Welcome to Part 3 of a series in which we walk through MITRE’s ATT&CK Tactics! Continuing the theme of any movie portraying a conflict, this is where someone takes action against their target. In HBO’s Band of Brothers, an entire episode is spent showing how Easy Company was formed and prepared for D-Day. Not only did they drill and train on general airborne skills and fitness, but they studied their sand tables and maps intently. Eventually, someone has to call the shot – in this case Eisenhower issued the order and they boarded planes & ships. Once the paratroopers, glider troops, pathfinders, and other recon units crossed the Channel, the invasion had passed the point of no return. Initial Access was attempted. If you’re the Allies, hopefully the Recon and Resource Development were done right! Now let’s see how all of that pays off for the adversary in ATT&CK – Initial Access.

Timing is everything

Recon and resource development happen more or less at the attacker’s pace. Assuming they do not tip off their potential victim, an attacker’s focus should be on accuracy and completeness, not speed. As we discussed the last couple of weeks, this is because detecting that behavior can be very difficult. The best we can hope for as defenders is to make the process harder so they move along. Eventually, however, the attack will come. And with it, we’ll likely see things meant to throw defenders off the trail or drain their resources, which improves the odds of the initial access attempts that actually matter. Let’s talk about these two types of events!

Deception – always keep them guessing!

When multiple fronts were stagnating in 1942, Hitler and Mussolini had a pretty good idea they were going to be counter-attacked. The Allies fed into this by creating feints, false intel leaks, and more to encourage preparation for an invasion in the wrong places. While the invasion at Normandy gets a lot of attention, the initial thrust against the Axis in Europe was via Sicily in 1943. Many tactics, techniques and procedures were rehearsed, refined, and abandoned in these earlier operations, which helped refine the larger invasion on June 6th, 1944.

One such TTP that led to great success was the Allies purposely misleading Axis leadership. With Operation Mincemeat, the British stoked fears that Greece or Sardinia would be attacked, planting false plans and personal effects on a corpse for the Germans to find. The timing and coordination were unrivaled! It worked like a charm, and the Axis spent considerable time and resources fortifying those areas, leaving Sicily less guarded and likely making the invasion shorter and less deadly for the Allies.

This snippet of the falsified credentials used in Operation Mincemeat by the British may seem basic, but it was believable. The burden isn’t huge, folks!

Cyber adversaries do similar things to their potential victims. They know that a target organization has limited resources and overworked staff, so they commonly blend activities and probe areas they have no real intention of committing their main resources to. As a defender, you just have to absorb it. We discussed last week how honeypots and deception techniques can help defenders learn more and deplete attacker resources. Well, in this phase adversaries deploy deception as well. Bonus points if they burn multiple techniques in your honeypot! But you can’t know whether a given attempt is one attacker’s main thrust into your environment or a feint to distract from another. ATT&CK can help identify potential initial access attempts, but your operators will need to judge when it is really happening.

Just what are we up against here?

There may be varying levels of deception in traditional warfare or cyber events. More traditional attacks tend to have a predetermined ‘real’ attack vector, and deception merely supports it. In cyber attacks, APTs might actually launch across multiple vectors and defer that call. If they have done their homework in the Recon and Resource Development phases, they know a few promising paths and have already prepared infrastructure to support them. Depending on their sense of urgency and probability of success, they may elect to use more than one.

The Allies do a Rope-a-Dope

Historically, diversions were known to be diversions by commanders and their staff from the get-go. The Allies obviously committed to invading Sicily in 1943 and Normandy in 1944. They created illusions to distract their enemies and consume their limited resources elsewhere. Greece, Sardinia, Corsica, the Balkans, Denmark, Calais, and even parts of Germany itself saw fortifications built in response to false ops. But in the physical world, it becomes impractical to keep all options open. The invaders (the Allies in these cases) knew where their main thrust would be. They had to sell the deception well enough to soften defenses.

The Allies spent a lot of time convincing the Germans that they were taking the path of least resistance, which meant appearing to target Calais for D-Day. That bought valuable time and depleted defenses elsewhere.

Honeypots aren’t the only deception out there

Cyber adversaries can more readily hold some subset of those vectors in reserve. That said, attempting several in the initial operation has its uses. Even a successful defense comes at a cost: the defenders’ systems generate more alerts, the volume of telemetry increases, and noise levels rise. The operators themselves focus on confirming that those events were properly blocked. All of this can desensitize the environment to activity in other portions of the environment, and it can overwhelm staff. SecOps staff and their tools fixate on the noise, and one or more of the other vectors attempted gets missed.

Attackers can vary the timing between paths, or coordinate them so that one gives cover to another. With automation and AI-assisted decision making, those same attackers can evaluate their options in real time and see which offers the best chance of success. For traditional adversaries this is costly and foolhardy; cyber adversaries, however, can redeploy their resources between multiple fronts quite dynamically without worrying about logistics. Another advantage over traditional battlefields occurs to me: each threat actor is just one of many attempting access to an environment, and that agility lets them take advantage of another threat actor’s noise.
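A worked illustration of the defender’s side of this, added here as an example rather than code from the original post: rather than working a batch of alerts in arrival order, collapse any technique that produced a burst into one summary and read the low-volume events individually, then check what else was active around each of them. The alert batch, technique IDs, addresses and messages below are constructed for the example, and the burst threshold and five-minute window are arbitrary tuning values.

```python
"""Added example (not from the post): triage a batch of initial-access alerts
by technique rarity rather than by volume. The alert stream below is
constructed for illustration; timestamps, IPs and messages are not real."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed batch: (timestamp, ATT&CK technique, source, message).
# Six web-tier exploit attempts (T1190) are the noise; the single VPN logon
# with a valid account from a never-seen source (T1078) is the one to read.
ALERTS = [
    ("2024-05-01T01:55:00", "T1566", "mail-gw",      "user reported phish: invoice.docm"),
    ("2024-05-01T02:00:05", "T1190", "203.0.113.7",  "WAF: sqli attempt on /login"),
    ("2024-05-01T02:00:40", "T1190", "203.0.113.7",  "WAF: path traversal on /api/v1/files"),
    ("2024-05-01T02:01:12", "T1190", "203.0.113.8",  "WAF: sqli attempt on /search"),
    ("2024-05-01T02:01:50", "T1190", "203.0.113.8",  "WAF: deserialization payload on /upload"),
    ("2024-05-01T02:02:20", "T1190", "203.0.113.9",  "IDS: jndi lookup string in User-Agent"),
    ("2024-05-01T02:02:50", "T1190", "203.0.113.9",  "WAF: sqli attempt on /login"),
    ("2024-05-01T02:03:10", "T1078", "198.51.100.9", "VPN: logon jdoe succeeded from new source"),
]


def technique_counts(alerts):
    """How many alerts each technique produced in this batch."""
    return Counter(a[1] for a in alerts)


def triage(alerts, burst_threshold=5):
    """Split a batch into (noise, signal).

    noise  -> {technique: count} for techniques above burst_threshold; these
              get one summary ticket, not a ticket per hit.
    signal -> every remaining alert, oldest first, for an analyst to read.
    """
    counts = technique_counts(alerts)
    noise = {t: n for t, n in counts.items() if n > burst_threshold}
    signal = sorted((a for a in alerts if a[1] not in noise), key=lambda a: a[0])
    return noise, signal


def coincident_techniques(alerts, alert, window_minutes=5):
    """Other techniques seen within +/- window_minutes of `alert`.

    A low-volume event that lands inside a burst of something else is the
    'one vector giving cover to another' pattern: surface that overlap
    instead of letting the burst bury it.
    """
    centre = datetime.fromisoformat(alert[0])
    window = timedelta(minutes=window_minutes)
    return {
        a[1]
        for a in alerts
        if a[1] != alert[1] and abs(datetime.fromisoformat(a[0]) - centre) <= window
    }


if __name__ == "__main__":
    noise, signal = triage(ALERTS)
    for technique, count in noise.items():
        print(f"[summary] {technique}: {count} alerts in this batch")
    for a in signal:
        overlaps = sorted(coincident_techniques(ALERTS, a))
        print(f"[review]  {a[0]} {a[1]} {a[2]} {a[3]}  overlapping: {overlaps}")
```

Run as-is it prints one summary line for the T1190 burst and two review lines; the T1078 logon is shown with T1190 as its overlap, while the earlier phishing report has none. In a real pipeline the batch would be a sliding window over the SIEM rather than a fixed list, and the threshold would be set from the normal per-technique rate.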

This is not a drill – Initial Access’ moment of truth

Whether a feint or not, the same 10 techniques from the ATT&CK Initial Access Tactic (TA0001) are applicable. As you can see in the figure below, there are a few paths by which attackers might gain that initial foothold.

ATT&CK Navigator is showing us all of the Techniques and Sub-Techniques in this category. This is the easy part – the hard part is discerning the decoys.

Initial Access via invite only – Social Engineering related attacks

Drive-by Compromise (T1189), Content Injection (T1659) and Phishing (T1566) are watering-hole or social engineering style techniques that rely on end users actually kicking off the attack. Adversaries lay these as traps, but user interaction (clicking on something malicious, or visiting a tainted website or one whose traffic the adversary can tamper with in transit) is what launches the operation. This may seem like another major difference between cyber and other battle spaces. But there are times in traditional warfare where an adversary baited their victim into initiating combat (border violations, assassinating a lower-ranking duke, or something similar). In a cyber attack, however, the victim may never know the root cause.

Carbanak’s Initial Access process involved a phishing e-mail carrying a macro-laden Word document.

Initial Access via backdoor

When an adversary employs techniques like Exploit Public-Facing Application (T1190), they are initiating the attack themselves, using intel they have gathered to take advantage of a misconfiguration or vulnerability and gain illicit access. This is increasingly paired with another Initial Access technique, Supply Chain Compromise (T1195), in which the adversary plants their own pathways. Similar to preparing guerrilla forces or sleeper cells that can be activated to support the invader’s advance, the sub-techniques detail how the adversary might use software or hardware supply chains directly, or target dependencies and development tools upstream to prepare the field for their arrival. Recent attacks have leveraged tainted libraries, abused development tools, and malicious packages in PyPI, NuGet (.NET), GitHub, and many other ecosystems.
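The practitioner’s check against the tainted-library case is to refuse any dependency whose bytes do not match a hash pinned by the build pipeline, and to treat anything unpinned as a failure rather than a warning. The script below is an added example, not code from the post or from pip; it parses the `name==version --hash=sha256:…` line format that `pip install --require-hashes` enforces, verifies a constructed artifact against it, and (going a step beyond the paragraph) flags package names that are within a couple of edits of a name already trusted, the typosquatting pattern seen in public registries. The package name, artifact bytes and trusted-name list are all constructed for the example.

```python
"""Added example (not from the post): fail-closed verification of a downloaded
dependency against a hash-pinned lockfile, plus a look-alike-name check.
Package names, artifact bytes and the trusted list are constructed."""
import hashlib
import hmac
import re

# One pip-style requirement line with a pinned sha256 digest.
LOCK_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_lockfile(text: str) -> dict:
    """Parse 'name==ver --hash=sha256:<hex>' lines into {name: (version, digest)}.

    Any line that is not a comment and does not carry a hash is an error: a
    lockfile with one unpinned entry is not a lockfile.
    """
    lock = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LOCK_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable or unpinned lock line: {line!r}")
        lock[m["name"].lower()] = (m["version"], m["digest"])
    return lock


def verify_artifact(name: str, version: str, data: bytes, lock: dict) -> bool:
    """True only if name/version is pinned and the bytes match the pinned digest.

    Anything absent from the lockfile is rejected: an unpinned transitive
    dependency is exactly where a tainted upstream package slips in.
    """
    entry = lock.get(name.lower())
    if entry is None:
        return False
    pinned_version, pinned_digest = entry
    return version == pinned_version and hmac.compare_digest(sha256_hex(data), pinned_digest)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-misses of names we already trust."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str, trusted: set, max_distance: int = 2):
    """Return the trusted name this one nearly matches (but is not), else None.

    A heuristic: short names can collide by accident, so treat a hit as
    'stop and look', not as proof of malice.
    """
    name = name.lower()
    if name in trusted:
        return None
    for candidate in trusted:
        if edit_distance(name, candidate) <= max_distance:
            return candidate
    return None


# Constructed: the bytes the build pipeline hashed when it cut the lockfile ...
GOODLIB_1_0 = b"def greet():\n    return 'hello'\n"
LOCKFILE = "# generated by the build pipeline, not by hand\n" \
           f"goodlib==1.0 --hash=sha256:{sha256_hex(GOODLIB_1_0)}\n"
# ... and a constructed 'download' of the same name whose contents changed after release.
GOODLIB_1_0_TAMPERED = GOODLIB_1_0 + b"# extra bytes appended after release\n"
TRUSTED_NAMES = {"goodlib", "requests", "cryptography"}  # constructed allow-list

if __name__ == "__main__":
    lock = parse_lockfile(LOCKFILE)
    print("pinned build  :", verify_artifact("goodlib", "1.0", GOODLIB_1_0, lock))
    print("tampered build:", verify_artifact("goodlib", "1.0", GOODLIB_1_0_TAMPERED, lock))
    print("unpinned pkg  :", verify_artifact("otherlib", "2.3", b"", lock))
    print("look-alike    :", lookalike_of("requets", TRUSTED_NAMES))
```

The digest comparison uses `hmac.compare_digest` out of habit rather than necessity (the digest is not a secret), and the lookalike check is deliberately simple; registries and scanners use richer heuristics, but the idea is the same.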

Initial Access via abused services

While a single technique is covered here, it is a doozy. External Remote Services (T1133) are fertile ground for an attacker. Much like a traditional foe might use the waterways and roadways crucial to commerce, utility panels, or the cover of crowds to infiltrate, so does an APT. In this case, they are leveraging the webmail, SSH, FTP, VPN, RDP, or VNC services used by employees, contractors, or customers to reach resources. Understanding that security around these portals is more lax and noisier than in hardened segments of the environment, attackers have leveraged this vector whenever it presents itself. Running software with known, exploited vulnerabilities, or protocols that are misconfigured (password-only authentication with no MFA, legacy ciphers, exposed management interfaces), makes it worse. You can bet that the proliferation of APIs has caused this to balloon: APIs are essential to managing and deploying most modern applications, yet they are often poorly inventoried and poorly understood.

Initial Access via abused trust

It should go without saying that the above techniques take some work! What if the adversary manages to get access to legitimate user or service accounts? In a traditional sense, this is akin to a certain trusted doctor in a recent sci-fi book-turned-blockbuster turning on his masters. This is an underrated TTP, and in fact most APTs would rather leverage Valid Accounts (T1078) or a Trusted Relationship (T1199) to gain initial access. Threat actors know that defenders have spent a lot of money on perimeter defense, relying on prevention and policy to avoid disaster. It just so happens that this is also why so much detection is focused on the perimeter. By using trusted credentials or relationships, the adversary can 1) avoid making noise, 2) evade detection, 3) bypass most policy enforcement, and 4) buy considerable time to follow up their initial access with something more persistent and sustainable.
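Because a valid credential used against an external remote service produces a perfectly ordinary "Accepted" log line, the detection has to lean on context rather than on the event itself. The example below, added here and not part of the post, serves both this section and the External Remote Services one above: it parses constructed sshd lines from an internet-facing bastion and raises two findings, a successful logon for an account from a source it has never used before (scored higher when the source is outside the organization’s own ranges), and a short run of password failures from one source followed by success from the same source. The hostname, account names, addresses, internal prefix and per-user baseline are all constructed; in practice the baseline comes from weeks of history, and syslog timestamps carry no year, so one is assumed.

```python
"""Added example (not from the post): two detections over SSH authentication
logs for an externally reachable host, covering External Remote Services
(T1133) used together with Valid Accounts (T1078). Log lines, hosts, users,
addresses, the internal prefix and the baseline are constructed."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sshd log lines in syslog format (note: no year in the timestamp).
LOG = """\
May  1 02:01:11 bastion sshd[4121]: Failed password for jdoe from 198.51.100.9 port 50122 ssh2
May  1 02:01:15 bastion sshd[4123]: Failed password for jdoe from 198.51.100.9 port 50123 ssh2
May  1 02:01:20 bastion sshd[4125]: Accepted password for jdoe from 198.51.100.9 port 50124 ssh2
May  1 09:12:02 bastion sshd[5200]: Accepted publickey for asmith from 10.20.0.14 port 40011 ssh2
May  1 09:40:37 bastion sshd[5377]: Failed password for invalid user admin from 203.0.113.40 port 61000 ssh2
May  1 11:05:09 bastion sshd[5901]: Accepted publickey for jdoe from 10.20.0.33 port 40210 ssh2
"""

# Constructed baseline: sources each account has legitimately used before.
BASELINE = {"jdoe": {"10.20.0.33"}, "asmith": {"10.20.0.14"}}
# Constructed: the organization's own address space. Anything else is 'external'.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
YEAR = 2024  # assumed, because syslog omits it

LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def parse(log: str):
    """Return a list of {ts, result, method, user, src} for lines that match."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # other sshd chatter is ignored for this example
        h, mi, s = (int(x) for x in m["time"].split(":"))
        ts = datetime(YEAR, MONTHS[m["mon"]], int(m["day"]), h, mi, s)
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "src": m["src"]})
    return events


def is_external(src: str) -> bool:
    """True when the source is outside the organization's own prefixes."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in INTERNAL_NETS)


def logons_from_new_source(events, baseline):
    """T1078 over T1133: an account accepted from a source it never used before.

    Returns (user, src, external) tuples; 'external' True deserves a faster look.
    """
    hits = []
    for e in events:
        if e["result"] == "Accepted" and e["src"] not in baseline.get(e["user"], set()):
            hits.append((e["user"], e["src"], is_external(e["src"])))
    return hits


def failures_then_success(events, min_failures=2, within=timedelta(minutes=5)):
    """Password failures for one user from one source, then Accepted from the
    same source shortly after: a guess that landed, or a stolen password the
    operator had to try a few times. Returns (user, src, failure_count)."""
    hits = []
    recent = {}  # (user, src) -> timestamps of failures not yet followed by success
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["src"])
        if e["result"] == "Failed":
            recent.setdefault(key, []).append(e["ts"])
            continue
        fails = [t for t in recent.pop(key, []) if e["ts"] - t <= within]
        if len(fails) >= min_failures:
            hits.append((e["user"], e["src"], len(fails)))
    return hits


if __name__ == "__main__":
    events = parse(LOG)
    for user, src, external in logons_from_new_source(events, BASELINE):
        print(f"[new source] {user} from {src} external={external}")
    for user, src, n in failures_then_success(events):
        print(f"[fail->ok]   {user} from {src} after {n} failures")
```

Both findings fire on the same jdoe logon here, which is the point: one of them alone is weak evidence, and the baseline rule in particular needs the account’s history to be meaningful, but together they describe a stolen or guessed credential used through an exposed service, which is worth an analyst’s time even though the perimeter control happily let it in.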

Initial Access via Ninja stuff

While stories of “ninja stuff” pervade the Internet, these techniques are often reserved for the biggest fish an adversary may target. Whether Replication Through Removable Media (T1091) or directly implementing Hardware Additions (T1200), the risk is mighty high. In both techniques, the adversary is trying to implant a susceptible device or system, either with software carried on media (as Stuxnet was) or with hardware implants, as has been alleged of several hardware vendors. The closer to the end target the implant is introduced, the more controlled the spread, but the more dangerous it is for the team or individual conducting the attack.

Movies and shows depict implants being placed inside victim facilities, but the truth is that getting caught risks both the implanting operator’s life and the attacker’s operation and deniability, hence the focus on doing so much further up the supply chain. A certain covert arm of an intelligence agency is said to have employed these Initial Access techniques for a very long time.

Bloomberg’s 2018 reporting was pretty extensive on alleged implants in Chinese-made server hardware; the companies named publicly denied it, and the claims have not been independently confirmed.

What’s a defender to do?

Much like heavily fortified defenders in the movies falling victim to surprise attacks, defenders must learn to defend from within as well. Perimeter defenses, heavily slanted toward policy and immediate prevention, miss the behaviors within that signal disaster. Continual vigilance and paranoia are productivity killers. But if everyone is united behind a methodical approach to tracking and analyzing behaviors, success is more likely. Defenders need to know that their shields are keeping folks out, not masking their blind spots.

So detection and visibility are must-haves here, not just for picking up the initial use of a TTP but for discerning patterns. Turning those visibility tools inward to surface patterns can tip the defender off to the next steps. Allowing an Initial Access TTP to succeed isn’t ideal. That said, most attackers are dead in the water if you see what immediately follows: Initial Access lacks the bite of the Impact, Exfiltration, Lateral Movement, and Collection tactics.

As with any of these stages, the simplest approach may be to reduce the things being defended in the first place. By limiting the systems used (either in total nodes or in variety & complexity), the defenders can focus on a much smaller attack surface. History has shown the danger of fighting on too many fronts, or overextending an empire or operation and outrunning logistics and communications. For defenders in the cyber realm, this is most certainly true. You can:

  • Deactivate and decommission old systems that may house sensitive data
  • Standardize and template anything mission critical, and deploy it with CI/CD processes that ensure rapid updates and patches
  • Compartmentalize and segment consistently, monitoring to ensure all internal traffic follows expected behaviors
  • Reduce the number of paths into the environment

Conclusion

In ATT&CK, the Initial Access Tactic marks a change in posture, and may present the defender with the first indication that anything is happening. But do we see it? Can we discern it from the millions of scans, probes, and other noise? Do we have a plan for how to automate and remediate without distracting us from other vectors? The key here is to set the defending team up for success by bounding the problem and simplifying the environment. This enables the team to defend efficiently, focus on a smaller number of vectors, and better see anomalies happening behind the front lines. I hope this breakdown of The Initial Access Tactic in MITRE’s ATT&CK gives you some things to think about, and that you see the emerging trend – preparation and simplification can help you counter the adversaries!