Part 1. Introduction. Getting the initial access

 
By this publication I would like to start a series of posts devoted to the description of the basic techniques used by attackers at various stages of hacker attacks.
 
The material presented will be a free retelling of the content of the matrices. Adversarial Tactics, Techniques & Common Knowledge (ATT @ CK ) from the company The Miter :
 
 
 
PRE-ATT & CK (techniques of preparatory stages of attack);
 
 
ATT & CK Matrix for Enterprise (attacks on corporate systems);
 
 
ATT & CK Mobile Profile (techniques of attacks on mobile devices).
 
 
ATT & CK Matrix for Enterprise , which describes the most active and dangerous phases of hacker attacks on the corporate segment:
 
 
- Getting initial access;
 
- Execution of code (Execution);
 
- Fixing in the attacked system (Persistence);
 
- Privilege Escalation;
 
- Defense Evasion;
 
- Obtaining credentials (Credential Access);
 
- Overview (Discovery);
 
- Horizontal advancement (Lateral Movement);
 
- Collection of data (Collection);
 
- Leakage (Exfiltration);
 
- Management and control (Command and Control).
 

Getting Initial Access

 
The purpose of the attacker at this stage of the attack is to deliver some malicious code to the attacked system and ensure the possibility of its further execution.
 
Shadow loading (
? Drive-by-Compromise
? ?
? drive-by-download.pdf "> Drive-by download . ) .
 
System: Windows, Linux, macOS
 
Rights: User
 
Description: The essence of the technique is the discovery by the victim in the browser of a WEB-resource, in which the attacker prepared in advance various exploits of browsers and plug-ins,
 
hidden frames or malicious Java files that will be loaded into the attacked system without the user's knowledge.
 
 
Recommendations for protection: Use the latest versions of browsers and plugins and
 
application of antivirus software. Microsoft suggests using Windows Defender Exploit Guard (WDEG) and Enhanced Mitigation Experience Toolkit (EMET) . It makes sense also to consider the feasibility of blocking execution in the jаvascript browser.
 
 
Use of exploits of public applications ( , Exploit Public-Facing
 
Application )
 
System: Windows, Linux, macOS
 
Description: The technique involves the use of known bugs, glitches and vulnerabilities in software that has open network ports (web servers, SSH network services, SMB? DBMS, etc.). Top 10 vulnerabilities in web applications is published by OWASP.
 
 
Recommendations for protection: Use firewalls, segment the network with DMZ, use recommendations for safe software development, avoid problems documented by OWASP and CWE. Scanning the external perimeter for vulnerabilities. Monitoring application and traffic logs for abnormal behavior.
 
 
Hardware bookmarks ( , Hardware Additions )
 
System: Windows, Linux, macOS
 
Description: In additional computer accessories, network equipment and computers, hardware additions can be built in to provide initial access to the attackers. In commercial and open source products, the possibility of a hidden network connection, the implementation of "man in the middle" attacks to crack encryption systems, implement keystroke injection, read kernel memory via DMA, add a new wireless network, and so on.
 
 
Recommendations for protection: Applying network access control policies such as using certificates for devices and the 802.1.x standard, restricting the use of DHCP to only registered devices, prohibiting network interaction with unregistered devices, blocking the installation of external devices by using host security (Endpoint Security agents to restrict device connections ).
 
 
Distribution with removable media devices ( , Replication Through Removable Media )
 
System: Windows
 
Description: The technique involves executing a malicious program using the autorun feature in Windows. To deceive a user, a "legitimate" file can be pre-modified or replaced, and then copied to a removable device by an attacker. Also, the payload of the removable device or the program of initial formatting of the media can be implemented.
 
 
Recommendations for protection: Disable autorun functions in Windows. Limit the use of removable devices at the level of the organization's security policy. Application of antivirus software.
 
 
Targeted phishing attachments ( Spearphishing Attachment )
 
Description: Use of malware attached to phishing e-mails. The text of the letter, as a rule, contains a plausible reason why the recipient should open the file in the attachment.
 
 
Recommendations for protection: Use of Intrusion Prevention (IDS) and antivirus systems designed to scan and remove malicious attachments in emails. Configuring a policy to block unused attachment formats. Training users for anti-phishing rules.
 
 
Targeted phishing links ( , Spearphishing Link )
 
Description: Using links to downloading malicious programs in emails.
 
 
Recommendations for protection: Verifying URLs in e-mail can help detect links to known malicious sites. Use of systems of prevention of network intrusions (IDS) and antiviruses. Training users for anti-phishing rules.
 
 
Targeted phishing services ( Spearphishing via Service )
 
Description: In this scenario, attackers send messages through various social networking services, personal mail and other services not controlled by the enterprise.
 
Attackers can use fake profiles in social. networks, for example, to send potential job offers. This allows you to ask the employee-victim questions about the policies and software in the company, to make the victim to open malicious links and attachments. Typically, an attacker establishes the initial contact, and then sends the malicious content to the mail that the employee of the attacked company uses in the workplace. If the victim does not manage to launch a malicious file, then they can give him instructions on how to proceed.
 
 
Recommendations for protection: Blocking access to social networks, personal email services, etc. Use of white lists of applications, systems of prevention of network intrusions (IDS) and antiviruses. Training users for anti-phishing rules.
 
 
Compromise of the supply chain (
? Supply Chain Compromise
)
 
Description: The scenario involves the introduction into the software and computer equipment of all sorts of exploits, backdoors and other hacking tools at the stage of deliveries to the attacked company of software and computer equipment. Possible attack vectors:
 
- Manipulation of tools and software development environments;
 
- Work with source code repositories;
 
- Manipulation with mechanisms for updating and distributing software;
 
- Compromise and infection of OS images;
 
- Modification of legal software;
 
- Sale of modified /counterfeit products by a legitimate distributor;
 
- Interception at the stage of shipment.
 
Typically, attackers focus on the introduction of malicious components in distribution channels and software updates.
 
 
Recommendations for protection: Application of the Risk Management System in Supply Chains (SCRM) and the Software Development Lifecycle Management System (SDLC). Use of integrity control procedures for binary software files, antivirus scanning of distributions, testing of software and upgrades before deployment, physical inspection of purchased equipment, media with software distributions and accompanying documentation to detect falsifications.
 
 
Trust relationship ( Trusted Relationship )
 
Description: Attackers can use organizations that have access to the infrastructure of the alleged victim. Often, to communicate with a trusted third party, companies use a less secure network connection than standard access to the company from outside. Examples of trusted third parties: IT service contractors, security service providers, infrastructure contractors. Also, accounts used by a trusted party to access the company's network can be compromised and used for initial access.
 
 
Recommendations for protection: Network segmentation and isolation of critical infrastructure components that do not require broad access from outside. Management of accounting
 
records and permissions used by the parties to the trust relationship. Review of security policies and procedures of organizations working under contract and requiring privileged access. Monitoring activities carried out by third-party suppliers and trusted persons.
 
 
Valid accounts ( ? Valid Accounts
)
 
Description: Attackers can steal the credentials of a particular user or service account using Technician of access to the registration data , capture credentials in the process of exploration through social engineering. Compromised credentials can be used to bypass access control systems and gain access to remote systems and external services, such as VPN, OWA, remote desktop, or gain elevated privileges in certain systems and network areas. In case of successful implementation of the scenario, attackers may refuse from
 
malware to make it difficult to detect. Similarly, attackers can create accounts using predefined names and passwords to maintain backup access in case of unsuccessful attempts to use other tools.
 
Recommendations for protection: Apply a password policy, follow the recommendations for designing and administering the corporate network to limit the use of privileged accounts at all administrative levels. Regular checks of domain, local accounts and their rights in order to identify those that can allow an attacker to gain wide access. Monitoring the activity of accounts using SIEM-systems.
 
 
The following publication will discuss the tactics used in the Execution phase.