FBIとCISAが共同でTorを介して難読化したサイバー攻撃への対応ガイダンスを公表していましたね。

こんにちは、丸山満彦です。

FBIとCISAが共同でTorを介して難読化したサイバー攻撃への対応ガイダンスを公表していましたね。

3つの対策アプローチを説明していますね。少なくとも既知のTorの出入り口は監視しろということになるのですが、Torを介した通信はブロックするで良い組織がほとんどのような気がするような。。。

● CISA

・2020.07.01 Alert (AA20-183A) Defending Against Malicious Cyber Activity Originating from Tor

・2020.07.07 [PDF] CISA Releases Securing Industrial Control Systems: A Unified Initiative

The Cybersecurity and Infrastructure Security Agency (CISA) has released its five-year industrial control systems (ICS) strategy: Securing Industrial Control Systems: A Unified Initiative. The strategy—developed in collaboration with industry and government partners—lays out CISA's plan to improve, unify, and focus the effort to secure ICS and protect critical infrastructure.

CISA encourages users—including ICS and critical infrastructure partners—to review Securing Industrial Control Systems: A Unified Initiative for more information.

 

MITRE ATT&CK^® を使って説明していますね。。。

Pre-ATT&CK

• Target Selection [TA0014]
• Technical Information Gathering [TA0015]
  • Conduct Active Scanning [T1254]
  • Conduct Passive Scanning [T1253]
  • Determine domain and IP address space [T1250]
  • Identify security defensive capabilities [T1263]
• Technical Weakness Identification [TA0018]

ATT&CK

• Initial Access [TA0001]
  • Exploit Public-Facing Applications [T1190]
• Command and Control [TA0011]
  • Commonly Used Port [T1043]
  • Connection Proxy [T1090]
  • Custom Command and Control Protocol [T1094]
  • Custom Cryptographic Protocol [T1024]
  • Multi-hop Proxy [T1188]
  • Multilayer Encryption [T1079]
  • Standard Application Layer Protocol [T1071]
• Exfiltration [TA0010]
• Impact [TA0040]
  • Data Encrypted for Impact [T1486]
  • Endpoint Denial of Service [T1499]
  • Network Denial of Service [T1498]

 

 

■ 報道等

● Health IT Security
・ 2020.07.06 FBI, CISA Share Mitigation Guidance for Obfuscated Cyberattacks Via Tor by Jessica Davis

Hackers leverage Tor (The Onion Router) to anonymously conduct malicious cyberattacks against organizations, which conceals their identity as they perform reconnaissance, FBI and CISA warn.

● security boulevard
・ 2020.07.03 CISA and FBI Issue Advisory on Dealing with Tor Malicious Internet Traffic by Silviu STAHIE

At the end of the day, companies and organizations have to determine how to best deal with the traffic from known Tor nodes. It the least they can do against less sophisticated attackers, who are still relying on the default channel of spreading malware.

● Homeland Security Today
・ 2020.07.01 Defending Against Malicious Cyber Activity Originating from Tor