Skip to main content

Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 12

September 22, 2016

In this blog series, members of Optiv’s attack and penetration team are covering the top 20 Center for Internet Security (CIS) Critical Security Controls (CSC), showing an attack example and explaining how the control could have prevented the attack from being successful. Please read previous posts covering:

csc-12

CSC 12: Boundary Defenses

The Control

Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.

The Attack

Border protections are generally your first line of defense against an outside attacker. It is extremely common for an attacker to probe for as much information as possible from the perimeter network in order to build a profile on the attacker’s target. While the mindset relating to protecting the perimeter network has been around for quite a while, the methods in which it is enforced have changed. Putting up a firewall is no longer enough, organizations today face complex threats which require additional perimeter solutions such as IDS/IPS, SIEM, SSL Decryption, Outbound Proxy and network monitoring.

For my example attack in this blog post, I am going to demonstrate creating a covert channel of communications to exfiltrate data which could be detected by many technologies mentioned above if they are properly configured. In my five years of penetration testing I have only seen one organization with the ability to track and report on my covert communications channel. 

This attack involves tunneling the TCP protocol used for most Internet activities (web browsing, email, etc.) over the ICMP protocol, which is used primarily for diagnostics. Most organizations make an effort to filter the known exfiltration opportunities to attackers by limiting the websites they can visit and disabling support for other protocols known to exfiltrate data. Many organizations, however, still leave the ICMP protocol enabled for testing purposes, and by leveraging that we can create a covert communications channel to tunnel out sensitive data. Below is a screenshot of how data would flow from a compromised corporate PC to an attacker’s data store.


Figure 1: Attack Data Flow

To start this attack, an attacker must configure a proxy to relay the ICMP traffic. This is accomplished using the tool ptunnel. With very little technical aptitude, an attacker could configure this proxy in the matter of minutes.


Figure 2: A web proxy is configured to listen for and forward ICMP traffic

Next, in order to exfiltrate data, the attacker must already have some level of access on a compromised corporate machine. Using that access an attacker can begin to send data to the ICMP proxy, which will convert the network traffic into normal Internet bound TCP traffic. We can establish the ICMP proxy tunnel by executing ptunnel and specifying the destination port. In this case we want to chain this with SCP so that we can transfer files over the tunnel in an encrypted format, so we will select destination port 22. 


Figure 3: Establishing the ICMP tunnel to the web proxy

The last step involves using the created tunnel to exfiltrate the file containing sensitive data.


Figure 4: Transferring data over the covert communications channel

The Solution

For this specific attack scenario, only a few technologies can detect and prevent this attack. From what I’ve seen, none of them do it by default. Generally the adage is to support compatibility over security. Devices that analyze network traffic could have rules applied which detect the malicious activity. Analyzing the exfiltration attempt performed, it is possible to identify the traffic as suspicious.

First, showing what normal traffic looks like I have pinged a machine at Google and analyzed its network traffic. Looking at the communications there were two packets exchanged, one ping request and one ping reply. The size of these packets are 100 bytes which is normal for the ICMP protocol. Everything in this request is legitimate and can be used to determine instances on illegitimate ICMP traffic.


Figure 5: Legitimate ICMP traffic

Subsequent requests pertain to data exfiltration. Analyzing this data we can see a few key patterns that than can be utilized to create network traffic rules in an IDS/IPS/SIEM/Application Aware Firewall. These patterns include:

  • Large packet size (1000 bytes instead of 100 bytes)
  • Huge amount of replies compared to the number of request
  • The data payload potion of the ICMP traffic is encrypted


Figure 6: ICMP being used to tunnel data

Fortunately the security industry is full of solutions which, if properly implemented, could detect and potentially prevent this activity from taking place. Boundary defenses are not just about keeping attackers out, but just as much about keeping sensitive information in. Implementing a comprehensive toolset on your perimeter network can give you unseen insight into what is happening and can assist in detecting potentially malicious activity. Some of these tools and strategies are:

  • Perimeter IDS/IPS  – To filter unwanted malicious communications from getting in
  • Outbound Web Proxy – To filter unwanted sites from being visited by employees
  • SSL Decryption – To analyze encrypted data for exfiltration or malicious content
  • SIEM – To correlate and consolidate data from multiple sources
  • Application Aware Firewalls – To analyze outbound communications for abnormalities

The next post will cover CSC 13: Data Protection.


    Joshua Platz

By: Joshua Platz

Senior Consultant

See More

Related Blogs

October 21, 2016

Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 13

Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.

See Details

January 25, 2017

Escape and Evasion Egressing Restricted Networks

A command kill chain consists of payload delivery, code execution on a target system, and establishing a command and control (C2) channel outside of a...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.


Privacy Policy

Related Insights

November 21, 2014

Strategy and Tactics: Penetration Testing in the Security Program

In the war of information security, the eldritch horror of knowing resides in the bowels of the vulnerability scanning report. Before, you might have ...

See Details

July 21, 2015

Network Security Solutions

Learn how we help protect your environment while maintaining connectivity.

See Details

October 26, 2014

Common Web Application Vulnerabilities - Part 1.1

While Cross-Site Scripting (“XSS”) is neither a new nor a particularly exciting class of web application vulnerabilities, it certainly is one of the m...

See Details

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.

Subscribe

Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.