This technical alert addresses the exploitation of trusted network relationships and the subsequent illicit use of legitimate credentials by Advanced Persistent Threat (APT) actors. It identifies APT actors' tactics, techniques, and procedures (TTPs) and describes the best practices that could be employed to mitigate each of them. The mitigations for each TTP are arranged according to the National Institute of Standards and Technology (NIST) Cybersecurity Framework core functions of Protect, Detect, Respond, and Recover.
APT actors are using multiple mechanisms to acquire legitimate user credentials to exploit trusted network relationships in order to expand unauthorized access, maintain persistence, and exfiltrate data from targeted organizations. Suggested best practices for administrators to mitigate this threat include auditing credentials, remote-access logs, and controlling privileged access and remote access.
APT actors are conducting malicious activity against organizations that have trusted network relationships with potential targets, such as a parent company, a connected partner, or a contracted managed service provider (MSP). APT actors can use legitimate credentials to expand unauthorized access, maintain persistence, exfiltrate data, and conduct other operations, while appearing to be authorized users. Leveraging legitimate credentials to exploit trusted network relationships also allows APT actors to access other devices and other trusted networks, which affords intrusions a high level of persistence and stealth.
Recommended best practices for mitigating this threat include rigorous credential and privileged-access management, as well as remote-access control, and audits of legitimate remote-access logs. While these measures aim to prevent the initial attack vectors and the spread of malicious activity, there is no single proven threat response.
Using a defense-in-depth strategy is likely to increase the odds of successfully disrupting adversarial objectives long enough to allow network defenders to detect and respond before the successful completion of a threat actor’s objectives.
Any organization that uses an MSP to provide services should monitor the MSP's interactions within their organization’s enterprise networks, such as account use, privileges, and access to confidential or proprietary information. Organizations should also ensure that they have the ability to review their security and monitor their information hosted on MSP networks.
APT TTPs and Corresponding Mitigations
The following table displays the TTPs employed by APT actors and pairs them with mitigations that network defenders can implement.
Table 1: APT TTPs and Mitigations
Respond and Recover:
Execution and Internal Reconnaissance:
Respond and Recover:
Detailed Mitigation Guidance
Manage Credentials and Control Privileged Access
Compromising the credentials of legitimate users automatically provides a threat actor access to the network resources available to those users and helps that threat actor move more covertly through the network. Adopting and enforcing a strong-password policy can reduce a threat actor’s ability to compromise legitimate accounts; transitioning to multifactor authentication solutions increases the difficulty even further. Additionally, monitoring user account logins—whether failed or successful—and deploying tools and services to detect illicit use of credentials can help network defenders identify potentially malicious activity.
Threat actors regularly target privileged accounts because they not only grant increased access to high-value assets in the network, but also more easily enable lateral movement, and often provide mechanisms for the actors to hide their activities. Privileged access can be controlled by ensuring that only those users requiring elevated privileges are granted those accesses and, in accordance with the principle of least privilege, by restricting the use of those privileged accounts to instances where elevated privileges are required for specific tasks. It is also important to carefully manage and monitor local-administrator and MSP accounts because they inherently function with elevated privileges and are often ignored after initial configuration.
A key way to control privileged accounts is to segregate and control administrator (admin) privileges. All administrative credentials should be tightly controlled, restricted to a function, or even limited to a specific amount of time. For example, only dedicated workstation administrator accounts should be able to administer workstations. Server accounts, such as general, Structured Query Language, or email admins, should not have administrative access to workstations. The only place domain administrator (DA) or enterprise administrator (EA) credentials should ever be used is on a domain controller. Both EA and DA accounts should be removed from the local-administrators group on all other devices. On UNIX devices, sudo (or root) access should be tightly restricted in the same manner. Employing a multifactor authentication solution for admin accounts adds another layer of security and can significantly reduce the impact of a password compromise because the threat actor needs the other factor—that is, a smartcard or a token—for authentication.
Additionally, administrators should disable unencrypted remote-administrative protocols and services, which are often enabled by default. Protocols required for operations must be authorized, and the most secure version must be implemented. All other protocols must be disabled, particularly unencrypted remote-administrative protocols used to manage network infrastructure devices, such as Telnet, Hypertext Transfer Protocol, File Transfer Protocol, Trivial File Transfer Protocol, and Simple Network Management Protocol versions 1 and 2.
Control Remote Access and Audit Remote Logins
- Control legitimate remote access by trusted service providers. Similar to other administrative accounts, MSP accounts should be given the least privileges needed to operate. In addition, it is recommended that MSP accounts either be limited to work hours, when they can be monitored, or disabled until work needs to be done. MSP accounts should also be held to the same or higher levels of security for credential use, such as multifactor authentication or more complex passwords subject to shorter expiration timeframes.
- Establish a baseline on the network. Network administrators should work with network owners or MSPs to establish what normal baseline behavior and traffic look like on the network. It is also advisable to discuss what accesses are needed when the network is not being actively managed. This will allow local network personnel to know what acceptable cross-network or MSP traffic looks like in terms of ports, protocols, and credential use.
- Monitor system event logs for anomalous activity. Network logs should be captured to help detect and identify anomalous and potentially malicious activity. In addition to the application whitelisting logs, administrators should ensure that other critical event logs are being captured and stored, such as service installation, account usage, pass-the-hash detection, and RDP detection logs. Event logs can help identify the use of tools like Mimikatz and the anomalous use of legitimate credentials or hashes. Baselining is critical for effective event log analysis, especially in the cases of MSP account behavior.
- Control Microsoft RDP. Adversaries with valid credentials can use RDP to move laterally and access information on other, more sensitive systems. These techniques can help protect against the malicious use of RDP:
- Assess the need to have RDP enabled on systems and, if required, limit connections to specific, trusted hosts.
- Verify that cloud environments adhere to best practices, as defined by the cloud service provider. After the cloud environment setup is complete, ensure that RDP ports are not enabled unless required for a business purpose.
- Place any system with an open RDP port behind a firewall and require users to communicate via a VPN through a firewall.
- Perform regular checks to ensure RDP port 3389 is not open to the public internet. Enforce strong-password and account-lockout policies to defend against brute force attacks.
- Enable the restricted-administrator option available in Windows 8.1 and Server 2012 R2 to ensure that reusable credentials are neither sent in plaintext during authentication nor cached.
- Restrict Secure Shell (SSH) trusts. It is important that SSH trusts be carefully managed and secured because improperly configured and overly permissive trusts can provide adversaries with initial access opportunities and the means for lateral movement within a network. Access lists should be configured to limit which users are able to log in via SSH, and root login via SSH should be disabled. Additionally, the system should be configured to only allow connections from specific workstations, preferably administrative workstations used only for the purpose of administering systems.
Report Unauthorized Network Access
Contact DHS or your local FBI office immediately. To report an intrusion and request resources for incident response or technical assistance, contact NCCIC at (NCCICCustomerService@hq.dhs.gov or 888-282-0870), FBI through a local field office, or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).
October, 3 2018: Initial version