
Mitre ATT&CK™ and the FIN7 Indictment: Lessons for Organizations

On August 1, 2018, the US Department of Justice unsealed an indictment against three members of the international cybercrime group known as FIN7. We previously wrote about what FIN7 is, the implications of this indictment and some of the fascinating details of their campaigns, such as the use of a front company that was used to mask the criminal operations. As we did before with the GRU indictment, we wanted to maximize the lessons learned for defenders and therefore used the Mitre ATT&CK framework to replay the FIN7 indictment.

Published in: Technology

MITRE ATT&CK and the FIN7 Indictment

Mitre ATT&CK Stage / FIN7 Tactics, Techniques and Procedures

0. Reconnaissance: People Information Gathering, Organizational Information Gathering, Organizational Weakness Identification, People Weakness Identification
1. Initial Access: Spearphishing Attachment
2. Execution: User Execution
4. Persistence: Application Shimming
5. Defense Evasion: Obfuscated Files or Information
6. Credential Access: Input Capture
8. Lateral Movement: Remote Services
9. Collection: Data Compressed, Data Encrypted, Exfiltration Over Other Network Medium
10. Exfiltration: Data Compressed, Data Encrypted, Exfiltration Over Other Network Medium

Mitigation Advice

  • Awareness is required of which information about the organization and its employees is public, in particular email and telephone contact details.
  • Certain job titles may be of more interest to attackers because of the responsibilities and access that specific employees have. These employees may require dedicated training on the threats they face as part of their job.
  • Attackers can use social media searches to uncover these employees, but public documents, such as SEC filings, can also reveal these employees and their contact details.
  • Security teams need to understand attackers and their goals, as well as the business processes of their own organizations.
  • Organizations which operate inside a regulated environment may need to implement additional security controls (both technical and procedural/administrative) to verify communications with the regulator.
  • Public-facing employees may require dedicated tools to open potentially malicious attachments safely, such as sandboxes or cloud services.
  • Ensuring that antivirus and other detection mechanisms are fully up to date with the latest signatures and heuristics is essential for increasing the likelihood that obfuscated payloads are detected and quarantined appropriately.
  • Organizations may wish to investigate the use of EDR systems for advanced endpoint protection.
  • Microsoft's AMSI can be used to capture obfuscated PowerShell scripts after they have been deobfuscated.
  • Script Block Logging for PowerShell can also be used to capture PowerShell scripts after they have been deobfuscated.
  • Microsoft has also released an optional patch update (KB3045645) that removes the "auto-elevate" flag from sdbinst.exe. This prevents the use of application shimming to bypass UAC.
  • Improving credential hygiene by using each password only once reduces the impact of credential theft. The attacker can still access the system whose credentials they captured, but without password reuse the damage is limited to that affected system.
  • Blocking egress traffic that is not necessary for the organization's requirements limits an attacker's options for communicating outside of the organization.
  • Web proxies can provide granular controls for restricting egress traffic types and destinations.
  • DNS traffic can be used by attackers to move data out of environments where other controls are present; as such, DNS traffic should be inspected for malicious activity.
  • Sudden anomalies in the amount of storage used by particular machines could be an indication of unusual activity and may be worth investigating.
  • Application whitelisting can be used to prevent the execution of unauthorized code in an environment and can prevent the execution of certain types of malware.
  • Change the security descriptor of the Service Control Manager (SCM).
  • Lateral movement should be restricted as much as possible by restricting workstation-to-workstation communication (via firewalling or even private VLANs).
  • Apply the principle of least privilege to ensure that only the necessary personnel have the administration privileges required for certain actions.
  • The ACSC (Australian Cyber Security Centre) recommends disabling macros as part of its Essential Eight approach for securing organizations. When disabling macros it is important to consider the business processes and legitimate business requirements for macros, and how to mitigate the risk they incur.
  • OLE package activation can also be disabled where possible.
  • LNK files can be blocked by email filtering gateways to prevent the files from reaching targeted users.
  • Windows Script Host (WSH) can be disabled if possible, or restricted where it cannot be disabled, to mitigate its risks.
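The AMSI and Script Block Logging bullets above rely on the fact that PowerShell logs the script text in its deobfuscated form (Event ID 4104) once it is actually executed, so a defender can triage those records for obfuscation tell-tales that the original, obfuscated payload hid. The following added example (written for this page, not code from the original slide deck or its authors) shows that triage step over a handful of constructed 4104-style records: the record fields are modelled on the Windows event but every value is invented, and the indicator list and scoring thresholds are assumptions for illustration rather than a published rule set.

```python
"""Triage PowerShell Script Block Logging records (Event ID 4104) for
obfuscation indicators. All sample data below is constructed for this
example; the field names mirror the Windows event, the values are invented."""
import re
from collections import Counter

# Constructed sample records (not real telemetry). One benign block, two
# blocks showing deobfuscated-at-execution content, and one non-4104 event
# that the triage must skip.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS01", "ScriptBlockId": "a1",
     "ScriptBlockText": "Get-ChildItem C:\\Reports | Where-Object { $_.Length -gt 1MB }"},
    {"EventID": 4104, "Computer": "WS07", "ScriptBlockId": "b2",
     "ScriptBlockText": "$s=[System.Text.Encoding]::Unicode.GetString("
                        "[Convert]::FromBase64String($env:X)); Invoke-Expression $s"},
    {"EventID": 4104, "Computer": "WS07", "ScriptBlockId": "c3",
     "ScriptBlockText": "IEX ([char]78+[char]101+[char]119+'-Object')"},
    {"EventID": 4103, "Computer": "WS07", "ScriptBlockId": "d4",
     "ScriptBlockText": "Invoke-Expression 'should be ignored: not a 4104 record'"},
]

# Indicator patterns (assumed for this example). Each one is something an
# analyst would want to look at in a script block, not proof of malice.
INDICATORS = {
    "invoke_expression": re.compile(r"\b(Invoke-Expression|IEX)\b", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "char_code_assembly": re.compile(r"\[char\]\s*\d+", re.I),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Net\.WebClient", re.I),
    "string_splice": re.compile(r"-join\b|-replace\b", re.I),
}

# Fraction of non-alphanumeric, non-whitespace characters above which a block
# is treated as "symbol heavy" (assumed threshold).
SYMBOL_RATIO_THRESHOLD = 0.30


def symbol_ratio(text):
    """Share of characters that are neither alphanumeric nor whitespace."""
    if not text:
        return 0.0
    symbols = sum(1 for c in text if not (c.isalnum() or c.isspace()))
    return symbols / len(text)


def score_block(text):
    """Return the indicator hits, symbol ratio and a simple additive score."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    ratio = symbol_ratio(text)
    score = len(hits) + (1 if ratio > SYMBOL_RATIO_THRESHOLD else 0)
    return {"hits": hits, "symbol_ratio": round(ratio, 3), "score": score}


def triage(events, threshold=2):
    """Score every 4104 record and return those at or above the threshold."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue  # only script block records carry deobfuscated text
        result = score_block(ev.get("ScriptBlockText", ""))
        if result["score"] >= threshold:
            findings.append({"Computer": ev["Computer"],
                             "ScriptBlockId": ev["ScriptBlockId"], **result})
    return findings


def hosts_by_finding_count(findings):
    """Count flagged blocks per host so the noisiest machine surfaces first."""
    return Counter(f["Computer"] for f in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['Computer']} block {f['ScriptBlockId']}: score={f['score']} "
              f"hits={f['hits']} symbol_ratio={f['symbol_ratio']}")
    print("per host:", dict(hosts_by_finding_count(found)))
```

The score is deliberately crude: it counts distinct indicator families and adds one point for symbol-heavy text, which is enough to separate the two constructed suspicious blocks from the benign directory listing. In a real deployment the same loop would read from the Microsoft-Windows-PowerShell/Operational channel or a SIEM export, and the threshold would be tuned against the organization's own administrative scripts so that legitimate automation does not drown out the findings.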
