Initial Access Flashcards
Initial Access
This lesson is going to focus on the first stage in the MITRE ATT&CK framework, Initial Access (TA0001). These techniques are used to describe ways that adversaries could get their first foothold in a network, and at the time of writing there are currently 9 techniques:
Drive-by Compromise, Exploit public-facing application, External remote services, Hardware additions, Phishing, Replication through removable media, Supply chain compromise, Trusted relationship, Valid accounts
Below we’re going to take a deep dive on a few of these techniques, but feel free to click on the links above if you’re interested in learning more about a technique that we don’t cover here!
Phishing
MITRE Technique T1566
By now you should already understand how important phishing is, and that it’s the number one initial access method. We can see that this technique actually has three sub-techniques, which are shown below (well done MITRE!). These pages will include a description of the technique, mitigations, and how to improve detection.
MITRE offers some great mitigations that we can use to reduce the risk from phishing emails, shown below (all of which we covered in the Phishing Analysis domain!).
And at the bottom of the page we have some recommendations on how to better detect phishing activity within your environment.
Phishing 2
External Remote Services
MITRE Technique T1133
External remote services can come in many forms, such as:
VPNs, Remote Desktop Protocol (RDP), Secure Shell (SSH), and Citrix, amongst others.
For an adversary to use this technique, it is highly likely that they will also use the Initial Access technique T1078 Valid Accounts, so they can log into these remote services (harvesting accounts from data breaches, phishing with credential harvesters, social engineering, and so on). An alternative is brute-forcing credentials to try and find a valid account, but this is extremely noisy and can easily be detected, and is therefore not typically used by advanced actors. Having access to valid accounts and remote services can also make for a good persistence mechanism, allowing the attacker to connect back to systems within the private network.
Looking at the Procedure Examples table for this technique we can see quite a few examples of actors and malware that have utilized this technique historically. A small snippet of the table is shown below.
MITRE offers some Mitigations that we can use to reduce the risk from internet-facing remote services. Examples include disabling the service if it is not needed (this is very important!), and using two-factor authentication to prevent credential reuse attacks (where an attacker finds old credentials and tries them against other services in the hope that the user has used the same password in different places).
And below that we have the Detection section which is short and sweet, and recommends monitoring usage of remote services and alerting on anomalous activity, such as an employee who works 9am – 5pm but is logging in to Remote Desktop Protocol at 3am.
External Remote Services 2
Removable Media
MITRE Technique T1091
Removable media is pretty self-explanatory: it’s using devices such as USB pens or ‘Rubber Duckies’ to transport malware to a target system, provided we can get physical access (or we can convince someone with physical access to plug the device in!). This technique can be used to attack air-gapped systems, where two networks are not connected and therefore can’t interact with each other.
Below this we have the table for Mitigations to help protect the organization from this attack technique, and we have some pretty solid options, such as disabling AutoRun so that USB Devices won’t automatically run any files included on them, creating policies that state employees should simply not use USBs, and actually locking the system down so that it won’t register USBs at all (we can also use USB port blockers which sit in the USB port and can’t be removed without a special key).
And finally, we have a section on how we can detect activity related to removable media devices. In addition to the below, we can actually monitor USB device usage using Windows Event logs; however, this functionality is not enabled by default. If you want to read about how this can be done, check out this Tech Republic article.
Removable Media 2