Chinese military general Sun Tzu’s treatise The Art of War has been cited over the years by millions of self-help gurus and corporate strategy consultants – and misquoted in a million more PowerPoint slides. It’s beyond cliché at this point, but indulge us for a moment, because some things become cliché because they never cease to be relevant. Sun Tzu claimed that “all warfare is based on deception,” a truism that speaks as much to 5th century battlefields as it does to 21st century cybersecurity. And while we think of malicious agents sneaking around the shadows of the cyber world waiting to strike as soon as a flaw reveals itself, defenders must be equally trained in cunning and deception.
This thinking underpins the popular “MITRE ATT&CK™” framework. Short for “Adversarial Tactics, Techniques and Common Knowledge,” this agnostic database categorizes known adversarial tactics and techniques to help cybersecurity teams, threat hunters and Red Teamers keep tabs on how attackers think and operate. This information can help organizations prioritize mitigation strategies and controls, recover from breaches faster and sometimes even trick foes into trapping themselves.
When our own white hat hacker and CyberArk Global Sales Engineer Len Noe talks through such attack scenarios, he sounds a bit like he’s channeling Sun Tzu himself, dropping aphoristic nuggets such as “cyber attacks aren’t singular events, but an accumulation of steps” or “you can’t hack what isn’t there.”
With Noe providing occasional guidance, we’re putting the MITRE ATT&CK framework to work by examining some of the specific tactics and techniques reportedly used in a high-profile 2021 ransomware attack on one of the largest fuel pipelines in the United States. Based on publicly reported information on the attack, Noe’s full analysis can be seen in this on-demand Attack & Defend guided experience.
Understanding what has been done before can help organizations better prepare for the next way in, or the newest means of attack. Because, as Noe puts it, “You need to address the technique, not the tool.”
Using the MITRE ATT&CK Framework to Deconstruct a Real-World Ransomware Attack
ATTACK PHASE 1 – RECON
During this initial phase, the attacker combed through publicly available information about its intended target and launched a Metasploit listener to keep an ear on incoming connections. The attackers employed simple phishing techniques, such as a fake email from the organization’s IT admin requesting an update requesting that the user upgrade their version of PuTTY. This “upgrade” was infected with a malicious payload generator, MSFvenom, which created a “call home” between the targeted machine and the attacker.
ATTACK PHASE 2 – INITIAL ACCESS
From there, the threat actors navigated to the user’s desktop and uploaded an “AD Recon” tool to get a lay of the Active Directory land, and better understand the company’s internal infrastructure. After running some advanced data recon reports and exfiltrating the necessary information, the attackers removed traces of their activity to avoid discovery.
In this particular scenario, the attackers used several different MITRE-defined techniques to gain an initial foothold: They abused access to valid accounts gained through social engineering and other techniques; they engaged in active phishing campaigns targeting credentials to compromise identities and gain more access; and they exploited public-facing applications.
ATTACK PHASE 3 – EXECUTION
Once the initial foothold was established, attackers dug through output directories to gain information about the location of the domain controller, along with its IP address and hostname.
The domain controller is the crown jewel for attackers and if not secured properly, unauthorized access can be devastating for an organization. Attackers can exploit vulnerabilities in Kerberos, the default authentication protocol for Microsoft Windows, to pose as a legitimate user, traverse a network undetected, navigate from host to host to steal data, spread ransomware or wreak havoc in any number of ways.
With access to the domain controller, it was very simple for these attackers to run a built-in tool to set up dual sessions — essentially setting their own computer up in parallel to the system admin.
As Noe points out, securing Kerberos implementation programs is critical for keeping unauthorized users from gaining access and executing devastating attacks such as “golden ticket” and “pass-the-hash.” It goes back to the importance of an “assume-breach” mentality.
ATTACK PHASE 4 – PERSISTENCE
Patience and persistence are often seen as virtues, but they are also key to ransomware attacks. Once the attackers established that parallel admin, they used malicious agents to create a scheduled task that – when live – automatically reached back out to the command and control server and kept the attacker’s portal back to that host open.
From there, they were able to run exploits and hashdumps – essentially a glut of information that can be rendered readable by a program like Hashcat. Once that information was readable and sort-able – which takes time and, well, persistence – the attacker was able to locate admin passwords critical to the mission.
It’s here that Noe advises some sort of automatically re-generated password system, to avoid having one set of keys to unlock a system, as well as to help prevent against re-used or replicated passwords across systems. Again, it’s about limiting lateral and upward movement as much as possible.
ATTACK PHASE 5 – ESCALATION
The name of the game is almost always privilege escalation. Attackers kept cracking open hashdumps and pulling out credentials in an attempt to navigate around the system. They performed various types of credential-oriented operations and ultimately, used this elevated access to navigate to where they wanted to dump – or, more accurately, upload – their ransomware payload.
ATTACK PHASE 6 – EVASION
As Noe says, “After initial access, an attacker’s second priority is defense evasion. The ability to remain undetected is critical.” This is where things get a little Spy vs. Spy – the compromised system (hopefully) has some covert defense mechanisms, while the adversaries try their best to sneak around. For example, to keep things “clean,” attackers will remove output directories, CSV files (Comma-separated values) and powerscripts to eliminate any indications of compromise. These evasive techniques highlight the necessity of a layered, defense-in-depth approach to ransomware protection, Noe points out.
ATTACK PHASE 7 – CREDENTIAL ACCESS
This ransomware attack, like so many others before it, went far beyond desktop mirroring and hashdump-diving for passwords. It targeted privileged credentials that gave the adversary far-reaching administrative access to sensitive data and systems.
This is why, Noe stresses, privileged access management controls that grant users the minimum set of rights are an essential part of that layered security approach — and contribute to the broader “trust nothing, verify everything” Zero Trust philosophy.
The Next Big Attack Probably Won’t Look Like This
While the MITRE ATT&CK framework is indeed useful, it has to be a fluid resource — a starting point. Attackers are constantly innovating, and each attack follows its own path. There’s a constant stream of new techniques emerging in the wild — from biohacking to ransomware-as-a-service innovations, but also the occasional return of old tricks, too. As Noe explains, “We’re seeing brand new ways of zipping files that include Javascript that executes when you unzip. We’ve seen that before, but it’s been a long time since attackers have gone after compression this way.”
So in the words of our cybersecurity philosopher Len Noe, being proactive, being creative and thinking like an attacker are necessary approaches to cybersecurity. But, it’s how we balance tackling the knowns and preparing for the unknowns that will not only help win battles against attackers, it could just help win the war.