ATT&CK Series: Collection Tactics – Part Two

In part one of “Collection Tactics,” we outlined three techniques attackers can leverage to perform additional reconnaissance on a network or gain access to sensitive information. In part two, we’ll cover three additional collection techniques and their risks to an organization. For reference, the full list of collection techniques can be found at Collection, Tactic TA0009 - Enterprise | MITRE ATT&CK.

Techniques

T1114 – Email Collection

Description

Email can provide a wealth of information for an attacker, ranging from highly sensitive documents to instructions on accessing corporate assets such as the organization’s VPN or other remote access portals.

What's the Risk?

The risks to an organization from email compromise are vast. Think for a moment about everything sent via email – discussions regarding proprietary information or trade secrets, sensitive human resources data, customer information, and in some instances, passwords to other systems. As an increasing amount of organizations adopt telecommuting as a standard practice, sensitive topics that may have previously been discussed in an ad hoc meeting between two employees may now be unintentionally documented and archived in email form.

Functionality built into most email platforms allows an adversary to easily search large quantities of email with a single query, and other specialized tools can provide a command line interface into user mailboxes. Also, some platforms have instant messenger conversations archived in the same location as email, which adds to the amount of easily available information. Additionally, certain strains of malware are known to harvest email contact info in order to replicate.

Another consideration is that when an adversary has access to an email account, they in essence, become that person for the purposes of social engineering. Many organizations have been targets of fraudulent wire instructions, which is a common attack performed by many known threat actor groups. Attackers can also launch internal spear phishing attacks, as security controls can sometimes be less restrictive when applied to trusted accounts.

Detection and Mitigation

Rapid detection and mitigation of email compromise is critical. As with many of the collection techniques, detection is difficult, making prevention and mitigation even more important.

Security teams should monitor for the creation of mail flow rules, as attackers will sometimes create rules to hide or delete messages that have been sent under the compromised user’s account. You should also monitor command line execution for WMI, PowerShell or remote access tools being used to search for emails and/or attachments. If your platform supports it, user behavioral analytics can alert security teams to account access or behavior that is outside the typical norm for that user, such as logging in from a new geographic area or sending email to a large number of external recipients.

Ensure that all users are protected by and enrolled in multi-factor authentication (MFA). Our experience as attackers shows that some organizations have MFA solutions with incomplete enrollment and a configuration that allows employees to self-enroll. This allows us, the attackers, to add a new device to the account and use that device to provide the additional authentication token. While multi-factor authentication can be bypassed through social engineering or abusing misconfigurations in the MFA platform, having it enabled makes an attacker’s job that much more difficult.

T1056 – Input Capture

Description

Capturing user input allows an adversary to collect data ranging from raw keystrokes to data typed into a website or application. In some cases, this can be monitored real-time or harvested and collected later. Once the data is collected, the attacker can analyze that data on their own system without detection.

What's the Risk?

Attackers in a position to capture user keystrokes can easily obtain information for further reconnaissance of the organization or usernames and passwords. If the attacker cannot obtain cleartext credentials, fake Windows login prompts can be generated, enticing the user to enter their username and password in response.

In addition to capturing keystrokes, malware such as skimmers can be installed on web portals to capture user account credentials during login, as well as payment information entered during purchases. The captured data can then be delivered directly to an attacker-controlled system and used against the organization in further attacks or sold directly in the form of credit card data and personally identifiable information (PII).

Detection and Mitigation

Detection of keyloggers and other methods of input capture includes traditional detection techniques such as regular monitoring of registry changes, driver installations, and unknown applications making system calls to Windows API functions related to keyboard or keypress status.

Mitigation is difficult, as most functionality of a keylogger is built around legitimate functionality. This makes early detection and response to unknown application execution paramount.

Skimmers provide their own unique challenges but can be addressed by practicing good secure software development techniques such as utilizing trusted content delivery networks (CDNs) for your external content, protecting against supply chain attacks, and protecting against cross-site scripting (XSS) attacks.

T1113 – Screen Capture

Description

An attacker seeking more information about a compromised user account or performing additional network reconnaissance can leverage screen captures of the user’s desktop for these purposes.

What's the Risk

Depending on the compromised user’s job role, screen captures may provide information such as passwords to other systems or situational awareness regarding internal applications. Any document open in the window of which the capture is taken could be compromised. For example, if an attacker has access to an administrator’s workstation, he/she may take screen captures at set intervals to try and uncover passwords that the admin may be viewing in a password manager.

Detection and Mitigation

Since screen capture functionality is native to most operating systems, detection of this technique is challenging. Monitor for image files being written to disk, along with unusual traffic to unknown external hosts. Fortunately, most EDR solutions have signatures to detect this activity.

Conclusion

Keeping attackers out of your network is important, but if the attacker does manage to breach the perimeter, minimizing damage and lateral movement is critical. Defenders must plan for the possibility of an attacker gaining access to user email inboxes, workstations and servers.

To combat risks associated with email accounts, defenders can employ data loss prevention techniques. By properly classifying the data within the network, defenders can implement solutions to limit data exposure within email inboxes as well as sensitive data in emails leaving the organization.

Data exposure can be further reduced by educating the organization’s users to send links to documents in protected storage locations instead of attaching those documents to an email. This will help keep sensitive information from being retained in the users’ inboxes and ensure only authorized users gain access to the information.

Organizations can further mitigate machine-based input capture and screen capture risks by implementing application whitelisting, effective endpoint detection and response solutions, and USB blocking. Because workstation-based input capture and screen capture attacks rely on malicious software running on the machine, these three things will significantly reduce the effectiveness of the data collection techniques we have outlined in this article.

Read more in Optiv’s ATT&CK series. Here's a review of related posts on this critical topic:

• ATT&CK Intro - September 2018
• ATT&CK Initial Access - October 2018
• ATT&CK Privilege Escalation - November 2018
• ATT&CK Discovery - March 2019
• ATT&CK Persistence - April 2019
• ATT&CK Credential Access - April 2019
• ATT&CK Execution - May 2019
• ATT&CK Defense Evasion - May 2019
• ATT&CK Lateral Movement Techniques - June 2019
• ATT&CK Exfiltration - July 2019
• ATT&CK Series: Command and Control - August, 2019
• ATT&CK Series: Collection Tactics – September, 2019
• ATT&CK Series: Collection Tactics Part Two - April, 2020
• ATT&CK Series: Impact – September, 2019