- Related page (1 Case / 1 Protection / 1 Threat / 1 KQL series): (UB3.C4.K1) How non-secure ISPs Aid Attackers in Evading Detection
SCKIPT is an initiative created by Sergio Albea, focused on detecting user behaviours which can put the security of our systems at risk. Nowadays we have multiple solutions, models and tools that allow us to increase our level of protection against different threats and attacks. However, there are many scenarios where security relies on how users interact with their managed systems.
SCKIPT aims to list and provide possible measures to respond to these threats in scenarios where most user activities are not blocked or limited. This model does not take the perspective of attacks by bad actors (for which multiple initiatives and models already exist); it focuses on threats arising from the actions of our own users. More explanations here.
Legend: UB – User Behaviour; Rp – Related Page; K – KQL Queries; W – WebSites; M – MITRE ATT&CK Reference
SCKIPT User Behaviour Matrix

Source (UB) | Case Scenario (C) | Known Interactions (K) | Protection (P) | Threats (T) |
---|---|---|---|---|
UB1. Email | UB1.C1 – Send emails<br>UB1.C2 – Open emails<br>UB1.C3 – Enable auto-reply messages<br>UB1.C4 – Email sender lists<br>UB1.C5 – Email rules<br>UB1.C6 – Remove emails<br>UB1.C7 – Delegate mailbox permissions | UB1.C1.K1 – Send attachments<br>UB1.C2.K1 – Open attachments<br>UB1.C2.K2 – Click on URLs<br>UB1.C4.K1 – Add domains or senders as trusted<br>UB1.C5.K1 – Auto-forwarding rules | UB1.C1.K1.P1 – Split information so that sensitive/confidential data cannot be identified from one source; watermark, obfuscate or replace sensitive/confidential data; DLP/DRM; deny screenshot software and/or monitor screenshot software extensions<br>UB1.C1.K1.P2 / UB1.C2.K1.P1 – Block/Monitor/Restrict attachment extensions; Block/Monitor/Restrict file hashes; Block/Monitor/Restrict file actions (execution, web redirection, OS modifications and others)<br>UB1.C2.K2.P1 – Configure and monitor IP/Domain/URL IOCs; monitor URL redirection; monitor sender domains and sender email addresses<br>UB1.C3.P1 – Block/Monitor/Restrict auto-reply messages (e.g. internally)<br>UB1.C4.K1.P1 – Monitor/Restrict domains/email addresses added into sender lists<br>UB1.C5.K1.P1 – Block/Monitor/Restrict auto-forwarding rules (e.g. internally)<br>UB1.C6.P1 – Backups and archive<br>UB1.C6.P2 – Audit mailbox actions<br>UB1.C6.P3 – Preserve and store emails after they are removed by the user (e.g. In-Place Hold and Litigation Hold in Exchange Server)<br>UB1.C7.P1 – Audit mailboxes<br>UB1.C7.P2 – Block/Disable the permission delegation feature or require on-demand approval | UB1.C1.K1.T1 – Send personal or confidential data<br>UB1.C2.K1.T1 – Open malicious or infected attachment files<br>UB1.C2.K2.T1 – Click on URLs redirecting to malicious content<br>UB1.C3.T1 – Send private data externally in auto-reply messages<br>UB1.C4.K1.T1 – Add malicious domains or senders as trusted<br>UB1.C5.K1.T1 – Email rules can forward sensitive data and/or trigger risky activities<br>UB1.C6.T1 – Loss of email non-repudiation evidence<br>UB1.C7.T1 – Unauthorised user access to restricted or sensitive information through the delegated mailbox<br>UB1.C7.T2 – Loss of email non-repudiation evidence |
UB2. Devices | UB2.C1 – Use external devices<br>UB2.C2 – Use external connections<br>UB2.C3 – Install software<br>UB2.C4 – Establish remote connections<br>UB2.C5 – Manage device services<br>UB2.C6 – Connect devices to charging stations via USB | UB2.C1.K1 – Connect PnP devices<br>UB2.C2.K1 – Use open WiFi networks<br>UB2.C2.K2 – Use unknown ISPs<br>UB2.C2.K3 – DHCP IP assignment<br>UB2.C3.K1 – Have non-updated software<br>UB2.C5.K1 – Disable or stop services | UB2.C1.K1.P1 – Deny PnP devices by policy<br>UB2.C2.(K1-K2-K3) – VPN; restrict allowed connections depending on the configured network/DNS/DHCP; filter network traffic; revoke tokens and reset passwords after risky or unknown connections<br>UB2.C3.K1.P1 – Configure auto-patch options<br>UB2.C4.P1 – Monitor/Deny or Restrict remote (RDP/SSH) connections internally<br>UB2.C5.K1.P1 – Configure policies and permissions that do not allow modifying device service status<br>UB2.C6.P1 – Add a USB data blocker (USB condom), use AC power outlets or external batteries | UB2.C1.K1.T1 – Use non-updated PnP devices<br>UB2.C1.K1.T2 – PnP devices on critical servers<br>UB2.C1.K1.T3 – PnP devices from unknown PnP vendors<br>UB2.C2.K3.T1 – Use external or non-trusted DHCP servers<br>UB2.C2.K3.T2 – Unknown DHCP servers added into device registry keys<br>UB2.C3.K1.T1 – Software with possible exploits and vulnerabilities<br>UB2.C4.T1 – Non-allowed remote connections<br>UB2.C5.K1.T1 – Stop or disable services related to antivirus, antimalware, firewall or other threat monitoring software<br>UB2.C6.T1 – Install malware and/or steal device data via USB using the Juice Jacking technique |
UB3. Users | UB3.C1 – Scan QR codes<br>UB3.C2 – User sign-in<br>UB3.C3 – Take screenshots/photos of company data<br>UB3.C4 – Users use different ISPs | UB3.C2.K1 – Sign-in attempts from anywhere<br>UB3.C2.K2 – Sign-in on non-owner devices<br>UB3.C4.K1 – Users contract and use non-secure ISPs | UB3.C1.P1 – Monitor content/URLs behind QR codes<br>UB3.C2.P1 – Restrict user sign-in by country<br>UB3.C3.P1 – Split information so that sensitive/confidential data cannot be identified from one source; watermark, obfuscate or replace sensitive/confidential data; DLP/DRM; deny screenshot software and/or monitor its file extensions<br>UB3.C4.K1.P1 – Monitor activities from non-secure ISPs | UB3.C1.T1 – Access to malicious content through a malicious URL after scanning a QR code<br>UB3.C2.K1.T1 – Suspicious sign-in attempts from multiple countries in a short time<br>UB3.C2.K2.T1 – User sessions remain active on non-owner devices after user activity<br>UB3.C3.T1 – Data leakage of sensitive or critical information<br>UB3.C4.K1.T1 – Sign-in attempts using non-secure ISPs |
UB4. Network | UB4.C1 – Web surfing | UB4.C1.K1 – Establish unencrypted communications<br>UB4.C2.K1 – Use plugins on websites | UB4.C1.K1.P1 – Enforce the latest version of TLS; enforce strong cipher suite algorithms; enforce the strongest curve encryption methods | UB4.C1.K1.T1 – Low/risky cipher suite algorithms<br>UB4.C1.K1.T2 – Low/risky curve encryption established |
UB5. Software | UB5.C1 – Software updates<br>UB5.C2 – Install software plugins and add-ons<br>UB5.C3 – Software configurations | UB5.C1.K1 – Install third-party software<br>UB5.C1.K2 – Software with malicious DLLs<br>UB5.C3.K1 – Users can add exclusions | UB5.C1.K1.P1 – Restrict allowed software and require approval for new programs<br>UB5.C1.K2.P1 – Monitor DLL changes and/or updates<br>UB5.C2.P1 – Monitor/Restrict allowed software plugins and add-ons<br>UB5.C3.K1.P1 – Monitor/Restrict allowed exclusion actions | UB5.C1.K1.T1 – Install malicious or non-allowed software<br>UB5.C1.K2.T1 – DLL hijacking<br>UB5.C2.T1 – Malicious plugins or add-ons added into browsers<br>UB5.C2.T2 – Plugins and add-ons added into software programs establishing connections or exchanging data with non-allowed countries<br>UB5.C3.K1.T1 – Users could add exceptions in antivirus, antimalware or other threat monitoring tools, leaving the excluded folders or files vulnerable |
UB6. Auth. | UB6.C1 – Passwords<br>UB6.C2 – Account names (UPNs)<br>UB6.C3 – Generate tokens<br>UB6.C4 – SMS<br>UB6.C5 – Authentication apps | UB6.C1.K1 – Weak/guessable passwords<br>UB6.C2.K1 – Users share their name and surname on social networks<br>UB6.C4.K1 – Users authenticate with SMS | UB6.C1.K1.P1 – Configure password policies to require strong passwords<br>UB6.C1.K1.P2 – Create a block list of known words that users could potentially use as passwords and that are easy for attackers to guess<br>UB6.C2.K1.P1 – Configure different domains or use different username patterns to create email addresses and UPNs that cannot be linked to the user's identity<br>UB6.C3.P1 – Use tokens with short lifespans or implement token rotation strategies<br>UB6.C3.P2 – Implement a process to detect and revoke compromised tokens as soon as possible<br>UB6.C3.P3 – Store tokens in secure storage solutions such as environment variables, a key management service or secure vaults<br>UB6.C4.K1.P1 – Avoid using SMS as the primary form of 2FA | UB6.C1.K1.T1 – Password discovered<br>UB6.C2.K1.T1 – Malicious actors can easily discover users' email addresses and UPNs for phishing, spamming and other threats using social engineering<br>UB6.C3.T1 – Long-lived tokens that are not rotated regularly increase the risk of misuse if they are compromised<br>UB6.C3.T2 – If a token is compromised and not immediately revoked, unauthorised access can continue<br>UB6.C3.T3 – Storing tokens in plain text can expose them to unauthorised access<br>UB6.C4.K1.T1 – Cybercriminals can send fake verification codes or request real codes sent by legitimate services |
UB7. Content | UB7.C1 – Copy | UB7.C1.K1 – Copy data to external sources or drives | UB7.C1.K1.P1 – DLP/DRM<br>UB7.C1.K1.P2 – Block/Monitor external sources and drives | UB7.C1.K1.T1 – Data leakage |