By Bruce Sussman
Tue | Jan 7, 2020 | 7:59 AM PST

How does Iran go after its enemies in cyberspace? 

According to a new alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), there are 10 known tactics and techniques Iran likes to use against the world.

Iran's top 10 APT cyberattack techniques

Following the killing of one of Iran's top leaders by the United States, it seems like alerts about possible cyber retaliation have been non-stop.

However, for cybersecurity leaders and teams, the most valuable alert came from CISA. The agency lists the top 10 Iranian cyberattack techniques along with detection and mitigation best practices. Let's take a look:

1. Credential dumping attacks

CISA suggested mitigation includes:

  • Manage the access control list for "Replicating Directory Changes" and other permissions associated with domain controller replication.

  • Consider disabling or restricting NTLM.

  • Ensure that local administrator accounts have complex, unique passwords across all systems on the network.

  • Limit credential overlap across accounts and systems by training users and administrators not to use the same password for multiple accounts.

Detection of this cyberattack:

  • Windows: Monitor for unexpected processes interacting with lsass.exe.
  • Linux: The AuditD monitoring tool can be used to watch for hostile processes opening a maps file in the proc file system, alerting on the pid, process name, and arguments for such programs.
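As an added example (not code from the article or from CISA), the Windows detection above in its simplest form: Sysmon Event ID 10 style process-access records, constructed here, are checked for any source outside an assumed allow-list that opens lsass.exe with memory-read rights.

```python
"""Flag unexpected processes opening lsass.exe with memory-read rights.

Added example, not from the CISA alert or this article. Records mimic Sysmon
Event ID 10 (ProcessAccess) fields and are constructed; the allow-list of
benign lsass clients is an assumption to tune per environment.
"""
from dataclasses import dataclass

PROCESS_VM_READ = 0x0010  # Win32 access right required to read process memory

# Assumption: processes that legitimately open lsass on a typical workstation.
KNOWN_LSASS_CLIENTS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

@dataclass(frozen=True)
class ProcessAccess:
    source_image: str
    target_image: str
    granted_access: int
    source_pid: int

def is_suspicious_lsass_access(ev: ProcessAccess) -> bool:
    """True when a non-allow-listed source opens lsass with PROCESS_VM_READ."""
    if ev.target_image.lower().rsplit("\\", 1)[-1] != "lsass.exe":
        return False  # not an lsass handle at all
    if ev.source_image.lower() in KNOWN_LSASS_CLIENTS:
        return False  # expected client
    return bool(ev.granted_access & PROCESS_VM_READ)

def find_suspicious(events):
    return [ev for ev in events if is_suspicious_lsass_access(ev)]

# Constructed sample events, not real telemetry. 0x1010 = QUERY_LIMITED | VM_READ,
# 0x1400 = QUERY_INFORMATION | QUERY_LIMITED (no memory read).
SAMPLE_EVENTS = [
    ProcessAccess(r"C:\Windows\System32\csrss.exe", r"C:\Windows\System32\lsass.exe", 0x1FFFFF, 612),
    ProcessAccess(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\lsass.exe", 0x1000, 900),
    ProcessAccess(r"C:\Windows\System32\taskmgr.exe", r"C:\Windows\System32\lsass.exe", 0x1400, 5120),
    ProcessAccess(r"C:\Users\Public\update.exe", r"C:\Windows\System32\lsass.exe", 0x1010, 4412),
    ProcessAccess(r"C:\Users\Public\update.exe", r"C:\Windows\System32\notepad.exe", 0x1010, 4412),
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT pid={hit.source_pid} {hit.source_image} opened lsass (0x{hit.granted_access:X})")
```

The allow-list is the part that needs real tuning: baseline which images open lsass on your own fleet before alerting on the rest.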

2. Obfuscated files or information attacks

Mitigation

  • Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10 to analyze commands after being processed/interpreted.

Detection

  • Windows: Monitor for unexpected processes interacting with lsass.exe.
  • Linux: The AuditD monitoring tool can be used to watch for hostile processes opening a maps file in the proc file system, alerting on the pid, process name, and arguments for such programs.

3. Data compression attacks

Mitigation

  • Network intrusion prevention or data loss prevention tools may be set to block specific file types from leaving the network over unencrypted channels.

Detection

  • Process monitoring and monitoring for command-line arguments for known compression utilities.
  • If the communications channel is unencrypted, compressed files can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers.

4. PowerShell attacks

Mitigation

  • Set PowerShell execution policy to execute only signed scripts.
  • Remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions.
  • Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.
  • Restrict PowerShell execution policy to administrators.

Detection

  • If PowerShell is not used in an environment, looking for PowerShell execution may detect malicious activity.
  • Monitor for loading and/or execution of artifacts associated with PowerShell-specific assemblies, such as System.Management.Automation.dll (especially by unusual process names/locations).
  • Turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations).

5. User execution attacks

Mitigation

  • Application whitelisting may be able to prevent the running of executables masquerading as other files.
  • If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.
  • Block unknown or unused files in transit by default that should not be downloaded, or by policy from suspicious sites, as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc.
  • Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.

Detection

  • Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files that can be used to Deobfuscate/Decode Files or Information in payloads.
  • Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer.
  • Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe) for techniques such as Exploitation for Client Execution and Scripting.

6. Scripting attacks

Mitigation

  • Configure Office security settings to enable Protected View, to execute within a sandbox environment, and to block macros through Group Policy. Other types of virtualization and application microsegmentation may also mitigate the impact of compromise.
  • Turn off unused features or restrict access to scripting engines such as VBScript or scriptable administration frameworks such as PowerShell.

Detection

  • Examine scripting user restrictions. Evaluate any attempts to enable scripts running on a system that would be considered suspicious.
  • Scripts should be captured from the file system when possible to determine their actions and intent.
  • Monitor processes and command-line arguments for script execution and subsequent behavior.
  • Analyze Office file attachments for potentially malicious macros.
  • Office processes, such as winword.exe, spawning instances of cmd.exe, script application like wscript.exe or powershell.exe, or other suspicious processes may indicate malicious activity.
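The last bullet above, and the "Word document spawning powershell.exe" case in the user execution section, are a parent/child process check. As an added example (not the article's or CISA's code), here it is run over constructed Sysmon Event ID 1 style process-creation records; the Office parent and child process name sets extend the names the article gives and are assumptions to tune.

```python
"""Flag Office applications spawning shells or script hosts.

Added example, not code from the article or CISA. Records mimic Sysmon Event ID 1
(ProcessCreate) fields and are constructed; the parent/child name sets extend
the processes the article names and are an assumption to tune per environment.
"""
from dataclasses import dataclass

# Assumption: Office hosts that should not normally launch shells or script engines.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumption: children worth alerting on when the parent is an Office process.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

@dataclass(frozen=True)
class ProcessCreate:
    parent_image: str
    image: str
    command_line: str
    pid: int

def image_name(path: str) -> str:
    """Lowercase file-name component of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]

def is_office_spawn(ev: ProcessCreate) -> bool:
    """True when an Office parent launches a shell or script host."""
    return image_name(ev.parent_image) in OFFICE_PARENTS and image_name(ev.image) in SUSPICIOUS_CHILDREN

def find_office_spawns(events):
    return [ev for ev in events if is_office_spawn(ev)]

# Constructed sample events, not real telemetry.
OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    ProcessCreate(OFFICE16 + r"\WINWORD.EXE", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r"powershell.exe -File C:\Users\Public\stage.ps1", 7012),
    ProcessCreate(OFFICE16 + r"\OUTLOOK.EXE", OFFICE16 + r"\WINWORD.EXE", "WINWORD.EXE /n invoice.docx", 7100),
    ProcessCreate(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe", 7200),
    ProcessCreate(OFFICE16 + r"\EXCEL.EXE", r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\Public\run.vbs", 7300),
]

if __name__ == "__main__":
    for hit in find_office_spawns(SAMPLE_EVENTS):
        print(f"ALERT pid={hit.pid} {image_name(hit.parent_image)} -> {image_name(hit.image)}: {hit.command_line}")
```

Outlook opening an attachment in Word (pid 7100) and a user launching cmd.exe from Explorer (pid 7200) are deliberately left unflagged, since only the Office-to-shell pairing is the signal here.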

7. Remote file copy attacks

Mitigation

  • Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level.

Detection

  • Monitor for file creation and files transferred within a network over SMB.
  • Monitor use of utilities, such as FTP, that does not normally occur.
  • Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server).
  • Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.
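The "client sending significantly more data than it receives" bullet is a ratio check over aggregated flow records. As an added example (not from the article or CISA), constructed NetFlow-style summaries are summed per client/server/port pair and flagged when the upload volume and the upload-to-download ratio both exceed assumed thresholds.

```python
"""Flag client/server pairs where the client uploads far more than it downloads.

Added example, not from the article or CISA. Flow records are constructed
NetFlow-style summaries; the byte and ratio thresholds are assumptions to be
tuned against a baseline of the environment's normal traffic.
"""
from collections import defaultdict
from dataclasses import dataclass

MIN_BYTES_OUT = 50 * 1024 * 1024  # assumption: ignore uploads below 50 MiB
MIN_OUT_IN_RATIO = 20.0           # assumption: clients normally receive more than they send

@dataclass(frozen=True)
class Flow:
    client: str
    server: str
    dst_port: int
    bytes_out: int  # client -> server
    bytes_in: int   # server -> client

def aggregate(flows):
    """Sum bytes per (client, server, port) so many short sessions are judged together."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        totals[(f.client, f.server, f.dst_port)][0] += f.bytes_out
        totals[(f.client, f.server, f.dst_port)][1] += f.bytes_in
    return totals

def find_asymmetric(flows, min_out=MIN_BYTES_OUT, min_ratio=MIN_OUT_IN_RATIO):
    """Return (client, server, port, bytes_out, bytes_in, ratio) for suspicious pairs."""
    findings = []
    for key, (out, inn) in aggregate(flows).items():
        ratio = out / max(inn, 1)  # one-way flows would otherwise divide by zero
        if out >= min_out and ratio >= min_ratio:
            findings.append((*key, out, inn, round(ratio, 1)))
    return findings

# Constructed sample flows (RFC 5737 documentation addresses), not real telemetry.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, 1_200_000, 48_000_000),  # ordinary browsing
    Flow("10.0.0.8", "198.51.100.7", 21, 30_000_000, 40_000),      # FTP upload, session 1
    Flow("10.0.0.8", "198.51.100.7", 21, 35_000_000, 45_000),      # FTP upload, session 2
    Flow("10.0.0.9", "203.0.113.20", 443, 80_000_000, 9_000_000),  # large but not lopsided
]

if __name__ == "__main__":
    for c, s, p, out, inn, r in find_asymmetric(SAMPLE_FLOWS):
        print(f"ALERT {c} -> {s}:{p} sent {out} B, received {inn} B (ratio {r})")
```

Aggregating before judging matters: each FTP session alone sits under the volume threshold, and only their sum crosses it.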

8. Spearphishing link attacks

Mitigation

  • Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
  • Users can be trained to identify social engineering techniques and spearphishing emails with malicious links.

Detection

  • URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites.
  • Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.

9. Spearphishing attachment attacks

Mitigation

  • Anti-virus can automatically quarantine suspicious files.
  • Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity.
  • Block unknown or unused attachments by default that should not be transmitted over email as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc.
  • Some email scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious attachments in Obfuscated Files or Information.
  • Users can be trained to identify social engineering techniques and spearphishing emails.

Detection

  • Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit.
  • Detonation chambers may also be used to identify malicious attachments.
  • Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.
  • Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer.

10. Registry run keys/startup folder attack

Mitigation

  • This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

  • Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc.
  • Monitor the start folder for additions or changes.
  • Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders.
  • To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
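As an added example (not code from CISA, the article or Sysinternals), the first three detection bullets above as a baseline diff: an inventory of Run keys and Startup folder contents, constructed here in the shape a collector such as Autoruns would produce, is compared against a saved baseline, additions and changes explained by an assumed "approved" patch cycle are dropped, and entries pointing into user-writable paths are marked.

```python
"""Diff an autorun inventory (Run keys and Startup folders) against a baseline.

Added example, not from CISA or the article. Inventories are constructed dicts
standing in for output of a collector such as Sysinternals Autoruns; the
'approved' map modelling a known patch cycle is an assumption.
"""
HKLM_RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
USER_STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
# Assumption: directories where legitimate autorun binaries rarely live.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

def diff_autoruns(baseline, current):
    """Return (added, changed) as (location, name, command); inventories are {loc: {name: cmd}}."""
    added, changed = [], []
    for loc, entries in current.items():
        base = baseline.get(loc, {})
        for name, cmd in entries.items():
            if name not in base:
                added.append((loc, name, cmd))
            elif base[name] != cmd:
                changed.append((loc, name, cmd))
    return added, changed

def suspicious_autoruns(baseline, current, approved):
    """Keep changes not explained by approved software; flag commands in user-writable paths."""
    added, changed = diff_autoruns(baseline, current)
    findings = []
    for kind, items in (("ADDED", added), ("CHANGED", changed)):
        for loc, name, cmd in items:
            if approved.get((loc, name)) == cmd:
                continue  # e.g. a known patch cycle
            in_user_dir = any(m in cmd.lower() for m in USER_WRITABLE_MARKERS)
            findings.append((kind, loc, name, cmd, in_user_dir))
    return findings

# Constructed inventories, not real systems.
BASELINE = {HKLM_RUN: {"SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
                       "VendorAgent": r"C:\Program Files\Vendor\agent.exe /v1"}}
CURRENT = {HKLM_RUN: {"SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
                      "VendorAgent": r"C:\Program Files\Vendor\agent.exe /v2"},
           HKCU_RUN: {"OneDriveUpdate": r"C:\Users\alice\AppData\Roaming\svc\upd.exe"},
           USER_STARTUP: {"report.lnk": r"C:\Users\Public\report.vbs"}}
APPROVED = {(HKLM_RUN, "VendorAgent"): r"C:\Program Files\Vendor\agent.exe /v2"}  # patch cycle

if __name__ == "__main__":
    for kind, loc, name, cmd, flagged in suspicious_autoruns(BASELINE, CURRENT, APPROVED):
        print(f"{kind} {loc}\\{name} = {cmd}" + ("  [user-writable path]" if flagged else ""))
```

The approved map is what keeps a routine agent upgrade out of the alert queue, which is the "correlate with known software, patch cycles" part of the bullet.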

Collective defense against cyberattacks from Iran

Hopefully, this bullet-point list will help you and your cybersecurity team play a part in what CISA calls "collective defense." 

It also urges you to report cyberattacks you suspect may be coming from Iran, because this can lead to greater intelligence regarding Iranian APT techniques and activity. The CISA reporting portal is here.

For more, see Alert (AA20-006A) Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad.

