Why is T1193 so prevalent?
There are a relatively small number of techniques available to most adversaries who seek to gain execution on an endpoint. Spearphishing is among the most popular ATT&CK techniques because it is simple and effective. While technique prevalence varies from one organization or industry to another, T1193 and the broader variations of phishing are among the most commonly observed and most effective techniques in use by adversaries year-over-year. This is due to a number of factors, including human psychology, low cost, target availability, and the ease with which adversaries can improve targeting through open source research.
Phishing succeeds at the intersection of human psychology, technology, simplicity, and target availability.”
Spearphishing via attachment, as opposed to similar techniques, allows for the use of a wide variety of file types, and adversaries may exploit the application that handles a given document type or leverage features of the document format, such as scripting or macro languages. Because malicious code, or a bootstrap mechanism that enables retrieval of later stage payloads, is placed directly on the target, the use of attachments has many advantages over other spearphishing variants.
Nearly everyone has an email address, and sending a spearphishing email requires almost nothing of the sender. To that point, the obscurity of an email address is the only meaningful barrier that prevents an adversary from sending a phishing email to their target. Furthermore, the basic design and function of email systems are not well-equipped to prevent anything but the most basic phishing attempts. Psychologically, there is a tendency to implicitly trust email messages, and recipients are accustomed to opening attachments and complying with the directives therein. Considering these factors, there is a nearly unlimited array of potential targets that are primed to become victims and a similarly deep pool of capable attackers.
The barrier of entry is low and the potential value is high. That’s a solid value proposition for nearly any attacker.”
There are of course complications for an adversary seeking to conduct a spearphishing attack. For one, there is a whole sub-industry of products—discussed in the detections section below—designed to prevent malicious documents from ending up in your inbox. There’s also been a major drive to educate end-users. And while it’s true that anyone can send an email with a malicious attachment to a specially selected target, not everyone can do it well.
The technique has been a particularly prolific tool among governments seeking to surveil supposed dissidents. The digital and human rights advocates at Citizen Lab showcased a campaign in early 2018 where unidentified adversaries— relying on attack infrastructure thought to cost little more than $1,000—conducted a months-long series of attacks targeting Tibetan activists. Purporting to come from the Central Tibetan Administration, the attackers sent email messages containing attachments that, when opened, redirected to a fake Google login page prompting users to enter their Google account credentials.
In a more sophisticated example, researchers from Proofpoint drew the curtain back on a multi-year campaign in which adversaries targeted defense contractors, universities with military research ties, law firms, and government agencies with email messages containing malicious attachments that exploited recently patched security vulnerabilities. Unlike the previous example, which focused exclusively on access to one of the victim’s online identities, this campaign installed malicious payloads and offered the adversary a foothold from which they could leverage multiple post-exploitation tools and techniques, including at least two that are prominently featured in our top ten: PowerShell and Regsvr32.
The vaunted cybercriminal group known as Carbanak is believed to have used spearphishing attachments as the initial infection vector in some of its attacks as well. According to research from Kaspersky Lab, the criminal group may have stolen as much as $10M from banks around the world in a campaign that began with targeted emails containing malicious Windows Control Panel applets (CPL). These campaigns were designed to execute malicious shellcode and install backdoors on many thousands of systems and ended in millions of dollars worth of remote ATM cashouts.
Of course, you can’t detect what you can’t see. According to MITRE, there are a number of data sources associated with this technique, and having access to these will help security teams detect spearphishing attacks.
- File monitoring
- Packet capture
- Network intrusion detection system
- Detonation chamber
- Email gateway
- Mail server
Common phishing mechanisms:
- Delivery of malicious software (less common)
- Delivery of malicious documents
- Delivery of a URL lure in the message body or in an otherwise benign attachment
- Simple requests for information or assistance
Because of the wide variety of mechanisms and objectives associated with phishing, detection strategies vary widely and defenses should be layered to the extent feasible.
Advances in mail transport policy, phishing intelligence, and local system policy continue to make delivery of an overt software payload difficult. Most mail providers and systems will refuse to transport a message containing any executable software payload, most scripts, and even archive files that cannot be effectively inspected. This is true to a lesser degree of malicious documents, but intelligence and controls continue to improve. And in both of these cases, where a file has been successfully delivered to a user and thus an endpoint, endpoint telemetry is invaluable for detection.
Common detection strategies
The most common detection strategies for file-based phishing mechanisms include understanding the relationships between file types and the processes with which they interact. This includes:
- Looking for executable (binary or script) files written to disk by browsers, email clients, and other processes associated with the local storage and/or execution of files that are delivered via email.
- Investigating document handlers that have spawned child processes. For instance, Word spawning a command shell, a scripting executor such as PowerShell, and a variety of similar execution harnesses.
- Recent advances in runtime inspection of document macros, which are valuable controls for prevention, detection, and incident response.
The latter techniques are much more challenging. In many cases, no malicious payload is delivered to the endpoint, and thus looking at process relationships or other overt behaviors yields little fruit. The best detection mechanism in these cases is well-trained people with a keen sense of awareness. People aside, however, there are strategies that leverage one or more of these data sources in novel ways–for early detection or for investigation and scoping.
Leveraging the mail gateway
Leveraging the mail gateway to detect, sanitize, or block URL lures in email based on rules, intelligence, or other attributes can be effective in detecting and mitigating many attacks. A URL that displays as https://www.google.com but that actually points to http://www.ev1l.co is an early and easy detection, and thus prevention, win. Network-based controls, or network metadata collected on the endpoint, can then be used to take the intelligence gleaned from these detections and apply it retrospectively to ensure that messages in the campaign weren’t missed.
Similarly, network metadata is extremely valuable for detecting and scoping successful later-stage activity. An organization can follow this standard investigative flow to differentiate between potential and confirmed victims:
- Identify every employee that received the phishing email
- Identify those that clicked on the attachment
- Isolate the subset that provided credentials
- Look for any misuses of those credentials
If there’s a future for phishing, we can expect that it looks much more like the latter mechanisms than the former. Endpoint platforms are evolving such that native code execution simply isn’t an option, and rich document handlers are cloud-based and much less susceptible to the class of attacks that macros have introduced. Instead, the likely trend is toward increasingly clever social engineering, coupled with an increased focus on identity platforms, and the technical means by which adversaries can assume the identity of the victim without needing to traditionally infect the victim’s endpoint.