T0172 - Runtime backdoor

A runtime backdoor attack is a type of cyber attack where an attacker gains unauthorized access to a computer system or network and installs a malicious software or code that allows them to control the system or steal sensitive information. This type of attack is called a "runtime" backdoor attack because it involves manipulating the system at runtime, while it is running, rather than during the development or deployment stages. The attacker typically gains access to the system through a vulnerability, such as an unpatched software flaw or weak authentication mechanism. Once inside, the attacker can install a backdoor that provides them with persistent access to the system, even after the initial entry point has been closed.

ID: T0172
Type: Technique
Tactic: Execution
Summary: Runtime backdoor
State: draft

Mitigations

id

type

summary

description

M1720
Mitigation
Implement regular patches and updates
Regular patches and updates are necessary to improve the security, performance, and reliability of software and systems. They include bug fixes, security updates, and performance improvements. Regular patches and updates also ensure compatibility with new technologies and can help maintain compliance with regulatory standards. Failure to install patches and updates can leave systems vulnerable to security threats, cause system failures or crashes, and limit the functionality of software and systems.
M1500
Mitigation
Verify third-party artifacts and open-source libraries
Verify third-party artifacts used in code are trusted and have not been infected by a malicious actor before use. This can be accomplished, for example, by comparing the checksum of the dependency to its checksum in a trusted source. If a difference arises, this may be a sign that someone interfered and added malicious code. If this dependency is used, it will infect the environment and could end in a massive breach, leaving the organization exposed to data leaks and more.
M1501
Mitigation
Require SBOM from all third-party suppliers
An SBOM for every third-party artifact helps to ensure an artifact is safe to use and fully compliant. This file lists all important metadata, especially all the dependencies of an artifact, and allows for verification of each dependency. If one of the dependencies/artifacts is attacked or has a new vulnerability (e.g., the “SolarWinds” or even “log4j” attack), it is easier to detect what has been affected by this incident because dependencies in use are listed in the SBOM file
M1502
Mitigation
Define trusted package managers and repositories
When pulling a package by name, the package manager might look for it in several package registries, some of which may be untrusted or badly configured. If the package is pulled from such a registry, there is a higher likelihood that it could prove malicious. In order to avoid this, configure packages to be pulled from trusted package registries.
M1503
Mitigation
Implement SCA analysis
Component Analysis is the process of identifying potential areas of risk from the use of third-party and open-source software and hardware components. The best option for implementing SCA analysis is integration of SCA analysis tools into your CI/CD environment in order to scan your source code dependencies before the release.

Detections

id

type

summary

description

D1510
Detection
Implement Intrusion Detection System and anti-malware
An intrusion detection system (IDS) is a security tool designed to detect and alert on unauthorized access to a computer system or network. Implementing intrusion detection systems (IDS) and anti-malware software can help to identify and block malicious activity. IDS is a critical security tool that helps organizations to detect and respond to security incidents in a timely manner. By providing real-time monitoring and analysis of network traffic, IDS can help organizations to stay ahead of potential threats and reduce the risk of a security breach.
D1520
Detection
Implement endpoint detection and response system
An endpoint detection and response (EDR) system is a security tool designed to detect and respond to security incidents on endpoints, such as desktops, laptops, servers, and mobile devices. There are several reasons why an EDR system is essential for maintaining the security of endpoints: 1. Threat Detection: EDR can detect and alert on a wide range of threats, including malware, ransomware, and other types of attacks that may not be detected by traditional antivirus software. 2. Rapid Incident Response: EDR can help security teams to rapidly detect, investigate, and respond to security incidents on endpoints. EDR systems can provide detailed information about the scope and impact of an attack, enabling security personnel to respond quickly and effectively. 3. Behavioral Analysis: EDR can monitor endpoint behavior to detect and alert on suspicious or anomalous activity. This helps security teams to identify and respond to threats that may be missed by traditional signature-based detection. 4. Endpoint Visibility: EDR provides visibility into endpoint activity, including processes, network connections, and file activity. This helps security teams to identify potential attack vectors and take proactive measures to prevent future incidents.

References

  1. https://www.cyberark.com/resources/blog/the-anatomy-of-the-solarwinds-attack-chain
  2. https://portswigger.net/daily-swig/software-supply-chain-attacks-everything-you-need-to-know
  3. https://www.littlefish.co.uk/insights/backdoor-vulnerability-supply-chain-attacks/