This will be a miniseries of posts; this is part 1 of 4. I was advised by a leader long ago in my consulting career to never do “Free Consulting.” I still strongly believe in that sentiment today, but there is also a part of me that wants to give back to the community, and this post is my and RSM Defense’s way of doing so. I also strongly believe that in 2022, threat actor tactics are going to shift dramatically, especially when speaking about ransomware and extortion tactics. Combine that with what we are witnessing with the growing cyber tensions between Ukraine and Russia presently, and you can begin to understand why some organizations may believe these disruptive and, “new” destructive cyber-attacks and tactics will be leveraged by other threat actor groups and nation states outside of the Russia and Ukraine conflict. History repeats itself here. In the past, tactics and tool sets—such as those that came from the Shadow Brokers leak and EternalBlue—were picked up and quickly deployed by the general threat actor community soon after their release.
These posts will also help give readers a glimpse into the mind of what RSM Defense’s Unit26 team looks for in our client environments on a daily basis and how we detect and respond to evil. This list isn’t meant to be comprehensive, but rather serve as a starting point for many organizations to start taking control of their system hardening posture and get a sense of the specific use cases professional security operations teams are monitoring environments for. The topics in this series are as follows:
- Part 1 – External facing services and applications and authentication best practices – hardening/detection possibilities
- Part 2 – Critical assets considerations – hardening/detection possibilities
- Part 3 – Lateral movement – detection/hardening techniques
- Part 4 – How to harden and protect credentials
External Facing Services and Applications
Discover, Itemize, and Fortify
For the majority of organizations to operate effectively today they must expose services and applications externally to the public internet. If you want to effectively protect against a threat actor leveraging and exploiting vulnerabilities or even misconfigurations via this attack surface, the organization must first get a good handle on what is exposed publicly. Understanding how threat actors perceive your organization externally represents a major step towards maturing an organization’s cyber security program , and it starts with understanding what is visible publicly.
Here are some of the ways you can proactivity start to identify and corroborate externally exposed services and applications
- Hold your software vendors accountable to patch or otherwise help you mitigate known software vulnerabilities. Remember, threat actors are turning around exploits to known vulnerabilities in record time. I’ve stated in other blog posts on the War Room that known vulnerabilities in most circumstances should be treated at Tier 1 security events. Further, in these circumstances these systems should also be forensically reviewed to ensure there has been no evidence of suspicious modifications which may have already occurred prior to the patch/mitigations being deployed.
- Deploy or leverage a vulnerability scanning technology to help identify assets and any known vulnerabilities on those assets. Some examples of these technologies are Tenable/Nessus, Qualys, Rapid7, and Shodan.
- Perform a penetration test. Specific penetration tests can be focused to help identify external facing attack surfaces a threat actor would leverage for access.
Let’s Authenticate – The time for MFA is now!
Most of the friction points around adoption of MFA (Multi- Factor Authentication) since its introduction roughly in 2000 – yeah…22 years ago…(insert blank stare here)–have been removed, and yet still 22 years later adoption of MFA still lags. I’d be willing to testify that if an organization is still using single factor authentication on any external services and applications that they are conducting gross negligence of some degree, but I digress. Applications and external services still using single factor authentication are hyper susceptible to brute force attacks, password spraying attacks, or remote attacks like stolen credential reuse. If applications and external services are still using a single factor method of authentication, they should be reconfigured to use MFA as soon as possible. These MFA comments also apply to 3rd party managed infrastructure and cloud-based environments and software like Microsoft 365 and the like.
MFA Methods
There are several methods an organization can use to implement MFA. I have also included some of those methods’ security considerations as well as some specific drawbacks to those methods in the list below on how they could be possibly defeated.
- OATH Token
- Hardware Tokens (i.e., Fido2)
- Authenticator Applications (i.e., Duo, Google Authenticator, Microsoft Authenticator)
- Push notifications – be careful with these. I have observed organizations using push notifications for authenticator apps such as the above, and users almost always never question the push notification and always hit accept. If you are using this option, additional user base training may be required to help spot possible rogue push notifications that the user did not initiate.
- Timed base codes – these are usually 6+ digit codes that are used to challenge responses to successful logins
- Phone Calls – Risks associated to using this particular MFA method is that the communication is not encrypted, and there are attacks called SIM Swapping attacks where a threat actor is able to transfer the user’s phone number to an attacker-controlled device and not the intended user.
- SMS/Text notifications – SIM Swapping attacks apply here as well.
- Email Notifications – The major risk with this method is that if a threat actor already has gained access to the organization or user email account, they would be able to retrieve the needed email to successfully authenticate and complete the MFA process.
As always, if any of the methods above are deployed, please take into consideration training programs that will give end users the ability to:
- Never accept or respond to authentication notifications where they are not actively trying to login. If this occurs its needs to be reported as a security incident.
- Establish a process for users to report suspicious MFA requests and notifications.
Time for Detection
As stated above, once an organization has these tools and solutions in place there are many opportunities where professional security teams can begin to start to make detections around anomalous or malicious activity and behavior using telemetry from those solutions. To accomplish this task, we turn to MITRE ATT&CK. If your organization is not familiar with MITRE ATT&CK and what it aims to accomplish, I will leave a link to a getting started with MITRE ATT&CK guide below for further reading. As MITRE’s website states, “MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s attack lifecycle and the platforms they are known to target. ATT&CK originated out of a project to enumerate and categorize post-compromise adversary tactics, techniques and procedures (TTPs) against Microsoft Windows systems to improve detection of malicious activity. It has since grown to include Linux and MacOS, and has expanded to cover pre-compromise tactics and techniques, and technology-focused domains like mobile devices. At a high-level, ATT&CK is a behavioral model that consists of the following core components:
- Tactics, denoting short-term, tactical adversary goals during an attack
- Techniques, describing the means by which adversaries achieve tactical goals
- Documented adversary usage of techniques and other metadata (linked to techniques)”
In sum, if we can understand what tactics and techniques an adversary is likely to use to exploit a control, we can begin to make detections around those tactics and techniques; the more tactics and techniques we can check off that you have detections around, the more hardened your environment becomes.
Sample use cases and detections for external services and applications
Detection Use Case | Description |
Brute Force | MITRE ID: T1110 – Brute Force The brute force rule triggers in RSM Defense’s systems when a single user with an excessive number of failed logins from an external IP address |
External Authentication Attempt from an Account with Elevated Permissions | MITRE ID: T1078 – Valid Accounts Accounts with elevated permissions or privileges should only be used on systems that are internally managed and secured for use with those accounts. Access to these accounts should not be available from external sources, nor should their use be observed on any services and applications exposed externally. |
Multiple Failed MFA attempts from Same User | MITRE ID: T1078 – Valid Accounts and T1110 – Brute Force A defined query for multiple MFA failures for logins from a single account. This may be a good indicator of a compromised account. This also extends to other exposed services where failed logins and the users making those logins can be observed typically in a SIEM. |
Password Spraying Attempts | MITRE ID: T1110.003 – Password Spraying A query and alert looking for a high number of accounts with failed logins; usually in a defined time period. Typically, from the same destination address. Password Spraying detection also extends past MFA to other management services that may be exposed where failed logins can be observed such as SSH, FTP, Telnet etc. |
Multiple Failed MFA attempts from Same Source | MITRE ID: T1078 – Valid Accounts A query and alert to find multiple failed MFA attempts for different users from the same source. Again, this could be a sign of credential compromise. |
Wrap Up
Hardening your external systems and applications to pass the proverbial, “sniff test” from a would-be threat actor may just take your organization off the target list in favor of easier prey where the posture of their systems is more favorable to trivial exploitation and attack. To not get eaten in the ravenous food chain of cyberattacks, it’s important to not make yourself look like food.
Whoarewe?
RSM Defense and our Unit26 security team brings decades of global cyber defense operations experience to your doorsteps. We entered this arena with an innovative cloud-native security solution that aims to stop cyber threats in whatever realm or vertical your business operates, including multi-cloud, third-party hosted, or remote deployments. If you have an existing security stack that is growing, RSM Defense and Unit26 can help manage, triage and respond to your cyber threats within that environment.
If your organization is looking for help with responding to the growing number of cyber threats, let’s get in touch and talk through how we can introduce you to the RSM Defense approach to obtaining a more secured cyber presence.
-Todd
Getting started with MITRE ATT&CK
https://attack.mitre.org/resources/getting-started/