Impact Flashcards

1
Q

Impact

A

This lesson is going to cover the 12th stage in the MITRE ATT&CK framework, Impact. These techniques describe the actions that adversaries may use to disrupt availability or compromise integrity by manipulating business and operational processes, such as tampering with or destroying data. At the time of writing, Impact includes 13 top-level techniques. We will be looking at the following:

Account Access Removal
Defacement (2 sub-techniques)
Data Encrypted For Impact

2
Q

Account Access Removal

A

MITRE Technique T1531

Adversaries may want to prevent access to accounts as an anti-forensic technique or simply to disrupt business operations. This can be achieved by completing any of the following:

Deleting Accounts
Locking Accounts
Changing Passwords
From an adversary's perspective these actions are extremely noisy, and Windows has a number of logs that would alert the security team to this activity, so it would likely occur once the attacker has finished all intended objectives.

Under the Procedure Examples heading we have one entry for this technique, where it was used by LockerGoga, a ransomware strain. As well as encrypting files, it also changed account passwords and logged them out so recovery of systems was even harder.

For this technique the Mitigation section is extremely short, because this technique abuses legitimate system functionality and therefore there is no real way to prevent it. Administrative controls should be in place to limit the number of user accounts that have administrator or domain administrator access and can modify or delete user accounts.

3
Q

Account Access Removal 2

A

MITRE offers some incredible advice for detecting this technique, and even kindly provides us with the Windows event IDs that we need to monitor. We actually covered these events in an activity within IR3) Detection and Analysis! As mentioned below, especially in larger environments, users will become locked out for legitimate reasons, such as simply forgetting their password after changing it. Events for changing or resetting a password can also legitimately be created by non-malicious users, so other methods should be considered when writing detection rules, such as event volume (1-5 login failures is likely legitimate, over 9000 is not) and comparing to a baseline of ‘standard’ activity.

4
Q

Defacement

A

MITRE Technique T1491

Adversaries may modify content available internally or externally to an enterprise network, such as editing desktop wallpapers to include an offensive image or ransom message, or modifying a company’s primary website so that it shows a public message instead of operating normally. But why would anyone do this? It’s incredibly noisy, and if the defenders haven’t identified the malicious actor by this point, they definitely know something is wrong now. Reasons for conducting defacement actions include:

Delivering messaging, typically associated with hacktivists promoting socially or politically-motivated messages
Intimidation, to assist with blackmail attempts towards the compromised organisation
Claiming credit for an intrusion, potentially for socially-motivated reasons such as showing off to friends or demonstrating technical capability to the organisation and others

This technique is split into two sub-techniques, internal and external.

Arguably the easiest and most effective method to combat internal and external defacement is to revert to the latest backup that doesn’t show any malicious modification. This is easier said than done, as efforts need to be made to protect the backups themselves too, as adversaries may target these to prevent recovery. The time between the latest backup being taken and recovery being applied will result in a period of lost data, so frequent backups are essential to reduce the impact of restoration.

5
Q

Defacement 2

A

MITRE suggests that organisations monitor for changes to their website, protect the web server with a web application firewall (WAF), and filter and drop malicious traffic associated with remote-to-local (R2L) attacks including SQL injection, cross-site scripting, and others. If an attacker is able to access a web server from within the network then they may be able to circumvent the WAF by connecting directly to the system using remote tools such as Remote Desktop Protocol or Secure Shell, so files on the server should be monitored for unexpected changes.

6
Q

Data Encryption

A

MITRE Technique T1486

Data encryption. What comes to mind straight away? Ransomware. Adversaries can encrypt files and data and withhold the decryption key so that there is no way of reversing the encryption. This is typically deployed to try and receive a ransom payment, at which point the adversary may or may not provide the decryption key. If the actor isn’t trying to extort money and simply wants to trash a system, they can encrypt critical system files or the Master Boot Record to cripple system functionality. Because the ransomware or encryption action will only affect the local system, the adversary needs to identify ways for it to spread, such as utilising wormable vulnerabilities (WannaCry used a flaw in SMB, a file sharing protocol, that allowed it to spread rapidly) or access to valid accounts.

The Procedure Examples table has a ton of interesting entries, including some high-profile ransomware strains such as Ryuk, Shamoon, and WannaCry. We can see that they all sound similar, but if you take a deeper dive by clicking on the ransomware names you’ll find out the cool details that separate them (go on, take a look!)

For the Mitigations table we’re presented with the same suggestion as for Defacement, reminding organisations to keep regular backups and ensure that they are appropriately protected to prevent tampering or destruction.

7
Q

Data Encryption 2

A

For Detection the suggestions include monitoring specific command-line usage such as vssadmin, wbadmin and bcdedit, all of which can be used to encrypt data. We can also monitor for a large number of file modifications within a short timeframe, which could be evidence of ransomware actively encrypting files.
