If you are playing a team sport you can be fantastic at a single area, but still lose. For example, if you have great goal scorers and a lousy defense you might win some games, but you will lose a lot. Likewise, in cyber security you can have great firewalls or endpoint protection, but if you are missing other key cyber security functions you will also lose. Having a strong cyber security program is like having a balanced team that can perform well in all aspects of cyber security.
If you want to know what the key areas for a strong cyber security program are, see [[CIS v8]].
Having a strong security program in multiple key areas is only half of the battle. The other aspect is executing well in real live hacking situations. This is just like a team that has all the right skills but doesn't execute a successful game plan to win.
[[sport strategy image]]
To have a good game plan yourself you need to understand the attacker's game plan. Various cyber researchers have modeled out hacker game plans.
[[kill chain]]
[[mitre attack]]
[[online kill chain]]
Breaking down frameworks.
Breaking Down Attacks
The first part of the attack happens before the actual attack. It is the attacker planning their attack to make it more effective. Mitre ATT&CK outlines two key tactics which each have techniques and sub-techniques.
Reconnaissance
Resource Development
Reconnaissance
Reconnaissance involves the attackers learning as much about the organization as possible to make their attack more effective. There are several ways that attackers do reconnaissance. To make it easier to understand I am dividing Mitre ATT&CK reconnaissance tactic techniques into three sub-categories:
Learning about the company through publicly available information the company has divulged
Learning details about the company that can be exploited through specialized sources, including paid for sources, like databases and other tools
Interacting with the targeted organization's IT systems
When attackers use these reconnaissance techniques, they often use OSINT ("Open-Source Intelligence") techniques and specialized tools that support OSINT research. The definition of OSINT is:
"Open-source intelligence (OSINT) is intelligence that is produced from publicly available information and is collected, exploited, and disseminated in a timely manner to an appropriate audience for the purpose of addressing a specific intelligence requirement."
Learning about the company through publicly available information the company has divulged
Here are just a few examples of this type of information collection.
Gather Victim Host Information
If the attackers know the technology stack of the company they are attacking, they can tailor their attacks to that technology stack. This can be as simple as reading the company's technology job postings to see what types of technologies they are hiring for.
Gather Victim Identity Information
Determining the target (i.e., victim) identities is one of the most important steps, because attackers will use those identities as the recipients of their phishing emails. Knowing identities also helps attackers target specific places in the organization.
Gather Victim Org Information
This includes other business-related information. One of the most important sub-techniques here is "Business relationships". Through business relationships, 3rd parties often have sensitive information about the company and can also have access into the organization. To gain access to the organization, the attacker could exploit the 3rd party first. An example of this was the initial attack vector for the 2013 Target data breach. A company called Fazio Mechanical had a contract with Target to maintain Target store HVAC systems. Fazio Mechanical had remote access to Target HVAC systems, and when Fazio Mechanical was compromised the hackers had a backdoor into the Target network through the remote HVAC system access.
Search Open-Source Technical Databases
Gather Victim Network Information
There are certain aspects of a business that are needed in order for the business to have an online presence. This includes the company's public IP address and DNS information. Because this information needs to be public on the Internet for it to run, it is also searchable. There are several web sites, like https://www.whois.com/, that offer free searches for this information.
Learning details about the company that can be exploited through specialized sources, including paid for sources, like databases and other tools
Search Closed Sources
Search Open Websites/Domains
One of the sites that publishes exploitable systems on the Internet is called Shodan (https://www.shodan.io/). Defenders use Shodan to determine if they have any systems exposed to the Internet, but attackers also use tools like Shodan to quickly find exposed systems.
Many organizations also develop software and tools and post them to the Internet on systems like https://github.com/, which is open-source software for managing software code and releases. In some cases, the information on sites like GitHub includes authentication information like usernames/passwords and API keys. This is how SolarWinds was compromised by the Russians.
"Last week, SolarWinds’ CEO testified in front of Congress on the hack that is largely considered the most damaging in US history. Representatives chastised the company over how the now infamous password “solarwinds123” was used for a file server. Even more damaging, that password was found in publicly available repos on GitHub." ( https://securityboulevard.com/2021/03/solarwinds-intern-leaked-passwords-on-github/ )
Examples of tools that search GitHub repos for exploitable information are BishopFox GitGot (https://github.com/BishopFox/GitGot) and TruffleHog (https://github.com/trufflesecurity/trufflehog).
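The kind of check a defender can run over their own repositories before anything is pushed, as an added example (not code from GitGot, TruffleHog or this article). The rule names, patterns and sample files are assumptions constructed for illustration; the point it shows is that a guessable password like the one quoted above has low entropy, so pattern rules are needed alongside any entropy threshold.

```python
import math
import re

# Constructed sample files standing in for a repository checkout; no real credentials.
SAMPLE_REPO = {
    "deploy/upload.sh": "curl -u backup:examplecorp123 ftp://files.example.test/\n",
    "app/settings.py": 'API_KEY = "q8Zr2LmX9vTfK4hB7nWdY1sJ6cPeA3uG"\nDEBUG = False\n',
    "app/db.py": 'password = os.environ["DB_PASSWORD"]\n',
    "README.md": "Set the password in your environment, never in the repo.\n",
}

# Illustrative rules (assumptions, not any tool's rule set); group 1 is the secret.
RULES = [
    ("credential-assignment", re.compile(
        r"(?i)\b(?:pass(?:word|wd)?|secret|token|api[_-]?key)\b\s*[:=]\s*[\"']([^\"']{6,})[\"']")),
    ("curl-basic-auth", re.compile(r"-u\s+[\w.-]+:(\S{6,})")),
    ("url-userinfo", re.compile(r"://[\w.-]+:([^\s@/]{6,})@")),
]


def shannon_entropy(value):
    """Bits per character: random tokens score high, dictionary-style passwords low."""
    counts = {ch: value.count(ch) for ch in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def scan(files):
    """Return one finding per rule hit, with the secret redacted for safe reporting."""
    findings = []
    for path, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule, pattern in RULES:
                match = pattern.search(line)
                if match is None:
                    continue
                secret = match.group(1)
                findings.append({
                    "path": path,
                    "line": lineno,
                    "rule": rule,
                    "redacted": secret[:2] + "*" * (len(secret) - 2),
                    "entropy": round(shannon_entropy(secret), 2),
                })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_REPO):
        print(finding)
```

The environment-variable lookup in `app/db.py` and the prose in `README.md` produce no findings, which is the behaviour you want from a check that runs on every commit.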
Interacting with the targeted organization's IT systems
Interacting with the organization means the attacker probes the target's systems to gather information and find weaknesses. The danger for an attacker interacting with a system is that they can get caught doing so, which tips the target off to a possible attack.
One of the main ways to probe systems for weaknesses and vulnerabilities is scanning.
Sending emails into the organization (i.e., Spearphishing) is used to execute attacks but is also commonly used to gather information.
Attackers will often search victims' web sites with specialized web site crawling tools. This is also called 'scraping' and is a common occurrence on the Internet for all sorts of reasons: https://www.octoparse.com/blog/top-20-web-crawling-tools-for-extracting-web-data
Before moving on to the next Mitre tactic, it's worth mentioning a purpose-built tool called Maltego (https://www.maltego.com/) that is designed to help organize all the open-source information collected.
Resource Development
After the attackers scope and recon their target, the next step for them is to develop the applicable tools and capabilities to compromise that victim. You can see how reconnaissance and resource development work hand-in-hand. For attackers, there is no sense in developing a hacking capability that they cannot use against their intended victim.
For attackers, the simplest form of resource development is simply Acquiring Access to their target through black market purchase. Gaining remote access to a victim is one thing, but using that remote access to exploit the target takes another level of effort. Additionally, attacker goals against victims vary by attacker. For example, a hacker that is strictly interested in money may get remote access to a government network but have no way to monetize that access. A foreign government may want to steal information from the targeted government victim. Now the initial hacker has a way to monetize their hacked access to the victim government network. They can sell that access to an attacker who is willing to pay for it to meet their goals. As you can guess, there are all sorts of dynamics that can occur in these types of relationships where a hacker has gotten access to a network and desires to monetize their hacked access. Here are a few drivers of these dynamics:
The hacked access is a little like those random prize boxes where you don't know what is inside. The hacker who initially got the access doesn't want to take the time to dig around the victim to see if they can monetize the hacked access. They decide to sell it to someone else who then tries to monetize it for themselves.
In these dark web type dealings, you can imagine that there is a lot of hacked access being sold that is bogus and really doesn't work to provide access to a victim network.
The attackers that got the initial hacked access don't have the capability to exploit and monetize the hacked access. This is where Ransomware as a Service (RaaS) really started to become a big deal. In the RaaS model, large ransomware operators resold their software and skills to affiliates in areas like coding ransomware, setting up C&C to victim networks, bitcoin payment systems, ransomware negotiations, and leak sites. The affiliates who developed the initial hacked access to a victim, like a school system, could now monetize the hacked access for themselves by paying the RaaS provider a service fee to reuse their capabilities.
The resources necessary to manage the hack are really:
The infrastructure to run the hack
The malware to run the hack
Infrastructure to run the hack
Think of these as the servers the hackers run to communicate to the environment and the communications channels to those servers. Servers can be physical or virtual. The two most common C&C protocols to run the hack are web services and DNS.
Accounts used for the hack can be compromised or developed depending upon their intended usage.
Malware to run the hack
The infrastructure to run the hack is one thing, but the actual malware, certificates and exploits are different capabilities the hackers need, and they require different skill sets to develop. Just like infrastructure access, there are two primary means for obtaining malware capabilities.
Develop - More difficult because it can require specialized skill sets.
Purchase
Malware -
Tool - Tools can be purpose-built hacking tools like Cobalt Strike, or other legitimate tools that will be misused for the hack (e.g., psexec).
Code Signing Certificates - Much software code is protected by a security mechanism in which it is digitally signed by trusted 3rd parties. Operating systems can therefore refuse to run code that is not properly signed, and/or detection mechanisms can trigger off of unsigned code. By digitally signing malicious code, attackers are attempting to make their bad code look more legitimate.
Digital Certificates - Digital certificates are necessary to encrypt communications. Hackers will attempt to encrypt their communications. In order to do this, the hackers need to build valid digital certificates.
Exploits - Exploits are capabilities to take advantage of vulnerabilities, for example getting shell access on a targeted system. Exploits are often posted on free sites like https://www.exploit-db.com/ or bought and sold (https://zerodium.com/program.html).
Interesting article on government market for zero day exploits https://www.wired.com/story/untold-history-americas-zero-day-market/
Vulnerabilities - Monitoring vulnerability disclosure databases
Finally, there is staging the attack capability.
Initial Access & Execution
Initial Access is different than Execution but the two work closely together so I am grouping them here for explanation. Think of initial access as getting to the system and Execution as the moment the system is exploited.
Initial Access
To make this understandable, attackers have four main ways of hacking into an organization, listed below by order of commonality:
Phishing
Web application exploits
External remote services (i.e., RDP)
Supply Chain and Trust Relationships
Phishing
Phishing is an initial access technique in itself. 'Drive-by compromise' also most often occurs through phishing, but doesn't need phishing to occur. Because browsers can execute code, drive-by compromise is when a web site is set up so that when a user visits it, malicious code is executed on the user's computer.
Phishing is a perfect example of the non-linearity of the tactics/techniques displayed in the Mitre ATT&CK framework.
Web application exploits
Mitre refers to this as 'Exploit Public-facing application'. It doesn't have to be a web application, but it is most commonly a web application that is open to the Internet and is exploitable. There is an entire industry around securing and exploiting these Internet facing applications. More information about this topic can be found at www.owasp.org
External remote services (i.e., RDP, SSH)
External remote services are mechanisms the organization has set up for remote access into its systems. This includes VPNs and remote access protocols like SSH and RDP. Most often 'Valid Accounts' also falls under this area because the attackers will be remote. If they have a valid account, they then use the same remote access protocols available to the organization to successfully interact with the system remotely. Ways attackers gain this remote access through a valid account include:
Victim sets no auth on their remote access
Victim sets default auth on their remote access
Victim sets extremely weak auth on their remote access
Attacker steals auth credentials through
Phishing
Exposure (e.g., GitHub)
Social engineering
RDP Spray password guessing tool https://github.com/xFreed0m/RDPassSpray
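Password spraying against a remote access service leaves a recognizable pattern on the defender's side: one source failing against many different accounts in a short time. The following is an added detection example (not from this article or from any tool it links to); the log format, field order, thresholds and addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log (timestamp, source IP, account, outcome); the format is an assumption.
SAMPLE_LOG = """\
2024-03-04T09:00:01 203.0.113.7 alice FAIL
2024-03-04T09:00:31 203.0.113.7 bob FAIL
2024-03-04T09:01:02 203.0.113.7 carol FAIL
2024-03-04T09:01:15 198.51.100.20 grace FAIL
2024-03-04T09:01:29 198.51.100.20 grace FAIL
2024-03-04T09:01:33 203.0.113.7 dave FAIL
2024-03-04T09:01:50 198.51.100.20 grace OK
2024-03-04T09:02:04 203.0.113.7 erin FAIL
2024-03-04T09:02:30 203.0.113.7 frank OK
"""


def parse(log):
    """Turn the log text into time-ordered (timestamp, source, account, outcome) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, src, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, account, outcome))
    return sorted(events)


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag sources that fail against >= min_accounts distinct accounts within one window.

    Also lists accounts the same source logged in to successfully from the start
    of that window onward, since those are the ones to reset and investigate first.
    """
    failures = defaultdict(list)
    for ts, src, account, outcome in events:
        if outcome == "FAIL":
            failures[src].append((ts, account))

    alerts = {}
    for src, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            accounts = {acct for _, acct in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                since = fails[start][0]
                hits = {a for ts, s, a, o in events if s == src and o == "OK" and ts >= since}
                alerts[src] = {"accounts": sorted(accounts), "successes": sorted(hits)}
                break
    return alerts


if __name__ == "__main__":
    for source, detail in detect_spray(parse(SAMPLE_LOG)).items():
        print(source, detail)
```

The source that mistypes one account's password several times and then succeeds is not flagged; only the source that touches many accounts is, and its one successful login is surfaced as the account to reset first.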
Supply Chain and Trust Relationships
Supply chain compromise can be vast. Some people consider "Trusted Relationships" as part of the organization's supply chain. Supply Chain and Trusted Relationships are two distinct techniques, but they both involve the attackers hacking someone else that you trust, whether it is a server/software that you purchase (supply chain compromise) or another type of trusted relationship (i.e., HVAC vendor in Target case). The difference in the Mitre ATT&CK techniques is that Supply Chain is an actual compromise of a 3rd party product (hardware or software) that you use, whereas Trusted Relationship could be just a hack into a 3rd party that has less restricted access to the target.
Valid Accounts
Valid accounts are a major way hackers get into organizations, but they are mainly gathered through phishing or are exploitable through default or weak passwords set on external remote services.
Drive-by Compromise
Drive-by compromise is also referred to as a watering hole attack. The analogy is that the animals in the safari would go to the watering hole for water and then be attacked. In drive-by compromise the hackers set up a malicious site (i.e., the watering hole), and when users go to that site their machines are compromised. Drive-by compromise is still valid, but advances in web browser protections have made it less prolific.
Hardware Additions and Replication Through Removable Media
The last two compromise mechanisms are definitely valid but require someone to have local access to connect to systems. They are of greater concern where you cannot secure and control the physical access to the system and for insider threat cases. By their nature, insider threats often have physical access to systems.
Hardware Additions
Replication through removable media
Execution
Before diving into the Mitre ATT&CK Execution tactic techniques, it's worth diving into a little more detail of the attack, and to do this we will start the discussion on hacking software. Raphael Mudge is the developer of the Cobalt Strike Red Team hacking software. From the attacker's perspective, he outlines 4 key processes that need to happen in sequential order: Artifact on Target; Code Execution; Positive C&C; Post Exploitation.
Mudge then outlines the key defenses that defenders have to detect and stop his attack at each stage. "Artifact on Target" is Mitre ATT&CK "Initial Access". Not surprisingly, the main Initial Access vector is through email phishing, and the defenders' protection and detection systems are the email security protocols DMARC, DKIM and SPF and specialized email security gateways. See this link https://www.croninity.com/post/email-analysis for more details on email phishing analysis.
Next is code execution. To get successful code execution (i.e., malware execution on the system) you need to get past Endpoint Security, Application Whitelisting and Instrumentation/Telemetry that something bad is executing on the system.
Endpoint Security
Endpoint security products are often referred to as EDR ("Endpoint Detection & Response") products. Some common endpoint security products are:
Windows Defender
Sentinel One
Carbon Black
CrowdStrike
Attackers will often try to test their malware and activity against these products to ensure they go undetected. This is one of the main reasons they try to determine what endpoint detection product is used by their victims. The following link https://www.mdpi.com/2624-800X/1/3/21/htm links to a research article where researchers tested various EDR products.
Application Whitelisting
Application whitelisting is the highly secure practice of only allowing applications to run that are approved (i.e., whitelisted). Many organizations choose not to implement application whitelisting because of the availability loss of legitimate software programs being able to run and the burden of tracking approved whitelist programs.
Instrumentation and Telemetry
Instrumentation and Telemetry info is EDR and other network systems detecting and reporting on malicious activity.
Code Execution
Now we are at Code Execution which in Mitre ATT&CK is Execution. The two techniques and their sub-techniques we will focus on for this article are:
User Execution technique
Malicious Link
Malicious File
Malicious Image
Command and Scripting Interpreter technique
PowerShell
AppleScript
Windows Command Shell
Unix Shell
Visual Basic
Python
JavaScript
Network device CLI
Simply put this is getting the bad stuff to run on the targeted system. The easiest way to get the bad stuff to run is have the user click and run it themselves.
In the Mitre ATT&CK matrix, moving from left to right shows several tactics after the Execution tactic but before the Command and Control tactic. These include the tactics of Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, and Collection. This is because the Mitre ATT&CK model is not a linear model. Each of those tactics can happen in any order after the initial access/execution compromise.
The malware has to be controlled, and one of the first things it does is call back home to the attacker to check in and say to the attacker, "..I'm successfully running on a target/victim machine now tell me what you want to do next..." Before diving into Command & Control, you will get a better understanding of it by understanding the Red Team software that is used by attackers and red teamers to control malware on victim systems.
Red Team Software
Cobalt Strike training.
Command & Control
C2 matrix, etc
Cloud Flare
Persistence
Privilege Escalation
[[red team wimi]]
Defense Evasion
Credential Access
Discovery
Good link on Conti tools used for discovery - https://www.picussecurity.com/resource/leaked-tools-ttps-and-iocs-used-by-conti-ransomware-group
lol bins
Lateral Movement
Collection
Exfiltration
Impact
MS attack lots of good windows attack examples