The MITRE ATT&CK Framework is a comprehensive guide detailing the tactics and techniques used by cyber attackers. It serves as an invaluable tool for cybersecurity professionals, helping them understand how attacks unfold and where to implement effective defenses. The framework is divided into several phases, from initial reconnaissance to exfiltration and impact. In this blog post, we will explore how SSHepherd® can bolster defenses at each of the various phases of the MITRE ATT&CK Framework.
Phase One: Reconnaissance
During the Reconnaissance phase, attackers gather information about their targets. Active Scanning is a common technique where attackers search for open ports on a network to identify potential entry points. SSHepherd® effectively mitigates this threat by closing these ports, rendering them invisible to hackers. When attackers scan your network, they find no open ports and no entry points, significantly hindering their ability to gather necessary information for an attack.
Phase Two: Initial Access
In the Initial Access phase, attackers attempt to gain a foothold in your network, often exploiting vulnerabilities through open ports. An example is the BlueKeep vulnerability (CVE-2019-0708), which targeted Remote Desktop Protocol (RDP) services via open RDP ports. SSHepherd® eliminates these common attack vectors by closing open ports, thereby preventing exploits like BlueKeep and securing the network against initial compromises.
Phases Three & Four: Persistence and Privilege Escalation
If an attacker gets into the network, their goal is to maintain access and elevate their privileges. The SSH backdoor exploit (CVE-2018-15473) is a case where attackers used an open SSH port to enumerate valid usernames and establish a persistent backdoor. With SSHepherd®, closed ports prevent attackers from maintaining access or moving laterally within the network, significantly restricting their ability to elevate privileges through network exploits.
Phases Five & Six: Defense Evasion and Credential Access
Attackers use various techniques, such as port knocking and exploiting services running on open ports, to evade detection and gather credentials. A common tactic is the SSH brute-force attack, where attackers target open SSH ports with repeated username and password attempts. By closing these ports, SSHepherd® neutralizes these methods, making it impossible for attackers to hide their activities or harvest credentials from exposed services.
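Whether or not a port-closing product is in place, defenders still want to see brute-force attempts against whatever SSH listeners remain reachable. The following is an added example, not code from the original post or from the SSHepherd® product: it parses sshd "Failed password" lines in syslog format and flags source addresses that exceed a threshold of failures inside a sliding time window. The log lines are constructed for illustration (hostname, PIDs and the documentation-range IP addresses are made up), and the function names `parse_failed_logins` and `detect_bruteforce` are this example's own. It also shows the classic failure mode of such a rule: a low-and-slow attacker that spaces attempts twenty minutes apart slips under a one-minute window and is only caught when the window is widened.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (syslog format). Not taken from any real host.
SAMPLE_LOG = """\
Jan 10 10:00:01 bastion sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Jan 10 10:00:03 bastion sshd[2002]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jan 10 10:00:04 bastion sshd[2003]: Failed password for invalid user test from 203.0.113.7 port 51003 ssh2
Jan 10 10:00:06 bastion sshd[2004]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jan 10 10:00:07 bastion sshd[2005]: Failed password for invalid user oracle from 203.0.113.7 port 51005 ssh2
Jan 10 10:00:09 bastion sshd[2006]: Accepted publickey for deploy from 198.51.100.5 port 40100 ssh2
Jan 10 10:01:30 bastion sshd[2007]: Failed password for alice from 198.51.100.9 port 40200 ssh2
Jan 10 10:20:00 bastion sshd[2008]: Failed password for alice from 198.51.100.9 port 40201 ssh2
Jan 10 10:40:00 bastion sshd[2009]: Failed password for alice from 198.51.100.9 port 40202 ssh2
Jan 10 11:00:00 bastion sshd[2010]: Failed password for alice from 198.51.100.9 port 40203 ssh2
Jan 10 11:20:00 bastion sshd[2011]: Failed password for alice from 198.51.100.9 port 40204 ssh2
"""

# Matches the standard OpenSSH failure message, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_logins(text, year=2024):
    """Return a list of (timestamp, source_ip, username) for each failed login.

    Syslog lines carry no year, so one is supplied (assumption for the example).
    """
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding-window rule: alert on a source IP once it accumulates
    `threshold` failures within any `window_seconds` span.

    Returns {ip: {"attempts", "first", "last", "usernames"}}; each IP is
    reported once, at the moment it first crosses the threshold.
    """
    windows = defaultdict(deque)  # ip -> deque of (ts, user) inside the window
    alerts = {}
    for ts, ip, user in sorted(events):
        q = windows[ip]
        q.append((ts, user))
        # Drop attempts that have aged out of the window.
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {
                "attempts": len(q),
                "first": q[0][0],
                "last": ts,
                "usernames": sorted({u for _, u in q}),
            }
    return alerts


if __name__ == "__main__":
    events = parse_failed_logins(SAMPLE_LOG)
    # A tight window catches the fast attacker only.
    print("fast rule:", detect_bruteforce(events, threshold=5, window_seconds=60))
    # A wider window with a lower threshold also catches the low-and-slow one.
    print("slow rule:", detect_bruteforce(events, threshold=4, window_seconds=3600))
```

Run as written, the one-minute rule reports only 203.0.113.7 (five failures in six seconds across several usernames), while 198.51.100.9 is invisible to it; the one-hour rule reports both. In practice you would run more than one window in parallel and feed the alerts to a blocklist or a SIEM rather than print them.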
Phases Seven & Eight: Discovery and Lateral Movement
During these phases, attackers map out the network and move between systems. The MySQL attack, which scans for open MySQL ports to locate databases and move laterally, is a typical example. SSHepherd®'s strategy of closed ports makes network discovery tools ineffective, significantly limiting attackers' ability to map out the network or find new targets, thereby containing their lateral movement.
Phases Nine to Eleven: Collection, Command and Control, and Exfiltration
In the final phases, attackers gather data, communicate with compromised systems, and attempt to exfiltrate information. The SQL injection attack on Apache web servers (CVE-2017-5638) is an example where attackers exploited open web server ports to inject malicious SQL code and exfiltrate data. SSHepherd® disrupts these activities by closing the ports necessary for establishing reliable command and control channels, making it difficult for attackers to exfiltrate data even if they manage to collect it.
Conclusion
SSHepherd® provides robust defense across the entire MITRE ATT&CK Framework by closing the very ports that attackers rely on throughout their exploits. By making your network invisible to scanning and limiting potential entry points, SSHepherd® helps you stay one step ahead of cyber adversaries.