April 4, 2019 MITRE ATT&CK
Brian Donohue

Connection Proxy Ranks Fourth Among ATT&CK Techniques

By concealing sources of traffic and information that could link computers and infrastructure to the people controlling them, connection proxies (T1090) offer a level of operational security to criminals seeking to evade law enforcement, state-sponsored adversaries trying to avoid being publicly outed, and all variety of other adversaries who simply don’t want their real-life identities traced back to their online malfeasance.

However, proxies also offer attackers an inconspicuous way to exfiltrate information from their target, increase the resilience of attack campaigns, and serve a wide variety of other purposes, which explains exactly why T1090 is the fourth most prevalent MITRE ATT&CK technique among confirmed threats in our customers’ environments.

The following is an excerpt from our recently released 2019 Threat Detection Report, analyzing why connection proxies are so prevalent and offering strategies that security teams can implement to detect adversaries leveraging the technique. Over the next few weeks, we’ll be publishing excerpts from the report to prepare for a question-and-answer panel discussion with its authors: Keith McCammon, Casey Smith, Michael Haag, and Kyle Rainey.


Why is T1090 prevalent?

Connection proxies serve to obscure the identity or location of an adversary. While that’s important for a few reasons, it also simplifies a technique that has a wide variety of other, equally important functions.

In addition to providing cover from law enforcement or defensive strategies, proxies also increase adversarial resilience. It’s a relatively simple matter to trace an attack back to an IP address and then block it internally, have it blocked by a hosting or Internet service provider, or have it sinkholed through a variety of means. In this way, proxies enable the adversary to simply pack up and move their attack infrastructure to a new location should their original infrastructure become compromised.

Proxies can also serve as discreet methods for adversaries to access and remove information from networks of interest. Adversaries use a wide variety of proxy methods to hide their command and control traffic, including PuTTY/SSH forwarding, Dynamic DNS, domain fronting, fast flux, Tor, i2p, SOCKS, STUN, and host firewall forwarding. We’ll examine this in more depth below.

Prominent examples

Duqu

One of the most prominent examples of adversaries using a connection proxy comes to us from Duqu, which first emerged in 2011 and has been attributed to the same actor responsible for Stuxnet. Considering the overwhelming volume of research and analysis that’s been written about Duqu and its predecessors, it’s difficult to succinctly summarize the threat. However, Duqu was primarily an information-stealing trojan, the main purpose of which was espionage. In terms of connection proxies, Duqu’s command infrastructure was set up to forward traffic from compromised machines to proxy servers not affiliated with, and thereby cloaking, the actual C2 server(s).

APT10

The group commonly identified as APT10 is a long-standing threat group known for conducting espionage attacks targeting defense, aerospace, and telecommunications organizations in the United States, Europe, and Japan. While proxy activity probably has very little to do with APT10’s notoriety, the attack group has taken something of a novel approach to proxying its attack traffic. They are known to compromise, and subsequently route their traffic through, the systems of their targets’ service providers. In this way, their espionage activity appears to be the legitimate network traffic of companies that work closely with their victims.

Detection strategies

According to MITRE, there are a number of data sources associated with this technique, and having access to these will help security teams seeking to detect adversaries who are leveraging connection proxies.

DATA SOURCES
  • Process use of network
  • Process monitoring
  • Netflow/Enclave netflow
  • Packet capture

COMMON USES BY ADVERSARIES
  • Using proxies for internal or external communication
  • Injecting into trusted processes to make connections
  • Routing connections through less attributable access points

There are many ways that an organization can get a handle on proxy connections. They should begin by performing a network baseline of egress traffic by geolocation, port, and frequency by endpoint. This provides the visibility required to understand what is normal and abnormal in a given environment. This is achievable through network monitoring. It’s also possible to observe this activity in proxy logs—specifically unexpected egress ports.
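The baseline described above can be built from netflow or proxy-log records. The following is an added example, not code from the report or from Red Canary: it uses constructed flow records (the host names, addresses and country codes are assumptions) to build a per-endpoint baseline of egress ports and destination countries, then scores a later observation window for the three signals the paragraph names: a port the host has never used, a country it has never reached, and a frequency spike on a port it has used before.

```python
"""Per-endpoint egress baseline over constructed netflow-style records.

Added example for illustration; not part of the 2019 Threat Detection Report.
Hosts, IP addresses (RFC 5737 documentation ranges) and country codes are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    host: str        # internal endpoint that initiated the connection
    dst_ip: str      # remote address
    dst_port: int    # remote port
    country: str     # geolocation of dst_ip (assumed resolved by the collector)


# Constructed "known good" period used to build the baseline.
BASELINE_FLOWS = [
    Flow("ws-01", "203.0.113.10", 443, "US"),
    Flow("ws-01", "203.0.113.11", 443, "US"),
    Flow("ws-01", "203.0.113.12", 80, "US"),
    Flow("ws-01", "198.51.100.5", 443, "DE"),
    Flow("ws-02", "203.0.113.10", 443, "US"),
    Flow("ws-02", "203.0.113.13", 443, "US"),
    Flow("ws-02", "203.0.113.14", 443, "US"),
]

# Constructed observation window of the same length, scored against the baseline.
NEW_FLOWS = [
    Flow("ws-01", "203.0.113.10", 443, "US"),       # normal
    Flow("ws-02", "198.51.100.77", 1080, "NL"),     # port and country never seen for ws-02
    Flow("ws-02", "198.51.100.77", 1080, "NL"),
    Flow("ws-02", "198.51.100.77", 1080, "NL"),
] + [Flow("ws-01", "203.0.113.12", 443, "US")] * 6  # far more 443 traffic than usual


def build_baseline(flows):
    """Return {host: {"ports": Counter(port -> count), "countries": set}}."""
    baseline = defaultdict(lambda: {"ports": Counter(), "countries": set()})
    for f in flows:
        baseline[f.host]["ports"][f.dst_port] += 1
        baseline[f.host]["countries"].add(f.country)
    return baseline


def score_window(baseline, flows, spike_factor=2.0):
    """Return (host, reason, detail) findings for flows that deviate from the baseline.

    spike_factor: a port's count must exceed this multiple of its baseline count
    before it is reported as a frequency spike (both windows are assumed equal length).
    """
    observed = defaultdict(Counter)      # host -> port -> count
    seen_countries = defaultdict(set)    # host -> countries reached
    for f in flows:
        observed[f.host][f.dst_port] += 1
        seen_countries[f.host].add(f.country)

    findings = []
    for host, ports in observed.items():
        base = baseline.get(host)
        if base is None:
            findings.append((host, "no baseline", "host never seen in baseline window"))
            continue
        for port, count in ports.items():
            base_count = base["ports"].get(port, 0)
            if base_count == 0:
                findings.append((host, "new egress port", f"port {port} x{count}"))
            elif count > spike_factor * base_count:
                findings.append((host, "frequency spike", f"port {port} {base_count} -> {count}"))
        for country in sorted(seen_countries[host] - base["countries"]):
            findings.append((host, "new destination country", country))
    return findings


if __name__ == "__main__":
    for finding in score_window(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(finding)
```

A real deployment would key the baseline on longer windows and on the remote address as well as the port, but the shape is the same: learn what each endpoint normally does on egress, then alert on what it has never done.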

At the endpoint level, security teams should begin by identifying normal process execution around netsh.exe, PuTTY, Telnet, SSH and other proxy methods. Most of the access to internal or business-related systems will be benign. Therefore, it makes sense to build out use-cases for extraordinary process execution. For example, most employees have never used PuTTY, so if it is executed, it’s probably worth examining.

Among the most prevalent forms of connection proxying is the abuse of trusted, core system processes by compromised processes. On Windows systems, malware will tend toward injection into processes such as svchost.exe and others like it, as these are likely to have elevated privileges and thus have or can access explicit proxy configurations that would otherwise prevent an arbitrary process or user from establishing an outbound connection. The best detection approach in these cases is to understand how platforms operate at a lower level, what processes are authorized to communicate via the network, and with which remote endpoints.

Security teams may also want to trace back and identify the source of traffic—specifically the processes that are generating it. It’s also a good idea to build out use-cases for identifying or even preventing the use of Tor, Dynamic DNS, and other network services that route traffic to or through less attributable access points. One of the most draconian, but also most effective, approaches is to lock down egress traffic by whitelisting what is needed as opposed to permitting everything.
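The endpoint-level checks in the preceding paragraphs (rare execution of proxy-capable tools, and trusted processes such as svchost.exe communicating with endpoints they are not expected to reach) can be expressed as a small triage pass over process-network telemetry. The following is an added example and not code from the report: the events, the execution history, and the process-to-endpoint allowlist are all constructed, and the allowed destinations for svchost.exe are placeholders standing in for whatever update or telemetry endpoints an organization has actually observed it reaching.

```python
"""Triage of constructed process-network events for T1090-style behaviour.

Added example for illustration; not part of the 2019 Threat Detection Report.
All hosts, users, paths, addresses and allowlist entries are constructed.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class NetEvent:
    host: str
    user: str
    image: str       # full path of the process that opened the connection
    parent: str      # parent process image name
    dst_ip: str
    dst_port: int


# Constructed allowlist: process name -> endpoints it is expected to reach.
# "*" means any endpoint (interactive tools); a set means only those destinations.
AUTHORIZED = {
    "chrome.exe": "*",
    "outlook.exe": {"203.0.113.30"},
    "svchost.exe": {"203.0.113.20", "203.0.113.21"},   # placeholder update/telemetry endpoints
    "putty.exe": "*",                                  # used legitimately by admins; rarity is the signal
}

# Tools the report names as common proxy methods.
PROXY_TOOLS = {"putty.exe", "plink.exe", "ssh.exe", "telnet.exe", "netsh.exe"}

# Constructed execution history: (user, process name) pairs seen in the baseline period.
HISTORY = {("alice", "chrome.exe"), ("bob", "putty.exe"), ("carol", "chrome.exe")}

SYSTEM32 = r"c:\windows\system32"

# Constructed events: two benign, then a masqueraded svchost.exe, a genuine svchost.exe
# talking to an unexpected endpoint, a first-time PuTTY user, and an unlisted process.
EVENTS = [
    NetEvent("ws-01", "alice", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
             "explorer.exe", "203.0.113.10", 443),
    NetEvent("ws-01", "SYSTEM", r"C:\Windows\System32\svchost.exe", "services.exe", "203.0.113.20", 443),
    NetEvent("ws-02", "bob", r"C:\Users\bob\Downloads\svchost.exe", "explorer.exe", "198.51.100.77", 1080),
    NetEvent("ws-02", "SYSTEM", r"C:\Windows\System32\svchost.exe", "services.exe", "198.51.100.77", 1080),
    NetEvent("ws-03", "carol", r"C:\Program Files\PuTTY\putty.exe", "explorer.exe", "10.0.0.5", 22),
    NetEvent("ws-03", "carol", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
             "explorer.exe", "198.51.100.9", 8080),
]


def triage(events, history=HISTORY, authorized=AUTHORIZED):
    """Return (host, reason, detail) findings for events worth an analyst's attention."""
    findings = []
    for e in events:
        name = ntpath.basename(e.image).lower()

        # 1. In normal operation svchost.exe is started by services.exe from System32;
        #    a different parent or path is a masquerade, not the real service host.
        if name == "svchost.exe" and (
            e.parent.lower() != "services.exe" or not e.image.lower().startswith(SYSTEM32)
        ):
            findings.append((e.host, "svchost.exe masquerade", e.image))
            continue

        # 2. Is this process authorized to use the network, and to reach this endpoint?
        #    A genuine svchost.exe reaching an unlisted endpoint is how injection shows up here.
        allowed = authorized.get(name)
        target = f"{name} -> {e.dst_ip}:{e.dst_port}"
        if allowed is None:
            findings.append((e.host, "unlisted process on network", target))
        elif allowed != "*" and e.dst_ip not in allowed:
            findings.append((e.host, "trusted process to unexpected endpoint", target))

        # 3. Proxy-capable tooling run by a user with no history of using it.
        if name in PROXY_TOOLS and (e.user, name) not in history:
            findings.append((e.host, "first use of proxy tool", f"{e.user} ran {name}"))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

The allowlist is the part that takes work: it has to come from observing which processes in a given environment actually talk to the network and where, which is exactly the lower-level understanding the report recommends building before trying to detect injected connections.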

What’s ahead?

Proxies are a necessary part of the internet that are bound to become more popular for both legitimate and illegitimate reasons. Therefore, it’s absolutely necessary that security teams develop strategies that allow for benign uses of proxies when needed while also finding methods for preventing adversarial proxying.
