Use Case for System Intrusion Based on "2024 Data Breach Investigations Report"

Overview

In my view, the "System Intrusion" pattern described in the Verizon 2024 Data Breach Investigations Report deserves its own use case, and this one summarises the trends, techniques, and mitigations associated with that pattern. The pattern, characterised by hacking and malware attacks, frequently leads to data breaches driven by ransomware and the exploitation of system vulnerabilities.

Source: “Verizon 2024 Data Breach Investigations Report”

link: verizon.com/dbir


Key Statistics

  • Incidents: 5,175 incidents, 3,803 with confirmed data disclosure.
  • Threat Actors: Predominantly external (100% of breaches).
  • Actor Motives: Primarily financial (95% of breaches), with some espionage (5% of breaches).
  • Data Types Compromised: Personal (50% of breaches), System (26%), Internal (22%), Other (34%).


Relevant ATT&CK Tactics and Techniques

The tactics and techniques employed align with MITRE's ATT&CK Framework, including:

Reconnaissance TA0043

  • Active Scanning: T1595
    • Vulnerability Scanning: T1595.002

Resource Development TA0042

  • Compromise Accounts: T1586
    • Social Media Accounts: T1586.001
    • Email Accounts: T1586.002

Initial Access TA0001

  • Exploit Public-Facing Application: T1190
  • External Remote Services: T1133
  • Valid Accounts: T1078
    • Default Accounts: T1078.001
    • Domain Accounts: T1078.002
    • Local Accounts: T1078.003
    • Cloud Accounts: T1078.004

Persistence TA0003

  • External Remote Services: T1133
  • Valid Accounts: T1078
    • Default Accounts: T1078.001
    • Domain Accounts: T1078.002
    • Local Accounts: T1078.003
    • Cloud Accounts: T1078.004

Privilege Escalation TA0004

  • Exploitation for Privilege Escalation: T1068
  • Valid Accounts: T1078
    • Default Accounts: T1078.001
    • Domain Accounts: T1078.002
    • Local Accounts: T1078.003
    • Cloud Accounts: T1078.004

Defense Evasion TA0005

  • Exploitation for Defense Evasion: T1211
  • Use Alternate Authentication Material: T1550
    • Web Session Cookie: T1550.004
  • Valid Accounts: T1078
    • Default Accounts: T1078.001
    • Domain Accounts: T1078.002
    • Local Accounts: T1078.003
    • Cloud Accounts: T1078.004

Credential Access TA0006

  • Exploitation for Credential Access: T1212

Lateral Movement TA0008

  • Exploitation of Remote Services: T1210
  • Remote Services: T1021
    • Remote Desktop Protocol: T1021.001
  • Use Alternate Authentication Material: T1550
    • Web Session Cookie: T1550.004

MITRE ATT&CK Navigator (layer view of the techniques above)
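The tactic-to-technique mapping above can be loaded into the ATT&CK Navigator as a layer file. The following Python script is an added example, not part of the original article, that builds that layer JSON from the page's table; the `versions` numbers and the colour gradient are assumptions and may need adjusting to the Navigator release in use.

```python
import json

# Technique IDs per tactic, copied from the mapping in this use case.
# Tactic names use the short identifiers the Navigator layer format expects.
MAPPING = {
    "reconnaissance": ["T1595", "T1595.002"],
    "resource-development": ["T1586", "T1586.001", "T1586.002"],
    "initial-access": ["T1190", "T1133", "T1078", "T1078.001", "T1078.002",
                       "T1078.003", "T1078.004"],
    "persistence": ["T1133", "T1078", "T1078.001", "T1078.002", "T1078.003", "T1078.004"],
    "privilege-escalation": ["T1068", "T1078", "T1078.001", "T1078.002",
                             "T1078.003", "T1078.004"],
    "defense-evasion": ["T1211", "T1550", "T1550.004", "T1078", "T1078.001",
                        "T1078.002", "T1078.003", "T1078.004"],
    "credential-access": ["T1212"],
    "lateral-movement": ["T1210", "T1021", "T1021.001", "T1550", "T1550.004"],
}


def build_layer(mapping, name="DBIR 2024 - System Intrusion"):
    """Return a Navigator layer dict with one entry per (technique, tactic) pair."""
    entries = [
        {"techniqueID": tid, "tactic": tactic, "score": 1, "enabled": True,
         "showSubtechniques": True, "comment": "DBIR 2024 System Intrusion pattern"}
        for tactic, techniques in mapping.items() for tid in techniques
    ]
    return {
        "name": name,
        # Assumed versions: ATT&CK v15 was current for the 2024 DBIR; adjust as needed.
        "versions": {"attack": "15", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Techniques associated with the System Intrusion pattern",
        "techniques": entries,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1},
    }


def technique_tactic_counts(layer):
    """Count how many tactics each technique appears under (Valid Accounts spans four)."""
    counts = {}
    for entry in layer["techniques"]:
        counts[entry["techniqueID"]] = counts.get(entry["techniqueID"], 0) + 1
    return counts


def to_json(layer):
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    print(to_json(build_layer(MAPPING)))  # save as a .json file and open it in Navigator
```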


Mitigation Strategies by Tactic and Technique

Reconnaissance (TA0043)

  • Active Scanning (T1595) Minimize the exposure of sensitive information to external parties by reducing public-facing data and infrastructure. Monitor network traffic patterns for unusual behaviour indicating active scanning attempts.
  • Vulnerability Scanning (T1595.002) Regularly patch and update systems to minimize vulnerabilities that attackers can identify and exploit. Implement Web Application Firewalls (WAFs) to detect and block scanning attempts.


Resource Development (TA0042)

  • Compromise Accounts (T1586) Enable multi-factor authentication (MFA) for all sensitive accounts. Monitor for unusual login patterns, especially on social media and email accounts.
  • Social Media Accounts (T1586.001) Educate users on security practices like recognizing phishing attempts. Limit personal information shared on social media profiles.
  • Email Accounts (T1586.002) Regularly change passwords and avoid password reuse across different accounts. Monitor for login attempts from unusual IP addresses.


Initial Access (TA0001)

  • Exploit Public-Facing Application (T1190) Conduct regular security audits to identify vulnerabilities in web applications. Apply security patches promptly and restrict unnecessary public-facing services.
  • External Remote Services (T1133) Enforce robust authentication mechanisms, like MFA, for remote access. Disable unused services and limit remote access to internal networks.
  • Valid Accounts (T1078) Use strong, unique passwords and regularly review account permissions. Monitor for abnormal account activity indicating unauthorized access.
  • Default Accounts (T1078.001) Disable or change passwords for default accounts immediately. Limit administrative privileges and enforce strict access controls.
  • Domain Accounts (T1078.002) Limit domain account privileges to minimize impact in case of compromise. Enforce least-privilege principles and monitor login behaviour.
  • Local Accounts (T1078.003) Avoid using local accounts for sensitive operations or high-privilege access. Regularly review and disable unused or unneeded accounts.
  • Cloud Accounts (T1078.004) Apply identity and access management policies, such as least privilege. Monitor for unexpected login activity, especially from untrusted devices.


Persistence (TA0003)

  • Due to their shared nature, mitigation strategies for persistence tactics like External Remote Services and Valid Accounts are similar to those for Initial Access.


Privilege Escalation (TA0004)

  • Exploitation for Privilege Escalation (T1068) Conduct vulnerability scanning and patch any identified issues. Use exploit protection tools like Windows Defender Exploit Guard or Enhanced Mitigation Experience Toolkit (EMET).
  • Valid Accounts (T1078) Refer to the mitigation strategies outlined under Initial Access for Valid Accounts.


Defense Evasion (TA0005)

  • Exploitation for Defense Evasion (T1211) Monitor logs for exploitation attempts and use behavior-based detection. Apply application sandboxing and micro-segmentation.
  • Use Alternate Authentication Material (T1550) Prevent authentication token abuse by implementing SID filtering and OAuth proof-of-possession. Audit Active Directory requests for new ticket-granting tickets.
  • Web Session Cookie (T1550.004) Limit session cookie lifespan and ensure they are bound to the IP address. Encrypt session cookies using TLS/SSL.
  • Valid Accounts (T1078) Refer to the mitigation strategies outlined under Initial Access for Valid Accounts.


Credential Access (TA0006)

  • Exploitation for Credential Access (T1212) Apply threat intelligence programs to anticipate likely exploitation attempts. Use exploit protection mechanisms and patch vulnerabilities promptly.


Lateral Movement (TA0008)

  • Exploitation of Remote Services (T1210) Minimize service availability and ensure only necessary services are enabled. Segment networks to control lateral movement.
  • Remote Services (T1021) Use centralized VPNs or remote access systems to manage remote access. Limit permissions for accounts accessing remote services.
  • Remote Desktop Protocol (T1021.001) Use encryption for RDP sessions and disable RDP if not required. Monitor for unusual RDP login activity.
  • Use Alternate Authentication Material (T1550) Refer to mitigation strategies for T1550 under Defense Evasion.
  • Web Session Cookie (T1550.004) Refer to mitigation strategies for T1550.004 under Defense Evasion.


Event IDs, Logs and Processes

Relevant event IDs, logs, and processes that can be monitored in SIEM or SOC systems to detect various tactics and techniques:

Reconnaissance (TA0043)

  • Active Scanning (T1595)
    • Windows:
      • Windows Security Event ID 4625 (failed logon attempts).
      • Windows Firewall logs for port scans.
    • Linux:
      • System logs for ICMP packets and port scans via tools like nmap.
      • Firewall logs (e.g., iptables).
  • Vulnerability Scanning (T1595.002)
    • Windows:
      • Windows Security Event IDs for access attempts on vulnerable ports.
      • Application and system logs indicating suspicious file accesses or processes.
    • Linux:
      • System and firewall logs showing scanning attempts.
      • Web server logs for unusual requests.

Resource Development (TA0042)

  • Compromise Accounts (T1586)
    • Windows & Linux:
      • Authentication logs showing unusual login attempts.
      • Network traffic logs for data exfiltration.
      • SIEM alerts for unusual password resets or brute-force attacks.
  • Social Media Accounts (T1586.001)
    • Monitoring account security logs for changes in profile information.
    • Detecting new social media account links via web traffic analysis.
  • Email Accounts (T1586.002)
    • Email server logs indicating new forwarding rules or auto-responders.
    • Unusual login activity from unrecognized IPs.

Initial Access (TA0001)

  • Exploit Public-Facing Application (T1190)
    • Web server logs (IIS, Apache) for repeated access attempts.
    • Application logs for directory traversal and SQL injection attempts.
  • External Remote Services (T1133)
    • Windows:
      • RDP session logs for failed attempts.
      • VPN logs for unusual IP addresses.
    • Linux:
      • SSH logs (e.g., /var/log/auth.log).
      • VPN logs.
  • Valid Accounts (T1078)
    • Windows:
      • Windows Security Event IDs 4624 (successful logon) and 4634 (logoff).
      • Monitor event IDs 4672 and 4673 for sensitive privilege use.
    • Linux:
      • /var/log/secure and /var/log/auth.log for user login activity.

Persistence (TA0003)

  • External Remote Services (T1133)
    • Refer to logs and event IDs from Initial Access (T1133).
  • Valid Accounts (T1078)
    • Same logs and event IDs as Initial Access (T1078).

Privilege Escalation (TA0004)

  • Exploitation for Privilege Escalation (T1068)
    • Windows:
      • Monitor event ID 4673 for privilege escalation activities.
    • Linux:
      • Monitor logs for sudo and su commands.

Defense Evasion (TA0005)

  • Exploitation for Defense Evasion (T1211)
    • Windows & Linux:
      • Application and system logs showing changes in security software behaviour.
  • Use Alternate Authentication Material (T1550)
    • Windows & Linux:
      • Kerberos logs for abnormal ticket-granting.

Credential Access (TA0006)

  • Exploitation for Credential Access (T1212)
    • Windows & Linux:
      • Monitor access logs for unusual or unauthorized credential requests.

Lateral Movement (TA0008)

  • Exploitation of Remote Services (T1210)
    • Windows:
      • Windows Security Event IDs 4624 (successful logon) and 4634 (logoff).
      • Event IDs 7045 and 4697 for new services.
    • Linux:
      • Monitor /var/log/auth.log for SSH access attempts.
  • Remote Desktop Protocol (T1021.001)
    • Windows:
      • RDP session logs and event ID 4625 for failed attempts.
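The event IDs listed above are most useful when correlated rather than alerted on individually. The Python script below is an added example (not from the original article): over a constructed set of Windows event records it flags a burst of 4625 failures from one user/source pair followed by a 4624 success (Valid Accounts / External Remote Services), and attaches any 4672 sensitive-privilege use or 7045 service install seen on the same host within the following 30 minutes. The thresholds, windows and sample events are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows event records (not real telemetry): six 4625 failures
# from one source, then a 4624 success, 4672 privilege use and a 7045 service install.
EVENTS = [
    {"ts": "2024-05-01T10:00:%02d" % s, "id": 4625, "user": "svc_backup",
     "src": "203.0.113.7", "host": "WS01"} for s in (1, 9, 17, 25, 33, 41)
] + [
    {"ts": "2024-05-01T10:01:30", "id": 4624, "user": "svc_backup", "src": "203.0.113.7", "host": "WS01"},
    {"ts": "2024-05-01T10:02:10", "id": 4672, "user": "svc_backup", "src": "-", "host": "WS01"},
    {"ts": "2024-05-01T10:05:00", "id": 7045, "user": "SYSTEM", "src": "-", "host": "WS01"},
    {"ts": "2024-05-01T11:00:00", "id": 4624, "user": "alice", "src": "10.0.0.5", "host": "WS02"},
]

FAIL_THRESHOLD = 5                       # assumed: this many 4625s from one (user, src) ...
FAIL_WINDOW = timedelta(minutes=5)       # ... within this window before a 4624 is suspicious
FOLLOWUP_WINDOW = timedelta(minutes=30)  # assumed: look-ahead for 4672 / 7045 on the same host


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events):
    """Return one alert per 4624 that follows a burst of 4625s from the same user/source."""
    events = sorted(events, key=_ts)
    failures = defaultdict(list)         # (user, src) -> timestamps of 4625 events
    alerts = []
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["id"] == 4625:
            failures[key].append(_ts(ev))
            continue
        if ev["id"] != 4624:
            continue
        ev_time = _ts(ev)
        recent = [t for t in failures[key] if ev_time - t <= FAIL_WINDOW]
        if len(recent) < FAIL_THRESHOLD:
            continue
        # Enrich the alert with post-logon privilege use or service installs on that host.
        followup = [f["id"] for f in events
                    if f["host"] == ev["host"] and f["id"] in (4672, 7045)
                    and timedelta(0) <= _ts(f) - ev_time <= FOLLOWUP_WINDOW]
        alerts.append({"host": ev["host"], "user": ev["user"], "src": ev["src"],
                       "failed_logons": len(recent), "followup_ids": followup})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```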

Additional Considerations

  • Log Centralization: Use SIEM tools or centralized logging solutions to aggregate logs from multiple sources.
  • Correlate Data: Combine logs across these sources for a comprehensive view.
  • Alert Rules: Set up alert rules to identify TTPs early.
  • Retention Policy: Maintain logs long enough for practical forensic analysis.

These strategies help organizations effectively detect and investigate TTPs through log ingestion.


Conclusion

The "System Intrusion" pattern highlights the necessity of combining proactive security measures and advanced detection techniques. Threat actors increasingly use sophisticated methods to evade security defenses, emphasizing the need for continuous monitoring and adaptive security measures.


Appendix: Ingestion Logs

Windows Logs

Application Logs

  • Location: Event Viewer > Windows Logs > Application
  • Relevant Event IDs:
    • Event ID 1000: Application Error, indicates a process crash.
    • Event ID 1001: Application Hang, useful for identifying unexpected process hangs.
    • Event IDs 3000-3002: IIS Application Pool Failure, may indicate suspicious file accesses.

System Logs

  • Location: Event Viewer > Windows Logs > System
  • Relevant Event IDs:
    • Event IDs 7031 and 7034: Service Terminated Unexpectedly, can signal malicious activity affecting critical services.
    • Event ID 7045: A service was installed in the system, indicating new or unauthorized services.
    • Event ID 7040: Service Start Type Change, may point to attempts to disable or enable services.

Security Logs

  • Location: Event Viewer > Windows Logs > Security
  • Relevant Event IDs:
    • Event ID 4663: An Attempt Was Made to Access an Object, can identify unauthorized file accesses.
    • Event ID 4688: A New Process Has Been Created, useful for detecting suspicious processes.

Linux Logs

Application Logs

  • Location: /var/log
  • Relevant Logs & Events:
    • Syslog (/var/log/syslog): Contains logs from various applications, including access attempts.
    • Auth Log (/var/log/auth.log): Authentication events like failed or successful logins.
    • Apache Access Log (/var/log/apache2/access.log): For web server access, includes suspicious file accesses.
    • Apache Error Log (/var/log/apache2/error.log): Indicates web application errors, including potential exploits.
    • Audit Log (/var/log/audit/audit.log): Records actions performed by privileged users and processes.

System Logs

  • Location: /var/log
  • Relevant Logs & Events:
    • Syslog (/var/log/syslog): Contains system-wide logs, including kernel and device issues.
    • Messages Log (/var/log/messages): Similar to Syslog, includes general system events.

Security Logs

  • Location: /var/log
  • Relevant Logs & Events:
    • SELinux Log (/var/log/audit/audit.log): Captures detailed security events if SELinux is enabled.
    • Sudo Log (/var/log/secure): Records use of sudo commands, indicating privilege escalation attempts.

Monitoring Processes

Windows Processes

  • powershell.exe: Monitor for suspicious PowerShell activity.
  • cmd.exe: Check for unusual or unauthorized use.
  • svchost.exe: Can be abused to hide malicious services.

Linux Processes

  • sshd: Monitor for repeated login attempts.
  • bash: Look for unusual shell activity.
  • crond: Identify cron jobs running suspicious commands.
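To show how the Linux sources in this appendix are consumed in practice, the following Python script is an added example (not from the original article) that parses a constructed /var/log/auth.log excerpt: it counts sshd "Failed password" events per source, flags sources that then get an "Accepted" logon, and reports sudo invocations whose COMMAND is a shell, which is the "sudo and su" and "unusual shell activity" monitoring the page calls for. The threshold, shell list and sample lines are assumptions.

```python
import re
from collections import Counter

# Constructed /var/log/auth.log excerpt (not from a real system).
AUTH_LOG = """\
May  1 10:00:01 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
May  1 10:00:03 web01 sshd[1235]: Failed password for root from 203.0.113.7 port 51002 ssh2
May  1 10:00:05 web01 sshd[1236]: Failed password for deploy from 203.0.113.7 port 51004 ssh2
May  1 10:00:07 web01 sshd[1237]: Failed password for deploy from 203.0.113.7 port 51006 ssh2
May  1 10:00:09 web01 sshd[1238]: Failed password for deploy from 203.0.113.7 port 51008 ssh2
May  1 10:00:20 web01 sshd[1240]: Accepted password for deploy from 203.0.113.7 port 51010 ssh2
May  1 10:00:30 web01 sshd[1241]: Failed password for alice from 10.0.0.5 port 40000 ssh2
May  1 10:00:35 web01 sshd[1242]: Accepted publickey for alice from 10.0.0.5 port 40002 ssh2
May  1 10:01:00 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/bash
May  1 10:02:00 web01 sudo:   alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")
SUDO = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.+)$")
SHELLS = {"bash", "sh", "dash", "zsh"}   # assumed list of interactive shells worth flagging
THRESHOLD = 5                            # assumed: failed sshd logons per source before alerting


def analyse(text, threshold=THRESHOLD):
    """Return per-source failure counts, brute-force-then-success pairs and sudo-to-shell events."""
    failures = Counter()
    accepted = []      # (user, src) in log order
    shell_sudo = []    # (invoking user, target user, command)
    for line in text.splitlines():
        if m := FAILED.search(line):
            failures[m.group(2)] += 1
        elif m := ACCEPTED.search(line):
            accepted.append((m.group(1), m.group(2)))
        elif m := SUDO.search(line):
            user, target, cmd = m.groups()
            if cmd.split()[0].rsplit("/", 1)[-1] in SHELLS:   # basename of the binary
                shell_sudo.append((user, target, cmd))
    brute_then_success = [(u, s) for u, s in accepted if failures[s] >= threshold]
    return {"failures": dict(failures), "brute_then_success": brute_then_success,
            "shell_sudo": shell_sudo}


if __name__ == "__main__":
    print(analyse(AUTH_LOG))
```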

Ivan Salles, CISSP, CISM

SOC | SOC-CMM | CISO || @Mente Binaria | @CCN | @OpenCTI.BR

10 months

Great compendium, Antonio! I just saved it to my bookmark.
