CERT mailing list archives

TA18-276A: Using Rigorous Credential Control to Mitigate Trusted Network Exploitation


From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Wed, 03 Oct 2018 11:49:48 -0500

U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:

TA18-276A: Using Rigorous Credential Control to Mitigate Trusted Network Exploitation
[ https://www.us-cert.gov/ncas/alerts/TA18-276A ]
10/03/2018 07:00 AM EDT
Original release date: October 03, 2018

Systems Affected

Network Systems

Overview

This technical alert addresses the exploitation of trusted network relationships and the subsequent illicit use of 
legitimate credentials by Advanced Persistent Threat (APT) actors. It identifies APT actors' tactics, techniques, and 
procedures (TTPs) and describes the best practices that could be employed to mitigate each of them. The mitigations for 
each TTP are arranged according to the National Institute of Standards and Technology (NIST) Cybersecurity Framework [ 
https://www.nist.gov/cyberframework/framework ] core functions of Protect, Detect, Respond, and Recover.

Description

APT actors are using multiple mechanisms to acquire legitimate user credentials and exploit trusted network 
relationships in order to expand unauthorized access, maintain persistence, and exfiltrate data from targeted 
organizations. Suggested best practices for administrators to mitigate this threat include auditing credentials and 
remote-access logs, and controlling privileged access and remote access.

Impact

APT actors are conducting malicious activity against organizations that have trusted network relationships with 
potential targets, such as a parent company, a connected partner, or a contracted managed service provider (MSP). APT 
actors can use legitimate credentials to expand unauthorized access, maintain persistence, exfiltrate data, and conduct 
other operations, while appearing to be authorized users. Leveraging legitimate credentials to exploit trusted network 
relationships also allows APT actors to access other devices and other trusted networks, which affords intrusions a 
high level of persistence and stealth.

Solution

Recommended best practices for mitigating this threat include rigorous credential and privileged-access management, as 
well as remote-access control, and audits of legitimate remote-access logs. While these measures aim to prevent the 
initial attack vectors and the spread of malicious activity, there is no single proven threat response.

Using a defense-in-depth strategy is likely to increase the odds of disrupting adversarial activity long enough for 
network defenders to detect and respond before the threat actor's objectives are achieved.

Any organization that uses an MSP to provide services should monitor the MSP's interactions within the organization's 
enterprise networks, such as account use, privileges, and access to confidential or proprietary information. 
Organizations should also ensure that they have the ability to review their security posture and monitor their 
information hosted on MSP networks.

APT TTPs and Corresponding Mitigations

The following table displays the TTPs employed by APT actors and pairs them with mitigations that network defenders can 
implement.

Table 1: APT TTPs and Mitigations

Each row pairs one phase of the intrusion (the APT TTPs) with the mitigations for it, grouped by NIST Cybersecurity 
Framework function.

*Phase: Preparation*

APT TTPs:
  * Allocate operational infrastructure, such as Internet Protocol addresses (IPs). 
  * Gather target credentials to use for legitimate access. 

Mitigations:

*Protect:*
  * Educate users to never click unsolicited links or open unsolicited attachments in emails. 
  * Implement an awareness and training program. 

*Detect:*
  * Leverage multi-sourced threat-reputation services for files, Domain Name System (DNS), Uniform Resource Locators 
(URLs), IPs, and email addresses. 

*Phase: Engagement*

APT TTPs:
  * Use legitimate remote access, such as virtual private networks (VPNs) and Remote Desktop Protocol (RDP). 
  * Leverage a trusted relationship between networks. 

Mitigations:

*Protect:*
  * Enable strong spam filters to prevent phishing emails from reaching end users. 
  * Authenticate inbound email using Sender Policy Framework (SPF); Domain-based Message Authentication, Reporting and 
Conformance (DMARC); and DomainKeys Identified Mail (DKIM) to prevent email spoofing. 
  * Prevent external access via RDP sessions and require VPN access. 
  * Enforce multi-factor authentication and account-lockout policies to defend against brute force attacks. 

*Detect:*
  * Leverage multi-sourced threat-reputation services for files, DNS, URLs, IPs, and email addresses. 
  * Scan all incoming and outgoing emails to detect threats and filter out executables. 
  * Audit all remote authentications from trusted networks or service providers for anomalous activity. 

*Respond and Recover:*
  * Reset credentials, including system accounts. 
  * Transition to multifactor authentication and reduce use of password-based systems, which are susceptible to 
credential theft, forgery, and reuse across multiple systems. 

*Phase: Presence*

APT TTPs:

*Execution and Internal Reconnaissance:*
  * Write to disk and execute malware and tools on hosts. 
  * Use interpreted scripts and run commands in a shell to enumerate accounts, the local network, the operating system, 
software, and processes for internal reconnaissance. 
  * Map accessible networks and scan connected targets. 

*Lateral Movement:*
  * Use remote services and log on remotely. 
  * Use legitimate credentials to move laterally onto hosts, domain controllers, and servers. 
  * Write to remote file shares, such as Windows administrative shares. 

*Credential Access:*
  * Locate credentials, dump credentials, and crack passwords. 

Mitigations:

*Protect:*
  * Deploy an anti-malware solution, which also aims to prevent spyware and adware. 
  * Prevent the execution of unauthorized software, such as Mimikatz, by using application whitelisting. 
  * Deploy PowerShell mitigations and, in current versions of PowerShell (5.0 and later), enable its monitoring and 
security features, such as module logging, script block logging, and transcription. 
  * Prevent unauthorized external access via RDP sessions. Restrict workstations from communicating directly with other 
workstations. 
  * Separate administrative privileges between internal administrator accounts and accounts used by trusted service 
providers. 
  * Enable detailed session auditing and session logging. 

*Detect:*
  * Audit all remote authentications from trusted networks or service providers. 
  * Detect mismatches by correlating credentials used within internal networks with those employed on external-facing 
systems. 
  * Log use of system-administrator commands, such as net, ipconfig, and ping. 
  * Audit logs for suspicious behavior. 
  * Use a whitelist or baseline comparison to monitor Windows event logs and network traffic to detect when a user maps 
a privileged administrative share on a Windows system. 
  * Leverage multi-sourced threat-reputation services for files, DNS, URLs, IPs, and email addresses. 

*Respond and Recover:*
  * Reset credentials. 
  * Monitor accounts associated with a compromise for abnormal behaviors, including unusual connections to nonstandard 
resources or attempts to elevate privileges, enumerate, or execute unexpected programs or applications. 

*Phase: Effect*

APT TTPs:
  * Maintain access to trusted networks while gathering data from victim networks. 
  * Compress and position data for future exfiltration in archives or in unconventional locations to avoid detection. 
  * Send data over a command and control channel using data-transfer tools (e.g., PuTTY secure copy client [PSCP], 
Robocopy). 

Mitigations:

*Protect:*
  * Prevent the execution of unauthorized software, such as PSCP and Robocopy. 

*Detect:*
  * Monitor for use of archive and compression tools. 
  * Monitor egress traffic for anomalous behaviors, such as irregular outbound connections, malformed or abnormally 
large packets, or bursts of data, to detect beaconing and exfiltration. 
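Several Detect items in Table 1 (audit remote authentications from service providers, review RDP use, and compare 
administrative-share mapping against a baseline) reduce to the same operation: read Security log events and flag the 
ones that fall outside what the organization and its MSP agreed is normal. The Python below is an added example, not 
code from this alert or from US-CERT. It runs those checks over constructed records shaped like event 4624 (logon) and 
event 5140 (network share object accessed). The MSP account names, the work-hours window, the MSP and 
administrative-workstation address ranges, and the RecordId field are assumptions made for the example.

```python
"""Baseline review of Windows Security events for the Detect items in Table 1:
remote authentications by service-provider (MSP) accounts, RDP logons from
unexpected sources, and mapping of administrative shares.

Added example, not code from the US-CERT alert. The records below are
constructed in the shape of Security log events 4624 (successful logon) and
5140 (network share object accessed); the account names, address ranges,
work-hours window and the RecordId field are assumptions.
"""
from datetime import datetime, time
from ipaddress import ip_address, ip_network
import re

# --- assumed baseline: what normal MSP and administrative access looks like ---
MSP_ACCOUNTS = {"msp-svc01", "msp-ops"}
MSP_HOURS = (time(8, 0), time(18, 0))               # Monday-Friday, local time
MSP_SOURCE_NETS = [ip_network("203.0.113.0/24")]    # MSP VPN concentrator (TEST-NET-3)
ADMIN_WORKSTATIONS = [ip_network("10.10.99.0/24")]  # privileged-access workstations
LOGON_NETWORK = "3"     # 4624 LogonType 3: SMB, WinRM, etc.
LOGON_RDP = "10"        # 4624 LogonType 10: RemoteInteractive (RDP)

# 5140 ShareName of an administrative share: \\*\ADMIN$ or a drive share such as \\*\C$
ADMIN_SHARE = re.compile(r"\\\\[^\\]+\\(ADMIN\$|[A-Z]\$)$", re.IGNORECASE)


def in_nets(ip, nets):
    """True if ip parses and falls inside one of nets. A missing address
    ("-" in real logs) never matches, so it is reported rather than trusted."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in nets)


def within_msp_hours(ts):
    start, end = MSP_HOURS
    return ts.weekday() < 5 and start <= ts.time() < end


def review_event(ev):
    """Return the findings for one event; an empty list means it fits the baseline."""
    findings = []
    user = ev.get("TargetUserName", "").lower()
    src = ev.get("IpAddress", "-")
    ts = datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%S")

    if ev["EventID"] == 4624 and ev.get("LogonType") in (LOGON_NETWORK, LOGON_RDP):
        if user in MSP_ACCOUNTS:
            if not within_msp_hours(ts):
                findings.append(f"MSP account {user} logged on outside work hours from {src}")
            if not in_nets(src, MSP_SOURCE_NETS):
                findings.append(f"MSP account {user} logged on from non-MSP source {src}")
        if ev["LogonType"] == LOGON_RDP and not in_nets(src, ADMIN_WORKSTATIONS + MSP_SOURCE_NETS):
            findings.append(f"RDP logon by {user} from unexpected source {src}")

    if ev["EventID"] == 5140 and ADMIN_SHARE.search(ev.get("ShareName", "")):
        if not in_nets(src, ADMIN_WORKSTATIONS + MSP_SOURCE_NETS):
            findings.append(f"admin share {ev['ShareName']} mapped by {user} from {src}")
    return findings


def review(events):
    """Map RecordId -> findings for every event that deviates from the baseline."""
    out = {}
    for ev in events:
        findings = review_event(ev)
        if findings:
            out[ev["RecordId"]] = findings
    return out


# Constructed sample: records 1 and 5 fit the baseline, 2-4 do not.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4624, "TimeCreated": "2018-10-03T10:15:00",
     "TargetUserName": "msp-svc01", "LogonType": "10", "IpAddress": "203.0.113.25"},
    {"RecordId": 2, "EventID": 4624, "TimeCreated": "2018-10-03T02:40:00",
     "TargetUserName": "msp-svc01", "LogonType": "10", "IpAddress": "203.0.113.25"},
    {"RecordId": 3, "EventID": 4624, "TimeCreated": "2018-10-03T11:02:00",
     "TargetUserName": "jsmith", "LogonType": "10", "IpAddress": "10.10.42.17"},
    {"RecordId": 4, "EventID": 5140, "TimeCreated": "2018-10-03T11:05:00",
     "TargetUserName": "jsmith", "IpAddress": "10.10.42.17", "ShareName": r"\\*\C$"},
    {"RecordId": 5, "EventID": 5140, "TimeCreated": "2018-10-03T11:06:00",
     "TargetUserName": "wsadmin", "IpAddress": "10.10.99.5", "ShareName": r"\\*\ADMIN$"},
]

if __name__ == "__main__":
    for rid, findings in review(SAMPLE_EVENTS).items():
        for f in findings:
            print(f"record {rid}: {f}")
```

The point of the baseline constants is the one the alert makes under "Establish a baseline on the network": the 
checks are only as good as the agreed list of MSP accounts, source ranges and hours, so that list has to be maintained 
with the MSP, not guessed from the logs after the fact.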
 



Detailed Mitigation Guidance

Manage Credentials and Control Privileged Access

Compromising the credentials of legitimate users automatically gives a threat actor access to the network resources 
available to those users and helps that threat actor move more covertly through the network. Adopting and enforcing a 
strong-password policy can reduce a threat actor's ability to compromise legitimate accounts; transitioning to 
multifactor authentication solutions increases the difficulty even further. Additionally, monitoring user account 
logins, whether failed or successful, and deploying tools and services to detect illicit use of credentials can help 
network defenders identify potentially malicious activity.

Threat actors regularly target privileged accounts because they not only grant increased access to high-value assets in 
the network, but also more easily enable lateral movement, and often provide mechanisms for the actors to hide their 
activities. Privileged access can be controlled by ensuring that only those users requiring elevated privileges are 
granted those accesses and, in accordance with the principle of least privilege, by restricting the use of those 
privileged accounts to instances where elevated privileges are required for specific tasks. It is also important to 
carefully manage and monitor local-administrator and MSP accounts because they inherently function with elevated 
privileges and are often ignored after initial configuration.

A key way to control privileged accounts is to segregate and control administrator (admin) privileges. All 
administrative credentials should be tightly controlled, restricted to a function, or even limited to a specific amount 
of time. For example, only dedicated workstation administrator accounts should be able to administer workstations. 
Server accounts, such as general, Structured Query Language, or email admins, should not have administrative access to 
workstations. The only place domain administrator (DA) or enterprise administrator (EA) credentials should ever be used 
is on a domain controller. Both EA and DA accounts should be removed from the local-administrators group on all other 
devices. On UNIX devices, sudo (or root) access should be tightly restricted in the same manner. Employing a 
multifactor authentication solution for admin accounts adds another layer of security and can significantly reduce the 
impact of a password compromise, because the threat actor also needs the other factor, that is, a smartcard or a token, 
to authenticate.
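The tiering rules in the paragraph above (DA and EA only on domain controllers, only the dedicated workstation-admin 
group on workstations, server-admin accounts kept off workstations, service-provider accounts kept separate) can be 
checked mechanically against each host's local Administrators membership. The Python below is an added example, not 
code from this alert: it parses the text that `net localgroup Administrators` prints on a Windows host and reports 
members that break the rules. The domain name, host roles, group names, MSP account and the policy table are 
constructed assumptions; collecting the per-host output (through whatever inventory or remote-execution tooling is 
already in place) is outside the script.

```python
"""Check each host's local Administrators membership against the tiering rules
above: DA/EA only on domain controllers, only the dedicated workstation-admin
group on workstations, server-admin groups kept off workstations, and
service-provider accounts confined to the systems they are contracted for.

Added example, not code from the US-CERT alert. Input is the text that
`net localgroup Administrators` prints on a Windows host; the domain, host
roles, group names and policy table are constructed assumptions.
"""
import re

DOMAIN = "CORP"
HIGH_PRIV = {"Domain Admins", "Enterprise Admins"}   # DA and EA groups
ALLOWED = {            # assumed policy: domain groups permitted as local admins, per host role
    "dc":          {"Domain Admins", "Enterprise Admins"},
    "server":      {"Server-Admins", "SQL-Admins", "Exchange-Admins"},
    "workstation": {"WS-Admins"},
}
MSP_ACCOUNTS = {"msp-svc01"}    # trusted service-provider accounts (assumed)
MSP_ALLOWED_ROLES = {"server"}  # assumed scope of the MSP contract

SEPARATOR = re.compile(r"^-{10,}$")


def parse_net_localgroup(text):
    """Return the member names from `net localgroup <group>` output: every
    non-empty line between the dashed separator and the 'The command completed' trailer."""
    members, in_list = [], False
    for line in text.splitlines():
        line = line.strip()
        if SEPARATOR.match(line):
            in_list = True
        elif line.startswith("The command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members


def check_host(host, role, text):
    """Return (host, member, reason) tuples for members that break the tiering rules."""
    issues = []
    for member in parse_net_localgroup(text):
        domain, _, name = member.rpartition("\\")
        if domain == "" and name.lower() == "administrator":
            continue                                 # built-in local Administrator account
        if domain.upper() != DOMAIN:
            issues.append((host, member, "non-domain principal in local Administrators"))
        elif name in HIGH_PRIV and role != "dc":
            issues.append((host, member, "DA/EA credentials must only be used on domain controllers"))
        elif name in MSP_ACCOUNTS:
            if role not in MSP_ALLOWED_ROLES:
                issues.append((host, member, f"MSP account is not in scope for role {role}"))
        elif name not in ALLOWED[role]:
            issues.append((host, member, f"not an approved admin group for role {role}"))
    return issues


def check_all(inventory):
    """inventory: host -> (role, net localgroup output). Returns host -> issues."""
    return {host: check_host(host, role, text) for host, (role, text) in inventory.items()}


# Constructed sample output in the layout `net localgroup Administrators` prints.
HEADER = ("Alias name     Administrators\n"
          "Comment        Administrators have complete and unrestricted access to the computer/domain\n\n"
          "Members\n\n" + "-" * 79 + "\n")
TRAILER = "The command completed successfully.\n"
INVENTORY = {
    "DC01":  ("dc", HEADER + "Administrator\nCORP\\Domain Admins\nCORP\\Enterprise Admins\n" + TRAILER),
    "SQL01": ("server", HEADER + "Administrator\nCORP\\Domain Admins\nCORP\\SQL-Admins\nCORP\\msp-svc01\n" + TRAILER),
    "WS042": ("workstation",
              HEADER + "Administrator\nCORP\\WS-Admins\nCORP\\SQL-Admins\nCORP\\msp-svc01\njsmith\n" + TRAILER),
}

if __name__ == "__main__":
    for host, issues in check_all(INVENTORY).items():
        for _, member, reason in issues or [(host, "-", "OK")]:
            print(f"{host:6} {member:24} {reason}")
```

In the sample, SQL01 is flagged once (Domain Admins in a server's local Administrators group) and WS042 three times 
(a server-admin group, the MSP account outside its contracted scope, and a local account that is not part of the 
domain at all); DC01 passes.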

Additionally, administrators should disable unencrypted remote-administrative protocols and services, which are often 
enabled by default. Protocols required for operations must be authorized, and the most secure version must be 
implemented. All other protocols must be disabled, particularly unencrypted remote-administrative protocols used to 
manage network infrastructure devices, such as Telnet, Hypertext Transfer Protocol, File Transfer Protocol, Trivial 
File Transfer Protocol, and Simple Network Management Protocol versions 1 and 2.

Control Remote Access and Audit Remote Logins

  * *Control legitimate remote access by trusted service providers.* Similar to other administrative accounts, MSP 
accounts should be given the least privileges needed to operate. In addition, it is recommended that MSP accounts 
either be limited to work hours, when they can be monitored, or disabled until work needs to be done. MSP accounts 
should also be held to the same or higher levels of security for credential use, such as multifactor authentication or 
more complex passwords subject to shorter expiration timeframes. 
  * *Establish a baseline on the network.* Network administrators should work with network owners or MSPs to establish 
what normal baseline behavior and traffic look like on the network. It is also advisable to discuss what accesses are 
needed when the network is not being actively managed. This will allow local network personnel to know what acceptable 
cross-network or MSP traffic looks like in terms of ports, protocols, and credential use. 
  * *Monitor system event logs for anomalous activity.* Network logs should be captured to help detect and identify 
anomalous and potentially malicious activity. In addition to the application whitelisting logs, administrators should 
ensure that other critical event logs are being captured and stored, such as service installation, account usage, 
pass-the-hash detection, and RDP detection logs. Event logs can help identify the use of tools like Mimikatz and the 
anomalous use of legitimate credentials or hashes. Baselining is critical for effective event log analysis, especially 
in the case of MSP account behavior. 
  * *Control Microsoft RDP.* Adversaries with valid credentials can use RDP to move laterally and access information on 
other, more sensitive systems. These techniques can help protect against the malicious use of RDP: 
      * Assess the need to have RDP enabled on systems and, if required, limit connections to specific, trusted hosts. 
      * Verify that cloud environments adhere to best practices, as defined by the cloud service provider. After the 
cloud environment setup is complete, ensure that RDP ports are not enabled unless required for a business purpose. 
      * Place any system with an open RDP port behind a firewall and require users to communicate via a VPN through a 
firewall. 
      * Perform regular checks to ensure RDP port 3389 is not open to the public internet. Enforce strong-password and 
account-lockout policies to defend against brute force attacks. 
      * Enable the Restricted Admin mode for RDP, available in Windows 8.1 and Server 2012 R2 and later, so that 
reusable credentials are neither sent to the remote host during authentication nor cached there. One caveat: because 
Restricted Admin mode authenticates with the account's hash rather than its password, an attacker who already holds 
that hash on the client can open an RDP session with it, so the mode protects the target host, not the client. 
Windows 10 and Server 2016 add Remote Credential Guard, which keeps the credentials on the client entirely. 

  * *Restrict Secure Shell (SSH) trusts.* It is important that SSH trusts be carefully managed and secured, because 
improperly configured and overly permissive trusts can provide adversaries with initial access opportunities and the 
means for lateral movement within a network. Access lists should be configured to limit which users are able to log in 
via SSH, and root login via SSH should be disabled. Additionally, the system should be configured to only allow 
connections from specific workstations, preferably administrative workstations used only for the purpose of 
administering systems. 
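The SSH recommendations above map onto a handful of sshd_config settings, and whether a given host meets them can be 
checked from the file alone. The Python below is an added example, not code from this alert: it parses sshd_config 
(honoring the rule that sshd keeps the first value it sees for a keyword, and that lines after a Match line belong to 
that block) and reports root login left enabled, a missing AllowUsers/AllowGroups access list, and AllowUsers entries 
that are not bound to a source host. The two configurations it runs against are constructed; the administrative range 
10.10.99.0/24, the user names and the ForceCommand path are assumptions.

```python
"""Audit an sshd_config against the SSH-trust guidance above: root login over
SSH disabled, an access list (AllowUsers/AllowGroups) present, and logins
bound to specific administrative workstations.

Added example, not code from the US-CERT alert. Both configurations below are
constructed; the administrative network 10.10.99.0/24, the user names and the
ForceCommand path are assumptions.
"""
import re

KEYVAL = re.compile(r"(\S+)[\s=]+(.*)")   # sshd accepts "Key value" or "Key=value"


def parse_sshd_config(text):
    """Return (global_opts, match_blocks). sshd_config keeps the FIRST value it
    sees for a keyword, so earlier lines win; lines after a Match line belong to
    that block until the next Match. Keys are lower-cased (they are case-insensitive)."""
    global_opts, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        m = KEYVAL.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {"criteria": value, "opts": {}}
            matches.append(current)
        elif current is not None:
            current["opts"].setdefault(key, value)
        else:
            global_opts.setdefault(key, value)
    return global_opts, matches


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the checks above pass."""
    g, matches = parse_sshd_config(text)
    findings = []

    prl = g.get("permitrootlogin")
    if prl is None:
        findings.append("PermitRootLogin not set: OpenSSH 7.0+ defaults to prohibit-password "
                        "(older releases to yes), so root can still log in with a key")
    elif prl.lower() != "no":
        findings.append(f"PermitRootLogin {prl}: root login over SSH must be disabled")
    for blk in matches:
        v = blk["opts"].get("permitrootlogin")
        if v is not None and v.lower() != "no":
            findings.append(f"Match {blk['criteria']} re-enables root login (PermitRootLogin {v})")

    users, groups = g.get("allowusers"), g.get("allowgroups")
    if users is None and groups is None:
        findings.append("no AllowUsers/AllowGroups access list: any account with a shell may log in")
    if users:
        for entry in users.split():
            if "@" not in entry:      # user@host binds the account to a source host/CIDR pattern
                findings.append(f"AllowUsers {entry} is not bound to a source host (use user@host)")
    elif groups:
        findings.append("AllowGroups limits accounts but not source hosts; bind sources with "
                        "AllowUsers user@host patterns or a host firewall")
    return findings


# Constructed: a permissive configuration and its hardened counterpart.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Match Address 10.10.99.0/24
    PermitRootLogin yes
"""

HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
# only the ops admin from the admin workstation range, and the backup account from one host
AllowUsers opsadmin@10.10.99.* backup@10.10.99.7
Match User backup
    ForceCommand /usr/local/bin/backup-only
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for f in audit_sshd_config(cfg) or ["no findings"]:
            print("  -", f)
```

The weak file produces three findings (root login on globally, root login re-enabled for the admin subnet, no access 
list); the hardened file produces none. Run it against `/etc/ssh/sshd_config` on the hosts that carry SSH trusts, and 
keep the CIDR in the AllowUsers patterns in step with the actual administrative workstation range.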

Report Unauthorized Network Access

*Contact DHS or your local FBI office immediately.* To report an intrusion and request resources for incident response 
or technical assistance, contact NCCIC (NCCICCustomerService () hq dhs gov or 888-282-0870), the FBI through a local 
field office, or the FBI's Cyber Division (CyWatch () fbi gov or 855-292-3937).

Revision History

  * October 3, 2018: Initial version 
________________________________________________________________________

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy 
& Use [ http://www.us-cert.gov/privacy/ ] policy.

________________________________________________________________________

A copy of this publication is available at www.us-cert.gov [ https://www.us-cert.gov ]. If you need help or have 
questions, please send an email to info () us-cert gov. Do not reply to this message since this email was sent from a 
notification-only address that is not monitored. To ensure you receive future US-CERT products, please add US-CERT () 
ncas us-cert gov to your address book. 

OTHER RESOURCES: Contact Us [ http://www.us-cert.gov/contact-us/ ] | Security Publications [ 
http://www.us-cert.gov/security-publications ] | Alerts and Tips [ http://www.us-cert.gov/ncas ] | Related Resources [ 
http://www.us-cert.gov/related-resources ]  

STAY CONNECTED: Sign up for email updates [ http://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new ] 

