Tired of waiting around for that Friday afternoon phone call every week? Yeah, you know the one. The one that says your organization may still be struggling to shift to a proactive defense posture. The one that indicates your hunt team may also be struggling to prioritize and focus on meaningful hunt missions.

But what more could you do to better prepare? To begin, let’s consider how the enemy operates.

In a way, threat actors are like stools. They need three durable legs — two if they’re good enough — to support their weight and prop up operations. We call these legs the three Cs (C3) of active defense posturing: capability, connections, and credentials. As defenders, we look to kick out as many legs as possible to minimize the likelihood of threat actors achieving their objectives, or, to stick with the analogy, taking a seat in your network.


  1. Capability: A threat actor’s ability to pull off an attack and cause harm or damage to your organization. A capability is often described as an assessed (i.e., subjective) level of sophistication associated with a particular threat actor.
  2. Connections: Remote network connections to/from the threat actor’s target can take many forms: TCP/UDP, encrypted/plain-text, various ports and protocols, APIs, vendor connectivity, data highways, etc.
  3. Credentials: Credentials and keys for accessing systems and objects, or data, across a target network include various privilege levels and both domain and non-domain credentials: administrator (domain, local, system), service accounts, user accounts, SSH keys, badges for physical access to sites.

The C3 approach also considers a cyber threat intelligence (CTI) framework, which lets us evaluate an adversary’s capability, opportunity, and hostile intent in order to prioritize a defense strategy that aligns with your organization’s risk. In this blog, we’re assuming we’ve already determined opportunity and hostile intent so we can focus on established or impending threats.

Prioritizing for better results

In theory, C3 is a relatively simple concept. In practice, it can be quite difficult to execute if you lack positive control of your environment. So, how do you prioritize C3 at a tactical level? By understanding your organization’s ability to address the fundamentals:

  • Reduce vulnerabilities, End-of-Life (EOL) systems, and legacy or non-essential items from the network. If you reduce the attack surface, you can deny the threat actor opportunities to thrive while also facilitating technical control deployment and/or management, as well as monitoring, detection, and response.
  • Use tools, configurations, and processes to help control and limit the success and pervasiveness of threat actor actions.
  • Log and analyze everything you cannot eliminate or control. Model your day-to-day baseline and make the threat actor “stand out.”
  • Hunt only what you cannot eliminate, control, or model. Start your hunt hypotheses by applying the 3Cs.

Addressing the 3Cs

With the 3Cs prioritized, let’s explore some practical examples from the Cyber Investigation and Forensics Response (CIFR) team’s incident response and threat hunting engagements to illustrate ways to leverage the C3 approach. For example, by throttling control deployment and active defense to “kick out the legs,” we’ve been able to help our clients rapidly take back and/or maintain positive control of their environments.

C1 capability

Threat actors need capability to present a risk to your organization, but because their capability typically falls outside of a defender’s control, it’s critical to work with CTI teams to gain situational awareness and an understanding of potential risks.

  1. Based on the evidence available, work with your CTI team on the iterative process of analyzing threat actor behavior, TTPs employed, and tactical indicators.
  2. Leverage CTI to develop detections using, for example, YARA rules or hunting queries across available datasets, as well as indicators of compromise (IOCs), which will be more useful during tactical response.

C2 credentials

Remove the opportunity for threat actors to leverage credentials and you’ll make it exceedingly difficult for them to access and/or move laterally across even a moderately defended network.

CIFR Example | MITRE Techniques | Eliminate–Control–Observe–Hunt

Initial Access: Exposed or vulnerable remote services and APIs, such as the Azure AD GetCredentialType API to enumerate O365 users.

External Remote Services: T1133

  • Eliminate: If not approved for business use, remove externally exposed services.
  • Control: Deploy and enforce multifactor authentication (MFA) on all remote access solutions.
    Control: Restrict non-user domain accounts from interactive logins (e.g., service accounts).
    Control: If not approved for business use, restrict user direct logon capabilities from external public IP addresses.
  • Observe: Harden APIs and monitor their usage for suspicious activity.
  • Hunt: Perform regular hunts to enumerate external infrastructure and open-source intelligence (OSINT).

Initial Access: Compromised credentials used for initial access into the organization, such as through cloud or remote access solutions (e.g., O365, Citrix, VPNs, etc.).

Valid Accounts: T1078

Default Accounts: T1078.001

Domain Accounts: T1078.002

Local Accounts: T1078.003

Cloud Accounts: T1078.004

  • Eliminate: Remove legacy authentication and email protocols (IMAP, POP3, etc.) for cloud services.
  • Control: Deploy and enforce MFA on all remote access solutions.
    Control: Restrict non-user domain accounts from interactive logins (e.g., service accounts).
    Control: Enforce complexity and singularity of local administrator accounts on all systems.
  • Observe: Monitor for new local account creation events and privileged logon (e.g., 4720 and 4672 Windows Event IDs).
  • Hunt: Perform regular hunts to enumerate external infrastructure, local administrative account activities, and OSINT.

Credential Access: Threat actor leveraging Azure™ infrastructure to evade detection[i]

Steal Application Access Token: T1528

  • Eliminate: Block end-user consent to OAuth applications not approved for company use.
  • Control: Restrict Azure app usage to approved applications.
  • Observe: Monitor for cloud application usage.
  • Hunt: Hunt for suspicious user consents to OAuth applications.

Credential Access: Threat actor uses Kerberoasting technique to obtain a ticket-granting service (TGS) for service principal names (SPNs) from a domain controller.[ii]

Steal or Forge Kerberos Tickets: T1558

Golden Ticket: T1558.001

Silver Ticket: T1558.002

Kerberoasting: T1558.003

  • Eliminate: Enable strong encryption for authentication events instead of RC4.
  • Control: Vault all domain administrator credentials and restrict permissions.
    Control: Implement Microsoft LAPS on compatible systems.
  • Observe: If domain controllers are configured to log 4769 events, monitor for anomalous Kerberos activity, such as EventID 4769 with ticket option 0x40810000 and RC4 encryption (type 0x17). Also watch for anomalies in endpoint Windows Security logon/logoff events: domain fields that are blank or null, username and ID mismatches, and ticket lifetimes exceeding the domain’s default maximum of 10 hours.
  • Hunt: Hunt for single users requesting RC4 (0x17) encrypted TGS tickets for multiple SPNs, TGS ticket requests for usernames that don’t exist, and group membership modification events.
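The 4769 hunt described above, as an added example that is not part of the original post or CIFR tooling: it groups RC4 (0x17) TGS requests with ticket option 0x40810000 per requesting user and flags users that asked for tickets to several distinct service accounts. The records are constructed; field names follow the Windows Security 4769 event layout.

```python
from collections import defaultdict

# Constructed sample 4769 records (not real telemetry); field names follow
# the Windows Security 4769 event. ServiceName is the account that owns the
# requested SPN; TicketOptions 0x40810000 with encryption type 0x17 (RC4-HMAC)
# is the combination called out in the text.
EVENTS_4769 = [
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x17", "IpAddress": "10.1.2.3"},
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x17", "IpAddress": "10.1.2.3"},
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x17", "IpAddress": "10.1.2.3"},
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "DC01$",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x17", "IpAddress": "10.1.2.3"},
    {"TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x17", "IpAddress": "10.1.2.9"},
    {"TargetUserName": "carol@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x12", "IpAddress": "10.1.2.4"},
    {"TargetUserName": "carol@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x12", "IpAddress": "10.1.2.4"},
    {"TargetUserName": "carol@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x12", "IpAddress": "10.1.2.4"},
]

RC4_HMAC = "0x17"
TGS_OPTIONS = "0x40810000"

def find_kerberoasting(events, min_spns=3):
    """Return {user: sorted service accounts} for users that requested RC4 TGS
    tickets with the usual option flags for at least min_spns distinct
    services. Machine accounts (trailing $) and krbtgt are excluded because
    ordinary Windows activity requests those tickets constantly."""
    services_by_user = defaultdict(set)
    for ev in events:
        if ev.get("TicketEncryptionType", "").lower() != RC4_HMAC:
            continue  # AES (0x11/0x12) requests are the expected baseline
        if ev.get("TicketOptions", "").lower() != TGS_OPTIONS:
            continue
        svc = ev.get("ServiceName", "")
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        services_by_user[ev["TargetUserName"]].add(svc)
    return {u: sorted(s) for u, s in services_by_user.items() if len(s) >= min_spns}

if __name__ == "__main__":
    for user, services in find_kerberoasting(EVENTS_4769).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
```

Once the domain has moved to AES, the same query with the RC4 filter kept becomes a near-zero-noise alert rather than a hunt.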

C3 connections

Take away network connections and remove the human operator from the equation to force threat actors to rely on autonomous tooling and operations to achieve their objectives — a difficult task in any network.

CIFR Example | MITRE Techniques | Eliminate–Control–Observe–Hunt

Command and Control (C2): C2 obfuscation via cloud fronting using common content delivery networks (CDNs).

Proxy: T1090
Domain Fronting: T1090.004


  • Eliminate: Ensure DNS queries from local workstations are routed through known internal resolvers.
  • Control: Block traffic to known C2 infrastructure, non-approved proxy services and anonymity networks.
  • Observe: Monitor for traffic to suspicious CDNs.
  • Hunt: Hunt for server name indication (SNI) versus HTTP header domain name mismatch.
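The SNI-versus-Host hunt in the last bullet, as an added example (not from the original post): it compares the TLS SNI with the HTTP Host header of the same inspected session and reports pairs that belong to different registrable domains. The session records are constructed, and the registrable-domain check is a simplified last-two-labels heuristic rather than a public-suffix-list lookup.

```python
# Constructed TLS/HTTP session records (not real logs): the SNI from the TLS
# ClientHello and the Host header observed after inspection of that session.
CONSTRUCTED_SESSIONS = [
    {"src": "10.0.0.5", "sni": "static.cdn-provider.example", "host": "static.cdn-provider.example"},
    {"src": "10.0.0.7", "sni": "www.example.com", "host": "img.example.com:443"},  # same org
    {"src": "10.0.0.9", "sni": "assets.cdn-provider.example", "host": "fronted-origin.example.net"},
    {"src": "10.0.0.9", "sni": "", "host": "fronted-origin.example.net"},  # no SNI at all
]

def registrable_domain(name):
    """Crude eTLD+1: the last two labels. Assumption: no public-suffix list is
    consulted, so multi-part suffixes such as co.uk are not handled."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name.lower()

def find_fronting(sessions):
    """Return sessions whose SNI and Host header resolve to different
    registrable domains. Sessions missing either value are skipped here;
    a missing Host or SNI is a separate hunt."""
    hits = []
    for s in sessions:
        sni = s.get("sni", "")
        host = s.get("host", "").split(":")[0]  # drop any explicit port
        if not sni or not host:
            continue
        if registrable_domain(sni) != registrable_domain(host):
            hits.append({"src": s["src"], "sni": sni, "host": host})
    return hits

if __name__ == "__main__":
    for hit in find_fronting(CONSTRUCTED_SESSIONS):
        print(f"{hit['src']}: SNI {hit['sni']} but Host {hit['host']}")
```

Expect legitimate CDN customers that front their own origin through a different brand name to show up as well, so review hits against your approved-CDN list before escalating.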

Execution: Encoded Cobalt Strike beacon with meterpreter payload.


Command and Scripting Interpreter: T1059

PowerShell: T1059.001

  • Eliminate: Upgrade PowerShell to the latest stable version (v5.0) across the environment for enhanced logging and protection. Disable older versions, where possible.
  • Control: If not approved for business use, block external connections associated with PowerShell usage (e.g., DownloadFile).
    Control: Block non-standard service execution, such as high-entropy service name creation.
  • Observe: Monitor for encoded PowerShell commands, command line arguments containing %COMSPEC%, rundll32.exe process with no associated arguments.
  • Hunt: Hunt for beaconing behavior over domain name system (DNS) and for external network connections, such as those initiated from PowerShell.exe or rundll32.exe processes.
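The three observe rules above (encoded PowerShell, %COMSPEC% in the command line, rundll32.exe with no arguments) applied to process-creation records, as an added example that is not part of the original post. The records are constructed; the encoded command is built inline from a harmless script, and only the common -EncodedCommand spellings are matched.

```python
import base64
import re

# powershell.exe accepts -EncodedCommand and the short forms -e, -ec and -enc.
# Assumption: only these spellings are matched; the payload is base64 of the
# UTF-16LE script text, which is what PowerShell expects.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

def decode_encoded_command(cmdline):
    """Return the decoded script from an -EncodedCommand argument, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # flag text that is not valid base64/UTF-16LE elsewhere

def triage_process(record):
    """Apply the observe rules to one process-creation record (a 4688 or
    Sysmon style dict with Image and CommandLine). Returns (rule, detail)
    findings; an empty list means nothing matched."""
    findings = []
    image = record.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cmd = record.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append(("encoded_powershell", decoded))
    if "%comspec%" in cmd.lower():
        findings.append(("comspec_in_cmdline", cmd))
    if image == "rundll32.exe" and len(cmd.split()) <= 1:
        findings.append(("rundll32_no_args", cmd))
    return findings

# Constructed sample records (not real telemetry).
SAMPLE_SCRIPT = "Write-Output 'constructed sample'"
CONSTRUCTED_RECORDS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc "
                    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "%COMSPEC% /c ver"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for rec in CONSTRUCTED_RECORDS:
        for rule, detail in triage_process(rec):
            print(f"{rule}: {detail}")
```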

Exfiltration: Fileshare mount and exfiltration over FTP.

Exfiltration over C2 Channel: T1041

Exfiltration Over Alternative Protocol: T1048

  • Eliminate: Remove data that is past its retention cycle within corporate data governance policies.
  • Control: Restrict outbound transfer limits, lock down access to file shares and implement granular egress controls.
  • Observe: Monitor for spikes in traffic using common exfiltration protocols and uncommon data flows.
  • Hunt: Hunt for file transfer and share-mounting utilities on endpoints (e.g., rclone).

Lateral Movement: Named pipe pivoting over SMB for internal C2.

Remote Services: T1021

Remote Desktop Protocol: T1021.001
SMB/Windows Admin Shares: T1021.002
Distributed Component Object Model (DCOM): T1021.002
SSH: T1021.004
VNC: T1021.005
Windows Remote Management (WinRM): T1021.006

  • Eliminate: If not approved for administrative business use, restrict the use of remote services for non-administrative accounts.
  • Control: Employ network segmentation and network security monitoring at key chokepoints.
    Control: Implement user account controls to limit the use of remote services across the network, and harden user account privileges when utilizing remote services (e.g., WinRM).
  • Control: Employ host-based intrusion detection system (HIDS) and network-based intrusion detection system (NIDS).
  • Hunt: Hunt for encoded commands over SMB, logon activity related to remote execution of service installation utilizing PowerShell (e.g., Windows 4697 events), or binaries located in Admin Shares.


Now that you have a better understanding of the 3Cs and are armed with some real-world examples, try applying these to your own defense capabilities to maintain or take back positive control of your environment. Happy hunting!

If you have an incident or need additional information on ways to detect and respond to cyberthreats, contact a member of our CIFR team 24/7/365 by phone 888-RISK-411 or email CIFR.hotline@accenture.com.


Accenture Security

Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps organizations protect their valuable assets, end-to-end. With services that include strategy and risk management, cyber defense, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

This document makes descriptive reference to trademarks that may be owned by others. The use of such trademarks herein is not an assertion of ownership of such trademarks by Accenture and is not intended to represent or imply the existence of an association between Accenture and the lawful owners of such trademark.

Copyright © 2020 Accenture. All rights reserved.

___

[i] Custom content developed by CIFR.
[ii] Custom content developed by CIFR.

Ryan Leininger

Senior Manager – Accenture Security


Medicus A. Riddick III

Security Delivery Associate Manager
