How Traffic Analysis Systems Detect Hacker Tactics by MITRE ATT&CK, Part 5



This is the final article in the series (first, second, third and fourth parts) in which we look at hacker techniques and tactics according to MITRE ATT&CK and show how suspicious activity can be recognized in network traffic. In this final article we cover the command and control, exfiltration and impact tactics.

Command and control


Command and control (C2 or C&C) techniques are used by attackers to communicate with the systems they control in the victim's network. Attackers typically mimic normal traffic behavior to avoid detection.

Traffic analysis using PT Network Attack Discovery (PT NAD) detects 18 common C&C techniques.

1. T1043: commonly used port

Attackers communicate with the command server through ports that are usually allowed for outgoing connections, for example TCP 80 (HTTP), TCP 443 (HTTPS), TCP 25 (SMTP) and TCP/UDP 53 (DNS). This helps bypass firewall restrictions and pass for standard network activity. Moreover, attackers can use either the application protocol normally assigned to the port or any other application-level protocol, down to transferring data over raw sockets.

What PT NAD does: it automatically detects a mismatch between a common application protocol and its standard port, for example HTTP requests sent to port 53. For more complex cases, a security analyst can examine suspicious session cards in PT NAD, which store information about the ports and protocols of network connections. This reveals the use of standard ports for communication with the command center.

2. T1090: connection proxy

Attackers can use a proxy server as an intermediary for exchanging data with a C&C server. This lets them avoid direct connections to their infrastructure and makes it harder to discover.

What PT NAD does: attackers can also proxy traffic through peer-to-peer (P2P) networks, and PT NAD detects popular P2P protocols automatically. It also detects SOCKS5, HTTP and SSH sessions, the protocols through which attackers most often build proxy channels for moving information out. If connections over such protocols are associated with suspicious events, they may indicate a compromise.

3. T1094: custom command and control protocol

Attackers use their own command and control protocol instead of encapsulating commands in an existing standard application-level protocol.

What PT NAD does: it automatically detects popular types of tunnels over application- and network-layer protocols, such as ICMP, DNS, POP3, SCTP and WebSocket tunnels, as well as SSH over HTTP, SOCKS5 and peer-to-peer activity.

4. T1024: custom cryptographic protocol

Attackers use their own protocol or encryption algorithm to conceal C&C traffic.

What PT NAD does: it detects signs of malware activity in encrypted traffic by analyzing side channels of the encrypted communication. This approach makes it possible to detect malicious traffic even when self-written cryptographic protocols are used.

5. T1132: data encoding

Attackers use standard data encoding algorithms when transmitting information over a C&C channel.

What PT NAD does: it detects malicious scripts whose text is encoded as a string of character codes, and decodes data encoded with Base64. For example, it detects Cobalt Strike agent responses encoded in Base64.

6. T1001: data obfuscation

Attackers make C&C communications harder to detect. Data obfuscation methods include adding extra data to protocol traffic, applying steganography, mixing C&C traffic with legitimate traffic, and using a non-standard encoding scheme.

What PT NAD does: it can detect data encoded with Base64 using a non-standard alphabet, as well as the transmission of obfuscated scripts, shellcode and shell commands.
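The two techniques above (T1132 data encoding and T1001 data obfuscation) come down to the same analyst task: find encoded fragments in a payload and decode them, including Base64 with a non-standard alphabet and scripts written as lists of character codes. The following Python is an added example of that logic, not PT NAD's code; the "custom" alphabet (the standard Base64 alphabet rotated by 13 positions) and the HTTP body it scans are constructed for the demo, and a real analyst would take the alphabet from the malware sample.

```python
"""Decode Base64 (standard, URL-safe and a non-standard alphabet) and
character-code strings found in a payload.

Added example for T1132 and T1001; not PT NAD code. The custom alphabet
and the HTTP body below are constructed for the demo.
"""
import base64
import binascii
import re
import string
from typing import Optional

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
URLSAFE_ALPHABET = STD_ALPHABET[:-2] + "-_"
# Assumption: an analyst recovered this alphabet from a sample (here it is the
# standard alphabet rotated by 13 positions).
CUSTOM_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]

ALPHABETS = {
    "standard": STD_ALPHABET,
    "urlsafe": URLSAFE_ALPHABET,
    "custom-rot13": CUSTOM_ALPHABET,
}

# Candidate tokens: long runs of Base64-looking characters plus optional padding
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{20,}={0,2}")
# Comma-separated character codes, e.g. the argument of String.fromCharCode(...)
CHARCODE_RE = re.compile(r"(?:\d{1,3}\s*,\s*){5,}\d{1,3}")


def looks_like_text(data: bytes) -> bool:
    """True if every byte is printable ASCII or common whitespace."""
    return len(data) > 0 and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def decode_with_alphabet(token: str, alphabet: str) -> Optional[bytes]:
    """Map the given alphabet onto the standard one, then decode strictly."""
    translated = token.translate(str.maketrans(alphabet, STD_ALPHABET))
    translated += "=" * (-len(translated) % 4)  # restore stripped padding
    try:
        return base64.b64decode(translated, validate=True)
    except (binascii.Error, ValueError):
        return None  # not valid Base64 under this alphabet


def decode_charcodes(match: str) -> Optional[str]:
    """Turn '119,104,...' into text; None if any code is not printable ASCII."""
    codes = [int(c) for c in re.split(r"\s*,\s*", match)]
    if not all(32 <= c < 127 for c in codes):
        return None
    return "".join(chr(c) for c in codes)


def scan_payload(text: str) -> list:
    """Return decoded fragments as dicts: kind, raw token and decoded text."""
    findings = []
    for m in TOKEN_RE.finditer(text):
        token = m.group(0)
        for name, alphabet in ALPHABETS.items():  # first alphabet that yields text wins
            decoded = decode_with_alphabet(token, alphabet)
            if decoded is not None and looks_like_text(decoded):
                findings.append({"kind": "base64/" + name, "raw": token,
                                 "decoded": decoded.decode("ascii")})
                break
    for m in CHARCODE_RE.finditer(text):
        decoded = decode_charcodes(m.group(0))
        if decoded is not None:
            findings.append({"kind": "charcodes", "raw": m.group(0), "decoded": decoded})
    return findings


def _encode_custom(plain: bytes) -> str:
    """Encode with the custom alphabet (used only to build the sample)."""
    return base64.b64encode(plain).decode().translate(str.maketrans(STD_ALPHABET, CUSTOM_ALPHABET))


# Constructed sample: an HTTP response body carrying three encoded fragments
SAMPLE_HTTP_BODY = (
    "<html><body><!-- " + base64.b64encode(b"cmd.exe /c whoami /all").decode() + " -->"
    "<script>eval(String.fromCharCode(119,104,111,97,109,105));</script>"
    '<div data-cfg="' + _encode_custom(b"tasklist /v /fo csv") + '"></div></body></html>'
)

if __name__ == "__main__":
    for finding in scan_payload(SAMPLE_HTTP_BODY):
        print(finding["kind"], "->", finding["decoded"])
```

The strict decode (validate=True) matters: with the default lenient mode, characters outside the alphabet are silently dropped and a token that merely resembles Base64 can "decode" to garbage, so the printable-text check alone would produce false positives.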

7. T1483: domain generation algorithms

Instead of listing static IP addresses or domains, attackers use a domain generation algorithm (DGA) to produce the domains to which C&C traffic is directed. This complicates the defenders' work: there may be thousands of potential domains that the malware can connect to.

What PT NAD does: using a special algorithm, PT NAD detects automatically generated domain names in network sessions.



Examples of DGA Domains Discovered Using PT NAD
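The article does not describe PT NAD's DGA algorithm. As an added illustration of the kind of features such detection relies on, the Python below scores the registrable label of each domain on length, character entropy, vowel ratio, consonant runs and digit ratio; the thresholds, the "two-label zone" simplification and the sample domains are assumptions made for this example and this is not PT NAD's code. Note that "positive-technologies" triggers the length and entropy indicators alone, which is why the check requires several indicators at once.

```python
"""Heuristic detection of algorithmically generated domain names.

Added example for T1483; not PT NAD's algorithm. Thresholds are assumptions
chosen for the constructed sample below.
"""
import math
from collections import Counter

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(domain: str) -> str:
    """Second-level label; assumption: single-label TLDs (real systems use the public suffix list)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_indicators(label: str) -> dict:
    """Per-label features used by the scoring below."""
    letters = [c for c in label if c.isalpha()]
    digits = [c for c in label if c.isdigit()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    longest_run = run = 0
    for c in label:  # digits and hyphens break a consonant run
        if c.isalpha() and c not in VOWELS:
            run += 1
            longest_run = max(longest_run, run)
        else:
            run = 0
    return {
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "vowel_ratio": round(vowel_ratio, 3),
        "consonant_run": longest_run,
        "digit_ratio": round(len(digits) / len(label), 3) if label else 0.0,
    }


def dga_score(label: str) -> int:
    """Number of indicators (0..5) that point at machine generation."""
    ind = dga_indicators(label)
    return sum([
        ind["length"] >= 12,
        ind["entropy"] >= 3.5,
        ind["vowel_ratio"] < 0.3,
        ind["consonant_run"] >= 5,
        ind["digit_ratio"] >= 0.3,
    ])


def classify_domains(domains, threshold: int = 3) -> dict:
    """Map each domain to (score, flagged) based on its registrable label."""
    result = {}
    for d in domains:
        score = dga_score(registrable_label(d))
        result[d] = (score, score >= threshold)
    return result


# Constructed sample: well-known benign domains next to DGA-looking ones
SAMPLE_DOMAINS = [
    "habr.com", "microsoft.com", "wikipedia.org", "update.googleapis.com",
    "positive-technologies.com",
    "xkqzvtwplmnb.net", "a1b2c3d4e5f6g7.info", "qwrtypsdfghjkl.org",
]

if __name__ == "__main__":
    for domain, (score, flagged) in classify_domains(SAMPLE_DOMAINS).items():
        print(f"{domain:30} score={score} {'DGA?' if flagged else ''}")
```

A heuristic like this is a triage aid, not a verdict: short dictionary-based DGAs score low, and a production detector would add whitelisting of popular domains and n-gram statistics trained on known-good names.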

8. T1008: fallback channels

Attackers use a backup or alternative communication channel to make communication with the C&C server more reliable and to avoid exceeding thresholds on the amount of transmitted data. Such channels are needed when the main C&C channel is compromised or unavailable.

What PT NAD does: a security analyst can detect this technique by analyzing the malware connection data stored in PT NAD session cards. If malware on one network node connects to several different IP addresses (C&C servers), this may indicate that the attackers are using a backup communication channel.

9. T1188: multi-hop proxy

Attackers chain several proxy servers to mask the source of malicious traffic. Such multi-hop proxying makes it harder to identify the original source, since the defending side has to follow the malicious traffic through several proxy servers.

What PT NAD does: if attackers build a chain of proxies inside the victim's network, it can be traced in PT NAD by analyzing session data. Connections between nodes are displayed visually in the network link graph, which helps track the sequence of proxies.

10. T1104: multi-stage channels

Attackers use multi-stage C&C channels, which are difficult to detect. They do this by dividing the attack into stages, each with its own control servers and its own tools (trojans, RATs). Splitting the functionality into stages with different control servers makes detecting the attackers harder.

What PT NAD does: it automatically detects the use of multi-stage C&C channels by signs of the corresponding malware's activity; for example, it discovers the operation of the MuddyWater group's modules. Detailed data on each identified C&C channel is stored in session cards, which is useful during investigations and proactive threat hunting.

11. T1026: multiband communication

Attackers split a communication channel between different protocols. For example, commands may be transmitted over one protocol and the results of their execution returned over another. This helps circumvent firewall restrictions and avoid alerts on exceeding thresholds for transmitted data.

What PT NAD does: it automatically detects channel splitting by signs of the corresponding malware. For example, it detects in this way the activity of Cobalt Strike agents, which can split the channel to C&C servers between the HTTP, HTTPS and DNS protocols. PT NAD also stores data on each C&C connection together with the protocol used, which helps detect the use of T1026 during investigations or threat hunting.

12. T1079: multilayer encryption

The use of several layers of encryption for C&C communications. A typical example is transferring already encrypted data over a secure protocol such as HTTPS or SMTPS.

What PT NAD does: despite several layers of encryption, PT NAD detects a number of malware families with rules that analyze side channels of the encrypted traffic. Examples of detected threats: malware from the RTM and Ursnif (Gozi-ISFB) families, which transmit already encrypted data over HTTPS.

13. T1219: remote access tools

An attacker uses legitimate software to remotely access controlled systems. Such tools are commonly used by technical support and may be whitelisted, so the attacker's actions are performed on behalf of a trusted user and over an authorized communication channel. Popular utilities include TeamViewer, VNC, Go2Assist, LogMeIn and Ammyy Admin.

What PT NAD does (detection example): PT NAD identifies the network activity of all common remote access utilities, so every remote access session established with such a tool can be analyzed and its legitimacy verified.

For example, PT NAD detected malware that used the VNC remote desktop system to connect to an external IP address. Attackers use VNC, Ammyy Admin and TeamViewer more often than other RATs.



Detecting Remote Access Tools

14. T1105: remote file copy

Attackers copy files from one system to another to deploy their tools or steal information. Files can be copied from an external system controlled by the attacker over the C&C channel, or with other tools over alternative protocols such as FTP.

What PT NAD does: it detects file transfers over the main application protocols and can extract the files for further analysis, for example in a sandbox.

15. T1071: standard application layer protocol

Attackers use common application protocols such as HTTP, HTTPS, SMTP and DNS, so their activity blends in with legitimate traffic, which complicates detection.

What PT NAD does: it sees all sessions that use popular application protocols. A detailed card is stored for each session and is available to users for manual analysis.

16. T1032: standard cryptographic protocol

The use of well-known encryption algorithms to conceal C&C traffic.

What PT NAD does: using indicators of compromise or rules, PT NAD automatically detects connections to the attackers' servers. If those connections are protected with TLS, the security analyst will see it in the PT NAD interface (the system identifies the TLS protocol) and thus discover the use of a standard cryptographic protocol.

17. T1095: standard non-application layer protocol

Attackers use non-application-layer protocols for communication between a network node and a C&C server or between compromised network nodes.

What PT NAD does: since PT NAD analyzes raw traffic, it automatically detects the activity of common malware families that transmit data over raw sockets, that is, over TCP or UDP without an application-layer protocol. Metasploit TCP shells are also detected.

18. T1065: uncommonly used port

C&C communication over a non-standard port to bypass proxy servers and firewalls that are not configured correctly.

What PT NAD does: it identifies application protocols by packet contents rather than by port numbers, so it automatically detects the use of non-standard ports for standard protocols.
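T1043 (commonly used port, above under item 1) and T1065 (uncommonly used port) are two sides of one check: classify the protocol from the payload, then compare it with the destination port. The Python below is an added example of that check, not PT NAD's protocol identification; the port table, the content signatures (which cover only HTTP, SSH, TLS ClientHello, SMTP and DNS over TCP) and the session records are constructed for the demo.

```python
"""Identify the application protocol from payload bytes and compare it with
the destination port, flagging T1043 (wrong protocol on a common port) and
T1065 (standard protocol on an uncommon port).

Added example; this is not PT NAD code. The port tables, signatures and the
session records below are constructed for the demo.
"""
import re
from dataclasses import dataclass

# Protocol normally expected on a commonly allowed port (assumption: short table)
EXPECTED_ON_PORT = {80: "http", 443: "tls", 25: "smtp", 53: "dns", 22: "ssh"}
# Ports on which each protocol counts as "standard" (assumption)
STANDARD_PORTS = {"http": {80, 8080}, "tls": {443, 8443}, "smtp": {25, 587},
                  "dns": {53}, "ssh": {22}}

HTTP_REQUEST_RE = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


@dataclass
class Session:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes sent by the client


def identify_protocol(payload: bytes) -> str:
    """Classify by content; returns 'unknown' when no signature matches."""
    if HTTP_REQUEST_RE.match(payload):
        return "http"
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    # TLS record: type 0x16 (handshake), version 3.x, handshake type 0x01 (ClientHello)
    if len(payload) > 5 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if payload.startswith((b"EHLO ", b"HELO ")):
        return "smtp"
    # DNS over TCP: 2-byte length prefix equal to the rest of the message (crude check)
    if len(payload) >= 14 and int.from_bytes(payload[:2], "big") == len(payload) - 2:
        return "dns"
    return "unknown"


def find_mismatches(sessions):
    """Return one finding per session whose protocol does not fit its port."""
    findings = []
    for s in sessions:
        observed = identify_protocol(s.payload)
        if observed == "unknown":
            continue
        expected = EXPECTED_ON_PORT.get(s.dport)
        if expected is not None and expected != observed:
            technique = "T1043"  # common port carrying a different protocol
        elif s.dport not in STANDARD_PORTS[observed]:
            technique = "T1065"  # known protocol on an uncommon port
        else:
            continue
        findings.append({"technique": technique, "src": s.src, "dst": s.dst,
                         "dport": s.dport, "expected": expected, "observed": observed})
    return findings


# Constructed sample sessions (RFC 5737 documentation addresses)
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")
SAMPLE_SESSIONS = [
    Session("10.0.0.5", "203.0.113.10", 53, b"GET /beacon HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"),
    Session("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    Session("10.0.0.7", "198.51.100.4", 31337, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Session("10.0.0.8", "192.0.2.53", 53, len(DNS_QUERY).to_bytes(2, "big") + DNS_QUERY),
]

if __name__ == "__main__":
    for finding in find_mismatches(SAMPLE_SESSIONS):
        print(finding)
```

Only the first two sessions are reported: HTTP on port 53 is a T1043-style mismatch, SSH on port 31337 is T1065, while TLS on 443 and DNS on 53 are what the ports are for.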

Exfiltration


The exfiltration tactic brings together the techniques that cybercriminals use to steal data from a compromised network. To avoid detection, data is often packaged using a combination of compression and encryption. As a rule, attackers exfiltrate over the C&C channel or an alternative channel.

PT NAD detects two data exfiltration techniques.

1. T1048: exfiltration over alternative protocol

Attackers exfiltrate data over protocols other than the one used for communication with the command center. Alternative protocols include FTP, SMTP, HTTP/S and DNS. External web services such as cloud storage can also be used for exfiltration.

What PT NAD does (detection example): attackers use the DNSCAT2 tool to remotely control a network node and exfiltrate data to a command server, which corresponds to the T1059: command-line interface and T1048: exfiltration over alternative protocol techniques respectively.

PT NAD detected DNSCAT2 activity in traffic. The tool tunnels network traffic over the DNS protocol to a C&C server; in traffic this looks like a large stream of DNS queries and responses.



Detection of application of the T1048 technique: exfiltration over alternative protocol

DNS queries are visible in the session card: a TXT record was requested for an unreadable and very long third-level domain, and a similarly unreadable set of characters came back in the response. At the same time, the DNS time to live (TTL) is short. All of these are indicators of a DNS tunnel.



DNS requests for resolving long and unreadable DNS names are visible in the session card
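The indicators listed above (TXT queries, very long unreadable third-level labels, unreadable answers, short TTL) can be turned into a per-client, per-zone check over DNS query logs. The Python below is an added example of such a check and is not PT NAD's code; the log format, the thresholds, the "zone = last two labels" simplification and the log lines (hex labels under a constructed zone tun.example.net) are all assumptions made for the demo.

```python
"""Flag DNS tunnels in query logs: long unreadable labels, TXT/NULL queries,
high label entropy and very short TTLs, grouped by client and zone.

Added example for T1048; this is not PT NAD code. The log format and the
lines below are constructed:
<time> <client> <qname> <qtype> <answer_ttl> <answer_bytes>.
"""
import math
from collections import Counter, defaultdict

TUNNEL_QTYPES = {"TXT", "NULL"}  # assumption: record types favoured by tunnelling tools


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_line(line: str) -> dict:
    ts, client, qname, qtype, ttl, answer_bytes = line.split()
    return {"time": ts, "client": client, "qname": qname.lower().rstrip("."),
            "qtype": qtype.upper(), "ttl": int(ttl), "answer_bytes": int(answer_bytes)}


def split_zone(qname: str):
    """Return (subdomain, zone); assumption: zones are two labels long."""
    labels = qname.split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def detect_dns_tunnels(log_text: str, min_queries=5, min_sub_len=40,
                       min_entropy=3.0, max_ttl=5) -> list:
    """Return one finding per (client, zone) group that meets all tunnel criteria."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            sub, zone = split_zone(rec["qname"])
            groups[(rec["client"], zone)].append((sub, rec))

    findings = []
    for (client, zone), items in groups.items():
        subs = [sub for sub, _ in items]
        avg_len = sum(len(s) for s in subs) / len(subs)
        # entropy of the longest label of each query, averaged over the group
        entropy = sum(shannon_entropy(max(s.split("."), key=len)) for s in subs) / len(subs)
        tunnel_share = sum(r["qtype"] in TUNNEL_QTYPES for _, r in items) / len(items)
        min_ttl = min(r["ttl"] for _, r in items)
        if (len(items) >= min_queries and avg_len >= min_sub_len
                and entropy >= min_entropy and tunnel_share >= 0.5 and min_ttl <= max_ttl):
            findings.append({"client": client, "zone": zone, "queries": len(items),
                             "avg_subdomain_len": round(avg_len, 1),
                             "label_entropy": round(entropy, 3),
                             "tunnel_qtype_share": round(tunnel_share, 2),
                             "min_ttl": min_ttl})
    return findings


# Constructed log: benign lookups mixed with TXT queries for 48-character hex labels
SAMPLE_DNS_LOG = """\
2020-03-12T10:01:01 10.0.0.5 www.habr.com A 300 4
2020-03-12T10:01:02 10.0.0.5 3a9f0c7e1b8d5264e71c4b0a2f93d6585d28a6e0f4c1397b.tun.example.net TXT 1 180
2020-03-12T10:01:02 10.0.0.5 b04e8d17f36ca9529c5f2a7d03b1e84661b3f9e2c0a54d87.tun.example.net TXT 1 176
2020-03-12T10:01:03 10.0.0.5 e71c4b0a2f93d65861b3f9e2c0a54d873a9f0c7e1b8d5264.tun.example.net TXT 1 192
2020-03-12T10:01:03 10.0.0.9 mail.example.org MX 3600 12
2020-03-12T10:01:04 10.0.0.5 5d28a6e0f4c1397bb04e8d17f36ca952e71c4b0a2f93d658.tun.example.net TXT 1 188
2020-03-12T10:01:04 10.0.0.5 9c5f2a7d03b1e8465d28a6e0f4c1397b3a9f0c7e1b8d5264.tun.example.net TXT 1 170
2020-03-12T10:01:05 10.0.0.5 61b3f9e2c0a54d879c5f2a7d03b1e846b04e8d17f36ca952.tun.example.net TXT 1 184
2020-03-12T10:01:06 10.0.0.9 www.positive-technologies.com A 60 4
2020-03-12T10:01:07 10.0.0.5 cdn.habr.com A 300 4
"""

if __name__ == "__main__":
    for finding in detect_dns_tunnels(SAMPLE_DNS_LOG):
        print(finding)
```

Grouping by client and zone is what makes the check usable: a single odd TXT lookup is noise, while dozens of them from one host to one zone, all with near-maximal label entropy and a TTL of a few seconds, are the pattern the article's screenshot shows.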

2. T1041: exfiltration over command and control channel

Attackers use the C&C channel itself to steal data.

PT NAD sees 18 common techniques by which malware communicates with an attacker's command center. Signs of any of these techniques on the network indicate the presence of a C&C channel through which stolen data can be transmitted.

Impact


At the last step, attackers try to take control of systems and data, interfere with their operation or destroy them. To do this, they use techniques that disrupt the availability or integrity of systems by manipulating operational and business processes.

3. T1498: network denial of service

A denial-of-service attack that reduces or blocks the availability of targeted resources for users.

What PT NAD does: it detects attack amplification and the use of exploits that lead to denial of service.

In an amplification attack, the attacker sends requests to public DNS servers on behalf of the victim's server. The attackers' goal is to saturate the victim's server channel with the voluminous responses from the public DNS servers.
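Seen from the victim's side, the amplification described above leaves a distinctive footprint in flow data: large UDP responses from source port 53, arriving from many different resolvers, with little or no matching outbound query traffic from the host being hit. The Python below is an added example that scores flow records on exactly that, not PT NAD's detection logic; the flow format, the thresholds and the records (a web server at a documentation address receiving responses it never asked for) are constructed for the demo.

```python
"""Detect DNS amplification against a host from flow records: many large
UDP/53 responses from many resolvers with almost no matching queries.

Added example for T1498; not PT NAD code. Flow records below are constructed:
<proto> <src>:<sport> > <dst>:<dport> <bytes> <packets>.
"""
import re
from collections import defaultdict

FLOW_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*>\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<bytes>\d+)\s+(?P<packets>\d+)$"
)


def parse_flows(text: str) -> list:
    """Parse flow lines into dicts; raise on lines that do not match the format."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FLOW_RE.match(line)
        if not m:
            raise ValueError("unparsable flow record: " + line)
        rec = m.groupdict()
        for key in ("sport", "dport", "bytes", "packets"):
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows


def detect_dns_amplification(text: str, min_resolvers=4, min_ratio=10.0,
                             min_inbound_bytes=100_000) -> list:
    """Return hosts receiving far more DNS response bytes than they sent in queries."""
    flows = parse_flows(text)
    inbound = defaultdict(lambda: {"bytes": 0, "resolvers": set()})
    outbound = defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["sport"] == 53:  # DNS response towards f["dst"]
            inbound[f["dst"]]["bytes"] += f["bytes"]
            inbound[f["dst"]]["resolvers"].add(f["src"])
        if f["dport"] == 53:  # DNS query sent by f["src"]
            outbound[f["src"]] += f["bytes"]

    findings = []
    for host, stats in inbound.items():
        ratio = stats["bytes"] / max(outbound[host], 1)  # unsolicited responses give a huge ratio
        if (len(stats["resolvers"]) >= min_resolvers and ratio >= min_ratio
                and stats["bytes"] >= min_inbound_bytes):
            findings.append({"victim": host, "inbound_bytes": stats["bytes"],
                             "outbound_bytes": outbound[host],
                             "resolvers": len(stats["resolvers"]), "ratio": round(ratio, 1)})
    return findings


# Constructed flows: two normal clients (one of them receiving a large but
# legitimate answer from a single resolver) and a server being flooded
SAMPLE_FLOWS = """\
udp 10.0.0.5:51234 > 192.0.2.53:53 200 3
udp 192.0.2.53:53 > 10.0.0.5:51234 800 3
udp 10.0.0.8:40001 > 192.0.2.53:53 120 2
udp 192.0.2.53:53 > 10.0.0.8:40001 4000 4
udp 198.51.100.11:53 > 203.0.113.7:80 61440 42
udp 198.51.100.12:53 > 203.0.113.7:80 59392 40
udp 198.51.100.13:53 > 203.0.113.7:80 63488 44
udp 198.51.100.14:53 > 203.0.113.7:80 58368 39
udp 198.51.100.15:53 > 203.0.113.7:80 60416 41
udp 198.51.100.16:53 > 203.0.113.7:80 62464 43
tcp 10.0.0.5:51900 > 203.0.113.7:80 5200 12
"""

if __name__ == "__main__":
    for finding in detect_dns_amplification(SAMPLE_FLOWS):
        print(finding)
```

The host 10.0.0.8 shows a response-to-query ratio above 30, which is why the check also requires many distinct resolvers and a volume floor: a large answer to a real query from one resolver is normal, a flood from many resolvers with no queries behind it is not.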

4. T1496: resource hijacking

Unauthorized use of system resources for resource-intensive tasks. This may affect the availability of the system or the hosted service.

What PT NAD does: it sees crypto-mining protocol and torrent activity on the network, which indicates extra, inappropriate load on the network and equipment.
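Mining pools are mostly spoken to over Stratum, a newline-delimited JSON-RPC protocol whose method names (mining.subscribe, mining.authorize, mining.submit, and login/submit in the Monero variant) are plain text in the TCP stream. The Python below is an added example of recognizing a mining session from reassembled streams; it is not PT NAD's detector, the method table is a partial assumption, and the miner/pool and web sessions are constructed for the demo, including a truncated message to show that malformed lines are skipped rather than aborting the scan.

```python
"""Spot Stratum mining-pool sessions in reassembled TCP streams.

Added example for T1496; this is not PT NAD code. The method names are the
Stratum v1 / XMR-stratum JSON-RPC methods (assumption: the table is partial);
the session data below is constructed.
"""
import json

STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "mining.notify", "mining.set_difficulty", "login", "submit"}


def stratum_methods(stream: bytes) -> list:
    """Return Stratum method names from newline-delimited JSON-RPC messages."""
    methods = []
    for raw in stream.split(b"\n"):
        raw = raw.strip()
        if not raw.startswith(b"{"):
            continue  # not JSON-RPC (HTTP, binary noise, empty line)
        try:
            msg = json.loads(raw)
        except ValueError:
            continue  # truncated or malformed message: skip, do not abort
        if isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS:
            methods.append(msg["method"])
    return methods


def is_mining_session(client_stream: bytes, server_stream: bytes, min_methods: int = 2) -> bool:
    """True when both directions together show at least min_methods distinct Stratum methods."""
    seen = set(stratum_methods(client_stream)) | set(stratum_methods(server_stream))
    return len(seen) >= min_methods


# Constructed sessions: a miner talking to a pool (one message truncated) and a plain web request
MINER_TO_POOL = (
    b'{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5"]}\n'
    b'{"id": 2, "method": "mining.authorize", "params": ["wallet.worker1", "x"]}\n'
    b'{"id": 3, "method": "mining.extranonce.subscribe"\n'
    b'{"id": 4, "method": "mining.submit", "params": ["wallet.worker1", "job1", "00000000", "5e6b1a2c", "1f2e3d4c"]}\n'
)
POOL_TO_MINER = (
    b'{"id": 1, "result": [[["mining.notify", "ae6812eb4cd7735a302a8a9dd95cf71f"]], "08000002", 4], "error": null}\n'
    b'{"id": null, "method": "mining.set_difficulty", "params": [2048]}\n'
    b'{"id": null, "method": "mining.notify", "params": ["job1", "..."]}\n'
)
WEB_CLIENT = b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
WEB_SERVER = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    print("miner session:", is_mining_session(MINER_TO_POOL, POOL_TO_MINER))
    print("web session:", is_mining_session(WEB_CLIENT, WEB_SERVER))
```

Requiring more than one distinct method per session avoids alerting on a single stray JSON document that happens to contain the word "login"; miners over TLS would need the same logic applied after decryption or a fallback to destination reputation and traffic-shape features.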

5. T1489 : service stop


Attackers can stop or disable services on a system to make them unavailable to legitimate users.

What PT NAD does (detection example): cybercriminals stopped the IIS web server service to block access to a customer service portal. PT NAD detected a call to the Service Control Manager (SCM) to stop the service, which is possible thanks to the inspection of SMB traffic.



Detection of an attack in which attackers sent a request to disconnect web server services

PT NAD automatically detects calls to SCM to create, modify, start and stop services.

As a reminder, the full mapping of PT NAD to the MITRE ATT&CK matrix is published on Habr.

Instead of a conclusion: what else an NTA system is needed for


Traffic is a useful data source for detecting attacks. It reveals signs of all 12 tactics that APT groups use. By analyzing traffic with NTA systems, companies reduce the attackers' chances of successfully developing an attack and completely compromising the network. There are other scenarios for using NTA-class systems as well.

  • Network Compliance Control

The success of a cyber attack on a company depends on the level of security of its corporate infrastructure. Analysis of the traffic of large Russian companies showed that in 94% of cases employees do not comply with information security policies. The security policies of many organizations prohibit employees from visiting questionable resources, downloading torrents, installing instant messengers, or using various remote access utilities.

When analyzing network protocols, an NTA system sees passwords transmitted in clear text, unencrypted mail messages and the use of remote access software. This helps control compliance with password policies and the use of RATs and insecure data transfer protocols.

To find out which violations of information security regulations are the most common, how PT NAD detects them and how to fix the problem, watch the webinar or read the article by a PT Expert Security Center expert.

  • Attack Investigation

NTA systems that store session metadata and raw traffic help investigate incidents: localize a threat, restore attack history, identify vulnerabilities in the infrastructure, and work out compensatory measures.

See an example of an investigation into an attack on the parent company of a large company.

  • Threat hunting

NTA tools can also be used for threat hunting, the process of searching for threats that traditional security tools do not detect. The specialist puts forward a hypothesis, for example that a hacker group is present on the network, that there is an internal intruder or that data is leaking, and then checks it. This method makes it possible to identify compromises and vulnerabilities in the infrastructure even when security systems give no signals.

Watch a webinar with three threat hunting case studies using PT NAD.

How are attackers targeting your company? 97% of companies have suspicious activity in their network traffic. Check what is happening on your network: request a free pilot of the PT NAD traffic analysis system.

Authors :

  • , (PT Expert Security Center) Positive Technologies
  • , Positive Technologies
