Ever feel like a deer-in-headlights?
This is Preventing Deer in Headlights.
Thursday @ 3:30 CENTRAL time we will talk about Command and Control via Domain Fronting.
Easy to attend
- Thursday 15:30 central
- 25 minutes
- The link to https://meet.jit.si/pdih
TOPIC: Domain Fronting T-1172.
We are in the Command-and-control Tactic of the Mitre Attack framework.
“Commanding control represents how adversaries communicate with systems under their control within a target network. There are many ways an adversary can establish command and control with various levels of covertness, depending on system configuration and network topology. Due to the wide degree of variation available to the adversary at the network level, only the most common factors were used to describe the differences in command and control. There are still a great many specific techniques within the documented methods, largely due to how easy it is to define new protocols and use existing, legitimate protocols and network services for communication. “
One of the ways are attackers communicate with their botnets is: Domain Fronting ” takes advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. The technique involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the the technique, “domainless” fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).”
Last week we talked about DNS. This week we will talk about the abuse of DNS for the purpose of controlling botnets.
1Who? 2 What? 3 Where? 4 Why? 5 When? 6 How?
- Attackers want to maintain control over our hosts/ their bots.
- Our computing resources controlled via network connectivity.
- Internet traffic.
- Adversaries want to maintain control and not be detected.
- At the end of the attack cycle they want to become a bot herder.
- To go undetected they pass traffic over what looks like a normal DNS communication.
We will focus on CDN and how it is abused by our adversaries by Domains Fronting.
SUPPORTING LINKS:
- Original overview can be found here
- https://attack.mitre.org/techniques/T1172/
- Domain Fronting 19 pages
- http://www.icir.org/vern/papers/meek-PETS-2015.pdf
Solution?
- Use Amazon or Google DNS
- SSL inspection – if you can
Impact on security?
- The attacker can pass Command-and-control signals undetected
- Reduction in Availability “Listen to me, Coppertop”…
This is what we will talk about on Thursday.
Come be a part of cybersecurity. Don’t be a deer-in-headlights.
Can’t make it or need CPEs – yesssss!
If you are a past student, you will have access to the recordings. Most CPE requirements have both a validation step and an audit-able requirement. We do both for our past students. Free. You must login. Use this link ONLY if you are a past student who has been given audit-able access. (Account holder link)
If you need to reset access email Dean.
I hope you attend – it will be fun.
A snip of this was posted: https://www.linkedin.com/pulse/command-control-vulnerability-management-mitre-way-dean-bushmiller