MITRE ATT&CK: Port knocking

Introduction

Ports are like the doors into or out of a network, where information must pass through them to enter or exit an organization’s network. Now, when you knock on a door in physical reality, it is a cue for those on the inside to let you in. Port knocking is a little different: instead of somebody letting you in if you knock, sending packets with the right characteristics will open the port. This has been used as an attack technique and is listed in the MITRE ATT&CK matrix. 

This article will detail the port-knocking attack technique and explore what MITRE ATT&CK is, what port knocking is, where port knocking fits into the overall attack operation, the different ways to port knock and some real-world examples of this attack technique, as well as mitigation and detection techniques for port knocking.

What is MITRE ATT&CK?

MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organization capabilities to its knowledge base — including cybersecurity.

To this end, MITRE released the MITRE ATT&CK list as a globally accessible knowledge base of adversary techniques and tactics based on real-world observations. This information can then be used as the basis for the foundation of the development of threat models and methodologies for cybersecurity product/service community, the private sector and government use. More information on the MITRE ATT&CK matrix can be found here.

What is port knocking?

For information to be passed through a port, said port needs to first be enabled. This is intended as a barrier to malicious activity, but like many other security safeguards, attackers can bypass this minor security measure. Port knocking is what will open up these closed ports and allow information (Read more...)