The Mitre Att&ck Matrix is a model used to describe the various tactics and techniques used by hackers, malware authors, and other potentially malicious actors. To do this, the model breaks the various actions into separate entries and then aligns these to categories representing the various stages within attacks. By examining an organization's security posture in relation to this matrix, one can identify gaps in the organization's detection capabilities.
One may also examine the capabilities of security products in relation to this matrix. Performing such analysis for endpoint or SIEM applications demonstrates that although such software is vital, it is insufficient to adequately cover all facets of detection. This is where a network-based approach can help to plug the holes left by traditional approaches to security. In particular, certain categories such as Exfiltration and C2 are intrinsically network-centric and, therefore, remediation of related threats is greatly assisted by a network-based security solution.
Today we'll look at a few entries from the Mitre Att&ck matrix, and see what network traffic these produce in a bid to detect these threats.
Initial Access - Drive-by Compromise
To begin, let's look at detecting drive-by attacks. A drive-by attack involves the dissemination of malicious code to users who are browsing websites online. One of the simplest means by which one can detect a drive-by is by identifying known malicious websites being visited by users. Being able to identify connections between machines in an organization and remote machines which are known to be serving up malware can allow a security team to quickly mitigate a potential threat.
In order for this approach to work, a network-based security system needs to have up-to-date and accurate threat intelligence. Corvil appliances ingest numerous threat feeds and use the information in these feeds to flag potentially dangerous traffic. We can see a screenshot of Corvil identifying traffic to/from a remote IP known to have disseminated executable files, based on an Emerging Threats reputation feed.
Lateral Movement - Pass the Ticket
A drive-by attack may grant a bad actor an initial foothold, but thereafter they'll often wish to increase the scope of their attack by moving laterally within the network and taking control of additional devices. There are many mechanisms by which this may be done, e.g., SSH, RDP, PowerShell administration, pivoting an attack through the already compromised device, etc. To select one example, we'll consider a Kerberos-based approach, namely a Pass the Ticket attack. This type of attack involves harvesting Kerberos credentials from a compromised system and using these credentials to access services on other machines.
By monitoring Kerberos traffic on a network, one can identify unusual patterns of usage, such as the use of a TGT (Ticket Granting Ticket) without a corresponding AS-REP (Authentication Service Response) having been detected previously (Golden Ticket) or the use of a TGS (Ticket Granting Service) without a corresponding TGS-REP (Ticket Granting Service Response) having been hitherto detected.
Corvil has the ability to detect various forms of lateral movement. We can see a screenshot showing Corvil identifying a forged TGT, i.e., an instance where a TGT is being passed to request access to a service, in spite of this TGT never having been detected in previously analyzed traffic.
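The correlation described above, written out as an added example (not Corvil's code): a stateful monitor that records tickets as they are issued in AS-REP and TGS-REP messages, then flags a TGS-REQ or AP-REQ presenting a ticket that was never seen being issued. The message trace and the `ticket` identifiers (standing in for a hash of the ticket's encrypted part) are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class KerberosTicketMonitor:
    """Tracks tickets observed being issued so that a ticket later presented
    without a prior issuance on the wire can be flagged."""
    issued_tgts: set = field(default_factory=set)
    issued_service_tickets: set = field(default_factory=set)

    def observe(self, event: dict) -> Optional[str]:
        """Feed one parsed Kerberos message in capture order; return an alert or None.
        'ticket' is an opaque identifier for the ticket blob (e.g. a hash of its
        encrypted part), which is all a passive observer can see without the keys."""
        kind, ticket, client = event["msg"], event["ticket"], event["client"]
        if kind == "AS-REP":                       # KDC hands out a TGT
            self.issued_tgts.add(ticket)
        elif kind == "TGS-REP":                    # KDC hands out a service ticket
            self.issued_service_tickets.add(ticket)
        elif kind == "TGS-REQ" and ticket not in self.issued_tgts:
            return (f"TGT {ticket} presented by {client} for {event['service']} "
                    f"with no observed AS-REP (possible forged/Golden Ticket)")
        elif kind == "AP-REQ" and ticket not in self.issued_service_tickets:
            return (f"service ticket {ticket} presented by {client} to "
                    f"{event['service']} with no observed TGS-REP")
        return None


# Constructed trace: a normal AS-REP -> TGS-REQ -> TGS-REP -> AP-REQ sequence for
# alice, followed by a host presenting tickets that were never issued on the wire.
SAMPLE_EVENTS = [
    {"msg": "AS-REP", "client": "alice", "ticket": "tgt-001"},
    {"msg": "TGS-REQ", "client": "alice", "ticket": "tgt-001", "service": "cifs/files01"},
    {"msg": "TGS-REP", "client": "alice", "ticket": "st-001"},
    {"msg": "AP-REQ", "client": "alice", "ticket": "st-001", "service": "cifs/files01"},
    {"msg": "TGS-REQ", "client": "ws-07$", "ticket": "tgt-999", "service": "ldap/dc01"},
    {"msg": "AP-REQ", "client": "ws-07$", "ticket": "st-999", "service": "cifs/dc01"},
]


def run(events: List[dict]) -> List[str]:
    """Replay a trace through a fresh monitor and collect the alerts it raises."""
    mon = KerberosTicketMonitor()
    return [alert for alert in (mon.observe(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Tickets issued before monitoring began, or by a KDC whose traffic the sensor cannot see, also trip this rule, so in practice the monitor needs a warm-up period and visibility of every domain controller.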
C2 - Standard Cryptographic Protocol
Once a machine has been infected, being able to remotely administer the machine and maintain control within a victim's network is key for an attacker. This will require that the attacker (who is usually physically remote) maintain a channel of communication that will allow them to Command & Control (hence, C2) a device on the victim's network.
If an attacker communicates instructions to the infected machine(s) in plain text, one can search the traffic for traces of such commands and subsequently read the instructions from the wire. However, attackers are increasingly not so accommodating, instead relying on encrypted lines of communication based on industry-standard encryption protocols such as TLS, which can result in these communications being completely opaque with respect to that type of analysis.
However, just because one can't read the contents of the traffic, that doesn't mean one can't infer its intent. As with the discussion of initial access detection, one may again look to identify data flowing between an organization's network and external IPs/domains with known associations to malevolent entities.
Another approach, which we'll look at here in regard to TLS, involves fingerprinting. Corvil supports the use of JA3 fingerprinting to identify TLS connections. This involves the enumeration of various configuration options specified in the TLS connection's Client Hello (the first TLS message sent from the client machine to the server in an attempt to instantiate an encrypted channel). These values are then concatenated, the resulting string of values is hashed, and this hash is compared against a list of known fingerprints. We can see the JA3 analysis of a Meterpreter HTTPS-based reverse shell.
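As an added example (not Corvil's implementation), the JA3 computation described above carried out on a Client Hello: the version, cipher suites, extension types, supported groups and EC point formats are pulled from the handshake body, GREASE values are dropped, the fields are joined with commas and dashes, and the string is MD5-hashed. The `build_client_hello` helper and `SAMPLE_HELLO` are constructed here purely to produce an input to parse.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are excluded from JA3 so randomised padding does not change the hash.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}   # 0x0a0a, 0x1a1a, ..., 0xfafa

def u16(buf: bytes, pos: int) -> int:
    return struct.unpack_from("!H", buf, pos)[0]

def ja3_string(hello: bytes) -> str:
    """JA3 string for a ClientHello body (the bytes after the 4-byte handshake header)."""
    version = u16(hello, 0)
    pos = 2 + 32                               # client_version + random
    pos += 1 + hello[pos]                      # session_id
    cs_len = u16(hello, pos); pos += 2
    ciphers = [u16(hello, pos + i) for i in range(0, cs_len, 2)]; pos += cs_len
    pos += 1 + hello[pos]                      # compression_methods
    exts, curves, formats = [], [], []
    if pos < len(hello):                       # extensions block is optional
        end = pos + 2 + u16(hello, pos); pos += 2
        while pos < end:
            etype, elen = u16(hello, pos), u16(hello, pos + 2); pos += 4
            body = hello[pos:pos + elen]; pos += elen
            exts.append(etype)
            if etype == 10:                    # supported_groups (elliptic curves)
                curves = [u16(body, 2 + i) for i in range(0, u16(body, 0), 2)]
            elif etype == 11:                  # ec_point_formats
                formats = list(body[1:1 + body[0]])
    nogrease = lambda vals: "-".join(str(v) for v in vals if v not in GREASE)
    return ",".join([str(version), nogrease(ciphers), nogrease(exts),
                     nogrease(curves), "-".join(map(str, formats))])

def ja3_hash(hello: bytes) -> str:
    return hashlib.md5(ja3_string(hello).encode()).hexdigest()

def build_client_hello(ciphers, exts) -> bytes:
    """Constructed ClientHello body for testing (random = zeros, no session id)."""
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                        # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in exts)
    return body + struct.pack("!H", len(ext_bytes)) + ext_bytes

# Constructed sample: a browser-like hello carrying a GREASE value in each list.
SAMPLE_HELLO = build_client_hello(
    [0x2a2a, 0x1301, 0xc02b, 0xc02f],
    [(0x2a2a, b""), (0, b"\x00\x0e\x00\x00\x0bexample.com"),
     (10, b"\x00\x06\x2a\x2a\x00\x1d\x00\x17"), (11, b"\x01\x00")])
```

Because the hash covers only the client's advertised configuration, two clients built on the same TLS library share a fingerprint; a JA3 match is a lead for investigation rather than proof of a specific tool.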
Summary
Mitre has provided the industry with a standard model against which security controls can be aligned to highlight gaps. When examining traditional approaches to security through the lens of this model, one can see that there is potentially a gap in detection which can be filled using a network-based approach.
Corvil Security Analytics provides network visibility, empowering security practitioners to detect numerous and varied forms of malicious activity. By working in conjunction with other forms of security software such as endpoint protection, firewalls, and SIEM applications, Corvil helps security practitioners form a complete picture of their environment. If you would like to learn how we can help you secure your network, please Schedule a Demo or Contact Us.