Introduction

Network sniffing may conjure images of a network-based bloodhound to some, but in the world of information security, it means the ability to capture or monitor information sent over a network. Attackers and malicious hackers use network sniffing to help them in the discovery phase of an attack. This method is listed in MITRE’s ATT&CK matrix. 

This article will detail the network sniffing attack technique, explain what MITRE ATT&CK is, tell you a little about network sniffing, show some real-world examples of network sniffing and provide some tips for mitigation and detection. 


What is MITRE ATT&CK?

MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organization capabilities to its knowledge base — including cybersecurity.

To this end, MITRE released the MITRE ATT&CK list as a globally accessible knowledge base of adversary techniques and tactics based upon real-world observations. This information can then be used as the basis for the foundation of the development of threat models and methodologies for the cybersecurity product/service community, the private sector and government use. 

More information on the MITRE ATT&CK matrix can be found here.

A little (or more than a little) about network sniffing

Before you understand network sniffing, you have to understand how it fits into the big picture of an attack. Network sniffing belongs to the “discovery” portion of an attack. Basically, this is when attackers are trying to learn about a target network before they commit themselves to the attack. Discovery is a vital part of an attack, as this reconnaissance type of information can determine which attack techniques are used, where to attack, when to attack and more. 

Network sniffing involves using software or other interface to learn about information moving over a network without alerting or redirecting it. When it was still relatively new, only network engineers and others with legitimate purposes used network sniffing. Over time, network sniffers became freely available on the internet, allowing attackers and malicious hackers to add it to their tool kits. 

This miniscule investment of time and effort into applying a network sniffer to a target environment can pay some serious dividends. Sensitive information gathered can involve passwords, login credentials, names of users and other information — especially if moving over an unencrypted, insecure protocol. 

Aside from user information, treasure troves of system and network information can be found, including version numbers, running services and other network characteristics (IP addresses, VLAN IDs and so on) that can assist in later stages of the attack. Attackers can also use name service resolution poisoning techniques to capture website credentials, internal systems and proxies by redirecting legitimate network traffic to an attacker.

There are different ways that network sniffing can help learn about an environment. One example occurs when the software or interface is configured to promiscuous mode, where the network sniffer passively accesses information flowing over the network. If a larger amount of information is desired, span ports or mirror ports (on the network routing switch) can be used to this effect. 

Real-world examples of network sniffing

When an attack technique has been used in different ways by different actors, a great way to examine it is to get a brief idea of the different ways it has been used. 

The following are notable examples of network sniffing being used in the real world by threat groups and others.

APT33

Also known as Elfin, this threat group has attacked targets worldwide and provides us with a standard example of using software to engage in network sniffing. One of the many tools this group uses is called SniffPass, a tool which APT33 has used to great effect for stealing passwords through network sniffing. 

APT28

This notorious threat group, attributed to Russian intelligence as of 2018, has been a thorn in the side of many high-profile victims since it began back in 2004. Known by many names (including Fancy Bear), APT28 used Responder, an open-source tool, to perform NetBIOS name service poisoning. This allowed them to capture hashed passwords and usernames, which led to APT28 accessing legitimate credentials.

Emotet

Emotet is actually a tool, not a threat group, but it has earned a mention on this list. Using a completely different method than those listed above, this tool has the ability to monitor network traffic by hooking network APIs. 

These APIs include:

  • PR_OpenTcpSocket
  • PR_Write
  • PR_Close
  • PR_GetNameForIndentity
  • Closesocket
  • Connect
  • Send
  • WsaSend

Impacket

Impacket is a tool programmed in Python that takes the packet capture approach to network sniffing. Impacket can perform network sniffing by using either the pcapy library or a raw socket to listen for packets in transit. This tool can be used on Windows, Linux and macOS systems.

Mitigation

Network sniffing can be mitigated by using conventional information security means and without too much difficulty. MITRE recommends that encryption best practices are used, including protecting web traffic likely to contain credentials with SSL/TLS. Their second recommendation for mitigation is to use multi-factor authentication, which is becoming an information security mainstay and should not burden an organization too much. 

Detection

Network sniffing can be detected most easily by detecting events that precede network sniffing. Things to keep an eye out for include:

  • At the enclave network level, look out for information flow changes caused by attackers using the man-in-the-middle attack (without it being to or from the compromised system)
  • Gratuitous ARP broadcasts and ARP spoofing
  • Compromised systems can be detected by auditing administrator logins, device images and configuration changes

Conclusion

Network sniffing is a relatively standard method of uncovering information about a target network in the discovery phase of an attack. Chances are if you have been attacked, network sniffing and related practices have probably been used against you. 

The good thing about this attack technique is that it is easy to mitigate and fairly straightforward to detect, which should make you (or your security team) sleep a little easier at night.

 

Sources

  1. MITRE ATT&CK Matrix, MITRE
  2. MITRE ATT&CK: Network Sniffing, MITRE
  3. New Banking Malware Uses Network Sniffing for Data Theft, Trend Micro. 
  4. Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S., Symantec
  5. Impacket, SecureAuth