologies

Source: habr.com