Sunday, February 5, 2012

Using Metapsloit to Illustrate CNE

Technical mentoring and training is equal parts essential and challenging. Turning highly technical concepts into simple statements that can be interpreted and adopted takes effort and focus . A recent mentoring session resulted in an "ah-ha" moment that inspired me to go back, re-visit my approach by extending the context, and then share it with all of you. By dedicating additional focus to the attack baseline, the output of sophisticated TTPs applied in support of cyber network defense (CND) becomes more valuable. 

Part of the recent session included a basic introduction to offensive computing with the Metasploit framework. Defenders must understand attack phases and patterns to perform effectively and mature technically. I set up a vulnerable web server, provided an attack node, and provided a predefined mission for the peer assigned the role of attacker:
  1. Identify running services
  2. Exploit vulnerable service(s)
  3. Deliver a payload (Meterpreter)
  4. Interact with the device (victim)
Then we stepped through a client-side attack analyzing a weaponized PDF file I pulled from a popular malware dump. This attack technique comprised of exploiting both a person and an application instead of a just a service:
  1. Identify victim
  2. Exploit user and vulnerable application
  3. Deliver a payload (Trojan backdoor program)
  4. Interact with the device
I think the current approach adds value to an analyst. We review a sample of current attack patterns and the basic principles of exploiting vulnerable services and applications to deliver a payload. The payload provides the communication channel to interact with the victim. 

Taking a step back and reviewing my approach, I realized that I wasn't providing enough context. While this was an effective first step, I needed to extend my approach by adding real world context and applicability to the current environment to make this more cohesive.
Disclaimer, statements are my own and do not necessarily rep those of my company. My opinions are based on inferential analysis of open source reporting; including documented attack patterns and TTPs used against cyber network exploitation (CNE) victims that have disclosed data breach; most don't. Again, I'm inferring the life-cycle of targeted attacks carried out by structured adversaries to paint a broader picture of the targeted attack life-cycle up to the point of initial interaction.  Providing attacker activity post initial interaction is not within the scope of this article; however if you need pointed in the right direction for open source reporting let me know.

Extending the Attack Phase:

Our first Client-Side attack model:
  • Identify victim
  • Exploit user and vulnerable application
  • Deliver a payload (Trojan backdoor program)
  • Interact with the device
This provides a baseline. We need to extend the attack framework to include attack motivation, recon, and goals. This illustrates the notion of a structured adversary and provides context to the delivered payload. This is not just a piece of malicious software, this is a tool used to carry out a mission predetermined by intelligence collected by the adversary. It's important to understand what you're up against. 

Real World Attack Model of Basic Phases of CNE as Per Adversary View Up to Interaction
  • Exploit/Payload Delivery Method: Well crafted email with attachment containing unknown (or known) exploit used to deliver payload (Backdoor Trojan Program for Interaction/C2)

Exploit Techniques:
  • Social Engineering (Exploit vulnerability of user trust method. You can't patch this, it will always exist.)
  • Client Side Exploitation (Exploit program with unknown (or known) vulnerability. A patch does not yet exist)

Updated Attack Model 
  • Assumes command and control infrastructure is already set up
  • This is not meant to be all-encompassing but a mere sample operational model for adversary awareness
  1. Identify mission
    • What data is the attacker seeking to obtain? Identifies what data and who owns it
    • Could identify 3rd party that is attack launch point (See RSA Hack)
    • Attackers own mission could be to address and remove their own (perceived) defensive weakness
  2. Does the value of the data warrant use of developed code to exploit an unknown vulnerability within an application used by most corporate orgs?
  3. Gather intel on target organization
    • Weakness furthered by increased inter-connectivity, online presence, and more and more data about us and orgs captured and shared globally via the internet
  4. Identify target(s) (victims within target organization acquired from intel)
    • Use what we know about the victim to get them to click through attachment
  5. Craft email/deliver exploit
  6. Exploit victim and vulnerable application
    • Go back to step 6, change file format if  initial attempt is unsuccessful
      • Developed code isn't always required. Repeat until you find a vulnerable application. If the user clicks once, they will click twice. 
  7. Deliver a payload (Provides mechanism for interaction)
  8. Interact with compromised device (victim)
  9. Establish persistence
  10. Take actions to facilitate mission 
    • Download tool set
    • Establish presence on different device(s)
  11. Perform intended operation as defined by mission 
    • Supported by intel of target, and practiced intrusion/CNE techniques
Establishing a baseline applying the Metasploit framework and then extending the attack baseline per inferential analysis of real world scenarios provides a solid foundation and understanding of the current threat landscape. From this baseline, we can now "build up" the more technical details and target more focused areas for skill development. Registry artifacts and event logs become indicators not only of process creation, but of attacker presence. A suspicious file started during Windows Logon from %Temp% is not only identified as malware, but a tool used by a sophisticated attacker for interaction and an established point of presence within our network boundary.

Now, from a cyber network defender perspective, initial questions to ask and answer (getting answers to these questions is wishful thinking, important to understand why we would want these answered)
  • Know WHO you are protecting. What does the company produce, design, manufacture?
  • Define (continuously) WHAT your most critical data is. Hard
  • Know WHERE that data lives, where it's stored, how it's stored, how it's accessed and by who?
  • Know HOW to monitor access/connections to those resources. What are my logging sources? What is my visibility? What are my current TTPs as a defender? How can I increase my level of visibility?
  • Know WHEN new projects will be introduced, where that data will live, sensitivity of the data, and logging/monitoring/visibility to potential resources hosting that data. Hard
    • What is the value of the data? (Not just monetary value)
    • When do you reach a threshold of assigning the data a value that indicates that it should NEVER be accessible on a network.
While working with malware samples and identifying the presence of indicators are essential to any internal training program and TTP development, it's equally important that greater context of the attack structure and motivation is understood to facilitate analysis performed in support of CND.