Dark Mode
Capec-700 Detail
Network Boundary Bridging
Standard Communications Software Hardware Likelihood: Medium Typical Severity: High
Parents: 161
An adversary which has gained elevated access to network boundary devices may use these devices to create a channel to bridge trusted and untrusted networks. Boundary devices do not necessarily have to be on the network’s edge, but rather must serve to segment portions of the target network the adversary wishes to cross into.
Network boundary devices are network devices such as routers and firewalls which segment networks by restricting certain types of traffic from flowing through the device. Network boundary devices are often directly accessible through a portal page for management purposes. An adversary’s goal when conducting network boundary bridging is to connect networks which are being segmented by the device. To do so, the adversary must first compromise the network boundary device.
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-700 | capec | https://capec.mitre.org/data/definitions/700.html | |
| T1599 | ATTACK | https://attack.mitre.org/wiki/Technique/T1599 | Network Boundary Bridging |
| REF-746 | reference_from_CAPEC | https://www.cisa.gov/uscert/ncas/alerts/TA18-106A | CISA, Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices, 2018--04---16 |
Explore
-
Identify potential targets: An adversary identifies network boundary devices that can be compromised.
| Techniques |
|---|
| The adversary traces network traffic to identify which devices the traffic flows through. Additionally, the adversary can identify devices using fingerprinting methods or locating the management page to determine identifying information about the device. |
Experiment
-
Compromise targets: The adversary must compromise the identified targets in the previous step.
| Techniques |
|---|
| Once the device is identified, the adversary can attempt to input known default credentials for the device to gain access to the management console. |
| Adversaries with sufficient identifying knowledge about the target device can exploit known vulnerabilities in network devices to obtain administrative access. |
Exploit
-
Bridge Networks: The adversary changes the configuration of the compromised network device to connect the networks the device was segmenting. Depending on the type of network boundary device and its capabilities, bridging can be implemented using various methods.
| Techniques |
|---|
| The adversary can abuse Network Address Translation (NAT) in firewalls and routers to manipulate traffic flow to their own design. With control of the network device, the adversary can manipulate NAT by either using existing configurations or creating their own to allow two previously unconnected networks to communicate. |
| Some network devices can be configured to become a proxy server. Adversaries can set up or exploit an existing proxy server on compromised network devices to create a bridge between separate networks. |
- The adversary must have control of a network boundary device.
- The adversary requires either high privileges or full control of a boundary device on a target network.
| Medium |
|---|
| The adversary must understand how to manage the target network device to create or edit policies which will bridge networks. |
| Integrity | Authorization | Access Control | Confidentiality |
|---|---|---|---|
| Alter Execution Logic | Alter Execution Logic | Read Data | Read Data |
| Hide Activities | Hide Activities | Bypass Protection Mechanism | Bypass Protection Mechanism |
- In November 2016, a Smart Install Exploitation Tool was released online which takes advantage of Cisco’s unauthenticated SMI management protocol to download a target’s current configuration files. Adversaries can use this tool to overwrite files to modify the device configurations, or upload maliciously modified OS or firmware to enable persistence. Once the adversary has access to the device’s configurations, they could modify it to redirect network traffic through other network infrastructure.