Time
8 hours 28 minutes
Difficulty
Beginner
CEU/CPE
10

Video Transcription

00:00
hello and welcome to another application of the minor attack framework discussion. Today, we're going to be looking at browser extension. So with that, let's go ahead and jump on over to our objectives. So the objectives four to today's discussion or is followed.
00:18
So we're going to describe what browser extension is as faras within the minor attack framework
00:23
and how that's used. How have browser extensions been used? What are some mitigation techniques? And, of course, we're going around out with some detection techniques as well. So let's go ahead and jump right in.
00:36
So browser extension, as it is listed in the minor attack framework, is involving things like plug ins or programs that could be added to or provide function to and customization of Internet browsers.
00:52
That's a great thing, right? We love things that make our lives easier, that make our lives more convenient. Password managers are coupon cutters,
01:00
whatever honey token things were doing or something of that nature. But in this case,
01:07
that is not always a great thing. Malicious extensions can be installed through malicious applications and downloads that may seem legitimate through things like social engineering or through some phase of an already installed malicious payload. And so these extensions allow threat actors to do things like a website browsing in the background,
01:26
stealing information a user inputs into the browser commanding control purposes,
01:32
and then for the installation of other tools such as rants or remote access tools. And so there are a lot of different things that browser extensions can achieve. I know that some of my best experiences as far as helping
01:47
folks with system issues just from personal stories that I like to share with other folks
01:53
is any time you have a user that's complaining of slow system, that's having problems and they don't understand it with acting fine yesterday. And so the first thing you do
02:02
and she start to investigate Askew, open up a Web browser. And lo and behold, a good quarter of the top of that has just all these different plug ins and extensions and pieces. And you kind of shake your head and hang it low and, you know, start doing some virus scanning and some other questions and clean up activity.
02:22
So browser extensions have been used and have been around for quite some time.
02:25
So let's talk real quick about an application of that are looking at a particular threat group. So Kim Suki and Google Chrome so information indicates that the group has been active since September of 2013 so they've been around for a little bit.
02:44
A report released in December
02:46
of 2018 indicated that the group infected systems using a Google chrome extension. Kato still passwords cookie information and, of course, do other things to those systems. So several fishing campaigns were essentially conducted using the extension on the academic sector,
03:04
with no information on the victims provided at this time.
03:07
And so it's looking like based on some reading and research,
03:12
that a part of the attack was motivated, of course, by the research the academics were doing, and they're given fields such as biomedical engineering. And so when we think about threat groups, often times they come in different flavors and forms that can be state funded criminal organizations. But they're very sophisticated,
03:30
and so it would make sense
03:31
that they made target research and academia and things of that nature because there could be technologies or discoveries or things that we're working on that they could take advantage of and So
03:44
again, as you'll note here, this keeps coming up. Fishing campaigns and things of that. Nature continued to be a savvy way for these folks to get these extensions in and to take advantage of that good old user trust. Now
03:59
let's talk about some mitigation techniques with respect to browser extensions and what's going on there.
04:04
So set extension white or black lists as appropriate for the business security policy. So again,
04:12
we really want to make sure that policies and procedures are in place to allow us to effectively implement controls and to enforce those controls if we're not implementing controls based on security policies are based on risk management activities than we could really be shooting in the dark and hoping that we're hitting the mark.
04:30
Do not allow the installation of software by standard user accounts and practice lease privilege
04:36
again. Least privileges coming back into that. Make sure that you have to at least maybe elevate your privilege via command. All right, right click or some type of prompt prior to being able to install something so that nothing can just run outright without some type of prompt or warning,
04:54
and then implement regular in user awareness training covering such attack methods again.
04:59
A lot of these things, especially when we're involving phishing attacks and things of that nature
05:04
training and the human element, is going to be the last line of defense when all other technical components fail. And so having that human element, well educated and strong, is going to help us to mitigate these types of risks. But
05:18
I beg to ask a question
05:23
that maybe some of you caught and maybe some of you are thinking about, and I think this is a good time to bring it up.
05:29
So in the previous slide,
05:31
the attack was specific
05:34
to the academic sector.
05:38
And so we're dealing with researchers and students and people of that caliber and nature. So when I was a student and I'm always a student, it feels like
05:48
I used university laptops or desktops as they were available in a lab setting. Maybe,
05:58
But for the most part I did my research and my paper writing and submissions and email checking and all of those things on my personal device.
06:09
So how
06:11
then do we start to protect
06:15
academic information such as, ah, persons thesis or research that could be
06:21
pertinent to bettering our nation or whatever the case may be. Wherever you're at
06:28
right, do we keep that research in a cloud based system that is protected and we don't keep it on local systems? But then, who ultimately owns the research? Is it the property of the person doing the research? The person that is is designing that system or the person that is doing that, or since it's funded by the college,
06:47
does the college or university have ultimate authority and control over the information?
06:54
So as you can see, this particular topic kind of led to some very interesting questions with respect to how we would handle those mitigation techniques. So keep that in mind as you designed security policies and procedures,
07:06
depending on the industry in the area that you're working. And that may change the way in which you have to approach these controls. So let's talk about some detection techniques real quick as well. So you could audit Web browser extensions to ensure that the ones installed or for business purpose on Lee, and that they're not masquerading as legitimate ones.
07:25
We can use network monitoring tools,
07:28
toe look for communications with command and control servers. If we've got a known blacklist of those,
07:33
and then we can monitor for new files written to the registry or portable execution files written to the disk. So all great things again that we can do if we have the tools in place that allow us to do so and the systems belong to the organization. Question. Because again, when we start to blur the lines between
07:53
personally owned devices
07:55
versus the property of an organization or a university, that can make these controls in these detection methodologies a little bit more difficult to implement. So with that in mind, let's go ahead and do a quick check on learning. True or false browser extension attacks are limited to Web browsers like Google Chrome.
08:15
All right, well, if you need some additional time Teoh research or think about this question, please pause the video so browser extension attacks are limited to Web browsers like Google chrome. Well,
08:26
the good news is, is that they are not limited to just where browsers like Google chrome they can be. Any browser that can install an extension
08:35
could be susceptible to these types of attacks and So in this case, this is not a true statement. It is a false statement. Now, with that, let's go ahead and jump over to our summary. So today we looked at and described browser extension browser extensions essentially being applications, plug ins,
08:56
customization
08:56
to the Web browser and your overall browsing experience. We reviewed how browser extensions have been used in ways in which we can still cookies or do things of that nature. Still, passwords still data or use maybe the browser on the system without the knowledge of the end user.
09:13
We reviewed some mitigation techniques again, such as validating
09:18
those particular extensions as faras. That would be more detection. Sorry with mitigation techniques. It would be not allowing the installation of maybe unsigned plug ins or maybe not allowing installation at all without administrative intervention and then for detection techniques. Looking for known bad browser
09:37
four gins as well as maybe auditing for commanding control. At type activity would be beneficial. Do is well,
09:43
so with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon

Up Next

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Instructor Profile Image
Robert Smith
Director of Security Services at Corsica
Instructor