Appendix A: Cyber-D&D Taxonomy
This taxonomy presents an orderly classification of cyber-D&D TTPs according to their relationship to classical D&D TTPs. This work draws on publications by authoritative sources as well as the body of knowledge in the security community. Grateful recognition is given to the National Institute of Standards and Technology, Sandia's Information Design Assurance Red Team (IDART) framework, and MITRE's Common Attack Pattern Enumeration and Classification (CAPEC) project.

Malicious actors use offensive TTPs to gain access to a target resource, while security personnel use defensive TTPs to protect their resources from compromise. This appendix is therefore divided into two high-level sections: use of cyber-D&D TTPs by malicious actors, and use of cyber-D&D TTPs by defenders against malicious actors.

Usage by Malicious Actors

Figure A.1 shows the offensive TTPs deployed by malicious actors to gain control of a target machine or network, implemented by abusing technical vulnerabilities in software or cognitive loopholes in people. To help correlate these offensive cyber-D&D TTPs with the concepts of revealing and concealing facts and fictions, Fig. A.2 presents a Venn diagram based on the D&D methods matrix in Chap. 2. The diagram characterizes each of the offensive TTPs according to how it relates to the traditional model of revealing or concealing truths and fictions.

This Venn diagram leads to several observations. First, it has only one intersection denoting TTPs that both simulate and dissimulate. This suggests some opportunity space in crafting new offensive D&D TTPs at the non-existent intersections. Second, most of the TTPs fall along the simulation-dissimulation axis, which suggests potential opportunity space in crafting new TTPs that reveal facts and conceal fictions. Third, there are no identifiable TTPs in which adversaries conceal fictions. Fourth, the largest category is conceal facts, which lends support to the notion presented in Sect. 6.3 that adversaries need to avoid detection to achieve their objectives. Fifth, there are few TTPs in which adversaries reveal facts voluntarily, given the disincentives in overtly showing their presence. Given the notion presented in Sect. 6.3 that defenders must detect to achieve their objective, the adversary has very few TTPs that readily alert defenders to the adversary's actions or presence.

© Springer International Publishing Switzerland 2015
K.E. Heckman et al., Cyber Denial, Deception and Counter Deception, Advances in Information Security 64, DOI 10.1007/978-3-319-25133-2

Fig. A.1 Offensive Cyber-D&D TTPs

Fig. A.2 Offensive Cyber-D&D Tactics

Below we outline each of these offensive tactics and techniques in more detail, using the categories of the D&D methods matrix as the organizing framework.

Reveal Facts

Denial of Service

Definition: Attempts to exhaust the resources of a machine, preventing normal operation of a system. Multiple machines could participate in a distributed denial of service (DDoS) attack, or users may "opt in" as part of a coordinated protest.

Method: Either transmit an overwhelming amount of data to the target or exploit software resource allocation limits. Vulnerabilities in network-facing software can be triggered by incoming packets to cause a denial of service condition, for instance a memory exhaustion bug caused by half-open TCP connections. Application logic that requires nontrivial processing is generally vulnerable to requests that cost the server more to process than they cost the attacker to generate.

Usage by Financially Motivated Actors: Coordinated networks of infected machines can be used to take competitors offline, prevent access to sites to cover fraudulent activity, or extract ransoms from targeted organizations.
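The half-open connection exhaustion described in the Method paragraph above is the pattern CWE-770 (Allocation of Resources Without Limits or Throttling) names. The following is an added example, not code from the book: a toy connection tracker in the unbounded form next to a hardened version that caps the table, caps entries per source, and expires stale handshakes. The class names, parameters, and the addresses (RFC 5737 documentation ranges) are assumptions made for the simulation; no sockets are opened.

```python
"""Added example, not from the book: unbounded vs. bounded half-open TCP
connection tracking (CWE-770). The SYN flood and its addresses are constructed."""
from collections import OrderedDict, defaultdict


class NaiveTracker:
    """Keeps every half-open handshake until it completes; under a flood it never does."""

    def __init__(self):
        self.half_open = {}  # (src, port) -> time the SYN arrived

    def syn(self, src, port, now):
        self.half_open[(src, port)] = now
        return True  # every SYN is accepted, so memory grows without bound

    def ack(self, src, port, now):
        return self.half_open.pop((src, port), None) is not None

    def size(self):
        return len(self.half_open)


class BoundedTracker:
    """Half-open table with a global cap, a per-source cap and a handshake timeout."""

    def __init__(self, max_total=64, max_per_source=8, timeout=5.0):
        self.max_total = max_total
        self.max_per_source = max_per_source
        self.timeout = timeout
        self.half_open = OrderedDict()  # insertion order doubles as age order
        self.per_source = defaultdict(int)
        self.dropped = 0

    def _remove(self, src, port):
        if self.half_open.pop((src, port), None) is None:
            return
        self.per_source[src] -= 1
        if self.per_source[src] <= 0:
            del self.per_source[src]

    def _expire(self, now):
        # Oldest entries come first, so stop at the first one still within the timeout.
        while self.half_open:
            (src, port), started = next(iter(self.half_open.items()))
            if now - started < self.timeout:
                break
            self._remove(src, port)

    def syn(self, src, port, now):
        self._expire(now)
        if (src, port) in self.half_open:
            return True  # retransmitted SYN, already tracked
        if (self.per_source[src] >= self.max_per_source
                or len(self.half_open) >= self.max_total):
            self.dropped += 1  # throttle: refuse rather than allocate
            return False
        self.half_open[(src, port)] = now
        self.per_source[src] += 1
        return True

    def ack(self, src, port, now):
        self._expire(now)
        present = (src, port) in self.half_open
        self._remove(src, port)
        return present

    def size(self):
        return len(self.half_open)


def flood(tracker, attacker="198.51.100.7", syns=1000):
    """Constructed SYN flood: one source, a new port per SYN, no handshake ever finished."""
    for i in range(syns):
        tracker.syn(attacker, 10000 + i, now=i * 0.001)
    return tracker.size()


def legitimate_after_flood(tracker):
    """A real client (constructed address) completing a handshake a minute after the flood."""
    accepted = tracker.syn("203.0.113.5", 40000, now=60.0)
    return accepted and tracker.ack("203.0.113.5", 40000, now=60.1)


if __name__ == "__main__":
    naive, bounded = NaiveTracker(), BoundedTracker()
    print("naive half-open entries after flood:  ", flood(naive))
    print("bounded half-open entries after flood:", flood(bounded), "dropped:", bounded.dropped)
    print("legitimate client served afterwards:  ", legitimate_after_flood(bounded))
```

The naive tracker ends the flood holding all 1000 entries; the bounded one holds 8, refuses the rest, and still serves a legitimate client once the stale entries time out. Note that a real SYN flood usually spoofs its source addresses, which defeats the per-source cap; the global cap and the timeout are what still hold, and production TCP stacks go further with SYN cookies so that no state is allocated before the handshake completes.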
Usage by Targeted Actors: Motivated actors could suppress political opponents and activists, make systems unavailable in conjunction with a physical attack, and prevent defenders from reacting to ongoing intrusions.

References
Handley, Rescorla. RFC 4732: Internet Denial of Service. The IETF Trust, 2006. https://tools.ietf.org/html/rfc4732
CWE-770: Allocation of Resources Without Limits or Throttling. The MITRE Corporation. http://cwe.mitre.org/data/definitions/770.html
CAPEC-119: Resource Depletion. The MITRE Corporation. http://capec.mitre.org/data/definitions/119.html
CERT/CC. Denial of Service Attacks. 2001. https://www.cert.org/tech_tips/denial_of_service.html

Command Injection

Definition: Execution of user-entered data as system commands.

Method: Exploit insufficient sanitization of user data, allowing valid system commands to be passed as part of normal input, typically to server-side scripts. For instance, a vulnerable service might concatenate incoming user input into SQL queries, allowing an attacker to extract data from a backend database.

Usage by Financially Motivated Actors: Actors might wish to enumerate public-facing systems in order to compromise email accounts or personal information.

Usage by Targeted Actors: Intrusions are aided by compromise of public servers, allowing their use as intermediary proxies and to further compromise website visitors.

References
OWASP. Command Injection. https://www.owasp.org/index.php/Command_Injection

Conceal Facts

Binary Obfuscation

Definition: The structure of software can be manipulated to conceal its functionality and increase the effort and cost involved in analyzing it.

Method: Adding malicious functionality to legitimate applications, adding large sections of useless "junk" code, and using encryption or encoding to conceal malicious code from static inspection.
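Two analyst-side checks follow directly from the Method paragraph above: encrypted or packed code has near-random byte statistics, so Shannon entropy over fixed windows locates it, and strings hidden with a single-byte XOR key (a cheap obfuscation that defeats a plain `strings` run) can be recovered by trying all 256 keys. This is an added example, not code from the book. The sample "binary" is constructed: repetitive code-like bytes followed by the same bytes encrypted with a seeded keystream, plus a placeholder hostname (update.example.com, not a real indicator) XORed with one key byte. The window size, threshold, and the hostname character set used for scoring are assumptions.

```python
"""Added example, not from the book: entropy-based detection of encrypted
regions and single-byte XOR string recovery. All sample bytes are constructed."""
import math
import random
from collections import Counter

WINDOW = 512        # bytes per entropy window (assumption)
THRESHOLD = 7.0     # bits/byte; plain code and text sit well below this (assumption)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform random; code and text usually score 4-6."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(blob: bytes, window: int = WINDOW, threshold: float = THRESHOLD):
    """(offset, entropy) for every window at or above the threshold."""
    hits = []
    for off in range(0, len(blob) - window + 1, window):
        e = shannon_entropy(blob[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


# Bytes a hostname, URL or path may contain; used to rank candidate keys.
_HOST_CHARS = frozenset(
    b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 .-_:/\\")


def single_byte_xor_recover(cipher: bytes):
    """Try all 256 keys; keep the one whose output has the most hostname-like bytes."""
    def score(key):
        return sum((b ^ key) in _HOST_CHARS for b in cipher)
    best = max(range(256), key=score)
    return best, bytes(b ^ best for b in cipher)


# --- constructed sample --------------------------------------------------------
# Low-entropy "code": a repeated function-prologue-like byte pattern.
PLAIN_CODE = bytes([0x55, 0x48, 0x89, 0xE5, 0x48, 0x83, 0xEC, 0x10]) * 128

# The same code XORed with a seeded pseudo-random keystream stands in for a
# packer's encrypted section. The fixed seed keeps the sample repeatable.
_rng = random.Random(20150101)
ENCRYPTED_CODE = bytes(b ^ _rng.randrange(256) for b in PLAIN_CODE)

SAMPLE_BINARY = PLAIN_CODE + ENCRYPTED_CODE

# A loader's C2 hostname hidden with one XOR key byte (placeholder name).
XOR_KEY = 0x5A
OBFUSCATED_HOST = bytes(b ^ XOR_KEY for b in b"update.example.com")


def analyze(blob: bytes = SAMPLE_BINARY, hidden: bytes = OBFUSCATED_HOST) -> dict:
    """Run both checks and return the findings."""
    key, recovered = single_byte_xor_recover(hidden)
    return {
        "suspicious_regions": high_entropy_regions(blob),
        "xor_key": key,
        "recovered": recovered,
    }


if __name__ == "__main__":
    result = analyze()
    print("high-entropy windows (offset, bits/byte):", result["suspicious_regions"])
    print("recovered XOR key 0x%02x -> %r" % (result["xor_key"], result["recovered"]))
```

The two plain-code windows score 2.75 bits per byte and are ignored; the two encrypted windows at offsets 1024 and 1536 exceed the threshold and are reported, which is how a packed section stands out in a real file. Entropy alone cannot distinguish encryption from legitimate compressed or media data, so in practice it is a triage signal rather than a verdict; the XOR scorer likewise works only for single-byte keys and string-like plaintext.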
Usage by Financially Motivated Actors: A financially motivated actor's goal is to avoid detection by security companies and antivirus, and to increase the reverse-engineering effort required of competitors and security analysts.

Usage by Targeted Actors: Customized implants might be heavily obfuscated to prevent detection and analysis. If an unpatched vulnerability is being exploited, obfuscation of the exploit code prevents other attackers from mimicking the same methods.

References
David Kennedy. Metasploit: The Penetration Tester's Guide, 2011. p. 103
NIST Special Publication 800-83: Guide to Malware Incident Prevention and Handling

Bot Computer

Definition: An infected computer capable of following instructions from an unauthorized actor. A bot network comprises multiple machines under a unified control method, typically responses from remote servers.

Method: Machines are often infected through widely targeted malware leveraging client-side exploits, persisting by evading detection by antivirus software. Infected machines typically belong to home users or small businesses that lack the resources for detection and cleanup.

Usage by Financially Motivated Actors: Credentials harvested from bots enable identity theft, money laundering, and further spread of infection. Infected machines can be used to launch denial of service attacks and spam campaigns, or can be resold for general purposes on the black market.

Usage by Targeted Actors: Infected machines act as proxies for launching intrusions and provide a resilient infrastructure for control of Trojan horses. Stolen information can be reused in future phishing campaigns and for better targeting of specific victims.

References
Botnets. Honeynet Project. http://www.honeynet.org/papers/bots
Roman Hüssy. Tracking Botnets. https://www.abuse.ch/

Command and Control

Definition: Communication between malware on a victim machine and a remote server.
Traffic is often obfuscated to prevent detection by security controls.

Method: Implants typically report a machine's network address, user credentials, and screen captures to their control server and wait for further instructions. File listings and credentials can be uploaded, and additional software can be downloaded to the compromised machine.

Usage by Financially Motivated Actors: Actors use a fixed set of domains or IP addresses for control, or generate them on the fly in the client. Peer-to-peer mechanisms are sometimes used to ensure resilient communication between server and clients. HTTP and IRC communications are common, including non-traditional communication methods like HTML comments and social media. Custom-developed command and control network protocols are also common, including those deliberately designed to mimic another benign protocol.

Usage by Targeted Actors: Implants connect to multiple domains, including backup domains that become active after a delay. Dynamic DNS may be used to provide flexibility and additional concealment of attacker identity. Legitimate sites are often compromised and used as part of a controller infrastructure. Encrypted and covert communication methods are commonly used to conceal traffic.

References
Michael Sikorski, Andrew Honig. Practical Malware Analysis. No Starch Press, 2012.
Mandiant. M-Trends 2011. 2011. http://www.mandiant.com/resources/m-trends/

Connection Proxying

Definition: Routing traffic through intermediate machines that provide a level of concealment for the source machine. An anonymizing proxy allows users to hide web browser activity. An anonymizing proxy can also be used to bypass web security filters to access blocked sites (e.g., enterprise blacklisted sites), which could contain infected webpages.

Method: Software running on hosts provides forwarding of IP packets on behalf of the source machine. Proxy software can be legitimately
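Returning to the Command and Control entry above, the phrase "generate them on the fly in the client" describes a domain generation algorithm (DGA): implant and operator derive the same list of names from a shared secret and the date, so the operator registers a few of them shortly before they are needed and a defender who recovers the secret from an implant can compute and sinkhole the same list. The following is an added example, not code from the book: a toy DGA next to a defender-side check that scores queried names for the lexical traits such labels tend to have. The generator is invented for illustration and is not any real family's algorithm; the seed string, the feature thresholds, and the DNS log lines are constructed, and every name uses the reserved .example TLD so nothing here resolves.

```python
"""Added example, not from the book: a toy DGA and a lexical DGA detector run
over constructed DNS log lines."""
import hashlib
import math
from collections import Counter

VOWELS = set("aeiouy")


def toy_dga(seed: str, day_iso: str, count: int = 4, tld: str = "example") -> list:
    """Derive `count` domains for one day (ISO date string) from a shared secret.

    The result depends only on (seed, day, index), so whoever knows the seed,
    operator or defender, can produce the same names for any date in advance.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day_iso}|{i}".encode()).hexdigest()
        # Map the first 12 hex nibbles onto letters a-p so the label looks like a hostname.
        label = "".join(chr(ord("a") + int(ch, 16)) for ch in digest[:12])
        domains.append(f"{label}.{tld}")
    return domains


def label_features(label: str) -> dict:
    """Lexical features commonly used to separate generated labels from chosen ones."""
    n = len(label)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0
    vowel_ratio = sum(ch in VOWELS for ch in label) / n if n else 0.0
    run = longest = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        longest = max(longest, run)
    return {"length": n, "entropy": entropy,
            "vowel_ratio": vowel_ratio, "max_consonant_run": longest}


def is_dga_like(domain: str) -> bool:
    """Flag long labels that are nearly vowel-free or contain a long consonant run."""
    f = label_features(domain.split(".")[0])
    return f["length"] >= 8 and (f["vowel_ratio"] < 0.2 or f["max_consonant_run"] >= 5)


# Constructed DNS log: "<client-ip> <queried name>", one query per line.
DNS_LOG = [
    "10.0.0.12 www.example",
    "10.0.0.12 mail.example",
    "10.0.0.25 cdn-images.example",
    "10.0.0.25 accounts.example",
    "10.0.0.31 xkqzvplmwtrb.example",
    "10.0.0.31 bqzxtvakmpwd.example",
    "10.0.0.44 hwrtsbmaoieu.example",
]


def flag_dns_log(lines: list) -> list:
    """Return (client, name) for every query whose label looks generated."""
    flagged = []
    for line in lines:
        client, qname = line.split()
        if is_dga_like(qname):
            flagged.append((client, qname))
    return flagged


if __name__ == "__main__":
    for d in toy_dga("s3cret-seed", "2015-01-01"):
        print("implant would try:", d, "dga-like:", is_dga_like(d))
    print("flagged from log:", flag_dns_log(DNS_LOG))
```

The detector flags the three constructed random-looking labels and passes the human-chosen ones. Lexical heuristics like these are noisy on their own (long legitimate words with consonant clusters will trip the run rule, and word-list DGAs evade it entirely), so in practice they are combined with the volume of NXDOMAIN responses per client and with domain age or reputation before anyone acts on them.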