Phineas Fisher: MITRE ATT&CK Analysis & ICS Defenses

Written by hacktivist | Published 2026/03/21
Tech Story Tags: mitre-attandck | hacktivist-threats | critical-infrastructure | phineas-fisher | tactics-and-techniques | industrial-network-security | cyber-intrusions | threat-mitigations

TL;DR: An analysis of Phineas Fisher's hacktivist tactics through the MITRE ATT&CK framework, and seven mitigations that help protect critical infrastructure from similar high-profile intrusions.

I. Abstract and Introduction

II. Related Work

III. Mitre ATT&CK

IV. Phineas Fisher

V. Analysis

VI. Conclusion and References

V. ANALYSIS

This section presents an analysis of Phineas Fisher’s intrusions, followed by a discussion of the consequent potential threat to critical infrastructure, and possible detection methods.

A. Analysis of Fisher’s Intrusions

The MITRE ATT&CK framework currently has 266 techniques in the enterprise matrix. From these we have chosen the subset which represents Phineas Fisher's tactics and techniques, based on her self-published breakdowns of each attack [22], [18], [21], [5], and present it in Table I. The table follows the standard MITRE ATT&CK presentation format: the column headers name the adversary tactics, while the remaining cells list the techniques that were performed by Fisher. Each technique is mapped back to its source: A, Gamma Group; B, Hacking Team; C, Police Union; D, Cayman Bank. Techniques that were not explicitly stated, but are inferred from the context, are marked with an 'I'. Cells with a red background are mitigated by the countermeasures discussed in Section V-C. Each of the tactics is now discussed in turn.

  1. Initial Access: In all of the intrusions, initial access was gained by exploiting internet-facing applications, typically through SQL injection. For the Hacking Team incident, Fisher reverse engineered their VPN appliance and identified a zero-day vulnerability in it. It later turned out that the appliance was also vulnerable to Shellshock, which is trivial to exploit. While Fisher did not use spear-phishing to gain access, she did refer to it in her guides.

  2. Execution: At the time of these intrusions, circa 2015, PowerShell was commonly used for much of the execution once initial access had been gained. Since then Microsoft has deployed several mitigations against its misuse (for example script block logging and AMSI scanning), and while these have stopped the same methods from working unchanged, there are a plethora of other methods which achieve the same results. This leads on to the other techniques, such as Command-Line Interface, Scripting, Graphical User Interface, and Windows Management Instrumentation/Windows Remote Management, which, if enabled on the target, allow the adversary to execute commands. All of these methods were used or discussed by Fisher. Interestingly, these are all tools normally found in an enterprise network, which follows the philosophy of living off the land that is strongly advocated in the manifestos.

  3. Persistence: Persistence was often achieved using web shells uploaded to a compromised service. Hacking Team was a notable exception, where she developed backdoored firmware for their VPN appliance; this firmware included many of the additional tools needed for the next stages. Fisher also maintained a redundant access path, in case she was locked out of her primary persistence method. The guides state: "I always use Duqu 2 style 'persistence', executing in RAM on a couple high-uptime servers" [21]. Duqu 2 is a relative of Stuxnet, and performed covert, in-memory espionage operations [30].

  4. Privilege Escalation & Credential Access: Privilege escalation was performed by monitoring the activities of operators: capturing user input, hijacking sessions that had already passed multi-factor authentication, and intercepting credentials by modifying popular services to record the plaintext, which was the technique used against the Catalonia police union. These approaches are similar to those of state actors.

  5. Defense Evasion: In most cases there were few active defences to evade, since Fisher tried to maintain a RAM-only presence, e.g. exploiting services without placing malware on disk, where it might trigger alerts. When the disk was touched, timestomping was used to alter the timestamps of modified files so that they blend in with their neighbours. When impersonating a user login, Fisher would change the logged IP address and User-Agent to match historical access logs.

  6. Discovery & Lateral Movement: All of Fisher's guides start by discovering as much information about the target as possible, typically involving domain and IP scanning for services and other publicly identifiable data. This helps outline the target, and is performed again once an initial compromise has been made. The second pass focuses on passive monitoring of network traffic to find additional targets. Techniques such as LLMNR/NBT-NS poisoning and relay are then used to enable lateral movement. These take advantage of name-resolution broadcasts on the local network: the adversary forges a response so that the victim host connects to, and authenticates with, a machine under the adversary's control, yielding credentials or NetNTLM hashes which can be cracked or relayed to other services, and revealing what is running on the network along the way.

  7. Collection & Impact: Collection and Impact were Fisher's main ATT&CK tactics (objectives), achieved via several techniques. Network file shares were accessed remotely and downloaded locally, with the most common aims being the collection of the target's email archive, internal documentation, client/staff details, and source code. For any company this can have a significant impact on day-to-day operations and on how they are perceived by the public. As a final step, Fisher has previously taken over a target's social media account and announced to the world that they have been compromised. Although the ATT&CK model does not have a technique for disclosing private information under the Impact tactic, it does include Defacement and Account Access Removal.

  8. Command and Control & Exfiltration: Command and Control, and Exfiltration, were performed via commonly used port numbers and connection proxies. Fisher would use multiple hops and off-the-shelf remote access tools, and often simple file transfers via HTTP and SSH. These approaches are often sufficient to bypass a simple, unmonitored IDS, as the traffic generated matches day-to-day operations (more bandwidth may be used, but this is often not monitored).

It is noticeable that Fisher's intrusion methods did not vary significantly between attacks in terms of the techniques used. While the techniques are dependent on the environment, the skills required to perform a successful intrusion are readily attainable.
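The timestomping described under Defense Evasion above leaves traces that can be triaged from an MFT export. The following is an added example, not part of the paper or of Fisher's published tooling: the records are constructed to look like rows from an MFT parser, and the two checks, $STANDARD_INFORMATION versus $FILE_NAME timestamps and whole-second values, are standard NTFS forensic heuristics rather than anything described in the guides.

```python
"""Heuristic timestomping detection over NTFS MFT timestamp records.

Added example, not from the paper. Records are constructed to look like rows
exported from an MFT parser, carrying the $STANDARD_INFORMATION ($SI) and
$FILE_NAME ($FN) timestamps as UTC ISO-8601 strings with up to nanosecond
precision. Two checks are applied:
  1. $SI created earlier than $FN created. SetFileTime() and similar user-mode
     APIs rewrite only $SI; the kernel writes $FN, so a $SI time that predates
     $FN points to backdating.
  2. Whole-second $SI timestamps. NTFS stores 100 ns ticks, and common stomping
     tools accept second granularity, so they write a zero fraction. Weak on
     its own: FAT copies and some archivers also produce whole seconds.
Caveat: a rename or move re-copies $SI into $FN, so stomp-then-rename defeats
check 1. This is a triage aid, not proof.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime

NS = 10**9


@dataclass
class MftRecord:
    path: str
    si_created: str
    si_modified: str
    fn_created: str


def to_ns(ts: str) -> int:
    """Parse 'YYYY-MM-DDTHH:MM:SS[.fraction]Z' into nanoseconds since the epoch."""
    if not ts.endswith("Z"):
        raise ValueError("expected a UTC timestamp ending in 'Z'")
    base, _, frac = ts[:-1].partition(".")
    seconds = calendar.timegm(datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").timetuple())
    nanos = int(frac.ljust(9, "0")[:9]) if frac else 0
    return seconds * NS + nanos


def check_record(rec: MftRecord, tolerance_s: int = 1) -> list[str]:
    """Return the indicators that fire for one record (empty list = clean)."""
    findings = []
    si_c, si_m, fn_c = to_ns(rec.si_created), to_ns(rec.si_modified), to_ns(rec.fn_created)
    if si_c + tolerance_s * NS < fn_c:
        findings.append("si_created_before_fn_created")
    if si_c % NS == 0 and si_m % NS == 0:
        findings.append("zero_subsecond_si")
    return findings


def scan(records: list[MftRecord]) -> dict[str, list[str]]:
    """Map path -> indicators for every record that triggers at least one."""
    out = {}
    for rec in records:
        findings = check_record(rec)
        if findings:
            out[rec.path] = findings
    return out


# Constructed sample: one backdated web shell, one untouched binary, one copied document.
SAMPLE_RECORDS = [
    MftRecord(r"C:\inetpub\wwwroot\images\upload.aspx",          # dropped 2015, stomped to 2014
              si_created="2014-03-12T09:15:00Z", si_modified="2014-03-12T09:15:00Z",
              fn_created="2015-07-05T22:18:42.104712500Z"),
    MftRecord(r"C:\Windows\System32\notepad.exe",                # $SI and $FN agree
              si_created="2013-08-22T12:40:15.981250000Z", si_modified="2013-08-22T12:40:15.981250000Z",
              fn_created="2013-08-22T12:40:15.981250000Z"),
    MftRecord(r"D:\docs\report.docx",                            # copy: modified < created is normal
              si_created="2015-07-06T08:00:01.250000000Z", si_modified="2015-06-01T10:30:15.120000000Z",
              fn_created="2015-07-06T08:00:01.250000000Z"),
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_RECORDS).items():
        print(path, findings)
```

Only the web shell is reported, with both indicators; the copied document, whose modified time legitimately precedes its creation time, is not flagged because that pattern is produced by every file copy and is deliberately not used as an indicator.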
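The LLMNR/NBT-NS poisoning described under Discovery & Lateral Movement has a simple detection counterpart: a poisoner answers name queries for any name, so a query for a random name that no host can own should never receive a reply. The following is an added example, not from the paper or Fisher's guides. It builds the LLMNR query (RFC 4795, which reuses the DNS wire format on UDP 5355), constructs the reply a poisoner would send so that the check runs offline, and flags the responder; the Responder tool name and the canary label are assumptions for illustration.

```python
"""LLMNR poisoner detection by canary query, modelled offline.

Added example, not from the paper or Fisher's guides. LLMNR (RFC 4795) reuses
the DNS wire format on UDP 5355 / multicast 224.0.0.252. A poisoner answers
queries for any name, so a query for a random name that no host can own must
never get a reply; any reply identifies the poisoner. forge_poisoner_response()
constructs the reply a poisoner would send so the check runs with no network.
"""
from __future__ import annotations
import secrets
import struct

QTYPE_A, QCLASS_IN, FLAG_QR = 1, 1, 0x8000


def encode_name(name: str) -> bytes:
    """'a.b' -> length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf: bytes, off: int) -> tuple[str, int]:
    """Decode a name (compression pointers allowed); return (name, next offset)."""
    labels, end, jumped, hops = [], 0, False, 0
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                       # pointer to an earlier name
            if off + 1 >= len(buf) or hops > 16:
                raise ValueError("bad pointer")
            end, jumped, hops = (end if jumped else off + 2), True, hops + 1
            off = ((ln & 0x3F) << 8) | buf[off + 1]
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(buf[off:off + ln].decode("ascii", "replace"))
        off += ln


def canary_name() -> str:
    return "canary-" + secrets.token_hex(6)         # no legitimate host owns this


def build_query(name: str, txid: int | None = None) -> bytes:
    txid = secrets.randbelow(1 << 16) if txid is None else txid
    return (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN))


def forge_poisoner_response(query: bytes, answer_ip: str) -> bytes:
    """Constructed poisoner reply: same txid and question, QR set, one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, qend = decode_name(query, 12)
    answer = (encode_name(qname) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 30, 4)
              + bytes(int(o) for o in answer_ip.split(".")))
    return struct.pack("!HHHHHH", txid, FLAG_QR, 1, 1, 0, 0) + query[12:qend + 4] + answer


def parse_response(buf: bytes) -> dict:
    """Parse header, question and answer sections of an LLMNR/DNS message."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", buf[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        qname, off = decode_name(buf, off)
        questions.append((qname,) + struct.unpack("!HH", buf[off:off + 4]))
        off += 4
    for _ in range(an):
        aname, off = decode_name(buf, off)
        atype, _cls, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        rdata = buf[off + 10:off + 10 + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated rdata")
        off += 10 + rdlen
        ip = ".".join(map(str, rdata)) if atype == QTYPE_A and rdlen == 4 else rdata.hex()
        answers.append((aname, atype, ttl, ip))
    return {"txid": txid, "is_response": bool(flags & FLAG_QR),
            "questions": questions, "answers": answers}


def is_poisoned(query: bytes, datagram: bytes, src_ip: str) -> dict | None:
    """A finding if the datagram answers our canary query, else None."""
    try:
        resp = parse_response(datagram)
    except (ValueError, struct.error):
        return None                                 # junk or unrelated traffic
    if not resp["is_response"] or resp["txid"] != struct.unpack("!H", query[:2])[0]:
        return None
    canary = decode_name(query, 12)[0]
    hits = [a[3] for a in resp["answers"] if a[0].lower() == canary.lower()]
    return {"poisoner": src_ip, "canary": canary, "claimed_ips": hits} if hits else None
```

To run this on a live segment, send build_query(canary_name()) from a UDP socket to 224.0.0.252:5355 and pass every datagram received over the next few seconds, together with its source address, to is_poisoned(); a legitimate network stays silent, while a poisoner such as Responder answers with its own address. The same approach applies to NBT-NS on UDP 137 with its different name encoding.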
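The Command and Control & Exfiltration discussion above notes that transfers over HTTP and SSH on permitted ports pass a signature IDS, and that the extra bandwidth is rarely monitored. The following is an added example of that missing volume check, not from the paper: a per-host baseline of daily outbound bytes built from constructed proxy log lines, with the latest day compared against the host's own median plus a robust spread estimate. The log format and every line in it are constructed for the example.

```python
"""Egress volume baseline over constructed proxy log lines.

Added example; not from the paper. Exfiltration over HTTP or SSH on permitted
ports looks like ordinary traffic to a signature IDS, so the detectable signal
is volume. This builds a per-host baseline of daily outbound bytes from the
earlier days in the log and flags a host whose latest day is far above its own
baseline: threshold = max(floor, median + k * MAD). The absolute floor stops
quiet hosts alarming on small fluctuations; the MAD term keeps hosts that
legitimately push gigabytes (a build server) from being flagged on a normal
day. Format 'date host destination:port bytes_out'; all lines are constructed.
"""
from collections import defaultdict
from statistics import median

SAMPLE_LOG = """\
2015-07-01 ws-12 mail.example.net:443 812000
2015-07-01 ws-07 cdn.example.org:443 2100000
2015-07-01 build-01 artifacts.example.net:443 4000000000
2015-07-02 ws-12 docs.example.net:443 640000
2015-07-02 ws-07 cdn.example.org:443 1950000
2015-07-02 build-01 artifacts.example.net:443 4100000000
2015-07-03 ws-12 mail.example.net:443 905000
2015-07-03 ws-07 cdn.example.org:443 2250000
2015-07-03 build-01 artifacts.example.net:443 3900000000
2015-07-04 ws-12 mail.example.net:443 770000
2015-07-04 ws-07 cdn.example.org:443 2010000
2015-07-04 build-01 artifacts.example.net:443 4200000000
2015-07-05 ws-12 mail.example.net:443 830000
2015-07-05 ws-12 203.0.113.9:22 9600000000
2015-07-05 ws-07 cdn.example.org:443 2080000
2015-07-05 build-01 artifacts.example.net:443 4300000000
"""


def parse_log(text):
    """host -> date -> total outbound bytes for that day."""
    daily = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        if not line.strip():
            continue
        date, host, _dest, nbytes = line.split()
        daily[host][date] += int(nbytes)
    return daily


def egress_outliers(daily, k=6.0, floor_bytes=500_000_000, min_history=3):
    """Hosts whose latest-day egress exceeds their own historical baseline."""
    findings = {}
    for host, per_day in daily.items():
        dates = sorted(per_day)
        if len(dates) <= min_history:
            continue                                  # not enough history to baseline
        today, history = dates[-1], [per_day[d] for d in dates[:-1]]
        med = median(history)
        mad = median(abs(x - med) for x in history) or med * 0.1   # avoid a zero spread
        threshold = max(floor_bytes, med + k * mad)
        if per_day[today] > threshold:
            findings[host] = {"date": today, "bytes": per_day[today],
                              "baseline_median": med, "threshold": threshold}
    return findings


if __name__ == "__main__":
    for host, f in egress_outliers(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {f['bytes']:,} bytes on {f['date']} (baseline median {f['baseline_median']:,.0f})")
```

Only ws-12, which pushed 9.6 GB over SSH to an outside address on the last day, is reported; build-01 moves around 4 GB every day and stays inside its own baseline. The check is deliberately per host because a fleet-wide threshold would either miss the workstation or flag the build server. A patient adversary who spreads the transfer over many days stays under it, so in practice this is paired with destination novelty (first contact with 203.0.113.9) and peer-group comparison.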

B. Threat to Critical Infrastructure

Based on the techniques employed by Fisher, we can deduce that a dedicated hacktivist is a valid threat to critical infrastructure. Moreover, in recent years there has been growing concern about climate change, which may drive people towards targeting oil, gas, and other energy-related infrastructure in particular. Such 'hacktivist' threats targeting critical infrastructure could feasibly adopt techniques similar to those discussed above; however, the environment found within critical infrastructure is not the same as a traditional enterprise network, due to different underlying operations and requirements. It is common to find older operating systems and applications which have been validated and certified for specific operations. It may not be possible to update these systems to include the most recent attack mitigations, since that may require additional verification. For example, many techniques make use of PowerShell, which was first released in 2006. Since then there have been a great many improvements in threat mitigation and event logging, and these improvements may not be found within critical infrastructure systems. Moreover, there may be many old Unix systems and architectures that contain exploitable vulnerabilities, giving an adversary alternative avenues of attack. As found in our analysis, Fisher would maintain several remote access paths into a compromised network, to ensure that if one of the compromised machines were detected she would have another entry point. Within critical networks there are often multiple redundant network paths providing a resilient network; while this is a necessity, it also provides adversaries with alternative paths of attack.

As reported by the ICS-CERT [10], spear-phishing has become common against operators of critical infrastructure. While Fisher did not use this technique, it was mentioned frequently in her manifestos. From our analysis, developing backdoored firmware is within the capability of a hacktivist. This is a concern for critical infrastructure networks, as they often contain many embedded devices and network appliances which may not have been patched recently, as was seen in the Duqu and Stuxnet intrusions.

Due to the advancement and proliferation of security controls and mitigations, adversaries are having to resort to more subtle modes of operation. As seen in the 2016 Ukrainian power outage, and in Fisher's intrusions, the adversary mimicked legitimate users' actions to avoid detection. The motivation of a hacktivist might be to find and leak information about the company, or to disrupt operations. Leaking information is a concern for manufacturing companies, which often have trade secrets held on the network, while power generation and transmission operators may face financial penalties for service disruptions.

C. Mitigations

Based on the analysis of the tactics and techniques used by Fisher, which could potentially be deployed by any hacktivist threat actor, we now highlight seven mitigation methods defined by the ATT&CK framework that may be deployed within critical infrastructure systems. The mitigations are ordered by level of deployment complexity, and were chosen based on the number of techniques which they mitigate:

  1. Execution Prevention: Application whitelisting may prevent the running of executables masquerading as other files, and stops unapproved scripts and binaries from running at all.

  2. Application Isolation and Sandboxing: Perform application isolation via operating system calls, or virtualisation and application microsegmentation to mitigate the impact of a compromise.

  3. Network Intrusion Prevention: Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures typically target unique indicators within protocols and differ across malware families and versions. Adversaries will likely change tool signatures over time, or construct protocols in such a way as to avoid detection by common defensive tools; in that case anomaly-based IDS may be used.

  4. Multi-factor Authentication: Integrating multi-factor authentication (MFA) as part of the organisational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.

  5. Privileged Account Management: Audit account and group permissions to ensure that the accounts used to manage servers do not overlap with the accounts and permissions of users in the internal network; otherwise an account acquired through Credential Access could be used to log into the web server and plant a web shell, or to pivot from the web server into the internal network.

  6. Filter Network Traffic: Use host-based security software to block non-essential traffic, e.g. LLMNR and NetBIOS name resolution, which removes the broadcasts that poisoning attacks depend on.

  7. Restrict File and Directory Permissions: Restrict write access to scripts to specific administrators. Where possible perform access and execution logging.

Table I indicates which of the mitigations may prevent each technique, by colouring the cells red and including the number of each mitigation.

Authors:

(1) Peter Maynard, Centre for Secure Information Technology, Queen’s University Belfast, UK ([email protected]);

(2) Kieran McLaughlin, Centre for Secure Information Technology, Queen’s University Belfast, UK ([email protected]).


This paper is available on arxiv under CC0 1.0 license.


Published by HackerNoon on 2026/03/21