Remote Services

From attackics
Jump to navigation Jump to search
Remote Services
Technique
ID T0886
Tactic Initial Access, Lateral Movement
Data Sources Windows event logs, Authentication logs
External Contributors Daisuke Suzuki
Asset Engineering Workstation, Human-Machine Interface, Control Server

Description

Adversaries may leverage remote services to move between assets and network segments. These services are often used to allow operators to interact with systems remotely within the network, some examples are RDP, SMB, SSH, and other similar mechanisms.123

Remote services could be used to support remote access, data transmission, authentication, name resolution, and other remote functions. Further, remote services may be necessary to allow operators and administrators to configure systems within the network from their engineering or management workstations. An adversary may use this technique to access devices which may be dual-homed1 to multiple network segments, and can be used for Program Download or to execute attacks on control devices directly through Valid Accounts.

Specific remote services (RDP & VNC) may be a precursor to enable Graphical User Interface execution on devices such as HMIs or engineering workstation software.


Procedure Examples

  • In the Ukraine 2015 Incident, Sandworm Team used native remote access tools to directly interface with operator workstations and control ICS components.4
  • XENOTIME utilized remote desktop protocol (RDP) jump boxes to move into the ICS environment.2
  • REvil uses the SMB protocol to encrypt files located on remotely connected file shares.5

Mitigations

  • Authorization Enforcement - Provide privileges corresponding to the restriction of a GUI session to control system operations (examples include HMI read-only vs. read-write modes). Ensure local users, such as operators and engineers, are giving prioritization over remote sessions and have the authority to regain control over a remote session if needed. Prevent remote access sessions (e.g., RDP, VNC) from taking over local sessions, especially those used for ICS control, especially HMIs.
  • Network Allowlists - Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device.
  • Access Management - Access Management technologies can help enforce authentication on critical remote service, examples include, but are not limited to, device management services (e.g., telnet, SSH), data access servers (e.g., HTTP, Historians), and HMI sessions (e.g., RDP, VNC).
  • Network Segmentation - Segment and control software movement between business and OT environments by way of one directional DMZs. Web access should be restricted from the OT environment. Engineering workstations, including transient cyber assets (TCAs) should have minimal connectivity to external networks, including Internet and email, further limit the extent to which these devices are dual-homed to multiple networks.6
  • Password Policies - Enforce strong password requirements to prevent password brute force methods for lateral movement.
  • User Account Management - Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs.
  • Filter Network Traffic - Filter application-layer protocol messages for remote services to block any unauthorized activity.