An adversary which has gained elevated access to network boundary devices may use these devices to create a channel to bridge trusted and untrusted networks. Boundary devices do not necessarily have to be on the network\u00e2\u0080\u0099s edge, but rather must serve to segment portions of the target network the adversary wishes to cross into.
Description
Attack Execution Flow
3
1
Step 1
Explore[Identify potential targets] An adversary identifies network boundary devices that can be compromised.
The adversary traces network traffic to identify which devices the traffic flows through. Additionally, the adversary can identify devices using fingerprinting methods or locating the management page to determine identifying information about the device.
AI Translation
[Identifica potenziali obiettivi] Un avversario identifica dispositivi di confine di rete che possono essere compromessi.
L'avversario traccia il traffico di rete per identificare attraverso quali dispositivi il traffico passa. Inoltre, l'avversario può identificare dispositivi utilizzando metodi di fingerprinting o localizzando la pagina di gestione per determinare informazioni identificative sul dispositivo.
Attack Techniques
-
The adversary traces network traffic to identify which devices the traffic flows through. Additionally, the adversary can identify devices using fingerprinting methods or locating the management page to determine identifying information about the device.
2
Step 2
Experiment[Compromise targets] The adversary must compromise the identified targets in the previous step.
Once the device is identified, the adversary can attempt to input known default credentials for the device to gain access to the management console.
Adversaries with sufficient identifying knowledge about the target device can exploit known vulnerabilities in network devices to obtain administrative access.
AI Translation
[Obiettivi di compromissione] L'avversario deve compromettere gli obiettivi identificati nel passaggio precedente.
Una volta identificato il dispositivo, l'avversario può tentare di inserire credenziali di default note per il dispositivo al fine di ottenere l'accesso alla console di gestione.
Gli avversari con conoscenze sufficienti sul dispositivo target possono sfruttare vulnerabilità note nei dispositivi di rete per ottenere accesso amministrativo.
Attack Techniques
-
Once the device is identified, the adversary can attempt to input known default credentials for the device to gain access to the management console.
-
Adversaries with sufficient identifying knowledge about the target device can exploit known vulnerabilities in network devices to obtain administrative access.IT: Una volta identificato il dispositivo, l'attaccante può tentare di inserire le credenziali di default note per ottenere l'accesso alla console di gestione.
3
Step 3
Exploit[Bridge Networks] The adversary changes the configuration of the compromised network device to connect the networks the device was segmenting. Depending on the type of network boundary device and its capabilities, bridging can be implemented using various methods.
The adversary can abuse Network Address Translation (NAT) in firewalls and routers to manipulate traffic flow to their own design. With control of the network device, the adversary can manipulate NAT by either using existing configurations or creating their own to allow two previously unconnected networks to communicate.
Some network devices can be configured to become a proxy server. Adversaries can set up or exploit an existing proxy server on compromised network devices to create a bridge between separate networks.
AI Translation
[Bridge Networks] L'adversario modifica la configurazione del dispositivo di rete compromesso per collegare le reti che il dispositivo stava segmentando. A seconda del tipo di dispositivo di confine di rete e delle sue capacità, il bridging può essere implementato utilizzando vari metodi.
L'adversario può sfruttare il Network Address Translation (NAT) nei firewall e router per manipolare il flusso di traffico a proprio vantaggio. Con il controllo del dispositivo di rete, l'adversario può manipolare il NAT utilizzando configurazioni esistenti o creando le proprie, per consentire la comunicazione tra due reti precedentemente non connesse.
Alcuni dispositivi di rete possono essere configurati per diventare un proxy server. Gli adversari possono configurare o sfruttare un proxy server esistente sui dispositivi di rete compromessi per creare un ponte tra reti separate.
Attack Techniques
-
Some network devices can be configured to become a proxy server. Adversaries can set up or exploit an existing proxy server on compromised network devices to create a bridge between separate networks.
-
The adversary can abuse Network Address Translation (NAT) in firewalls and routers to manipulate traffic flow to their own design. With control of the network device, the adversary can manipulate NAT by either using existing configurations or creating their own to allow two previously unconnected networks to communicate.IT: Alcuni dispositivi di rete possono essere configurati per diventare un proxy server. Gli adversary possono configurare o sfruttare un proxy server esistente su dispositivi di rete compromessi per creare un ponte tra reti separate.
Mitigations
6
Design: Follow The Principle Of Least Privilege And Restrict Administrative Duties To As Few Accounts As Possible. Ensure These Privileged Accounts Are Secured With Strong Credentials Which Do Not Overlap With Other Network Devices.
Configuration: Change The Default Configuration For Network Devices To Harden Their Security Profiles. Default Configurations Are Often Enabled With Insecure Features To Allow Ease Of Installation And Management. However, These Configurations Can Be Easily Discovered And Exploited By Adversaries.
Design: Ensure Network Devices Are Storing Credentials In Encrypted Stores
Configuration: When Possible, Configure Network Boundary Devices To Use Mfa.
Implementation: Perform Integrity Checks On Audit Logs For Network Device Management And Review Them To Identify Abnormalities In Configurations.
Implementation: Prevent Network Boundary Devices From Being Physically Accessed By Unauthorized Personnel To Prevent Tampering.
Consequences
Security Scopes Affected
Access Control
Authorization
Confidentiality
Integrity
Potential Impacts
Alter Execution Logic
Bypass Protection Mechanism
Hide Activities
Read Data
Relationships
Parent CAPECs
Related ATT&CK Techniques
1
T1599
Network Boundary Bridging
Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation. Breaching these devices …
Resources Required
1
The adversary requires either high privileges or full control of a boundary device on a target network.