MITRE ATT&CK and 2017 FSB Indictment
•
0 j'aime•827 vues
On February 28th, 2017 the US Department of Justice indicted a notorious hacker, Alexsey Belan, and his FSB (Russia’s internal security service) handlers for a massive hacking spree that compromised Yahoo and used that access to attack many additional targets. We’ve used the Mitre ATT&CK™ framework to play back the findings from the indictment
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à MITRE ATT&CK and 2017 FSB Indictment
Similaire à MITRE ATT&CK and 2017 FSB Indictment (20)
Plus de Digital Shadows
Plus de Digital Shadows (20)
Dernier
Dernier (20)
MITRE ATT&CK and 2017 FSB Indictment
- 1. 0. PRE-ATT&CK 3. Persistence 7. Discovery 9. Collection MITRE ATT&CK and the 2017 FSB Indictment Mitre ATT&CK Stage 2017 FSB Tactics, Techniques and Procedures Mitigation Advice • Awareness of an organization’s security pos- ture at the perimeter and beyond is critical for understanding where attackers might begin targeting an organization. • Employees need to be informed that their personal assets such as email accounts or Internet-connected devices may well be targets for attackers looking to then pivot up into corporate or other environments. • Prioritize patches for publicly available exploits • In the cases where patching is not feasible, additional compensating controls, such as access control lists or firewalling, should be applied to mitigate the risk. • Employee’s personal systems should not contain any corporate credentials. • With privilege escalation exploits in the kernel (affecting any operating system), the affected machine must be rebooted after patching for the patch to be applied. • The use of a patch management solution can help to keep an environment patched to an appropriate level. • Require a “four-eyes” process where multiple code reviewers are mandated • Code reviewers need to look for security issues as well as concerns relating to performance, stability, correctness, etc. • Do not store directly reusable credentials in wikis and other information systems • Use a password manager for secure password storage and sharing • Log user logins to accounts on customer-fac- ing services to detect anomalous behavior. • Corporate VPNs should use strong 2FA solutions, such as TOTP or U2F, for the second factor • Cryptographic material needs to be separated between production and staging environments. • Network segmentation can be used to limit which systems an attacker can interrogate after a successful compromise. This can be achieved with host and network firewalls and/or VLANs. • While internal IDS systems can detect nmap and other scans, there are standard evasion techniques used by attackers • Monitoring account activity, including admin accounts, is important for uncovering anoma- lous and/or malicious behavior. • Attempts to modify system logs, such as the Event ID 1102 on Windows, should be logged wherever possible. • Centralized logging where logs, such as syslog, are automatically forwarded to central location can mitigate an attacker attempting to alter the logs on a local system. • Email filtering systems or services can help to identify some spearphishing threats • Office365 users should consider Microsoft’s Advanced Threat Protection (ATP) • Black lists for web traffic can be used to detect and block known malicious URLs if they happen to be opened. Exploit Public-Facing Application 1. Initial Access Spearphishing attachment, Spearphishing Link Web Shell Exploitation for Privilege Escalation Exploitation for Credential Access, Hooking, Credentials in Files, Private Keys Network Service Scanning, Remote System Discovery Data from Local System, Data from Network Shared Drive, Data Staged, Data from Information Repositories Clear Command History 6. Credential Access 5. Defense Evasion People Information Gathering, Technical Information Gathering, Technical Weakness Identification 4. Privilege Escalation !