Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Table of Contents
- Background
- 1) Default Configurations of Software and Applications
- 2) Improper Segmentation of User/Administrator Privilege
- 3) Insufficient Internal Network Monitoring
- 4) Lack of Network Segmentation
- 5) Poor Patch Management
- 6) Bypass of System Access Controls
- 7) Weak or Misconfigured MFA Methods
- 8) Insufficient ACLs on Network Shares and Services
- 9) Poor Credential Hygiene
- 10) Unrestricted Code Execution
- Closing
Background
On October 5th, 2023, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) released a joint cybersecurity advisory (JSA) under the alert code AA23-278A to highlight the most common cybersecurity misconfigurations in large organizations, and to detail the tactics, techniques, and procedures (TTPs) that actors use to exploit these misconfigurations.
Alert Code AA23-278A: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a
In this post, we will review the list and share feedback, including relevant resources and knowledge base articles, to support securing your organization's footprint in line with the advisory. Some of the details are taken directly from the advisory. It is important to note that Sophos cannot advise on 3rd-party configurations. If you would like a custom query for your Sophos Central XDR license, please post within our Live Discover and Response forum.
1) Default Configurations of Software and Applications
- Default Credentials
- Predefined credentials for administration of commercial off-the-shelf (COTS) technology
- Includes hardware and software deployment
| TECHNIQUE | DESCRIPTION |
|---|---|
| 1072 | Software Deployment Tools |
| 1078.001 | Valid Accounts: Default Accounts |
| 1078.002 | Valid Accounts: Domain Accounts |
| 1098 | Account Manipulation |
| 1133 | External Remote Services |
| 1589.001 | Gather Victim Identity Information: Credentials |
- Relevant Sophos KBAs:
- Default Service Permissions and Configuration Settings
- Out-of-box (OOB) settings often have overly permissive controls or vulnerable configurations
- Adversaries may abuse these if a user or admin enables them
| TECHNIQUE | DESCRIPTION |
|---|---|
| 1021.001 | Remote Services: SMB/Windows Admin Share |
| 1110.002 | Valid Accounts: Default Accounts |
| 1557 | Adversary-in-the-Middle |
| 1557.001 | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay |
| 1588.001 | Steal or Forge Kerberos Tickets: Golden Ticket |
| 1649 | Steal or Forge Authentication Certificates |
- Relevant Sophos KBAs:
2) Improper Segmentation of User/Administrator Privilege
- Excessive Account Privileges
- Elevated Service Account Permissions
- Non-Essential Use of Elevated Accounts
An oversimplified way to ask this: do any of your email-accessible accounts have administrative privileges, and if so, why?
| TECHNIQUE | DESCRIPTION |
|---|---|
| 1024 | User Execution |
| 1078 | Valid Accounts |
| 1087 | Account Discovery |
| 1528 | Steal Application Access Token |
| 1550.001 | Use Alternate Authentication Material: Application Access Token |
| 1558.003 | Steal or Forge Kerberos Tickets: |
| 1566 | Phishing |
- Relevant Sophos KBAs
- Relevant Sophos MDR Note:
- Rules, detections, and workbooks are in place to monitor for this type of activity
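One way to answer the question above is to take a directory export and flag every mail-enabled user whose group membership, followed through nested groups, reaches a privileged group. The script below is an added example for this post, not Sophos code and not a Sophos rule; the CSV layout, the sample rows and the list of privileged groups are all assumptions you would replace with your own directory export (for example, the output of your AD tooling) and your own definition of "privileged".

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not from a real directory): one row per account or
# group, with direct group memberships separated by ';'. Assumption: you would
# generate this from your own directory export.
SAMPLE_EXPORT = """\
name,type,mail,memberOf
alice,user,alice@example.test,Helpdesk
bob,user,bob@example.test,Domain Admins
carol,user,,Domain Admins
dave,user,dave@example.test,Tier1-Ops
svc_backup,user,,Backup Operators
Helpdesk,group,,Account Operators
Tier1-Ops,group,,Server-Admins
Server-Admins,group,,Administrators
"""

# Groups treated as privileged for this check (assumption: adjust to your environment).
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Administrators",
    "Account Operators", "Backup Operators", "Schema Admins",
}


def parse_export(text):
    """Return ({name: (type, mail)}, {name: set of direct groups})."""
    entries, direct = {}, defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        entries[row["name"]] = (row["type"], row["mail"].strip())
        for group in row["memberOf"].split(";"):
            if group.strip():
                direct[row["name"]].add(group.strip())
    return entries, direct


def transitive_groups(name, direct):
    """Resolve nested membership: every group reachable from `name`."""
    seen, stack = set(), list(direct.get(name, ()))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(direct.get(group, ()))
    return seen


def mail_enabled_privileged_accounts(text=SAMPLE_EXPORT, privileged=PRIVILEGED_GROUPS):
    """Return {account: sorted privileged groups} for mail-enabled users that
    hold privilege directly or through nested groups."""
    entries, direct = parse_export(text)
    findings = {}
    for name, (kind, mail) in entries.items():
        if kind != "user" or not mail:
            continue  # groups and accounts without a mailbox are out of scope
        hits = transitive_groups(name, direct) & privileged
        if hits:
            findings[name] = sorted(hits)
    return findings


if __name__ == "__main__":
    for account, groups in mail_enabled_privileged_accounts().items():
        print(f"{account}: mail-enabled and privileged via {', '.join(groups)}")
```

With the constructed data, `alice` is flagged only because Helpdesk is nested in Account Operators, and `dave` only through two levels of nesting, which is exactly the membership a flat "who is in Domain Admins" query misses.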
3) Insufficient Internal Network Monitoring
- Suboptimal configuration on host and network traffic collection and end-host logging
- Undetected Adversarial Compromise
- Improper Sensor Configuration
- The relevant MITRE ATT&CK techniques for this category are broad
This area of the market has grown quickly and is known as "Network Detection and Response" at Sophos and many other vendors. For the full breakdown, see it explained here: What is Network Detection and Response?
- Relevant Sophos Technologies within NDR
- Deep Detection Engine - engine that uses deep learning to analyze encrypted traffic and patterns across the network
- Deep Packet Inspection - uses known IoCs to identify threat actors and malicious TTPs across the network
- Encrypted Payload Analytics - detects 0-day C2 servers and malware variants
- Domain Generation Algorithm - engine identifies dynamic domain generation technology used by malware to avoid detection
- Session Risk Analytics - utilizes Sophos defined rules that send alerts on session-based risk factors
- Relevant Sophos MDR Note:
- If you are licensed for this, you are receiving this data stream
4) Lack of Network Segmentation
- Separating portions of the network with security boundaries
- Without boundaries between the user, production and critical systems, any adversary can more easily move laterally
- This leaves organizations more vulnerable to ransomware attacks and post-exploitation techniques
- IT and IoT/OT are a growing risk as everything continually gets IP-connected
In addition to segmentation itself, understanding which services actually need to communicate across segment boundaries is another opportunity to minimize the attack surface.
- Relevant Sophos KBAs
5) Poor Patch Management
- Lack of Regular Patching
- Use of unsupported operating systems and outdated firmware
This area is particularly dangerous for any public-facing applications or services. Once exposed, it becomes easy for a skilled adversary to find and take advantage of these risks.
| TECHNIQUE | DESCRIPTION |
|---|---|
| 1190 | Exploit Public-Facing Application |
| 1210 | Exploitation of Remote Services |
| 1592 | Gather Victim Host Information |
| 1595.002 | Active Scanning: Vulnerability Scanning |
- Relevant Sophos KBAs
- The Endpoint Schema and Data Lake Schema have data collection for this on Win/Linux/Mac
- In addition, you can query the registry entries and other components to gauge patch status
- Relevant Sophos MDR Note:
- Rules, detections, and workbooks are in place to monitor for this type of activity
6) Bypass of System Access Controls
- Compromise alternative authentication methods
- Pass-the-hash
- Kerberoasting
- etc
- Relevant Sophos KBAs:
- Intercept X: Cred Guard
- We also have a number of published XDR behavioral rules to capture these attempts
- Relevant Sophos MDR Note:
- Rules, detections, and workbooks are in place to monitor for this type of activity
7) Weak or Misconfigured MFA Methods
- Misconfigured Smart Cards or Tokens
- Lack of Phishing-Resistant MFA
| TECHNIQUE | DESCRIPTION |
|---|---|
| 1111 | Multi-Factor Authentication Interception |
| 1598 | Phishing for Information |
| 1621 | Multi-Factor Authentication Request Generation |
- Relevant Sophos KBAs:
8) Insufficient ACLs on Network Shares and Services
- Data shares and repositories are primary targets
- Improper ACLs for unauthorized users to access sensitive or administrative data on shared drives
Adversaries will use open-source tools, commercial software, or living-off-the-land methods, which makes this activity increasingly difficult to detect and respond to.
| TECHNIQUE | DESCRIPTION |
|---|---|
| 1018 | Remote System Discovery |
| 1039 | Data from Network Shared Drive |
| 1046 | Network Service Discovery |
| 1083 | File and Directory Discovery |
| 1135 | Network Share Discovery |
| 1552 | Unsecured Credentials |
- Relevant Sophos KBAs:
- Sophos XG or XGS Best Practice
- NOTE: this only scratches the surface and you can always contact Professional Services for more insight
- We also have a number of published XDR behavioral rules to capture these attempts
- Relevant Sophos MDR Note:
- Rules, detections, and workbooks are in place to monitor for this type of activity
9) Poor Credential Hygiene
- Easily crackable
- Cleartext password disclosure
NIST Special Publication (SP) 800-132 gives recommendations for storing passwords or passphrases. As of 05/11/2023, NIST is revising this publication; you can read the announcement here.
As always, use a password manager or similar for secure storage of these passwords, phrases, tokens, etc.
| TECHNIQUE | DESCRIPTION |
|---|---|
| 1110.002 | Brute Force: Password Cracking |
| 1552.001 | Unsecured Credentials in Files |
| 1555 | Credentials from Password Stores |
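For anyone writing their own application, the storage recommendation in SP 800-132 boils down to: never keep the password, keep a salted, iterated key derived from it. The snippet below is an added example for this post (not Sophos code) of that approach using PBKDF2-HMAC from Python's standard library; the record format, the 600,000 iteration count and the 16-byte salt are assumptions chosen here (SP 800-132 sets the floor at a 128-bit salt and 1,000 iterations; pick the highest count your login latency budget allows).

```python
import hashlib
import hmac
import secrets

# Parameters (assumption: tune to your hardware and latency budget).
HASH_NAME = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16      # 128-bit salt, the SP 800-132 minimum
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted PBKDF2-HMAC key and return a self-describing record.

    The record carries the algorithm, iteration count and salt so that the
    parameters can be raised later without invalidating existing records.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    key = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt,
                              iterations, dklen=KEY_BYTES)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the key from the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, key_hex = record.split("$")
        if not algo.startswith("pbkdf2_"):
            return False
        expected = bytes.fromhex(key_hex)
        candidate = hashlib.pbkdf2_hmac(algo[len("pbkdf2_"):],
                                        password.encode("utf-8"),
                                        bytes.fromhex(salt_hex),
                                        int(iterations), dklen=len(expected))
    except (ValueError, TypeError):
        return False  # malformed record: treat as a failed verification
    # hmac.compare_digest avoids leaking where the first mismatching byte is
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True if a stored record uses fewer iterations than current policy,
    which is the cue to re-derive it on the user's next successful login."""
    return int(record.split("$")[1]) < min_iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("wrong pw :", verify_password("Correct horse battery staple", rec))
```

Two records for the same password differ because each gets a fresh random salt, so a leaked table cannot be attacked with one precomputed list for all users; the per-record iteration count is what lets you ratchet the cost up over time.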
10) Unrestricted Code Execution
- Unverified programs executing on hosts
- I.e., programs with no legitimate purpose or business reason for running on the network
| TECHNIQUE | DESCRIPTION |
|---|---|
| 1027.010 | Obfuscated Files or Information: Command Obfuscation |
| 1059 | Command and Scripting Interpreter |
| 1059.005 | Command and Scripting Interpreter: Visual Basic |
| 1068 | Exploitation for Privilege Escalation |
This can occur in waves -- including after successful techniques. The Intercept X agent has coverage on the attack surface before an object runs, active detections, and remediation features. You can view them all in the Intercept X // XDR // MDR Tech Specs.
- Relevant Sophos MDR Note:
- Rules, detections, and workbooks are in place to monitor for this type of activity
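To make the command-obfuscation technique (1027.010) concrete from the detection side, here is a small triage helper added for this post. It is not Sophos code and not how the XDR or MDR rules are implemented; it scores process command lines for a few obfuscation indicators (an encoded PowerShell command, a hidden window, backtick-split cmdlet names, string fragments glued with `+`) and decodes the `-EncodedCommand` payload so an analyst can read it. The sample command lines are constructed, and the indicator list and threshold are assumptions you would tune against your own telemetry.

```python
import base64
import re


def _enc(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (UTF-16LE, then base64).
    Used only to build the constructed sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample process command lines (not real telemetry).
SAMPLE_COMMAND_LINES = [
    r'C:\Windows\System32\cmd.exe /c dir C:\Users',
    r'powershell.exe -NoProfile -File C:\Scripts\inventory.ps1',
    'powershell.exe -nop -w hidden -enc ' + _enc('Write-Host "hello"'),
    'powershell.exe -c "W`ri`te-Ho`st (\'hel\'+\'lo\')"',
]

# Indicator patterns (assumption: a starting set, not an exhaustive one).
ENCODED_FLAG = re.compile(r'(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})')
HIDDEN_WINDOW = re.compile(r'(?i)-w(?:indowstyle)?\s+hidden')
BACKTICKS = re.compile(r'`(?=[A-Za-z])')   # backtick splitting a cmdlet name
CONCAT = re.compile(r"'\s*\+\s*'")          # string fragments glued with +


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command_line(cmdline: str) -> dict:
    """Score one command line for command-obfuscation indicators."""
    indicators = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        indicators.append("encoded_command")
    if HIDDEN_WINDOW.search(cmdline):
        indicators.append("hidden_window")
    if len(BACKTICKS.findall(cmdline)) >= 2:
        indicators.append("backtick_splitting")
    if CONCAT.search(cmdline):
        indicators.append("string_concatenation")
    return {"cmdline": cmdline, "decoded": decoded,
            "indicators": indicators, "score": len(indicators)}


def triage(lines=SAMPLE_COMMAND_LINES, threshold=1):
    """Return only the scored entries that reach the threshold, in input order."""
    return [r for r in (score_command_line(line) for line in lines) if r["score"] >= threshold]


if __name__ == "__main__":
    for result in triage():
        print(result["score"], result["indicators"], result["cmdline"][:60])
        if result["decoded"] is not None:
            print("   decoded:", result["decoded"])
```

Note that the decoded payload in the sample is harmless: an encoded command is an indicator worth a look, not proof of malice on its own, which is why the score is cumulative and the threshold is yours to set.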
Closing
As a best practice, be sure to maximize your ability to communicate with us:
- Receive email digests, subscriptions, and notifications from the Sophos Community
- Subscribe to the Sophos Notification alerts for products and services
- Complete the Sophos Certification Program (FREE) to obtain access to a senior support agent
- Consider using a Technical Account Manager or TAM to maximize support and minimize risk
- Subscribe to Sophos News for the latest in Threat Research and security news
- If an MDR customer, take advantage of the Monthly Threat Cast, Broadcast Announcements, and resources
- If you are not, consider our offerings to provide cyber resiliency alongside your staff.
- Most importantly, find out who supports your account and introduce yourself for guided best practice, feature updates, and more!
-jk
Added outline
[edited by: JeramyKopacko at 2:17 PM (GMT -7) on 30 Oct 2023]