Studying Adversarial Tactics, Techniques & Common Knowledge (ATT&CK). Part 1

Part 1. Introduction. Initial Access


 
With this publication I would like to start a series of posts describing the basic techniques that attackers use at the various stages of an attack.

The material is a free retelling of the contents of the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) matrices published by MITRE:

- PRE-ATT&CK (techniques of the preparatory stages of an attack);
- ATT&CK Matrix for Enterprise (attacks on corporate systems);
- ATT&CK Mobile Profile (techniques of attacks on mobile devices).

This series covers the ATT&CK Matrix for Enterprise, which describes the most active and dangerous phases of attacks on the corporate segment:

- Getting initial access (Initial Access);
- Code execution (Execution);
- Gaining a foothold in the attacked system (Persistence);
- Privilege Escalation;
- Defense Evasion;
- Obtaining credentials (Credential Access);
- Reconnaissance of the compromised environment (Discovery);
- Horizontal movement through the network (Lateral Movement);
- Collection of data (Collection);
- Leakage of data (Exfiltration);
- Management and control (Command and Control).
 

Getting Initial Access

The attacker's goal at this stage is to deliver some malicious code to the target system and ensure that it can be executed later.

Drive-by Compromise (drive-by download)

System: Windows, Linux, macOS

Permissions required: User

Description: The victim opens in a browser a web resource on which the attacker has placed in advance exploits for browsers and plug-ins, hidden frames or malicious Java files; these are loaded onto the target system without the user's knowledge.

Recommendations for protection: Use the latest versions of browsers and plug-ins and apply antivirus software. Microsoft suggests using Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET). It also makes sense to consider whether blocking JavaScript execution in the browser is feasible.
 
 
Exploit Public-Facing Application

System: Windows, Linux, macOS

Description: The technique involves exploiting known bugs, glitches and vulnerabilities in software that listens on open network ports (web servers, SSH, SMB, DBMS, etc.). The most common web application vulnerabilities are published by OWASP as the OWASP Top 10.

Recommendations for protection: Use firewalls, segment the network with a DMZ, follow secure software development practices and avoid the weaknesses documented by OWASP and CWE. Scan the external perimeter for vulnerabilities. Monitor application and traffic logs for abnormal behaviour.
 
 
Hardware Additions (hardware implants)

System: Windows, Linux, macOS

Description: Hardware additions can be built into computer accessories, network equipment and computers themselves to give attackers initial access. Commercial and open source products exist that provide a hidden network connection, man-in-the-middle attacks to break encryption, keystroke injection, reading kernel memory via DMA, adding a new wireless network, and so on.

Recommendations for protection: Apply network access control policies such as device certificates and the 802.1X standard, restrict DHCP to registered devices only, prohibit network interaction with unregistered devices, and block the installation of external devices by means of host security (endpoint security agents that restrict device connections).
 
 
Replication Through Removable Media

System: Windows

Description: The technique involves executing a malicious program by means of the Windows autorun feature. To deceive the user, the attacker can pre-modify or replace a "legitimate" file and copy it to the removable device. The payload can also be built into the removable device itself or into the initial formatting of the media.

Recommendations for protection: Disable the autorun features in Windows. Limit the use of removable devices at the level of the organization's security policy. Apply antivirus software.
 
 
Spearphishing Attachment

Description: Malware is attached to phishing e-mails. As a rule, the text of the message contains a plausible reason why the recipient should open the attached file.

Recommendations for protection: Use intrusion prevention/detection systems (IPS/IDS) and antivirus products designed to scan and remove malicious attachments in e-mail. Configure a policy that blocks unused attachment formats. Train users in anti-phishing rules.
 
 
Spearphishing Link

Description: E-mails contain links that lead to downloads of malicious programs.

Recommendations for protection: Checking URLs in e-mail can help detect links to known malicious sites. Use network intrusion prevention/detection systems (IPS/IDS) and antivirus products. Train users in anti-phishing rules.
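As an added example (not part of the original article or of MITRE's material), the following Python script applies two of the checks recommended for the Spearphishing Attachment and Spearphishing Link techniques above: it flags attachment formats that a hypothetical mail policy blocks, and it inspects URLs in the message body against a deny list, also reporting HTML links whose visible text names a different host than the real target. The blocked-extension set, the deny-listed domains and the sample messages are all constructed for illustration; a real deployment would feed the deny list from threat intelligence.

```python
"""Triage of an inbound e-mail for phishing indicators.

Added example, not the article's own code. The extension policy, the
domain deny list and the sample messages below are constructed.
"""
import os
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment formats a (hypothetical) mail policy does not allow through.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso"}
# Constructed deny list standing in for a feed of known malicious sites.
KNOWN_MALICIOUS_DOMAINS = {"evil-update.example", "login-verify.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_of(url: str) -> str:
    """Lower-cased host part of a URL ('' if it cannot be parsed)."""
    return (urlparse(url).hostname or "").lower()


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements of an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage_message(raw: bytes) -> list:
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # Check 1: attachment format policy, judged by the declared file name.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if os.path.splitext(name)[1] in BLOCKED_EXTENSIONS:
            findings.append(f"blocked attachment format: {name}")

    # Check 2: URLs in text and HTML bodies against the deny list; in HTML,
    # also detect links whose visible text points to a different host.
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        for url in URL_RE.findall(body):
            if host_of(url) in KNOWN_MALICIOUS_DOMAINS:
                findings.append(f"known malicious domain: {host_of(url)}")
        if ctype == "text/html":
            collector = AnchorCollector()
            collector.feed(body)
            for href, text in collector.anchors:
                shown = URL_RE.search(text)
                if shown and host_of(shown.group(0)) != host_of(href):
                    findings.append(f"link text/target mismatch: {text} -> {href}")
    return findings


def build_sample_message() -> bytes:
    """Constructed phishing-style message: blocked attachment plus disguised link."""
    msg = EmailMessage()
    msg["From"] = "hr@partner.example"
    msg["To"] = "employee@corp.example"
    msg["Subject"] = "Updated contract, please review"
    msg.set_content("Please open the attached contract.")
    msg.add_alternative(
        "<p>Please review the contract at\n"
        '<a href="https://login-verify.example/x">\n'
        "https://portal.corp.example/contract</a></p>\n",
        subtype="html",
    )
    msg.add_attachment(b"MZ constructed bytes", maintype="application",
                       subtype="octet-stream", filename="contract.exe")
    return msg.as_bytes()


def build_clean_message() -> bytes:
    """Constructed benign message for comparison."""
    msg = EmailMessage()
    msg["From"] = "colleague@corp.example"
    msg["To"] = "employee@corp.example"
    msg["Subject"] = "Minutes"
    msg.set_content("Minutes are at https://portal.corp.example/minutes\n")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print(finding)
```

The mismatch check is the interesting one for the Spearphishing Link case: the deny list only catches sites already known to be bad, whereas a link whose visible text shows the corporate portal but whose target is elsewhere is suspicious on its own, regardless of any feed.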
 
 
Spearphishing via Service

Description: In this scenario attackers send messages through social networking services, personal mail and other services that the enterprise does not control.

Attackers can use fake profiles on social networks, for example to send potential job offers. This lets them ask the targeted employee questions about the policies and software in the company and persuade the victim to open malicious links and attachments. Typically the attacker establishes initial contact and then sends the malicious content to the mailbox the employee uses at work. If the victim fails to run the malicious file, the attackers can give instructions on how to proceed.

Recommendations for protection: Block access to social networks, personal e-mail services and the like. Use application whitelisting, network intrusion prevention/detection systems (IPS/IDS) and antivirus products. Train users in anti-phishing rules.
 
 
Supply Chain Compromise

Description: The scenario involves introducing exploits, backdoors and other hacking tools into software and computer equipment while it is being delivered to the target company. Possible attack vectors:

- Manipulation of software development tools and environments;
- Manipulation of source code repositories;
- Manipulation of software update and distribution mechanisms;
- Compromise and infection of OS images;
- Modification of legitimate software;
- Sale of modified or counterfeit products by a legitimate distributor;
- Interception during shipment.

Typically attackers focus on introducing malicious components into distribution channels and software updates.

Recommendations for protection: Apply a supply chain risk management (SCRM) process and a software development life cycle (SDLC) management process. Use integrity controls for binary software files, antivirus scanning of distributions, testing of software and updates before deployment, and physical inspection of purchased equipment, media with software distributions and accompanying documentation to detect tampering.
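The "integrity controls for binary software files" recommendation above is easiest to understand with a concrete check. The Python below is an added example, not code from the article or from MITRE: it builds a sha256sum-style manifest from a trusted copy of a distribution and then verifies a received copy against it, reporting modified, missing and unexpected files. The sample files and the tampering scenario are constructed; the manifest format ("<hex digest>  <relative path>" per line) is assumed. The manifest itself must reach you over a separate, authenticated channel (for instance a signed release file from the vendor), otherwise whoever alters the package can alter the manifest too.

```python
"""Integrity control of a software distribution against a hash manifest.

Added example, not the article's own code. Manifest lines follow
sha256sum output; the sample files and the tampering are constructed.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def list_files(root: str) -> list:
    """Relative paths (with '/' separators) of every regular file under root."""
    paths = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            paths.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(paths)


def build_manifest(root: str) -> str:
    """sha256sum-style manifest text for a trusted copy of the distribution."""
    return "".join(f"{sha256_file(os.path.join(root, rel))}  {rel}\n"
                   for rel in list_files(root))


def verify_manifest(root: str, manifest_text: str) -> dict:
    """Compare the files under root with the manifest.

    Returns lists under 'ok', 'modified', 'missing' and 'unexpected'.
    Every class matters: an extra file may be a dropped backdoor just as
    a modified one may be a trojaned binary, and a missing file may be a
    removed integrity check.
    """
    expected = {}
    for line in manifest_text.splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)
            expected[rel] = digest.lower()
    present = set(list_files(root))
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in expected.items():
        if rel not in present:
            result["missing"].append(rel)
        elif sha256_file(os.path.join(root, rel)) == digest:
            result["ok"].append(rel)
        else:
            result["modified"].append(rel)
    result["unexpected"] = sorted(present - set(expected))
    return result


def demo() -> tuple:
    """Constructed scenario: verify a clean tree, then a tampered copy of it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "installer"), "wb") as f:
            f.write(b"\x7fELF constructed installer bytes")
        with open(os.path.join(root, "README"), "w") as f:
            f.write("constructed distribution\n")
        manifest = build_manifest(root)          # taken from the trusted copy
        clean = verify_manifest(root, manifest)

        # Simulate tampering in the distribution channel: a patched binary,
        # a dropped extra file and a removed file.
        with open(os.path.join(root, "bin", "installer"), "ab") as f:
            f.write(b" + injected code")
        with open(os.path.join(root, "bin", "helper.dll"), "wb") as f:
            f.write(b"dropped")
        os.remove(os.path.join(root, "README"))
        tampered = verify_manifest(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    for label, report in zip(("clean", "tampered"), demo()):
        print(label, report)
```

In the testing-before-deployment step the article recommends, this check belongs at the front: a package that fails manifest verification should never reach the test environment, let alone production.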
 
 
Trusted Relationship

Description: Attackers can exploit organizations that have access to the intended victim's infrastructure. To communicate with a trusted third party, companies often use a network connection that is less secure than standard access to the company from outside. Examples of trusted third parties: IT service contractors, security service providers, infrastructure contractors. The accounts a trusted party uses to access the company's network can also be compromised and used for initial access.

Recommendations for protection: Segment the network and isolate critical infrastructure components that do not require broad access from outside. Manage the accounts and permissions used by the parties to the trust relationship. Review the security policies and procedures of contracted organizations that require privileged access. Monitor the activity of third-party suppliers and trusted persons.
 
 
Valid Accounts

Description: Attackers can steal the credentials of a particular user or service account using Credential Access techniques, or capture credentials during reconnaissance through social engineering. Compromised credentials can be used to bypass access control systems and gain access to remote systems and external services such as VPN, OWA or remote desktop, or to gain elevated privileges in certain systems and network areas. If the scenario succeeds, attackers may forgo malware altogether, which makes them harder to detect. Attackers can also create accounts with predefined names and passwords to maintain backup access in case other tools fail.

Recommendations for protection: Apply a password policy and follow the recommendations for designing and administering the corporate network so that the use of privileged accounts is limited at all administrative levels. Regularly audit domain and local accounts and their rights to identify those that could give an attacker broad access. Monitor account activity with a SIEM system.
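Because a Valid Accounts intrusion may involve no malware at all, account activity is often the only signal. The Python below is an added example (not the article's or MITRE's code) of the kind of correlation a SIEM rule would run over Windows logon events: a success that follows a burst of failures, a logon from a source address outside the account's baseline, and a logon outside business hours. The records are simplified, constructed stand-ins for Windows Security events 4624 (successful logon) and 4625 (failed logon); the thresholds, the business hours and the baseline of known source addresses are illustrative assumptions.

```python
"""Account-activity monitoring in the spirit of a SIEM correlation rule.

Added example, not the article's own code. Events are constructed
stand-ins for Windows Security events 4624/4625; thresholds, business
hours and the source-address baseline are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5                    # failures before a success is suspicious
FAILURE_WINDOW = timedelta(minutes=10)   # sliding window for counting failures
BUSINESS_HOURS = range(8, 19)            # 08:00-18:59, assumed local time

# Constructed baseline: source addresses each account normally logs on from.
BASELINE_SOURCES = {"alice": {"10.0.1.20"}, "svc_backup": {"10.0.1.5"}}

# Constructed events: (ISO timestamp, event id, account, source address)
SAMPLE_EVENTS = [
    ("2018-09-15T09:01:00", 4624, "alice", "10.0.1.20"),
    ("2018-09-15T09:30:00", 4624, "alice", "10.0.1.20"),
    ("2018-09-15T22:10:00", 4625, "svc_backup", "203.0.113.7"),
    ("2018-09-15T22:11:00", 4625, "svc_backup", "203.0.113.7"),
    ("2018-09-15T22:12:00", 4625, "svc_backup", "203.0.113.7"),
    ("2018-09-15T22:13:00", 4625, "svc_backup", "203.0.113.7"),
    ("2018-09-15T22:14:00", 4625, "svc_backup", "203.0.113.7"),
    ("2018-09-15T22:14:30", 4624, "svc_backup", "203.0.113.7"),
    ("2018-09-16T10:00:00", 4624, "alice", "10.0.1.20"),
]


def _trim(window: deque, now: datetime) -> None:
    """Drop failures that have fallen out of the sliding window."""
    while window and now - window[0] > FAILURE_WINDOW:
        window.popleft()


def analyze(events, baseline=None) -> list:
    """Return alerts as (timestamp, account, reason) tuples.

    Three rules are applied to each successful logon:
      1. success preceded by FAILURE_THRESHOLD failures within FAILURE_WINDOW
         (a guessed or sprayed password that finally worked);
      2. logon from a source address not in the account's baseline;
      3. logon outside BUSINESS_HOURS.
    Rules 1 and 2 firing together is the typical pattern of a stolen or
    guessed credential being used from attacker infrastructure.
    """
    known = defaultdict(set, {a: set(s) for a, s in (baseline or {}).items()})
    failures = defaultdict(deque)
    alerts = []
    for ts, event_id, account, source in sorted(events):
        now = datetime.fromisoformat(ts)
        window = failures[account]
        _trim(window, now)
        if event_id == 4625:
            window.append(now)
        elif event_id == 4624:
            if len(window) >= FAILURE_THRESHOLD:
                alerts.append((ts, account,
                               f"success after {len(window)} failures within {FAILURE_WINDOW}"))
                window.clear()
            if account in known and source not in known[account]:
                alerts.append((ts, account, f"logon from new source {source}"))
            if now.hour not in BUSINESS_HOURS:
                alerts.append((ts, account, "logon outside business hours"))
            known[account].add(source)   # learn the address for later events
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS, BASELINE_SOURCES):
        print(*alert)
```

Service accounts such as the constructed svc_backup deserve the tightest baseline: they normally log on from a fixed set of hosts on a schedule, so a logon from a new address at night is a strong indicator even without preceding failures.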
 
 
The following publication will discuss the tactics used in the Execution phase.


Author: weber

Publication date: 15-09-2018, 23:34

Category: Development / Programming