Brunel - Computer Science - CS3609 Cybersecurity Exam Practice Questions with Solutions

Rating: -
Sold: 5
Pages: 7
Grade: A+
Uploaded on: 28-02-2022
Written in: 2020/2021

CS3609 Cybersecurity Exam Practice Questions with Solutions which I used to practice my essay writing and answers structure to achieve a first class honour in this module at Brunel University.

MITRE ATT&CK Framework

An attack scenario can be described from the findings of the Red Team exercise. Firstly, adversaries
would begin the attack with Reconnaissance tactics. The technique ‘Active Scanning’, specifically
the sub-technique ‘Vulnerability Scanning’ (MITRE ATT&CK, T1595.002), would be executed. This is
accomplished using an application or software tool which gathers information, including
identifying systems, services and their versions (Andrew, 2020). In this scenario the scan would be
performed from outside the network and would be non-intrusive. It would identify that
Brunel Tech is running an outdated version of the Apache Tomcat server. This version of the
software has a bug, and attackers will therefore exploit this vulnerability (MITRE CVE-2019-0232). The
attackers would not have been able to continue with their attack if Brunel Tech had kept its software
up to date. However, because the vulnerability has been identified, the adversary will now commence
the attack. Additionally, mitigation at this stage may be difficult: being a start-up company, Brunel
Tech is unlikely to have cyber security experts monitoring for suspicious network traffic.

Since the adversaries have discovered a vulnerability in the server, their next step is to begin the
Initial Access tactic. The ‘Exploit Public-Facing Application’ technique will be used to take advantage
of it and establish access into the network (MITRE ATT&CK, T1190). Brunel Tech could consider investing
in vulnerability scanners themselves in order to patch any weaknesses identified.



The next step is the Execution tactic. The Common Gateway Interface (CGI) is the
interface used to execute programs and applications on the web server. The vulnerability discovered is
that ‘enableCmdLineArguments’ is enabled, which allows the adversaries to execute scripts and
commands on the server. This is referred to as the ‘Command and Scripting Interpreter’ technique
(MITRE ATT&CK, T1059). The attacker will deploy unauthorised scripts and commands associated
with account creation using PowerShell.

The attacker will therefore have moved on to the Persistence tactic, using the ‘Create Account’
technique to maintain access to Brunel Tech’s systems (MITRE ATT&CK, T1136.001).
Mitigations include multi-factor authentication; Brunel Tech should use Two-Factor Authentication
(2FA). This is when a system requests an additional token when a user logs on, which would
have been effective in avoiding this attack scenario. An example is inserting a physical smart card,
which only Brunel Tech employees would have, to access a machine or browse files.

The adversaries are now in the final phases and will use the Command and Control tactic, in which scripts
can be used to download and launch Remote Access Software. The attacker will now be able to roam
the infected machines using the remote access software ‘LogMeIn’ (MITRE ATT&CK, T1219). Having
gained access, the attacker now poses a threat to several of Brunel Tech’s assets, including
customer and employee data, which will be stolen, violating their privacy, as the attacker
commits data theft.

Brunel Tech is likely to hold information such as payroll slips with banking details and National
Insurance numbers. Additionally, names, contact information and other sensitive data will be
extracted, and the attacker will then be able to share the data as well as commit identity
theft. This will be completed through the Exfiltration tactic, with the technique ‘Transfer Data to
Cloud Account’ (MITRE ATT&CK, T1537). This consists of transferring all the accessible data on the
infected machine to a cloud account the attacker has access to, for example Mega.nz.

Overall, the threat agent in this scenario is a Black-Hat Hacker, and the potential threats
identified within this attack scenario include, but are not limited to, data theft and
data loss affecting the assets, namely customer and employee data. The impact can be
detrimental to the company, including fines from the UK government due to the
lack of security and for being responsible for a breach of the General Data Protection Regulation.




An Intrusion Detection System (IDS) is a device or piece of software that monitors networks for
malicious activity, policy violations or unwanted intrusions. An anomaly-based IDS uses statistical
techniques to discover unusual behaviour. The objective is to find patterns in network traffic that do
not conform to the expected normal behaviour.

One approach to anomaly-based IDS is the statistical approach. This approach looks for
correlations and deviations from the normal data and uses statistical tests to identify what the
correlations are for the data and flag any significant changes from the norm. One example
is the t-test, which is one of the simplest statistical tests and is used to determine the difference
between the means of two groups. Before these tests are run, a large amount of
data must be available and the data must be normally distributed, which can be checked by applying the
Kolmogorov-Smirnov test for normality. If the data is not normal,
parametric statistical techniques cannot be used, and a non-parametric test such as the
chi-squared test can be used instead by ranking the data.
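
The procedure described above, as an added example that is not part of the original answer: a Kolmogorov-Smirnov normality gate followed by a two-sample t-test on a traffic metric. It uses Welch's form of the t-test with a normal approximation for the p-value (reasonable for large samples); the data, thresholds and function names are constructed for illustration.

```python
import math
from statistics import NormalDist, mean, stdev

def ks_normal(sample):
    """KS distance between the sample's empirical CDF and a fitted normal."""
    xs = sorted(sample)
    n = len(xs)
    fitted = NormalDist(mean(xs), stdev(xs))
    d = max(max((i + 1) / n - fitted.cdf(x), fitted.cdf(x) - i / n)
            for i, x in enumerate(xs))
    # 1.36/sqrt(n) is the large-sample 5% critical value. Because the mean and
    # deviation are estimated from the same data, this gate is lenient.
    return d, d <= 1.36 / math.sqrt(n)

def welch_t(baseline, window):
    """Welch t statistic and two-sided p-value (normal approximation)."""
    se = math.sqrt(stdev(baseline) ** 2 / len(baseline)
                   + stdev(window) ** 2 / len(window))
    t = (mean(window) - mean(baseline)) / se
    return t, 2 * (1 - NormalDist().cdf(abs(t)))

def check_window(baseline, window, alpha=0.05):
    """Gate on normality, then flag the window if its mean differs from baseline."""
    if not (ks_normal(baseline)[1] and ks_normal(window)[1]):
        return "non-normal: use a non-parametric test"
    _, p = welch_t(baseline, window)
    return "anomaly" if p < alpha else "normal"

def quantile_sample(inv_cdf, n):
    """Constructed, reproducible sample: n evenly spaced quantiles of a distribution."""
    return [inv_cdf((i + 0.5) / n) for i in range(n)]

# Constructed data (requests per minute), not measurements from the page.
BASELINE = quantile_sample(NormalDist(200, 15).inv_cdf, 300)
QUIET = quantile_sample(NormalDist(200, 15).inv_cdf, 60)    # same behaviour
BURST = quantile_sample(NormalDist(260, 15).inv_cdf, 60)    # shifted mean
SKEWED = quantile_sample(lambda u: -200 * math.log(1 - u), 300)  # exponential

if __name__ == "__main__":
    for name, window in (("quiet", QUIET), ("burst", BURST), ("skewed", SKEWED)):
        print(name, check_window(BASELINE, window))
```

With only a few dozen samples the normality gate has little power to reject skewed data, which is one reason the statistical approach needs a large amount of data before the tests are applied.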
cslbrunel Brunel University
Brunel Computer Science (1st Class Honours)

I achieved a First Class Honours degree in Computer Science from Brunel University - I will be uploading some of my work. Please do not purchase any documents looking for the solution to your assignments or deliverables. No refunds / exchanges.
