Overview of the MITRE ATT&CK matrix

The MITRE ATT&CK matrix is a publicly accessible knowledge base of adversary tactics and techniques based on real-world observations. It is used as a foundation for developing specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. ATT&CK aims to solve problems and produce a safer world by bringing communities together to develop more effective cybersecurity, and it is open and available to any person or organization for use at no charge.

What are hardware additions and what are their uses?

Hardware additions are tools and components that resemble ordinary office hardware but conceal exploits or code that takes advantage of the systems (computers) they are plugged into. Because they look like normal hardware, they are easy to pass off as such. In recent years hardware additions and implants have become tremendously small, to the point of being inserted within supply chains. Hardware additions are commonly used by security personnel to demonstrate the capabilities of adversaries. As to the difficulty of such an attack, Monta Elkins of FoxGuard says, “It’s not magical. It’s not impossible. I could do this in my basement.” No adversary attacks leveraging hardware additions have yet been made public. This is not to say, however, that malicious actors are not employing these methods against enterprise infrastructure.

What are some of the most common hardware addition tools?

Hardware addition tools are mostly relevant to penetration testers and red team members, who demonstrate during security assessments how malicious actors could gain access to enterprise networks. The following are some of the most commonly used hardware additions:

Rubber Ducky – This device closely resembles a normal USB drive. When plugged into a computer it functions as a keyboard, allowing an attacker to execute scripts as if a real user were typing them, including scripts that target stored passwords.

LAN Turtle – A stealthy remote-access device with a built-in computer, capable of man-in-the-middle attacks and network intelligence gathering. The LAN Turtle is both a USB device and an Ethernet adapter, and its appearance in a server room can lead IT teams to dismiss it as a normal network device.

Bash Bunny – Similar to the Rubber Ducky but much more advanced, this USB device offers multiple attack vectors including HID keyboard, USB Ethernet, serial and mass storage, and is also capable of keystroke injection.

WiFi Pineapple – This tool can clone legitimate WiFi hotspots, deauthenticate the clients connected to them and let those clients connect to the cloned ones. Attackers use it for social engineering and similar attacks.

ATM Card Skimmers – Another hardware addition, capable of collecting information from credit cards so that attackers can clone them. Skimmers have been used on numerous occasions to commit fraud against credit card holders.

Pwn Plug – A tiny device that also contains a built-in computer. It plugs into the network and can allow an attacker to connect back into the network remotely from the internet.

Jayson E. Street is a well-known hacker who has used several of the tools above in pen tests and red team assessments. Of one assessment he was contracted to carry out, he said, “At one branch, the bank manager got out of the way so I could put it behind her desk.”

How can malicious and unwanted hardware additions be detected?

Detecting hardware addition tools can be quite difficult because of their uncanny resemblance to normal hardware and their ever-smaller size. Walking through the office checking the contents of every USB drive for malicious scripts would also be tedious, and a USB key containing malicious content is not necessarily a hardware addition. With this in mind, we include the following to help with detection:

Asset Management Systems – An asset management system ensures that network devices that should not be present are discovered: every piece of hardware is accounted for, and any device that is not accounted for is revoked or retired.

Endpoint Sensors – Endpoint sensors such as Digital Guardian can detect any piece of hardware plugged in via USB, Thunderbolt or any other external communication port.
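The two detection items above (an inventory of registered hardware, and a sensor that notices what gets plugged in) can be combined in a small host-side check. The following Python script is an added example, not code from this article or from any product it names: it parses Linux kernel log lines for USB attach events, compares each device's vendor:product identifier against a registered-asset list, and reports devices that are not in inventory, with particular attention to keyboard-class devices and to a single device that presents both a keyboard and a network interface, the shape of the composite tools listed earlier. The log lines, the inventory entries and every vendor/product ID in it are constructed placeholders; the message formats follow the Linux usbcore, hid-generic and usbnet drivers.

```python
import re

# Constructed asset inventory: vendor:product IDs (lowercase hex) that the
# organisation has registered. A real list would be exported from the asset
# management system; these IDs are placeholders, not real product IDs.
KNOWN_DEVICES = {
    "046d:c31c": "registered USB keyboard (placeholder entry)",
    "0781:5567": "registered USB flash drive (placeholder entry)",
}

# Kernel messages emitted when a device attaches, when a HID keyboard binds,
# and when a USB network driver registers an interface.
NEW_DEVICE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})"
)
HID_KEYBOARD = re.compile(
    r"hid-generic \d{4}:(?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})\.\d{4}: "
    r".*USB HID v[\d.]+ Keyboard"
)
USB_NETWORK = re.compile(
    r"(?:cdc_ether|rndis_host|asix|r8152) (?P<port>[\d.-]+):[\d.]+ \w+: register"
)

# Constructed sample log: a registered keyboard on port 1-1, then an unknown
# device on port 1-2 that calls itself "USB Storage" but binds as a keyboard
# and also registers a network interface.
SAMPLE_LOG = """\
[  101.220731] usb 1-1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice= 2.00
[  101.225102] hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [USB Keyboard] on usb-0000:00:14.0-1/input0
[  240.017445] usb 1-2: New USB device found, idVendor=1a2b, idProduct=3c4d, bcdDevice= 1.00
[  240.017501] usb 1-2: Product: USB Storage
[  240.331873] hid-generic 0003:1A2B:3C4D.0002: input,hidraw1: USB HID v1.11 Keyboard [USB Storage] on usb-0000:00:14.0-2/input0
[  240.402910] cdc_ether 1-2:1.1 eth1: register 'cdc_ether' at usb-0000:00:14.0-2, CDC Ethernet Device, 00:11:22:33:44:55
"""


def parse_usb_events(lines):
    """Group kernel log lines into one record per attached device.

    Returns {port: {"id": "vid:pid", "classes": {...}}}, where classes is the
    set of interface kinds observed for that device ("keyboard", "network").
    """
    devices = {}
    for line in lines:
        m = NEW_DEVICE.search(line)
        if m:
            devices[m["port"]] = {"id": f"{m['vid']}:{m['pid']}".lower(), "classes": set()}
            continue
        m = HID_KEYBOARD.search(line)
        if m:
            # hid-generic reports the vendor:product ID rather than the port,
            # so the keyboard class is attached by ID.
            ident = f"{m['vid']}:{m['pid']}".lower()
            for dev in devices.values():
                if dev["id"] == ident:
                    dev["classes"].add("keyboard")
            continue
        m = USB_NETWORK.search(line)
        if m and m["port"] in devices:
            devices[m["port"]]["classes"].add("network")
    return devices


def find_suspicious(devices, known=KNOWN_DEVICES):
    """Return (port, id, reason) tuples for devices that warrant a physical check."""
    findings = []
    for port, dev in devices.items():
        classes = dev["classes"]
        if dev["id"] not in known:
            what = "keyboard-class device" if "keyboard" in classes else "device"
            findings.append((port, dev["id"], f"{what} not in asset inventory"))
        if {"keyboard", "network"} <= classes:
            findings.append((port, dev["id"],
                             "single device presents both keyboard and network interface"))
    return findings


def analyse(log_text=SAMPLE_LOG):
    """Run the whole check over a block of kernel log text."""
    return find_suspicious(parse_usb_events(log_text.splitlines()))


if __name__ == "__main__":
    for port, ident, reason in analyse():
        print(f"port {port} device {ident}: {reason}")
```

On the constructed sample the registered keyboard on port 1-1 produces nothing, while the device on port 1-2 is reported twice: once because its ID is not in inventory, and once because one physical device is behaving as both a keyboard and a network adapter, which an ordinary flash drive never does. Feeding real dmesg or journald output in place of SAMPLE_LOG turns this into a simple endpoint sensor; the inventory is the part that has to be kept current.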

Because USB threats and other hardware additions are so hard to detect, it is advisable to prevent such attacks well before they can materialise. This is essential in sensitive environments where data security is the topmost concern. Prevention can go as far as completely and physically removing the ports that might lead to a compromise, such as USB ports.

How do organizations mitigate against the use of hardware additions?

We have seen how difficult it is to do away with the threat of hardware additions completely. Organizations can, however, take steps to prevent attacks resulting from this threat. Below are some of the measures we noted:

Strict Policies – Policies such as strict bring-your-own-device rules determine which devices may be brought onto the premises; this restricts the entry of malicious hardware additions and makes them easier to identify. A policy restricting DHCP prevents unregistered devices from communicating with trusted systems, and a policy that specifies network access control measures likewise restricts unauthorised communication within the network.

Limit Hardware Installation – Some endpoint security solutions can identify unknown devices within the network and restrict communication from them.

Encouraging Vigilance – Vigilance should be encouraged within the workplace. Encouraging and enabling employees to look out for suspicious devices plugged into the network can stop an attack before it takes place.

Conducting Awareness Training – Security training makes employees aware of familiar-looking hacking devices that might actually be hardware additions.

Disabling Automatic WiFi Connection – Hardware additions such as the WiFi Pineapple can clone WiFi signals, deauthenticate everyone connected to legitimate hotspots and let them connect to the cloned ones. Disabling automatic connection to known WiFi hotspots prevents this kind of phishing attack.
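The DHCP-restriction and network access control items above amount to one rule: a device should not get onto the network merely by asking for an address. As an added example that is not from the article, the following Python script audits ISC dhcpd-style DHCPACK syslog lines against a constructed inventory of registered MAC addresses and the network segment each is expected on, reporting any lease handed to an unregistered address and any registered device that turns up on a segment other than its own (a plugged-in network implant, or a known machine moved where it should not be). The inventory, the MAC addresses (locally administered 02: prefixes) and the log lines are all constructed; only the DHCPACK message layout follows ISC dhcpd.

```python
import re

# Constructed inventory of registered devices: MAC -> (asset name, the
# server interface, i.e. segment, it is expected to lease from).
REGISTERED = {
    "02:aa:bb:cc:00:01": ("finance-ws-07", "eth0"),   # office segment
    "02:aa:bb:cc:00:02": ("print-srv-01", "eth0"),
    "02:aa:bb:cc:00:03": ("build-srv-02", "eth1"),    # server-room segment
}

# ISC dhcpd logs a granted lease as
#   DHCPACK on <ip> to <mac> (<hostname>) via <interface>
# where the parenthesised hostname is absent when the client sends none.
DHCPACK = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)

# Constructed syslog excerpt: three registered leases, one lease to an address
# nobody registered, one registered server leasing from the wrong segment, and
# a DHCPDISCOVER line that is not a lease and must be ignored.
SAMPLE_LOG = """\
Mar  3 09:12:01 dhcp1 dhcpd[812]: DHCPACK on 10.10.20.15 to 02:aa:bb:cc:00:01 (finance-ws-07) via eth0
Mar  3 09:12:44 dhcp1 dhcpd[812]: DHCPACK on 10.10.20.16 to 02:aa:bb:cc:00:02 (print-srv-01) via eth0
Mar  3 09:13:30 dhcp1 dhcpd[812]: DHCPACK on 10.10.30.77 to 02:aa:bb:cc:00:03 (build-srv-02) via eth1
Mar  3 09:15:02 dhcp1 dhcpd[812]: DHCPACK on 10.10.30.90 to 02:00:00:de:ad:01 (linux) via eth1
Mar  3 09:16:10 dhcp1 dhcpd[812]: DHCPACK on 10.10.20.40 to 02:aa:bb:cc:00:03 (build-srv-02) via eth0
Mar  3 09:17:55 dhcp1 dhcpd[812]: DHCPDISCOVER from 02:00:00:de:ad:02 via eth0
"""


def parse_leases(lines):
    """Return (ip, mac, hostname, interface) for every DHCPACK line."""
    leases = []
    for line in lines:
        m = DHCPACK.search(line)
        if m:
            leases.append((m["ip"], m["mac"].lower(), m["host"] or "", m["iface"]))
    return leases


def audit_leases(leases, registered=REGISTERED):
    """Return (mac, ip, reason) findings that merit a physical check."""
    findings = []
    for ip, mac, host, iface in leases:
        entry = registered.get(mac)
        if entry is None:
            findings.append((mac, ip,
                             f"unregistered device ({host or 'no hostname'}) leased on {iface}"))
            continue
        name, expected_iface = entry
        if iface != expected_iface:
            findings.append((mac, ip,
                             f"{name} registered on {expected_iface} but leased on {iface}"))
    return findings


def analyse(log_text=SAMPLE_LOG):
    """Run the audit over a block of dhcpd syslog text."""
    return audit_leases(parse_leases(log_text.splitlines()))


if __name__ == "__main__":
    for mac, ip, reason in analyse():
        print(f"{mac} ({ip}): {reason}")
```

The audit is the detection side of the policy: on ISC dhcpd the policy itself is expressed with deny unknown-clients and a host declaration per registered device, and the audit catches leases on segments where that restriction has not been enforced. The MAC address is an identifier, not an authenticator, so a match only means the device is not obviously foreign; a registered address appearing on the wrong segment is treated as equally worth a walk to the patch panel.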

Even though the mitigation measures above do not completely prevent these attacks, they are better than having no security measures in place.

Conclusion

The threat of hardware additions will become increasingly hard to detect and defend against as technology advances and threat actors develop new motivations. It is important, however, to take the right steps now to prevent these attacks. This article has been an introduction to the world of hardware additions and the different forms they take. The future is an interesting place, and nobody knows the direction hardware additions will take, but with the rise of cyber espionage among nation states it is likely only to get worse. Vigilance and common sense remain your best defences.

References

https://attack.mitre.org/techniques/T1200/
https://www.hak5.org/blog/main-blog/stealing-files-with-the-usb-rubber-ducky-usb-exfiltration-explained
https://arstechnica.com/information-technology/2012/03/the-pwn-plug-is-a-little-white-box-that-can-hack-your-network/
https://www.pcmag.com/article/328010/how-to-spot-and-avoid-credit-card-skimmers
http://www.bsidesto.ca/2015/slides/Weapons_of_a_Penetration_Tester.pptx
https://theintercept.com/2019/01/24/computer-supply-chain-attacks/