Hacker's Playbook Updated with Methods for US-CERT Alert TA17-293A

SafeBreach Labs has updated the Hacker's Playbook™ with simulations for a new US-CERT Alert TA17-293A, updated October 21, 2017.

Thanks to the depth of the Hacker's Playbook™, many of the phases of this multi-stage attack campaign have already been simulated. This means that existing SafeBreach customers who have run these simulations and remediated to protect against them can be confident that their existing security controls will alert and protect against this new campaign — for example: secure web gateway, malware sandbox, IPS/IDS, next-generation firewalls, and endpoint security. As always, SafeBreach Labs will continue to monitor the situation, and develop new simulations as necessary.

This alert, related to the ongoing Dragonfly campaign, is classified as a series of advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors. However, SafeBreach recommends all industries and businesses simulate this attack to identify whether or not they can be compromised, and then take action to prevent this APT campaign.

To assess security control effectiveness against techniques involved in US-CERT Alert TA17-293A, the SafeBreach Breach and Attack Simulation Platform specifically tests the following endpoint and network security controls:

Newly Added Playbook Methods

Playbook #1390: SMB - Shares Connection Attempts

• Network controls - Are controls in place that prevent connection to malicious servers posing as SMB shares located outside the local network in order to steal user credentials ?

Playbook #1391 - Network transfer of attack tools

• Network controls - Are controls in place that prevent the download and transfer of the specific attack tools included in the US-CERT IOC for this attack?

Playbook #1393 - Local installation of attack tools

• Endpoint controls - Are controls in place that prevent the local installation of the specific attack tools included in the US-CERT IOC for this attack?

Already Existing Playbook Methods

Playbook #268: Passing malicious Windows Shortcut (LNK) via HTTP/S

• Network controls - Are controls in place that prevent transfer of specific LNK that leads to further execution of malicious tools?

Playbook #1269: Windows - Scheduled task creation

• Endpoint controls - Are controls and/or hardening in place that prevent the creation and scheduling of rogue automated tasks?

Playbook #1342: PowerShell - Get Periodic Screenshot and Zip

• Endpoint controls - Are controls and/or hardening in place that prevent the remote execution of specific malicious commands?

The SafeBreach Hacker's Playbook™ of breach methods simulates these breach scenarios, and thousands more, without impacting users or infrastructure. Breach methods are constantly updated by SafeBreach Labs, our team of offensive security researchers, to help keep customers ahead of attacks.