This technical alert addresses the exploitation of trusted network relationships and the subsequent illicit use of legitimate credentials by Advanced Persistent Threat (APT) actors. It identifies APT actors' tactics, techniques, and procedures (TTPs) and describes the best practices that could be employed to mitigate each of them. The mitigations for each TTP are arranged according to the National Institute of Standards and Technology (NIST) Cybersecurity Framework core functions of Protect, Detect, Respond, and Recover.
APT actors are using multiple mechanisms to acquire legitimate user credentials to exploit trusted network relationships in order to expand unauthorized access, maintain persistence, and exfiltrate data from targeted organizations. Suggested best practices for administrators to mitigate this threat include auditing credentials, remote-access logs, and controlling privileged access and remote access.
APT actors are conducting malicious activity against organizations that have trusted network relationships with potential targets, such as a parent company, a connected partner, or a contracted managed service provider (MSP). APT actors can use legitimate credentials to expand unauthorized access, maintain persistence, exfiltrate data, and conduct other operations, while appearing to be authorized users. Leveraging legitimate credentials to exploit trusted network relationships also allows APT actors to access other devices and other trusted networks, which affords intrusions a high level of persistence and stealth.
Recommended best practices for mitigating this threat include rigorous credential and privileged-access management, as well as remote-access control, and audits of legitimate remote-access logs. While these measures aim to prevent the initial attack vectors and the spread of malicious activity, there is no single proven threat response.
Using a defense-in-depth strategy is likely to increase the odds of successfully disrupting adversarial objectives long enough to allow network defenders to detect and respond before the successful completion of a threat actor’s objectives.
Any organization that uses an MSP to provide services should monitor the MSP's interactions within their organization’s enterprise networks, such as account use, privileges, and access to confidential or proprietary information. Organizations should also ensure that they have the ability to review their security and monitor their information hosted on MSP networks.
APT TTPs and Corresponding Mitigations
The following table displays the TTPs employed by APT actors and pairs them with mitigations that network defenders can implement.
Table 1: APT TTPs and Mitigations
- Allocate operational infrastructure, such as Internet Protocol addresses (IPs).
- Gather target credentials to use for legitimate access.
- Educate users to never click unsolicited links or open unsolicited attachments in emails.
- Implement an awareness and training program.
- Leverage multi-sourced threat-reputation services for files, Domain Name System (DNS), Uniform Resource Locators (URLs), IPs, and email addresses.
- Use legitimate remote access, such as virtual private networks (VPNs) and Remote Desktop Protocol (RDP).
- Leverage a trusted relationship between networks.
- Enable strong spam filters to prevent phishing emails from reaching end users.
- Authenticate inbound email using Sender Policy Framework; Domain-Based Message Authentication, Reporting and Conformance; and DomainKeys Identified Mail to prevent email spoofing.
- Prevent external access via RDP sessions and require VPN access.
- Enforce multi-factor authentication and account-lockout policies to defend against brute force attacks.
- Leverage multi-sourced threat-reputation services for files, DNS, URLs, IPs, and email addresses.
- Scan all incoming and outgoing emails to detect threats and filter out executables.
- Audit all remote authentications from trusted networks or service providers for anomalous activity.
Respond and Recover:
- Reset credentials, including system accounts.
- Transition to multifactor authentication and reduce use of password-based systems, which are susceptible to credential theft, forgery, and reuse across multiple systems.
Execution and Internal Reconnaissance:
- Write to disk and execute malware and tools on hosts.
- Use interpreted scripts and run commands in shell to enumerate accounts, local network, operating system, software, and processes for internal reconnaissance.
- Map accessible networks and scan connected targets.
- Use remote services and log on remotely.
- Use legitimate credentials to move laterally onto hosts, domain controllers, and servers.
- Write to remote file shares, such as Windows administrative shares.
- Locate credentials, dump credentials, and crack passwords.
- Deploy an anti-malware solution, which also aims to prevent spyware and adware.
- Prevent the execution of unauthorized software, such as Mimikatz, by using application whitelisting.
- Deploy PowerShell mitigations and, in the more current versions of PowerShell, enable monitoring and security features.
- Prevent unauthorized external access via RDP sessions. Restrict workstations from communicating directly with other workstations.
- Separate administrative privileges between internal administrator accounts and accounts used by trusted service providers.
- Enable detailed session-auditing and session-logging.
- Audit all remote authentications from trusted networks or service providers.
- Detect mismatches by correlating credentials used within internal networks with those employed on external-facing systems.
- Log use of system administrator commands, such as net, ipconfig, and ping.
- Audit logs for suspicious behavior.
- Use whitelist or baseline comparison to monitor Windows event logs and network traffic to detect when a user maps a privileged administrative share on a Windows system.
- Leverage multi-sourced threat-reputation services for files, DNS, URLs, IPs, and email addresses.
Respond and Recover:
- Reset credentials.
- Monitor accounts associated with a compromise for abnormal behaviors, including unusual connections to nonstandard resources or attempts to elevate privileges, enumerate, or execute unexpected programs or applications.
- Maintain access to trusted networks while gathering data from victim networks.
- Compress and position data for future exfiltration in archives or in unconventional locations to avoid detection.
- Send over command and control channel using data-transfer tools (e.g., PuTTY secure copy client [PSCP], Robocopy).
- Prevent the execution of unauthorized software, such as PSCP and Robocopy.
- Monitor for use of archive and compression tools.
- Monitor egress traffic for anomalous behaviors, such as irregular outbound connections, malformed or abnormally large packets, or bursts of data to detect beaconing and exfiltration.
Detailed Mitigation Guidance
Manage Credentials and Control Privileged Access
Compromising the credentials of legitimate users automatically provides a threat actor access to the network resources available to those users and helps that threat actor move more covertly through the network. Adopting and enforcing a strong-password policy can reduce a threat actor’s ability to compromise legitimate accounts; transitioning to multifactor authentication solutions increases the difficulty even further. Additionally, monitoring user account logins—whether failed or successful—and deploying tools and services to detect illicit use of credentials can help network defenders identify potentially malicious activity.
Threat actors regularly target privileged accounts because they not only grant increased access to high-value assets in the network, but also more easily enable lateral movement, and often provide mechanisms for the actors to hide their activities. Privileged access can be controlled by ensuring that only those users requiring elevated privileges are granted those accesses and, in accordance with the principle of least privilege, by restricting the use of those privileged accounts to instances where elevated privileges are required for specific tasks. It is also important to carefully manage and monitor local-administrator and MSP accounts because they inherently function with elevated privileges and are often ignored after initial configuration.
A key way to control privileged accounts is to segregate and control administrator (admin) privileges. All administrative credentials should be tightly controlled, restricted to a function, or even limited to a specific amount of time. For example, only dedicated workstation administrator accounts should be able to administer workstations. Server accounts, such as general, Structured Query Language, or email admins, should not have administrative access to workstations. The only place domain administrator (DA) or enterprise administrator (EA) credentials should ever be used is on a domain controller. Both EA and DA accounts should be removed from the local-administrators group on all other devices. On UNIX devices, sudo (or root) access should be tightly restricted in the same manner. Employing a multifactor authentication solution for admin accounts adds another layer of security and can significantly reduce the impact of a password compromise because the threat actor needs the other factor—that is, a smartcard or a token—for authentication.
Additionally, administrators should disable unencrypted remote-administrative protocols and services, which are often enabled by default. Protocols required for operations must be authorized, and the most secure version must be implemented. All other protocols must be disabled, particularly unencrypted remote-administrative protocols used to manage network infrastructure devices, such as Telnet, Hypertext Transfer Protocol, File Transfer Protocol, Trivial File Transfer Protocol, and Simple Network Management Protocol versions 1 and 2.
Control Remote Access and Audit Remote Logins
- Control legitimate remote access by trusted service providers. Similar to other administrative accounts, MSP accounts should be given the least privileges needed to operate. In addition, it is recommended that MSP accounts either be limited to work hours, when they can be monitored, or disabled until work needs to be done. MSP accounts should also be held to the same or higher levels of security for credential use, such as multifactor authentication or more complex passwords subject to shorter expiration timeframes.
- Establish a baseline on the network. Network administrators should work with network owners or MSPs to establish what normal baseline behavior and traffic look like on the network. It is also advisable to discuss what accesses are needed when the network is not being actively managed. This will allow local network personnel to know what acceptable cross-network or MSP traffic looks like in terms of ports, protocols, and credential use.
- Monitor system event logs for anomalous activity. Network logs should be captured to help detect and identify anomalous and potentially malicious activity. In addition to the application whitelisting logs, administrators should ensure that other critical event logs are being captured and stored, such as service installation, account usage, pass-the-hash detection, and RDP detection logs. Event logs can help identify the use of tools like Mimikatz and the anomalous use of legitimate credentials or hashes. Baselining is critical for effective event log analysis, especially in the cases of MSP account behavior.
- Control Microsoft RDP. Adversaries with valid credentials can use RDP to move laterally and access information on other, more sensitive systems. These techniques can help protect against the malicious use of RDP:
- Assess the need to have RDP enabled on systems and, if required, limit connections to specific, trusted hosts.
- Verify that cloud environments adhere to best practices, as defined by the cloud service provider. After the cloud environment setup is complete, ensure that RDP ports are not enabled unless required for a business purpose.
- Place any system with an open RDP port behind a firewall and require users to communicate via a VPN through a firewall.
- Perform regular checks to ensure RDP port 3389 is not open to the public internet. Enforce strong-password and account-lockout policies to defend against brute force attacks.
- Enable the restricted-administrator option available in Windows 8.1 and Server 2012 R2 to ensure that reusable credentials are neither sent in plaintext during authentication nor cached.
- Restrict Secure Shell (SSH) trusts. It is important that SSH trusts be carefully managed and secured because improperly configured and overly permissive trusts can provide adversaries with initial access opportunities and the means for lateral movement within a network. Access lists should be configured to limit which users are able to log in via SSH, and root login via SSH should be disabled. Additionally, the system should be configured to only allow connections from specific workstations, preferably administrative workstations used only for the purpose of administering systems.
Report Unauthorized Network Access
Contact DHS or your local FBI office immediately. To report an intrusion and request resources for incident response or technical assistance, contact NCCIC at (NCCICCustomerService@hq.dhs.gov or 888-282-0870), FBI through a local field office, or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).