BACK

TA18-276A: Using Rigorous Credential Control to Mitigate Trusted Network Exploitation

TA18-276A: Using Rigorous Credential Control to Mitigate Trusted Network ExploitationOriginal release date: October 03, 2018Systems Affected Network Systems Overview This technical alert addresses the exploitation of trusted network relationships and the subsequent illicit use of legitimate credentials by Advanced Persistent Threat (APT) actors. It identifies APT actors’ tactics, techniques, and procedures (TTPs) and describes the …

  • 03 Oct 2018
7 min read
TA18-276A: Using Rigorous Credential Control to Mitigate Trusted Network Exploitation
Original release date: October 03, 2018Systems Affected Network Systems Overview This technical alert addresses the exploitation of trusted network relationships and the subsequent illicit use of legitimate credentials by Advanced Persistent Threat (APT) actors. It identifies APT actors' tactics, techniques, and procedures (TTPs) and describes the best practices that could be employed to mitigate each of them. The mitigations for each TTP are arranged according to the National Institute of Standards and Technology (NIST) Cybersecurity Framework core functions of Protect, Detect, Respond, and Recover. Description APT actors are using multiple mechanisms to acquire legitimate user credentials to exploit trusted network relationships in order to expand unauthorized access, maintain persistence, and exfiltrate data from targeted organizations. Suggested best practices for administrators to mitigate this threat include auditing credentials, remote-access logs, and controlling privileged access and remote access. Impact APT actors are conducting malicious activity against organizations that have trusted network relationships with potential targets, such as a parent company, a connected partner, or a contracted managed service provider (MSP). APT actors can use legitimate credentials to expand unauthorized access, maintain persistence, exfiltrate data, and conduct other operations, while appearing to be authorized users. Leveraging legitimate credentials to exploit trusted network relationships also allows APT actors to access other devices and other trusted networks, which affords intrusions a high level of persistence and stealth. Solution Recommended best practices for mitigating this threat include rigorous credential and privileged-access management, as well as remote-access control, and audits of legitimate remote-access logs. While these measures aim to prevent the initial attack vectors and the spread of malicious activity, there is no single proven threat response.Using a defense-in-depth strategy is likely to increase the odds of successfully disrupting adversarial objectives long enough to allow network defenders to detect and respond before the successful completion of a threat actor’s objectives.Any organization that uses an MSP to provide services should monitor the MSP's interactions within their organization’s enterprise networks, such as account use, privileges, and access to confidential or proprietary information. Organizations should also ensure that they have the ability to review their security and monitor their information hosted on MSP networks.APT TTPs and Corresponding MitigationsThe following table displays the TTPs employed by APT actors and pairs them with mitigations that network defenders can implement.Table 1: APT TTPs and MitigationsAPT TTPsMitigationsPreparationAllocate operational infrastructure, such as Internet Protocol addresses (IPs).Gather target credentials to use for legitimate access.Protect:Educate users to never click unsolicited links or open unsolicited attachments in emails.Implement an awareness and training program.Detect:Leverage multi-sourced threat-reputation services for files, Domain Name System (DNS), Uniform Resource Locators (URLs), IPs, and email addresses.EngagementUse legitimate remote access, such as virtual private networks (VPNs) and Remote Desktop Protocol (RDP).Leverage a trusted relationship between networks.Protect:Enable strong spam filters to prevent phishing emails from reaching end users.Authenticate inbound email using Sender Policy Framework; Domain-Based Message Authentication, Reporting and Conformance; and DomainKeys Identified Mail to prevent email spoofing.Prevent external access via RDP sessions and require VPN access.Enforce multi-factor authentication and account-lockout policies to defend against brute
Source: US-CERT AlertsPublished on 2018-10-03
Blog Details
  • 03 Oct 2018

Newest Articles.

View all
  • 04 Mar 16

    Top 5 Recent Cyber-attacks/hacks and How They Could Relate to your Business.

    Read Article logo
  • 13 Mar 16

    Data leaks, how can they affect Sales and Business Integrity?

    Read Article logo
  • 20 Apr 16

    Common Cyber Security Threats Faced by Businesses and The Impacts

    Read Article logo
  • 11 May 16

    Regular Vulnerability Scans Assessments: Keeping You Safe

    Read Article logo

Get a Quote

Click below and we’ll send you a quote within 48 hours.

quote-form-pattern
  • This field is for validation purposes and should be left unchanged.

Contact Us

Click below and we’ll send you a quote within 48 hours.

quote-form-pattern
  • This field is for validation purposes and should be left unchanged.

Step 1 of 4 - Let’s get started

25%
  • Thanks for your interest in working with us. Please complete the details below and we’ll get back to you within one business day.

Buy Cyber Essentials

price-popup-pattern