T1190 Exploit Public-Facing Application Mappings

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve Exploitation for Defense Evasion or Exploitation for Client Execution.

If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via Escape to Host, or take advantage of weak identity and access management policies.

Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)

For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)


Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
intel-pt | Intel Process Trace | Crowdstrike HEED | T1190 | Exploit Public-Facing Application | 
Comments
CrowdStrike Falcon Hardware Enhanced Exploit Detection (HEED) is an advanced security feature that integrates Intel Processor Trace (Intel PT) technology to provide enhanced visibility into sophisticated attack techniques, including real-time detection of exploits targeting public-facing applications. These attacks often involve adversaries exploiting vulnerabilities in externally accessible web applications or services to execute malicious code, allowing attackers to manipulate system behavior, gain unauthorized access, or disrupt critical infrastructure.

Intel PT offers deep insights into program execution at the hardware level, capturing critical telemetry such as control flow, memory access, and instruction execution in real time. This telemetry helps security teams detect abnormal behaviors, such as suspicious execution paths, unauthorized interactions, or attempts to hijack legitimate processes within public-facing applications. By monitoring these low-level activities, HEED makes it easier to identify exploitation attempts that target vulnerabilities in web servers, APIs, and other externally exposed services.

By combining Intel PT's granular telemetry with advanced detection algorithms, HEED provides a powerful defense against evasive attacks that exploit public-facing applications and may bypass traditional security measures. This proactive approach enables organizations to quickly identify and mitigate these attacks, strengthening the protection of critical systems and reducing the risk of compromise from advanced, targeted cyber threats.
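The kind of "suspicious execution path" check the comment above describes, as an added illustration that is not CrowdStrike's or Intel's code: it assumes a branch stream already decoded from Intel PT against the process's binaries, so each record carries the branch kind, source, target and fall-through address, and the code ranges and trace records are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Branch:
    """One taken control-flow transfer, as a PT decoder would report it."""
    kind: str         # "call", "ret", "jmp" (indirect jump) or "cond"
    src: int          # address of the branch instruction
    dst: int          # address control was transferred to
    fallthrough: int  # address of the next instruction (decoder knows it)

# Constructed code map of a hypothetical web-server process: (start, end)
# of the executable sections of the main binary and one shared library.
CODE_RANGES = [(0x401000, 0x480000), (0x7F0000000000, 0x7F0000200000)]

def in_code(addr: int) -> bool:
    return any(lo <= addr < hi for lo, hi in CODE_RANGES)

def find_hijacks(trace: list[Branch]) -> list[str]:
    """Flag transfers that do not fit normal program control flow:
    (1) any transfer landing outside mapped code (stack, heap);
    (2) a 'ret' whose target is not a live return address on a shadow
    stack rebuilt from observed calls. Unwinding to a deeper live entry
    is allowed so exceptions and longjmp do not raise false positives."""
    findings: list[str] = []
    shadow: list[int] = []  # return addresses pushed by observed calls
    for b in trace:
        if not in_code(b.dst):
            findings.append(f"{b.kind}@{b.src:#x} -> non-code {b.dst:#x}")
            continue
        if b.kind == "call":
            shadow.append(b.fallthrough)
        elif b.kind == "ret":
            if b.dst in shadow:
                top = max(i for i, a in enumerate(shadow) if a == b.dst)
                del shadow[top:]
            elif shadow:  # empty shadow stack: trace began mid-call, skip
                findings.append(f"ret@{b.src:#x} -> {b.dst:#x} not a live return")
    return findings

# Constructed trace: a normal call/return, then a return through an
# overwritten return address, then a transfer onto the stack.
SAMPLE_TRACE = [
    Branch("call", 0x401010, 0x402000, 0x401015),
    Branch("ret",  0x402050, 0x401015, 0x402051),
    Branch("call", 0x401020, 0x403000, 0x401025),
    Branch("ret",  0x403030, 0x4457A0, 0x403031),
    Branch("ret",  0x4457A5, 0x7FFD12345678, 0x4457A6),
]
```

Running `find_hijacks(SAMPLE_TRACE)` reports the last two transfers and nothing for the well-formed call/return pair; a real deployment would feed decoded PT packets in and key the code map off the live process memory map.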