Threat Coverage

Mar 18, 2019

Hacker’s Playbook Updated with US-CERT Alert TA-18-086A

The SafeBreach Hacker’s Playbook™ includes simulations for attacks described in US-CERT Alert (TA18-086A), attributed to Iranian actors.

This alert covers general tactics used to compromise user accounts, move laterally within environments, and exfiltrate data. Thanks to the depth of the Hacker’s Playbook™, hundreds of attacks — spanning each phase of this of this campaign — have been available for some time, so customers are already able to validate security against the techniques indicated by the US-CERT.

SafeBreach recommends all industries and businesses simulate this attack to identify whether or not they are protecting against this campaign. To assess security control effectiveness against techniques involved in this attack, the SafeBreach Breach and Attack Simulation Platform contains many simulations, as highlighted below, to test endpoint and network security controls:

Password-related Infiltration

The Hacker’s Playbook contains over 20 different password-related attacks, simulating the compromise of user credentials, which was the initial infiltration point for this campaign Simulations can be customized to send multiple passwords (typical brute force), or few passwords (as used in password spraying).

Sample Playbook IDs:

  • 258 HTTP authentication brute force
  • 1307 SSH brute force
  • 1309 RDP brute force

Lateral Movement

The US-CERT only indicated Remote Desktop as an example of lateral movement techniques used by attackers. SafeBreach simulates dozens of RDP and other Windows-based lateral movement techniques, to validate both endpoint security and internal network segmentation.

Sample Playbook IDs:

  • 1306 SMB brute force
  • 192 RDP brute force
  • 286 LDAP brute force

Data Exfiltration

Again, the US-CERT did not detail the types of exfiltration techniques in use, but indicated simple file transfer as an example. SafeBreach simulates over 100 attack techniques for data exfiltration.

Sample Playbook IDs:

  • 903 Data Exfiltration via DNS tunneling
  • 105, 106, 107, 108 Exfiltration by HTTP (Various)
  • 103, 104 Exfiltration via FTP STOR (ASCII, Binary)

As always, SafeBreach Labs will continue to monitor this alert, and develop new simulations as necessary.

The Safebreach Hacker’s Playbook™ of breach methods simulates these breach scenarios, and thousands more, without impacting users or infrastructure. Breach methods are constantly updated by SafeBreach Labs, our team of offensive security researchers, to help keep customers ahead of attacks.

Get the latest
research and news