Overview of MITRE ATT&CK Tactic - TA0011 Command and Control
Introduction In modern days, cyber violations, command and control are one of the main set of techniques with which attackers can gain control over the system within a victim’s network. Once control is gained over the system, the attackers can steal sensitive data, move laterally and blend into normal activity. Command and Control (MITRE ATT&CK Tactic TA0011) represents another critical stage of the adversary lifecycle, where the adversaries focus on communicating with the systems under their control. There are multiple ways to achieve this, either by mimicking the expected traffic flow to avoid detection or mimicking a normal behavior of the compromised system. To avoid the vulnerability, it is important for defenders to understand how communication is established to any system in the network and the various levels of stealth depending on the network structure. This article walks through the most common Command and Control techniques, and how F5 solutions provide strong defense against them. T1071 - Application Layer Protocol To communicate with the systems, the adversaries blend in with the existing traffic of the OSI layer protocols to avoid detection/network filtering. The results of these commands will be embedded within the protocol traffic between the client and the server. T1071.001 - Web Services Adversaries mimic normal, expected HTTP/HTTPS traffic that carries web data to communicate with the systems under their control within a victim network. T1071.002 - File Transfer Protocol Protocols used to implement this technique includes SMB, FTP, FTPS and TFTP. The malicious data is concealed within the fields and headers of the packets produced from these protocols. T1071.003 - Mail Protocols Protocols carrying electronic mail such as SMTP/S, POP3/S, and IMAP is utilized by concealing the data within the email messages themselves. T1071.004 - DNS An administrative function in computer networking is served by the DNS Protocol, and DNS traffic may also be allowed even before the authentication of the network. Data is concealed in the fields and headers of these packets. T1071.005 - Publish/Subscribe Protocols For message distribution managed by a centralized broker, where Publish/Subscribe design utilizes MQTT, XMPP, AMQP and STOMP protocols. T1092 - Communication Through Removable Media On disconnected networks, command and control between the compromised hosts can be performed using removable media to execute commands from system to system. For a successful execution, both systems need to be compromised and need to replicate the removable media through lateral movement. T1659 - Content Injection Adversaries may also gain control over the victim’s system by injecting malicious content into the systems, by initially accessing the compromised data-transfer channels where the traffic can be manipulated or content can be injected. T1132 – Data Encoding Another technique to gain control over the system is by encoding the information using a standard data encoding system. Encoding includes the use of ASCII, Unicode, Base64, MIME or other binary-to-text encoding systems. T1132.001 - Standard Encoding Data Encoding schemes utilized for Standard Encoding includes ASCII, Unicode, hexadecimal, Base64 and MIME. Data compression, such as gzip, are also an example of standard encoding. T1132.002 - Non-Standard Encoding Data Encoded in the message body of an HTTP request, such as modified Base64, is utilized as encoding schemes. T1001 – Data Obfuscation Obfuscation of command-and-control communication is hidden as part of this technique, making it even more difficult to discover or decipher. The focus is to make the communication less conspicuous and hidden, by incorporating several methods, which create below sub-techniques: T1001.001 - Junk Data Adversaries may abuse the protocols by adding random, meaningless junk data to the protocols, which can prevent trivial methods for decoding or deciphering the traffic. T1001.002 - Steganography Steganographic sub-techniques are used to transfer hidden digital data messages between systems, such as images or document files. T1001.003 - Protocol or Service Impersonation Adversaries can impersonate legitimate protocols or web services, to command-and-control traffic by blending in with legitimate network traffic. T1568 – Dynamic Resolution To establish connections dynamically to command-and-control the infrastructure and prevent any detections, adversaries use malware sharing a common algorithm with the infrastructure to dynamically adjust the parameters, such as a domain name, IP address, or port number. T1568.001 - Fast Flux DNS Fast Flux DNS is used to hide a command-and-control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. T1568.002 - Domain Generation Algorithm Rather than relying on a list of static IP addresses or domains, adversaries may utilize Domain Generation Algorithms to dynamically identify a destination domain for command-and-control traffic. T1568.003 - DNS Calculations Instead of utilizing the predetermined port number or the actual IP address, to dynamically determine which port and IP address to use, adversaries calculate on addresses returned in DNS results. T1573 – Encrypted Channel Adversaries rely on an encrypted algorithm channel to conceal command-and-control traffic rather than depending on any inherent protections by the communication protocols. T1573.001 - Symmetric Cryptography Symmetric Encryption Algorithms, such as AES, DES, 3DES, Blowfish and RC4, use keys for plaintext encryption and ciphertext decryption. T1573.002 - Asymmetric Cryptography Asymmetric cryptography, or public key cryptography, uses a keypair per party: one public and one private. The sender encrypts the data with the receiver’s public key, and the receiver decrypts the data with their private key. T1008 – Fallback Channels If the primary channel is compromised or inaccessible, then in order to maintain reliable command and control, adversaries use fallback communication channels. T1665 – Hide Infrastructure To hide and evade detection of the command-and-control infrastructure, adversaries identify and filter traffic from defensive tools, masking malicious domains to abuse the true destination, and otherwise hiding malicious contents to delay discovery and prolong the effectiveness of adversary infrastructure. T1105 – Ingress Tool Transfer Tools or other files transfer from an external adversary-controlled source into the compromised environment through controlled channels or protocols such as FTP. Also, adversaries may spread tools across the compromised environment as part of Lateral Movement. T1104 –Multi-Stage Channels To make detection more difficult, adversaries create multiple stages for command-and-control for several functions and different conditions. T1095 – Non-Application Layer Protocol To communicate between the host and command-and-control server, adversaries use non-application layer protocols, such as ICMP (Internet Control Message Protocol), UDP (User Datagram Protocol), SOCKS (Secure Sockets), or SOL (Serial over LAN). T1571 – Non-Standard Port Adversaries communicate using port pairings that are not associated with the protocol, for, say, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. T1572 – Protocol Tunneling Another approach to avoid detection/network filtering is to explicitly encapsulate a protocol within another protocol to enable routing of network packets which otherwise not reach their intended destination, such as SMB, RDP. T1090 – Proxy To direct network communications to a command-and-control server to avoid direct connections to the infrastructure and override the existing actual communication paths to avoid suspicion and manage command-and-control communications inside a compromised environment, proxy act as an intermediary between the systems, such as, HTRAN, ZXProxy and ZXPortMap. T1090.001 - Internal Proxy Internal proxies are primarily used to conceal the actual destination while reducing the need for multiple connections to external systems, such as peer-to-peer (p2p) networking protocols. T1090.002 - External Proxy External proxy is used to mask the true destination of the traffic with port redirectors. Purchased infrastructure such as Virtual Private Servers which are the compromised systems outside the victim's network, are generally used for these purposes. T1090.003 - Multi-Hop Proxy Multiple proxies can also be chained together to abuse the actual traffic directions, making it more difficult for defenders to trace malicious activity and identify its source. T1090.004 - Domain Fronting Adversaries can even misuse Content Delivery Networks (CDNs) routing schemes to infect the actual HTTPS traffic destination or traffic tunneled through HTTPS. T1219 – Remote Access Tools To access the target system remotely and establish an interactive command-and-control within the network, remote access tools are used to bridge a session between two trusted hosts through a graphical interface, a CLI, or a hardware-level access (KVM, Keyboard, Video, Mouse) over IP solutions. T1219.001 - IDE Tunneling IDE Tunneling combines SSH, port forwarding, file sharing and letting the developers gain access as if they are local, by encapsulating the entire session and tunneling protocols alongside SSH, allowing the attackers to blend in with the actual development workflow. T1219.002 - Remote Desktop Software Adversary may access the target systems interactively through desktop support software, which provides a graphical interface to the remote adversary, such as VNC, Team Viewer, AnyDesk, LogMein, are commonly used legitimate support software. T1219.003 - Remote Access Hardware To access the legitimate hardware through commonly used legitimate tools, including IP-based keyboard, video, or mouse (KVM) devices such as TinyPilot and PiKVM. T1205 – Traffic Signaling Traffic signaling is used to hide open ports or any other malicious functionality to prolong command-and-control over the compromised system. T1205.001 - Port Knocking To hide the open ports for persistence, port knocking is included, to enable the port, in which the adversary sends a series of attempted connections to a predefined sequence of closed ports. T1205.002 - Socket filters Socket Filters are filters to allow or disallow certain types of data through the socket. If packets received by the network interface match the filtering criteria, desired actions are triggered. T1102 – Web Service Adversaries use an existing, legitimate external Web Service to transfer data to/from the compromised system. Also, web service providers commonly use SSL/TLS encryption, which gives adversaries an additional level of protection. T1102.001 - Dead Drop Resolver Adversaries post content called dead drop resolver on Web Services with encoded domains. These resolvers will redirect the victims to the infected domain/IP addresses. T1102.002 - Bidirectional Communication Once the system is infected, they can send the output back to the Web Service Channel. T1102.003 - One-Way Communication Compromised Systems may not return any output at all in a few cases where adversaries tend to send only one way instructions and do not want any response. How F5 Can Help F5 security solutions provide multiple different functionalities to secure and protect applications and APIs across various platforms including Clouds, Edge, On-prem or Hybrid. F5 supports risk management solutions mentioned below to effectively mitigate and protect against command-and-control techniques: Web Application Firewall (WAF): WAF is supported by all the F5 deployment modes, which is an adaptable, multi-layered security solution that defends web applications against a broad spectrum of threats, regardless of where they are deployed. API Security: F5 offers to ease the security of APIs with F5 Web Application and API Protection (WAAP) solutions, which protects API endpoints and other API dependencies by restricting the API definitions using specified rules and schemas. Rate-Limiting & Bot Protection: Brute-force, credential stuffing, and session attacks can be mitigated with configurable thresholds and automated bot protection. For more information, please contact your local F5 sales team. Conclusion Command and Control (C2) encompasses the methods adversaries employ to communicate with compromised systems within a target network. Adversaries disguise their C2 traffic as legitimate network activity to evade detection. To defend against Command-and-Control techniques, defenders should gain a clear understanding of implementation of robust segmentation and egress filtering using Web Application Firewalls (WAF) to limit communication channels and regularly monitor traffic for anomalous patterns and leverage threat intelligence to identify any C2 indicator. Additionally, employing endpoint detection and response (EDR) using API Security solutions can help detect and block malicious C2 activity at the host level. Reference links MITRE | ATT&CK Tactic 09 – Command and Control MITRE ATT&CK: What It Is, how it Works, Who Uses It and Why | F5 Labs MITRE ATT&CK®Overview of MITRE ATT&CK Tactic : TA0009 - Collection
This article is a continuation of our MITRE ATT&CK series. In this article, we focus on the Collection tactic, and the techniques adversaries use to gather, stage, and organize data from compromised systems before exfiltration. As attackers progress through an intrusion, Collection becomes critical for assembling sensitive files, credentials, screenshots, and other high‑value information that will fuel data theft, espionage, or destructive operations.Overview of MITRE ATT&CK Tactic: TA0040 - Impact
This article focuses on the Impact Tactic, and the techniques adversaries use to manipulate, disrupt or damage the systems and data as they reach the final stage of an attack. This is one of the critical tactics, as it highlights the adverse effects attackers can cause, including exploitation, operational disruption, data destruction, or financial gainApp Migration across Heterogeneous Environments using F5 Distributed Cloud
F5 XC helps in deploying Customer Edge (CE) on different cloud environment such as VMware, Nutanix, Red Hat Openshift (OCP), Azure, AWS, GCP and more. This helps in migration across on-prem and cloud platforms for easy of use and leverage the services of cloud platforms for migration.Mitigating OWASP API Security Risk: BOPLA using F5 BIG-IP
BOPLA i.e Broken Object Property Level Authorization is combination of Mass Assignment vulnerability and Excessive Data Exposure attack, one is caused due to automatic binding of client-provided data to code internal object without proper validation while other is due to expose of sensitive data such as Personally Identifiable Information (PII), Social Security Number (SSN), Credit Card Number (CCN) and Phone Number etc. These vulnerabilities in the application is mitigated by the F5 BIG-IP Advanced WAF.Mitigating OWASP API Security Risk: Excessive Data Exposure using F5 BIG-IP
Excessive Data Exposure vulnerability leaks the sensitive data of the user results in serious concerns to an organization security. F5 BIG IP Advanced WAF or ASM protects the web application or server from Excessive Data Exposure vulnerability and provides feasibility to block/mask valuable data like Social Security Number (SSN), Credit Card Number (CCN). Personally Identifiable Information (PII) and Phone Number as well. This protects from attackers and leverages system security.Mitigating OWASP API Security Risk: Mass Assignment using F5 BIG-IP
This article is a continuation of the OWASP Top 10 API Security series. It aims to explain Mass Assignment and how to stop it using F5 BIG-IP Advanced WAF. Introduction to Mass Assignment: In today’s world of data communication, applications often interact with one another to enable data sharing and improve services to meet user needs. At the core of these interactions are APIs, which are extensively utilized in modern application development. To streamline their implementation, developers commonly rely on various software frameworks. However, these frameworks often introduce a security risk by automatically binding client-provided data to code variables and internal objects without proper validation. This lack of validation creates an opportunity for an attacker to exploit a vulnerability known as Mass Assignment. In the screenshot mentioned above, describes the exploitation of Mass Assignment vulnerability. Attacker has successfully escalated his role from normal user to admin by modifying the JSON content of the API request. At first, the attacker sends a valid API request to the vulnerable application to add the user and gets a response back with a parameter that defines the role. In the second step, the attacker tampers the role parameters and sends the API request, due to lack of validations at the web server. This results in successful exploitation of the system. Preventive Steps: Automatic binding of client-input data into application’s internal code variables must be avoided. Clearly defining input parameters that should be allowed/blocked from the client-input data. Schema should be explicitly defined and enforced for the input parameters. Demo Attack and Mitigation steps using BIG-IP Advanced WAF: Using BIG-IP Advanced WAF, we define schemas with fixed parameters and only those are allowed from the client-input data and block the rest, thereby causing restrictions to the parameters that make the system vulnerable. The steps mentioned below give some brief details about creating a security policy using WAF policy API Security templates, which are designed to protect web applications that expose APIs from vulnerabilities. It focuses on safeguarding API endpoints, managing authentication, controlling access, and mitigating threats that target API logic and data handling. We generate a mass assignment attack followed by enforcing blocking mode to block the attack using BIG-IP. Let us now see a quick demo of mass assignment and mitigate it using BIG-IP Advanced WAF policy API Security template. Note: Following configs and validations are done on F5 BIG-IP VE with version: BIG-IP 16.1.6 Build 0.0.3 As a vulnerable application to exploit mass assignment, I chose crAPI demo application. Demo app crAPI Github repo Note: Before proceeding further into the demo, let us restrict the “quantity” value to 1 by adding a “minimum” keywork with value as 1 in the crAPI’s OpenAPI specification file or swagger file to positive values before uploading it to BIG-IP while creating a policy. Let’s try to violate the quantity value with input parameters and observe the behavior during Transparent and blocking mode. Step 1: Creating a security policy On the Main tab, click Security > Application Security > Security Policies. Click on Create to create the policy. Provide a name in the Name field. Make sure the Policy Type is Security. From the Policy Template, select API Security. The OpenAPI (Swagger) File field is now visible. Click Upload File to navigate to your OpenAPI specification file and upload it. From the Virtual Server dropdown, select the virtual server to which this policy should be assigned. Under Learning and Blocking section, make sure Enforcement Mode is initially set to Transparent to observe the attack requests. Click on Save to save the security policy configured. This confirms security policy is saved successfully. Step 2: Attack Generation and Mitigation In the demonstration below, we have an API endpoint which is used to order products. This endpoint has a vulnerable object named “quantity”. By providing negative value to this variable not only results in successful ordering of a product but also causes increment in available balance. This results in successful exploitation of mass assignment. As shown above, the available balance for a user is $200. From the above screenshot, you can be able to see on placing the order worth $10 successfully shows available balance as $190, which is expected behavior. Now, let us try to place an order for the same product with negative quantity for the same endpoint and check whether mass assignment vulnerability is present or not. As you can be able to see from above screenshot, order is successfully placed by providing client-input variable “quantity” with negative value and increment in available balance by $10 which is not expected. This confirms that mass assignment vulnerability exists in this demo application. BIG-IP logs show alarm for the above request in transparent mode. Now, let’s modify the policy to Blocking mode and observe the behavior. From the Policy configuration, Select Enforcement mode as Blocking, click on Save and then click on Apply Policy button. Once the policy is updated, and re-trying the same attack, the attack request is blocked. Conclusion: Mass assignment vulnerability provides an opportunity for attackers to exploit the vulnerability using client-input variables. BIG-IP Advanced WAF’s OpenAPI schema validation feature helps to detect and mitigate these vulnerabilities, thereby safeguarding the application and enhancing overall security of the system. References: For more detailed guidance on OWASP and steps to configuring Advanced WAF security policy on F5 BIG IP, refer to the official documentation below: https://owasp.org/API-Security/editions/2019/en/0xa6-mass-assignment/ https://techdocs.f5.com/en-us/bigip-17-0-0/big-ip-asm-implementations/working-with-openapi.htmlMitigating OWASP Web Application Risk: Security Misconfiguration using F5 BIG-IP
Security misconfiguration is OWASP Top 10 Web Application Security risk, it occurs when security settings are not properly set, and hence attacker comes up with XXE (XML eXternal Entity) attack to exploit the vulnerability. F5 BIG-IP Advanced WAF or ASM looks for XML injection attempts and blocks it, there by protecting the application.
