Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
---|---|---|---|---|---
PR.PS-01.04 | Time services and synchronization | Mitigates | T1498.002 | Reflection Amplification | NTP amplification is a form of distributed denial-of-service (DDoS) reflection attack: the attacker sends small UDP requests with a spoofed source address to NTP servers, and the much larger responses are delivered to the victim. This diagnostic statement describes practice guidance for securing and managing time synchronization infrastructure. To mitigate this technique under best practice guidance: upgrade ntpd to a release that no longer implements the `monlist` command (ntp 4.2.7p26 and later) or explicitly disable it with `disable monitor`; refuse anonymous mode 6/7 control queries with `restrict default ... noquery nomodify`, so that ntpq/ntpdc status and monitor commands cannot be issued by arbitrary clients; require authentication (symmetric keys, or NTS per RFC 8915) for time sources and for configuration changes; filter inbound UDP port 123 at the network edge so that only designated time servers receive NTP traffic; and limit access to internal NTP servers to authorized hosts rather than exposing them to the whole organization or the Internet, which reduces the pool of reflectors an attacker can abuse.
PR.PS-01.04 | Time services and synchronization | Mitigates | T1070.006 | Timestomp | The ATT&CK technique T1070.006 covers adversaries modifying file timestamps (creation, modification and access times) to evade detection or frustrate forensic timeline analysis. The diagnostic statement describes maintaining secure and accurate synchronized time across systems. Authenticated time synchronization (e.g., NTP with symmetric keys, or NTS) keeps adversaries from skewing a host's clock through spoofed or rogue time sources; with every system on a trustworthy common time base, log entries and filesystem metadata from different sources can be correlated, and a file whose timestamps disagree with surrounding events (or with other metadata, such as the NTFS $FILE_NAME attribute) stands out as likely timestomped.
PR.PS-01.04 | Time services and synchronization | Mitigates | T1497.003 | Time Based Evasion | The diagnostic statement focuses on maintaining secure and accurate synchronized time across systems. The ATT&CK technique T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion covers malware that delays execution or measures elapsed time to detect or outlast analysis environments (for example, sleeping past a sandbox's timeout, or checking whether a sleep was accelerated). Ensuring time integrity, accurate time synchronization and hardened time services across virtualized and sandbox environments reduces the clock anomalies that such checks rely on.
PR.PS-01.04 | Time services and synchronization | Mitigates | T1547.003 | Time Providers | The diagnostic statement focuses on maintaining accurate and resilient time synchronization across systems. The ATT&CK technique T1547.003 Boot or Logon Autostart Execution: Time Providers covers adversaries registering a malicious DLL as a Windows Time service (W32Time) provider, under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders, so that it is loaded when the service starts. Designing time services with security and reliability in mind, including controlling which time provider components may be installed and monitoring the registry keys that register them, reduces the risk of adversaries tampering with these components or disrupting time synchronization.
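The ntpd hardening settings referenced in the T1498.002 and T1070.006 rows (`disable monitor`, `restrict default ... noquery nomodify`, and symmetric-key authentication of time sources) can be audited mechanically. The checker below is an added example and not code from this mapping page or from the NTP project; it parses ntp.org ntpd syntax only (not chrony or ntpsec), ignores `trustedkey` ranges written as `(1 ... 10)`, and the two configurations and the host name `time.internal.example` are constructed samples.

```python
"""Audit an ntpd (ntp.org) ntp.conf for reflection-amplification exposure
and for unauthenticated time sources.

Added example; not code from the mapping page or from the NTP project.
Only documented ntpd directives are checked:
  disable monitor                        turns off the MRU list that `monlist` reads
  restrict default ... noquery nomodify  refuses mode 6/7 control queries and changes
  keys / trustedkey / server ... key N   enable symmetric-key authentication
Assumptions: chrony/ntpsec syntax is not parsed, and `trustedkey` ranges of
the form "(1 ... 10)" are ignored.
"""
from typing import List, Tuple

# Constructed sample configs; time.internal.example is a placeholder host.
WEAK_CONF = """\
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
restrict default nomodify notrap      # still answers ntpq/ntpdc queries
"""

HARDENED_CONF = """\
driftfile /var/lib/ntp/drift
disable monitor                       # no monlist / MRU list
keys /etc/ntp/ntp.keys
trustedkey 10
server time.internal.example key 10 iburst
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap
"""

Finding = Tuple[str, str]  # (stable code, human-readable message)


def _directives(conf: str):
    """Yield each non-comment, non-empty line as a token list."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def audit_ntp_conf(conf: str) -> List[Finding]:
    findings: List[Finding] = []
    monitor_enabled = True        # ntpd default before 4.2.7p26
    default_restricts = []        # flag sets from each `restrict default`
    keys_configured = False
    trusted = set()               # key ids listed by `trustedkey`
    sources = []                  # (host, key id or None) per server/peer/pool

    for toks in _directives(conf):
        kw, args = toks[0], toks[1:]
        if kw in ("disable", "enable") and "monitor" in args:
            monitor_enabled = kw == "enable"
        elif kw == "restrict":
            if args and args[0] in ("-4", "-6"):   # address-family form
                args = args[1:]
            if args and args[0] == "default":
                default_restricts.append(set(args[1:]))
        elif kw == "keys":
            keys_configured = True
        elif kw == "trustedkey":
            trusted.update(a for a in args if a.isdigit())
        elif kw in ("server", "peer", "pool") and args:
            key = args[args.index("key") + 1] if "key" in args[:-1] else None
            sources.append((args[0], key))

    if monitor_enabled:
        findings.append(("MONITOR_ENABLED",
                         "no 'disable monitor': monlist/MRU responses usable for amplification "
                         "(add 'disable monitor' or run ntp >= 4.2.7p26, which removed monlist)"))
    if not default_restricts:
        findings.append(("NO_DEFAULT_RESTRICT",
                         "no 'restrict default' line: any client may query and modify the daemon"))
    for flags in default_restricts:
        if "noquery" not in flags:
            findings.append(("DEFAULT_ALLOWS_QUERY",
                             "'restrict default' lacks noquery: mode 6/7 control queries answered for anyone"))
        if "nomodify" not in flags:
            findings.append(("DEFAULT_ALLOWS_MODIFY",
                             "'restrict default' lacks nomodify: runtime configuration changes accepted"))
    if not keys_configured:
        findings.append(("NO_KEYS", "no 'keys' directive: symmetric-key authentication unavailable"))
    for host, key in sources:
        if key is None:
            findings.append(("UNAUTHENTICATED_SOURCE", f"time source {host} has no 'key N': spoofable"))
        elif key not in trusted:
            findings.append(("KEY_NOT_TRUSTED", f"time source {host} uses key {key} not in trustedkey"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {len(audit_ntp_conf(conf))} finding(s)")
        for code, msg in audit_ntp_conf(conf):
            print(f"  {code}: {msg}")
```

Run against the weak sample it reports the monitor list, missing `noquery`, absent keys and two unauthenticated pool sources; the hardened sample produces no findings. The `restrict default` check deliberately ignores the more specific `restrict` lines, since the default line is what an Internet-facing reflector answers with.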