Adversaries may gain initial access to target systems by connecting to wireless networks. They may accomplish this by exploiting open Wi-Fi networks used by target devices or by accessing secured Wi-Fi networks — requiring Valid Accounts — belonging to a target organization.[1][2] Establishing a connection to a Wi-Fi access point requires a certain level of proximity to both discover and maintain a stable network connection.
Adversaries may establish a wireless connection through various methods, such as by physically positioning themselves near a Wi-Fi network to conduct close access operations. To bypass the need for physical proximity, adversaries may attempt to remotely compromise nearby third-party systems that have both wired and wireless network connections available (i.e., dual-homed systems). These third-party compromised devices can then serve as a bridge to connect to a target’s Wi-Fi network.[2]
Once an initial wireless connection is achieved, adversaries may leverage this access for follow-on activities in the victim network or further targeting of specific devices on the network. Adversaries may perform Network Sniffing or Adversary-in-the-Middle activities for Credential Access or Discovery.
ID | Name | Description |
---|---|---|
G0007 | APT28 | APT28 has exploited open Wi-Fi access points for initial access to target devices using the network.[2][1] |
C0051 | APT28 Nearest Neighbor Campaign | During APT28 Nearest Neighbor Campaign, APT28 established wireless connections to secure, enterprise Wi-Fi networks belonging to a target organization for initial access into the environment.[2] |
ID | Mitigation | Description |
---|---|---|
M1041 | Encrypt Sensitive Information | Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure that web traffic that may contain credentials is protected by SSL/TLS. |
M1032 | Multi-factor Authentication | Harden access requirements for Wi-Fi networks by using two or more pieces of evidence to authenticate, such as a username and password in addition to a token from a physical smart card or token generator. |
M1030 | Network Segmentation | Network segmentation can be used to isolate infrastructure components that do not require broad network access. Separate networking environments for Wi-Fi and Ethernet-wired networks, particularly where Ethernet-based networks allow for access to sensitive resources. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0018 | Firewall | Firewall Rule Modification | Monitor for changes made to firewall rules for unexpected modifications to allow specific network traffic that may maliciously modify components of a victim environment in order to move laterally. |
DS0029 | Network Traffic | Network Connection Creation | Monitor for newly constructed network connections that are sent to or received by abnormal or untrusted hosts. |
DS0029 | Network Traffic | Network Traffic Flow | Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware. |
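As an added example of the Network Traffic Flow detection above (not part of the ATT&CK page itself), the script below reads DHCP lease records from the Wi-Fi segment and flags any hardware whose MAC address is not in the asset inventory, distinguishing an uninventoried device with an organization-issued OUI from one with a foreign vendor prefix. The inventory, OUI list and lease lines are constructed sample data, and the dnsmasq lease-file layout (expiry, MAC, IP, hostname, client-id) is an assumption.

```python
# Flag DHCP leases from hardware not in the asset inventory (Network Traffic Flow).
# The inventory, OUI list and lease lines are constructed sample data; the
# dnsmasq lease-file layout (expiry, MAC, IP, hostname, client-id) is assumed.

# Constructed asset inventory: MAC -> asset tag.
INVENTORY = {
    "aa:bb:cc:00:00:01": "wlan-laptop-0412",
    "aa:bb:cc:00:00:02": "wlan-printer-07",
}

# Constructed OUI prefixes (first three octets) the organization issues.
APPROVED_OUIS = {"aa:bb:cc"}

# Constructed dnsmasq.leases content.
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:00:00:01 10.10.50.21 laptop-0412 01:aa:bb:cc:00:00:01
1700000010 aa:bb:cc:00:00:02 10.10.50.22 printer-07 *
1700000020 de:ad:be:ef:00:01 10.10.50.23 * 01:de:ad:be:ef:00:01
1700000030 aa:bb:cc:00:00:09 10.10.50.24 android-3f2 *
"""


def parse_leases(text):
    """Yield (mac, ip, hostname) from dnsmasq-style lease lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        yield fields[1].lower(), fields[2], fields[3]


def find_unknown_hardware(lease_text, inventory=INVENTORY, ouis=APPROVED_OUIS):
    """Return (mac, ip, hostname, reason) for every lease whose MAC is not
    inventoried; reason distinguishes an approved OUI from a foreign vendor."""
    findings = []
    for mac, ip, host in parse_leases(lease_text):
        if mac in inventory:
            continue  # known asset, nothing to report
        reason = "not in inventory" if mac[:8] in ouis else "unknown vendor OUI"
        findings.append((mac, ip, host, reason))
    return findings


if __name__ == "__main__":
    for mac, ip, host, reason in find_unknown_hardware(SAMPLE_LEASES):
        print(f"{ip} {mac} ({host}): {reason}")
```

In practice the lease file would be read from the Wi-Fi DHCP server and the inventory from the asset database; a hit with an unknown vendor OUI on the Wi-Fi segment is the case worth correlating with the segmentation and firewall data sources above.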