brencronin

Cyber Defense/Game Strategy Analogy

Updated: Jun 9

If you are playing a team sport you can be fantastic at a single area, but still lose. For example, if you have great goal scorers and a lousy defense you might win some games, but you will lose a lot. Likewise, in cyber security you can have great firewalls or endpoint protection, but if you are missing other key cyber security functions you will also lose. Having a strong cyber security program is like having a balanced team that can perform well in all aspects of cyber security.


[[image]]


If you want to know what the key areas for a strong cyber security program are, see [[CIS v8]].


Having a strong security program in multiple key areas is only half of the battle. The other aspect is executing well in real live hacking situations. This is just like a team that has all the right skills but doesn't execute a successful game plan to win.


[[sport strategy image]]


To have a good game plan yourself, you need to understand the attacker's game plan. Various cyber researchers have modeled out hacker game plans.


[[kill chain]]


[[mitre attack]]


[[online kill chain]]


Breaking down frameworks.



Breaking Down Attacks


The first part of the attack happens before the actual attack. It is the attacker planning their attack to make it more effective. Mitre ATT&CK outlines two key tactics which each have techniques and sub-techniques.

  • Reconnaissance

  • Resource Development


Reconnaissance


Reconnaissance involves the attackers learning as much about the organization as possible to make their attack more effective. There are several ways that attackers do reconnaissance. To make it easier to understand I am dividing Mitre ATT&CK reconnaissance tactic techniques into three sub-categories:

  • Learning about the company through publicly available information the company has divulged

  • Learning details about the company that can be exploited through specialized sources, including paid for sources, like databases and other tools

  • Interacting with the targeted organization's IT systems

When attackers use these reconnaissance techniques, they often use something called OSINT "Open-Source Intelligence" techniques and specialized tools that support OSINT research. The definition of OSINT is:


"Open-source intelligence (OSINT) is intelligence that is produced from publicly available information and is collected, exploited, and disseminated in a timely manner to an appropriate audience for the purpose of addressing a specific intelligence requirement."



Learning about the company through publicly available information the company has divulged


Here are just a few examples of this type of information collection.

  • Gather Victim Host Information

If the attackers know the technology stack of the company they are attacking, they can plan their attacks to that technology stack. This can be as simple as looking at the company's technology job postings to see what types of technologies they are hiring for.

  • Gather Victim Identity Information

Determining the target (i.e., victim) identities is one of the most important steps, because attackers will craft phishing emails to send to those identities. Knowing identities also helps attackers target specific places in the organization.


  • Gather Victim Org Information

This includes other business-related information. One of the most important sub-techniques here is "Business relationships". Through business relationships, 3rd parties often have sensitive information about the company and can also have access into the organization. To gain access to the organization, the attacker could exploit the 3rd party first. An example of this was the initial attack vector for the 2013 Target data breach. A company called Fazio Mechanical had a contract with Target to maintain Target store HVAC systems. Fazio Mechanical had remote access to Target HVAC systems, and when Fazio Mechanical was compromised the hackers had a backdoor into the Target network through the remote HVAC system access.


  • Search Open-Source Technical Databases

  • Gather Victim Network Information

There are certain aspects of a business that are needed in order for the business to have an online presence. This includes the company's public IP address and DNS information. Because this information needs to be public on the Internet for the business to run, it is also searchable. There are several web sites, like https://www.whois.com/, that offer free searches for this information.



Learning details about the company that can be exploited through specialized sources, including paid for sources, like databases and other tools

  • Search Closed Sources

  • Search Open Websites/Domains

One of the sites that publishes exploitable systems on the Internet is called Shodan (https://www.shodan.io/). Defenders use Shodan to determine if they have any systems exposed to the Internet, but attackers also use tools like Shodan to quickly find exposed systems.


Many organizations also develop software and tools and post them to the Internet on systems like https://github.com/, which is an open-source software for managing software code and releases. In some cases, the information on sites like GitHub includes authentication information like usernames/passwords and API keys. This is how SolarWinds was compromised by the Russians.


"Last week, SolarWinds’ CEO testified in front of Congress on the hack that is largely considered the most damaging in US history. Representatives chastised the company over how the now infamous password “solarwinds123” was used for a file server. Even more damaging, that password was found in publicly available repos on GitHub." ( https://securityboulevard.com/2021/03/solarwinds-intern-leaked-passwords-on-github/ )


Examples of tools that search GitHub repos for exploitable information are BishopFox GitGot (https://github.com/BishopFox/GitGot) and TruffleHog (https://github.com/trufflesecurity/trufflehog).
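Defenders can run the same kind of check on their own code before it is pushed. The following is an added example, not code from the original post or from GitGot or TruffleHog: a small pre-commit style scanner that combines named credential patterns with an entropy fallback. The rule set, the placeholder list and the sample file are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Rule name -> regex. The last capture group (or the whole match) is the secret.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "keyword_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*[\"']([^\"']{6,})[\"']"),
}
# Quoted token-like strings, checked for randomness when no named rule fires.
QUOTED = re.compile(r"[\"']([A-Za-z0-9+/=_\-]{20,})[\"']")
PLACEHOLDERS = {"changeme", "example", "your_api_key_here"}  # assumed dummy values


def shannon_entropy(s):
    """Bits per character: random keys score high, words and padding score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_placeholder(value):
    """Variable references and obvious dummies are not live secrets."""
    return value.lower() in PLACEHOLDERS or value.startswith(("${", "{{", "<"))


def scan(path, text, min_entropy=4.0):
    """Return one finding per hit: file, line number, rule, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = []
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if m and not is_placeholder(m.group(m.lastindex or 0)):
                hits.append((rule, m.group(m.lastindex or 0)))
        if not hits:  # fall back to entropy so unlabeled keys are still caught
            hits = [("high_entropy_string", m.group(1)) for m in QUOTED.finditer(line)
                    if shannon_entropy(m.group(1)) >= min_entropy]
        for rule, value in hits:
            findings.append({"file": path, "line": lineno, "rule": rule,
                             "redacted": value[:4] + "*" * (len(value) - 4)})
    return findings


# Constructed sample file; the AWS value is the placeholder key from AWS documentation.
SAMPLE = '''\
# deploy.cfg
ftp_user = "updates"
ftp_password = "solarwinds123"
db_password = "${DB_PASSWORD}"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
session_signing = "q7Zk2LmX9pVb4TnR8sWc3YdF6hJg5Ae1"
banner = "===================="
'''
```

Calling scan("deploy.cfg", SAMPLE) reports the hard-coded password, the access key ID and the unlabeled random token, and skips the environment-variable reference and the padding string.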


Interacting with the targeted organization's IT systems


Interacting with the organization is the attacker probing the target's systems to gather information and find weaknesses. The danger for an attacker interacting with a system is that they can get caught doing so, which tips the target off to a possible attack.


One of the main ways to probe systems for weaknesses and vulnerabilities is scanning.


Sending emails into the organization (i.e., spearphishing) is used to execute attacks but is also commonly used to gather information.



Attackers will often search victims' web sites with specialized web site crawling tools. This is also called 'scraping' and is a common occurrence on the Internet for all sorts of reasons: https://www.octoparse.com/blog/top-20-web-crawling-tools-for-extracting-web-data

Before moving on to the next Mitre tactic, it's worth mentioning a purpose-built tool, https://www.maltego.com/, that is designed to help organize all the open-source information collected.


Resource Development


After the attackers scope and recon their target, the next step for them is to develop the applicable tools and capabilities to compromise that victim. You can see how reconnaissance and resource development work hand-in-hand. For attackers, there is no sense in developing a hacking capability that they cannot use against their intended victim.


For attackers, the simplest form of resource development is simply acquiring access to their target through black market purchase. Gaining remote access to a victim is one thing, but using that remote access to exploit the target takes another level of effort. Additionally, attacker goals against victims vary by attacker. For example, a hacker that is strictly interested in money may get remote access to a government network but have no way to monetize that access. A foreign government may want to steal information from the targeted government victim. Now the initial hacker has a way to monetize their hacked access to the victim government network. They can sell that access to an attacker who is willing to pay for it to meet their goals. As you can guess, there are all sorts of dynamics that can occur in these types of relationships, where a hacker has gotten access to a network and desires to monetize their hacked access. Here are a few drivers of these dynamics:

  • The hacked access is a little like those random prize boxes where you don't know what is inside. The hacker who initially got the access doesn't want to take the time to dig around the victim to see if they can monetize the hacked access. They decide to sell it to someone else who then tries to monetize it for themselves.

  • In these dark web type dealings, you can imagine that there is a lot of hacked access being sold that is bogus and really doesn't work to provide access to a victim network.

  • The attackers that got the initial hacked access don't have the capability to exploit and monetize the hacked access. This is where Ransomware as a Service (RaaS) really started to become a big deal. In the RaaS model, large ransomware operators resold their software and skills to affiliates in areas like coding ransomware, setting up C&C to victim networks, bitcoin payment systems, ransomware negotiations, and leak sites. The affiliates who developed the initial hacked access to a victim, like a school system, could now monetize the hacked access for themselves by paying the RaaS provider a service fee to reuse their capabilities.

The resources necessary to manage the hack are really:

  • The infrastructure to run the hack

  • The malware to run the hack

Infrastructure to run the hack


Think of these as the servers the hackers run to communicate to the environment and the communications channels to those servers. Servers can be physical or virtual. The two most common C&C protocols to run the hack are web services and DNS.


Accounts used for the hack can be compromised or developed depending upon their intended usage.

Malware to run the hack


The infrastructure to run the hack is one thing, but the actual malware, certificates and exploits are different capabilities the hackers need, and they require different skill sets to develop. Just like infrastructure access, there are two primary means for obtaining malware capabilities.


  • Develop - More difficult because it can require specialized skill sets.

  • Purchase


  • Malware -

  • Tool - Tools can be purpose built hacking tools like Cobalt Strike, or other legitimate tools that will be misused for the hack (i.e., psexec).

  • Code Signing Certificates - Much software code is protected by a security mechanism in which it is digitally signed by trusted 3rd parties. Therefore, operating systems can refuse to run code that is not properly signed and/or detection mechanisms can trigger off of unsigned code. By digitally signing malicious code, attackers are attempting to make their bad code look more legitimate.

  • Digital Certificates - Digital certificates are necessary to encrypt communications. Hackers will attempt to encrypt their communications, and in order to do this they need to build valid digital certificates.

  • Exploits - Exploits are capabilities to take advantage of vulnerabilities. For example, getting shell access on a targeted system. Exploits are often posted on free sites like https://www.exploit-db.com/ or bought and sold https://zerodium.com/program.html

  • Vulnerabilities - Monitoring vulnerability disclosure databases

Finally, there is staging the attack capability.

Initial Access & Execution


Initial Access is different than Execution but the two work closely together so I am grouping them here for explanation. Think of initial access as getting to the system and Execution as the moment the system is exploited.



Initial Access


To make this understandable, attackers have four main ways of hacking into an organization, listed below by order of commonality:

  1. Phishing

  2. Web application exploits

  3. External remote services (i.e., RDP)

  4. Supply Chain and Trust Relationships

Phishing


Phishing is an initial access technique in itself. 'Drive-by compromise' also most often occurs through phishing, but doesn't need phishing to occur. Because browsers can execute code, drive-by compromise is when a web site is set up so that when a user visits it, malicious code is executed on the user's computer.



Phishing is a perfect example of the non-linearity of the tactics/techniques displayed in the Mitre ATT&CK framework.




Web application exploits


Mitre refers to this as 'Exploit Public-facing application'. It doesn't have to be a web application, but it is most commonly a web application that is open to the Internet and is exploitable. There is an entire industry around securing and exploiting these Internet facing applications. More information about this topic can be found at www.owasp.org



External remote services (i.e., RDP, SSH)


External remote services are mechanisms the organization has set up for remote access into its systems. This includes VPNs and remote access protocols like SSH and RDP. Most often 'Valid Accounts' also falls under this area because the attackers will be remote. If they have a valid account, they then use the same remote access protocols available to the organization to successfully interact with the system remotely. Ways attackers gain this remote access through a valid account include:

  • Victim sets no auth on their remote access

  • Victim sets default auth on their remote access

  • Victim sets extremely weak auth on their remote access

  • Attacker steals auth credentials through

    • Phishing

    • Exposure (i.e., GitHub, etc.)

    • Social engineering


RDP Spray password guessing tool https://github.com/xFreed0m/RDPassSpray
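On the defender's side, password guessing against remote services leaves a recognizable trace in logon telemetry: one source failing against many different accounts in a short time. The following is an added example, not part of the original post, that detects that pattern and lists any account the same source then logged in to. The CSV layout, the thresholds and the sample events are assumptions constructed for illustration; 4625 and 4624 are the Windows failed and successful logon event IDs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: simplified CSV export of Windows logon events
# (4625 = failed logon, 4624 = successful logon). The column layout is assumed.
SAMPLE_LOG = """\
2024-06-09T08:00:01,4625,203.0.113.50,alice
2024-06-09T08:00:09,4625,203.0.113.50,bob
2024-06-09T08:00:17,4625,203.0.113.50,carol
2024-06-09T08:00:25,4625,203.0.113.50,dave
2024-06-09T08:00:33,4625,203.0.113.50,erin
2024-06-09T08:00:41,4624,203.0.113.50,frank
2024-06-09T08:05:00,4625,198.51.100.7,bob
2024-06-09T08:05:04,4625,198.51.100.7,bob
2024-06-09T08:05:09,4625,198.51.100.7,bob
2024-06-09T08:05:15,4625,198.51.100.7,bob
2024-06-09T08:05:20,4625,198.51.100.7,bob
2024-06-09T08:05:31,4624,198.51.100.7,bob
"""


def parse(log_text):
    """Return (timestamp, event_id, source_ip, user) tuples sorted by time."""
    rows = []
    for line in log_text.strip().splitlines():
        ts, event_id, src, user = (f.strip() for f in line.split(","))
        rows.append((datetime.fromisoformat(ts), event_id, src, user.lower()))
    return sorted(rows)


def detect_spray(rows, window=timedelta(minutes=10), min_users=5):
    """Map source IP -> targeted accounts, start time, and later successful logons."""
    failures = defaultdict(list)
    for ts, event_id, src, user in rows:
        if event_id == "4625":
            failures[src].append((ts, user))
    alerts = {}
    for src, fails in failures.items():
        start = 0
        for end, (ts, _) in enumerate(fails):
            while ts - fails[start][0] > window:  # slide the window forward
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:  # many accounts, one source: spray
                alerts[src] = {"targets": sorted(users), "since": fails[start][0]}
                break
    # A success from a flagged source after the spray began is the account to reset first.
    for ts, event_id, src, user in rows:
        if event_id == "4624" and src in alerts and ts >= alerts[src]["since"]:
            alerts[src].setdefault("succeeded", []).append(user)
    return alerts
```

The second source in the sample fails repeatedly against a single account, so it is not reported as a spray; that pattern belongs to a separate per-account lockout rule.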


Supply Chain and Trust Relationships


Supply chain compromise can be vast. Some people consider "Trusted Relationships" as part of the organization's supply chain. Supply chain and trusted relationships are two distinct techniques, but they both involve the attackers hacking someone else that you trust, whether it is a server/software that you purchase (supply chain compromise) or another type of trusted relationship (i.e., the HVAC vendor in the Target case). The difference in the Mitre ATT&CK techniques is that Supply Chain is an actual compromise of a 3rd party product (hardware or software) that you use, whereas Trusted Relationship could be just a hack into a 3rd party that has less restricted access to the target.


Valid Accounts


Valid accounts are a major way hackers get into organizations, but they are mainly gathered through phishing or exploited through default or weak passwords set on external remote services.


Drive-by Compromise


Drive-by compromise is also referred to as a watering hole attack. The analogy is that the animals in the safari would go to the watering hole for water and then be attacked. In drive-by compromise the hackers set up a malicious site (i.e., the watering hole), and when users go to that site their machines are compromised. Drive-by compromise is still valid, but advances in web browser protections have made it less prolific.


Hardware Additions and Replication Through Removable Media


The last two compromise mechanisms are definitely valid but require someone to have local access to connect to systems. They are of greater concern where you cannot secure and control the physical access to the system and for insider threat cases. By their nature, insider threats often have physical access to systems.

  • Hardware Additions

  • Replication through removable media

Execution


Before diving into the Mitre ATT&CK Execution tactic techniques, it's worth diving into a little more detail of the attack, and to do this we will start the discussion with hacking software. Raphael Mudge is the developer of the Cobalt Strike red team hacking software. From the attacker's perspective, he outlines 4 key processes that need to happen in sequential order: Artifact on Target; Code Execution; Positive C&C; Post Exploitation.


Mudge then outlines the key defenses that can detect and stop the attack at each stage. "Artifact on Target" is Mitre ATT&CK "Initial Access". Not surprisingly, the main Initial Access vector is email phishing, and the defenders' protection and detection systems are the email security protocols DMARC, DKIM and SPF and specialized email security gateways. See https://www.croninity.com/post/email-analysis for more details on email phishing analysis.



Next is code execution. To get successful code execution (i.e., malware execution on the system) you need to get past Endpoint Security, Application Whitelisting and Instrumentation/Telemetry that something bad is executing on the system.



Endpoint Security

Endpoint security products are often referred to as EDR ("Endpoint Detection & Response") products. Some common endpoint security products are:

  • Windows Defender

  • Sentinel One

  • Carbon Black

  • CrowdStrike

Attackers will often try to test their malware and activity against these products to ensure they go undetected. This is one of the main reasons they try to determine what endpoint detection product is used by their victims. The following link https://www.mdpi.com/2624-800X/1/3/21/htm links to a research article where researchers tested various EDR products.


Application Whitelisting

Application whitelisting is the highly secure practice of only allowing applications to run that are approved (i.e., whitelisted). Many organizations choose not to implement application whitelisting because of the availability loss when legitimate software programs are blocked from running and the burden of tracking approved whitelist programs.


Instrumentation and Telemetry

Instrumentation and Telemetry info is EDR and other network systems detecting and reporting on malicious activity.



Code Execution

Now we are at Code Execution which in Mitre ATT&CK is Execution. The two techniques and their sub-techniques we will focus on for this article are:

  • User Execution technique

    • Malicious Link

    • Malicious File

    • Malicious Image

  • Command and Scripting Interpreter technique

    • PowerShell

    • AppleScript

    • Windows Command Shell

    • Unix Shell

    • Visual Basic

    • Python

    • JavaScript

    • Network device CLI


Simply put, this is getting the bad stuff to run on the targeted system. The easiest way to get the bad stuff to run is to have the user click and run it themselves.


In the Mitre ATT&CK tactics, moving from left to right shows several tactics after the Execution tactic but before the Command and Control tactic. These include the tactics of Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, and Collection. This is because the Mitre ATT&CK model is not a linear model. Each of those tactics can happen in any order after the initial access/execution compromise.


The malware has to be controlled and one of the 1st things it does is call back home to the attacker to check in and say to the attacker, "..I'm successfully running on a target/victim machine now tell me what you want to do next..." Before diving into Command & Control you will get a better understanding of it by understanding Red Team software that is used by attackers and red teamers to control malware on victim systems.


Red Team Software








Cobalt Strike training.



Command & Control





C2 matrix, etc




Cloud Flare



Persistence




Privilege Escalation




[[red team wimi]]


Defense Evasion




Credential Access




Discovery





lol bins


Lateral Movement




Collection




Exfiltration




Impact




MS attack lots of good windows attack examples










