John Pescatore - SANS Director of Emerging Security Trends
DHS CISA Publishes a Detailed Incident Report Showing Living-Off-the-Land Attacks
This week’s Drilldown will focus on one item (included below) from NewsBites Issue 76, commenting on a report published by the U.S. Department of Homeland Security (DHS) Cybersecurity & Infrastructure Security Agency (CISA), which describes in detail how a government agency was penetrated and compromised.
To give away the ending: While the attackers used some advanced techniques, they had already obtained privileged administrator credentials. If you give away the combination to the safe, you have pretty much given up the crown jewels.
The attackers also took advantage of other failures of basic security hygiene. Systems weren’t patched, and the primary firewall seemed to have an Allow All policy running.
The advanced techniques are what are being called “living off the land.” Essentially, attackers are taking advantage of operating system services and other tools that system administrators frequently use and that all too often are left enabled on more systems than necessary. Not only are these very powerful services, but also by using them, attackers don’t need to import large executables. And when the tools are running, they just look like normal sys admin processes.
In the SANS Top New Attacks and Threat Report published in April 2020, Ed Skoudis described living-off-the-land techniques and listed two key mitigation requirements:
- Careful application whitelisting--Not every system needs all admin services enabled, and not all services or tools need unlimited capabilities.
- Purple teaming--If the red team penetration tests use living-off-the-land techniques, blue team defenders can increase their skills in detecting bad guys doing so and also hone their defensive controls.
The DHS/CISA report focused mainly on the firewall configuration deficiencies. It recommended the use of standard “deny all except what is required and approved” policies, but also listed two-factor authentication, least privilege and keeping software up-to-date.
CISA: Federal Agency Hacked, Data Exfiltrated
(September 24, 2020)
The U.S. Department of Homeland Security (DHS) Cybersecurity & Infrastructure Security Agency (CISA) has published an analysis report detailing a cyberattack against a federal agency's enterprise network. The threat actor gained access to the unnamed agency's system and exfiltrated data. The report provides information about the methods used to gain access to the network. The breach was detected through EINSTEIN, CISA's intrusion detection system. The threat actor was able to gain persistent network access through reverse Socket Secure (SOCKS) proxies.
[Pescatore] This is the first time I've seen DHS/CISA put out a detailed public report on how an attack against a government agency succeeded. This one starts off with a litany of basic security hygiene failures: The attackers started out with admin credentials; admin accounts didn't seem to require two-factor authentication for remote access; if a firewall was in place, it seemed to have allowed everything not explicitly denied policies; VPN patches were not applied; etc. The details on the steps the attackers took show a number of living-off-the-land techniques that Ed Skoudis detailed in his SANS "Most Dangerous New Attacks" keynote panel talk at this year's RSA.
[Neely] This is an excellent write-up of how the system was compromised and how the attacker adjusted to available resources to continue to penetrate and exploit the system. This also reinforces the need for two-factor authentication on internet-accessible services, especially email and remote access (e.g., VPN). Take a look at your network and make sure that not only strong authentication is required, but also that patches are applied.
Read more in:
ZDNet: CISA says a hacker breached a federal agency
US-CERT CISA: Analysis Report (AR20-268A) | Federal Agency Compromised by Malicious Cyber Actor