Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning and SMB Relay, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
Network sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities. Adversaries may likely also utilize network sniffing during Adversary-in-the-Middle (AiTM) to passively gain additional knowledge about the environment.
In cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)
On network devices, adversaries may perform network captures using Network Device CLI commands such as monitor capture.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software)
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| I&S-03 | Network Security | mitigates | T1040 | Network Sniffing |
Comments
This control provides for monitoring, encrypting, and restricting communications between environments. Ensuring that all traffic is encrypted, using best practices for authentication protocols, and protecting web traffic with SSL/TLS can help prevent and adversary from capturing information, such as user credentials and network characteristics, through network sniffing.
References
|
| I&S-06 | Segmentation and Segregation | mitigates | T1040 | Network Sniffing |
Comments
This control provides for appropriately segmented and segregated cloud environments. This includes implementing cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Segmentation can be implemented to deny direct access of broadcasts and multicast sniffing, and prevent information capture.
References
|
| I&S-09 | Network Defense | mitigates | T1040 | Network Sniffing |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. This includes implementing cloud-based segmentation at each layer of the cloud network (virtual private cloud [VPC], subnet, and application level). Segmentation can be implemented to deny direct access of broadcasts and multicast sniffing, and prevent information capture.
References
|
| DSP-10 | Sensitive Data Transfer | mitigates | T1040 | Network Sniffing |
Comments
The control describes the implementation of strong technical and procedural safeguards, such as TLS with strong keys)to protect sensitive data during transfer and prevent unauthorized access or interception. For this technique, ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS.
References
|
| AIS-05 | Automated Application Security Testing | mitigates | T1040 | Network Sniffing |
Comments
The control outlines several testing approaches, including the use of automated tools, to identify vulnerabilities throughout the software development lifecycle from development to production. It emphasizes testing for risks such as injection attacks and session hijacking, and recommends alignment with industry standards like the OWASP Top 10 to enhance application security. Adversaries may passively sniff network traffic to capture traffic between microservices, API calls to SaaS platforms, or data transfers between on-premises and IaaS resources that lack proper TLS encryption.
References
|