PT Network Attack Discovery

Helps reconstruct the attack timeline and understand the sources and scale of threats

T1542.005: TFTP Boot

Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.

Adversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with Modify System Image to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to ROMMONkit and may result in the network device running a modified image.

Positive Technologies products that cover the technique

Detection

PT NAD can detect and dissect the Trivial File Transfer Protocol (TFTP), which network devices commonly use to download firmware images over the network during initial boot.

Examples of PT NAD filters

  • app_proto == "tftp"

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

ID: DS0001
Data source and component: Firmware: Firmware Modification
Description:

Monitor for changes to boot information including system uptime, image booted, and startup configuration to determine if results are consistent with expected behavior in the environment. Monitor unusual connections or connection attempts to the device that may specifically target TFTP or other file-sharing protocols.
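As an added example (not PT NAD code and not part of the original page), the following detector implements the two points above in working form: it dissects TFTP read/write requests (RFC 1350 opcodes 1 and 2) from UDP payloads, which is what the `app_proto == "tftp"` filter identifies, and flags requests to any server outside an allowlist of managed image servers, which is how "unusual connections that target TFTP" can be surfaced. The allowlist address and the sample flows are constructed for the example.

```python
import struct

# TFTP opcodes from RFC 1350. TFTP has no authentication, so the only
# meaningful question for a boot request is whether the server is one
# the environment actually manages.
RRQ, WRQ = 1, 2
TFTP_PORT = 69

# Assumed allowlist of known-good image/config servers (constructed value).
KNOWN_TFTP_SERVERS = {"10.0.0.5"}


def parse_tftp_request(payload: bytes):
    """Return (opcode, filename, mode) for an RRQ/WRQ payload, else None.

    Wire format: 2-byte opcode, filename, NUL, mode, NUL. Anything else
    (DATA, ACK, ERROR, truncated packets) is not a request and is ignored.
    """
    if len(payload) < 4:
        return None
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode not in (RRQ, WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:  # filename and mode must both be NUL-terminated
        return None
    filename = fields[0].decode("ascii", "replace")
    mode = fields[1].decode("ascii", "replace").lower()  # mode is case-insensitive
    return opcode, filename, mode


def find_unexpected_tftp_requests(flows, known_servers=KNOWN_TFTP_SERVERS):
    """Flag TFTP requests whose server is not in the allowlist.

    flows: iterable of (src_ip, dst_ip, dst_udp_port, udp_payload).
    Returns one alert string per unexpected request.
    """
    alerts = []
    for src, dst, dport, payload in flows:
        if dport != TFTP_PORT:
            continue
        parsed = parse_tftp_request(payload)
        if parsed is None or dst in known_servers:
            continue
        opcode, filename, mode = parsed
        kind = "RRQ" if opcode == RRQ else "WRQ"
        alerts.append(f"{src} -> {dst}: TFTP {kind} {filename!r} ({mode}) to unknown server")
    return alerts


# Constructed sample flows: one request to the managed server, one to an
# unknown host, and one non-TFTP UDP packet that must be ignored.
SAMPLE_FLOWS = [
    ("10.0.0.20", "10.0.0.5", 69, b"\x00\x01router-image.bin\x00octet\x00"),
    ("10.0.0.20", "192.168.99.7", 69, b"\x00\x01router-image.bin\x00OCTET\x00"),
    ("10.0.0.20", "10.0.0.5", 53, b"\x12\x34\x01\x00\x00\x01"),
]
```

Run over real traffic, the same logic applies to flows exported by a sensor; only the second sample flow produces an alert.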

ID: DS0029
Data source and component: Network Traffic: Network Connection Creation
Description:

Monitor for newly constructed network device configuration and system image against a known-good version to discover unauthorized changes to system boot, startup configuration, or the running OS. The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor.

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor executed commands and arguments in command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration.

Mitigation

ID: M1031
Name: Network Intrusion Prevention
Description:

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific protocols, such as TFTP, can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific technique used by a particular adversary or tool, and will likely be different across various network configurations.

ID: M1028
Name: Operating System Configuration
Description:

Follow vendor device hardening best practices to disable unnecessary and unused features and services, avoid using default configurations and passwords, and introduce logging and auditing for detection.

ID: M1026
Name: Privileged Account Management
Description:

Use of Authentication, Authorization, and Accounting (AAA) systems will limit actions administrators can perform and provide a history of user actions to detect unauthorized use and abuse. TACACS+ can keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization.

ID: M1035
Name: Limit Access to Resource Over Network
Description:

Restrict use of protocols without encryption or authentication mechanisms. Limit access to administrative and management interfaces from untrusted network sources.

ID: M1047
Name: Audit
Description:

Periodically check the integrity of the running configuration and system image to ensure they have not been modified.

ID: M1046
Name: Boot Integrity
Description:

Enable secure boot features to validate the digital signature of the boot environment and system image using a special-purpose hardware device. If the validation check fails, the device will fail to boot, preventing the loading of unauthorized software.