ICT Security Basics – work 1

Homework 1

h1 Adversarial mindset

Install Debian on Virtualbox.

I’ll start with the simplest task, installing the Debian Linux distribution on a virtual machine. I did this for another course that started at the same time as this one. In this post, I will describe how I did it.

For the Penetration Testing course, I downloaded a Xubuntu 20.04.4 desktop image, a Kali 2022.1 installer image, and a Kali 2022.1 VMware virtual machine. I had VMware Workstation Pro 15 installed on my laptop, and I have some experience installing Unix and Linux systems, so it was not difficult for me to install three virtual machines with the following parameters:

– RAM 2 GB
– HDD 20 GB
– Network NAT

All of these machines are connected to a virtual network that is connected to the local network using network address translation (NAT).

After the installation was complete, I had to change the passwords for the admin users and update and upgrade the packages on the Linux operating systems with the following commands.

$ sudo apt-get update
$ sudo apt-get upgrade

https://www.cyberciti.biz/faq/what-does-sudo-apt-get-update-command-do-on-ubuntu-debian/

I also installed ufw on all VMs and opened port 22 for remote access via the SSH protocol. I am using the MobaXterm client installed on the host machine to access the remote hosts via SSH.

So, as a result, I have three Debian-based VMs, because Ubuntu/Xubuntu and Kali are just variations of the popular Debian Linux distribution.


How would you compare Cyber Kill Chain and ATT&CK Enterprise matrix? Who do you think could benefit from these models?


ATT&CK is a kind of periodic table of adversary behaviour: a knowledge base that lists and organizes the actions attackers are known to take, in an accessible and user-friendly format. It is the lower-level, more granular model of the two. The Enterprise matrix has 14 tactic columns (the attacker's goal at a given step, from Reconnaissance and Initial Access through Privilege Escalation and Lateral Movement to Exfiltration and Impact); under each tactic it lists techniques and sub-techniques (how that goal is achieved), with procedure examples documenting how named groups and malware families have used them. The Cyber Kill Chain (Lockheed Martin; Hutchins et al. 2011) instead uses seven ordered phases to describe the high-level progression of an intrusion: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives.

The Cyber Kill Chain has a well-defined linear sequence of phases, whereas ATT&CK is a matrix of intrusion techniques that imposes no fixed order of operations: a real intrusion may skip tactics, repeat them, or move through them in a different order, and the Kill Chain's later phases (Installation, Command and Control, Actions on Objectives) expand into many ATT&CK tactics. The two models complement each other. The Kill Chain is useful to management and for high-level planning, because it makes the point that breaking any one link stops the attack; ATT&CK is useful to defenders who need specifics, such as detection engineers mapping their coverage, threat intelligence analysts describing a group's known techniques, and red teams planning adversary emulation. Security professionals can combine them to prevent attacks, detect malicious activity on a corporate network, and stop intrusions in progress.


Sources:

Francisco Cosio https://www.brierandthorn.com/post/spot-the-difference-mitre-framework-vs-lockheed-martin-kill-chain-cyber-kill-chain

Dave Farquhar https://dfarq.homeip.net/cyber-kill-chain-vs-mitre-attck/

AttackIQ https://attackiq.com/mitre-attack/matrix/


Pick a security incident and learn about it. Write briefly about it. Point out the concepts of the threat actor, exploit, vulnerability and (business) impact.


I chose one of the most famous recent cases. The cyberattack on Colonial Pipeline (discovered on May 7, 2021) was a ransomware attack on the IT systems of the company that operates the largest refined-fuel pipeline system in the United States.

The attack led the company to shut down the entire pipeline for five days. The company said the attackers had targeted only its corporate IT network and not the pipeline's operational control and safety systems, but it halted the pipeline anyway as a precaution. However, some reporting pointed out that Colonial stopped the pipeline because its billing system was affected, leaving it with no way to account for, and get paid for, the fuel it delivered.

The DarkSide ransomware group got into Colonial Pipeline's network using a compromised VPN account. According to a statement from Colonial Pipeline, the attack on its systems used ransomware, which blocks normal operation and encrypts data until the victim pays the amount the attackers demand.

Charles Carmakal of Mandiant (then part of FireEye), which helped Colonial Pipeline investigate the attack, stated that the VPN login, which remains the earliest known step of the attack, used the account of an employee; the account was no longer in active use at the time of the attack but could still be used to access the network. He added that the employee “may have used” the password on another website that had previously been compromised. “Carmakal added that the credentials have been removed and multi-factor authentication has been implemented as part of the recovery.” (TechTarget)

The company paid the attackers a ransom of 75 bitcoin, worth approximately $4.4 million at the time. In June 2021 the US Department of Justice recovered 63.7 of those bitcoin (then worth about $2.3 million) after the FBI obtained the private key of the wallet the payment had been moved to. In addition to the financial loss, the company's reputation was badly damaged by the incident, and the shutdown caused fuel shortages and panic buying along the US East Coast. After the investigation, the case was examined at a hearing of the House Committee on Homeland Security of the US Congress.
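Since the earliest known step of the intrusion was a password reused from another breached site, the natural preventive check is to reject any password that already appears in a known breach corpus, both when a user sets it and when auditing existing accounts. The following is an added example written for this post, not Colonial Pipeline's or Mandiant's code. It implements the k-anonymity range lookup used by the Pwned Passwords service (a GET to https://api.pwnedpasswords.com/range/ followed by the first 5 hex characters of the SHA-1 hash): only that 5-character prefix ever leaves the host, and the suffix match is done locally. The network call is replaced here by constructed_range_lookup, a stand-in built from a made-up corpus (CONSTRUCTED_CORPUS, with invented counts) so that the example runs offline; a real client would make the HTTPS request at that point.

```python
import hashlib

# Constructed stand-in for a breach corpus: password -> number of times seen.
# The passwords and counts are invented for this example, not real data.
CONSTRUCTED_CORPUS = {
    "password": 3861493,
    "Summer2020!": 120,
    "colonial123": 7,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def constructed_range_lookup(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Returns the same line format the real service uses,
    '<35-hex-char suffix>:<count>', built from CONSTRUCTED_CORPUS.
    A real client would perform the HTTPS request here and return the body.
    """
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 upper-case hex characters")
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    # Real responses are padded with unrelated entries; add one so a caller
    # cannot tell from an empty body that nothing in the corpus shares the prefix.
    lines.append("0" * 35 + ":0")
    return "\r\n".join(lines)


def breach_count(password: str, range_lookup=constructed_range_lookup) -> int:
    """k-anonymity check: only the first 5 hex chars of the hash leave the host.

    Returns how many times the password appears in the corpus (0 = not found).
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def password_acceptable(password: str) -> bool:
    """Policy decision: reject any password that has been seen in a breach."""
    return breach_count(password) == 0


if __name__ == "__main__":
    for candidate in ("password", "colonial123", "a long unique passphrase 9f3k"):
        print(f"{candidate!r}: seen {breach_count(candidate)} times, "
              f"acceptable={password_acceptable(candidate)}")
```

The same breach_count function works unchanged against the real service if range_lookup is replaced by a function that fetches the URL, because the matching logic never needs more than the response body; keeping the hash prefix short is what makes the query safe to send.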

Sources:
Krebs on Security https://krebsonsecurity.com/2021/06/justice-dept-claws-back-2-3m-paid-by-colonial-pipeline-to-ransomware-gang/
House Committee on Homeland Security, US Congress
Video: https://homeland.house.gov/activities/hearings/cyber-threats-in-the-pipeline-using-lessons-from-the-colonial-ransomware-attack-to-defend-critical-infrastructure
Text: https://www.govinfo.gov/content/pkg/CHRG-117hhrg45085/html/CHRG-117hhrg45085.htm
TechTarget https://www.techtarget.com/searchsecurity/news/252502216/Mandiant-Compromised-Colonial-Pipeline-password-was-reused


Use either (Hutchins et al 2011) cyber kill chain or MITRE ATT&CK framework for analyzing the incident you used in a. You can pick any incident you want, but try to pick a source that gives you enough technical and business detail to do some analysis.


I’m trying to analyze the Colonial Pipeline ransomware attack using the Cyber Kill Chain, because there is not enough information about this attack in public sources, which prevents a more technical analysis of this case.


Reconnaissance:
The attack was carried out using the VPN account of a Colonial Pipeline employee. The media reported that the password may have been reused on another site that had been breached, which fits a credential-stuffing scenario: the attackers find the credential in a leaked data set and try it against the company's VPN gateway. Reconnaissance in this case would therefore have consisted of identifying Colonial's VPN endpoint and matching leaked credentials to it; no scanning or social engineering has been reported.

Weaponization:
Preparing the tooling is an integral part of every attack. Here the ransomware was DarkSide, which its developers offered under the ransomware-as-a-service (RaaS) model: the developers supply the malware and the payment infrastructure, and an affiliate carries out the intrusion and shares the ransom with them. DarkSide has been linked to REvil by similarities in its code, but the malware deployed here was DarkSide's.

Delivery:
The attackers entered through an employee's VPN account rather than through phishing or a public-facing exploit; the VPN session was the delivery vector for the tooling they later used inside the network. The account was not protected by multi-factor authentication, so the leaked password alone was enough.

Exploitation:
No public source describes the exploitation stage. Deploying ransomware across many systems and exfiltrating a large volume of data requires elevated privileges, so the attackers must have obtained them inside the network after the VPN login, whether through a privilege-escalation exploit or by harvesting additional credentials; which of these happened at Colonial has not been disclosed.

Installation:
At this stage the attackers deployed the ransomware on the affected IT systems, including the system responsible for billing customers. Before encrypting anything they also exfiltrated about 100 gigabytes of data, which they later threatened to publish (the double-extortion pattern typical of DarkSide).

Command and Control:
The public sources do not describe a separate C2 channel. In this intrusion the VPN session itself gave the attackers an interactive path into the network, and the exfiltration of 100 GB shows that an outbound channel to attacker-controlled infrastructure was in place as well.

Actions on Objective:
At night, when fewer employees were at work, the attackers launched the ransomware, which encrypted the data on the system disks. At about 5 a.m. on May 7 a company employee found the ransom demand: payment in exchange for the key needed to decrypt the data. The business impact followed directly from this step, as Colonial shut down the pipeline.
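The three facts this analysis turns on (a VPN login without MFA, an account that should have been dormant, and activity at night) are each detectable from VPN authentication logs. The following is an added example, not code from Colonial Pipeline or from any of the sources cited here, showing such detection logic run over a few constructed log lines. The log field layout, the 90-day dormancy threshold, the off-hours window (evaluated in UTC here) and the LAST_SEEN directory data are all assumptions made for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed VPN authentication log lines (invented, not real Colonial data).
# The field layout is an assumption made for this example.
SAMPLE_LOG = """\
2021-04-29T03:12:41Z vpn01 user=jdoe src=203.0.113.45 mfa=no result=success
2021-04-29T08:02:10Z vpn01 user=asmith src=198.51.100.7 mfa=yes result=success
2021-04-29T08:15:33Z vpn01 user=bjones src=198.51.100.9 mfa=no result=success
2021-04-29T09:44:02Z vpn01 user=jdoe src=203.0.113.45 mfa=no result=failure
"""

# Constructed directory data: when each account last authenticated successfully
# before this log window. In practice this comes from the IdP or VPN history.
LAST_SEEN = {
    "jdoe": datetime(2020, 12, 1, tzinfo=timezone.utc),    # dormant for months
    "asmith": datetime(2021, 4, 28, tzinfo=timezone.utc),
    "bjones": datetime(2021, 4, 28, tzinfo=timezone.utc),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)$"
)

DORMANT_AFTER = timedelta(days=90)   # assumed threshold for "dormant"
OFF_HOURS = (20, 6)                  # assumed: 20:00 to 06:00 UTC counts as night


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return rec


def findings_for(rec, last_seen):
    """Return the rule names that fire for one record (only successful logins)."""
    hits = []
    if rec["result"] != "success":
        return hits
    if rec["mfa"] == "no":
        hits.append("vpn_login_without_mfa")
    seen = last_seen.get(rec["user"])
    if seen is None or rec["ts"] - seen > DORMANT_AFTER:
        hits.append("dormant_account_login")
    start, end = OFF_HOURS
    if rec["ts"].hour >= start or rec["ts"].hour < end:
        hits.append("off_hours_login")
    return hits


def detect(log_text, last_seen=LAST_SEEN):
    """Run every rule over the log; return user -> sorted list of fired rules."""
    results = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in findings_for(rec, last_seen):
            results.setdefault(rec["user"], set()).add(rule)
    return {user: sorted(rules) for user, rules in results.items()}


if __name__ == "__main__":
    for user, rules in detect(SAMPLE_LOG).items():
        print(f"{user}: {', '.join(rules)}")
```

Each rule alone is noisy (plenty of legitimate staff log in at night), but a login that is simultaneously without MFA, from a dormant account and at night is exactly the combination described in this incident, and all three conditions are cheap to evaluate on every authentication event. In production the last-seen data should come from the identity provider and the off-hours window from the user's local business hours rather than UTC.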


Sources:

The Hacker News https://thehackernews.com/2021/06/hackers-breached-colonial-pipeline.html

The Hacker News https://thehackernews.com/2021/05/ransomware-cyber-attack-forced-largest.html

Cybereason https://www.cybereason.com/blog/research/cybereason-vs-darkside-ransomware