Blockchain Hacker

Apply MITRE ATT&CK Tactics to Web3: Part 2

Amo

Active Scanning

Overview: This is the second in a series in which we apply the Tactics of the MITRE ATT&CK framework to Web3, in an effort to use mature cybersecurity concepts in the emerging space of decentralized applications. We hope that exploring the corollaries and differentiators will help develop a better understanding of where security mitigation and detection can be improved.

When applying Active Scanning, the first of the specific techniques listed under the Enterprise MITRE ATT&CK Reconnaissance tactic, to Web3 projects, some adjustments and considerations need to be made due to the decentralized nature of Web3 applications. Let’s explore how the sub-techniques of “Active Scanning” can be adapted to Web3.

Under the general technique of Active Scanning the MITRE ATT&CK framework places three specific sub-techniques:

  • Scanning IP Blocks
  • Vulnerability Scanning
  • Wordlist Scanning

Let’s dive more deeply into these to see what we can find in Web3 that makes sense.

Scanning IP Blocks:

In traditional enterprise environments, scanning IP blocks involves identifying and probing a range of IP addresses to gather information about potential targets. This technique involves using tools like nmap to feel out various nodes. Less intrusive and less detectable scans, such as SYN-based probes and ICMP echo requests and responses, can be performed with stealth, while more nuanced and informative scans may reveal all variety of data but increasingly risk detection. However, the very concept of Web3 projects is to eliminate centralized networks in favor of interacting with blockchain networks and decentralized systems like IPFS, so naturally the relevance of Scanning IP Blocks as a technique comes into question.

At this point it would seem that such techniques are very much relevant, with differences in the specifics. The Web3 cybersecurity expert must be aware of more than just the vulnerabilities of infrastructure and applications like web servers that may host various parts of a project’s infrastructure, albeit in a greatly reduced capacity. With the introduction of blockchain nodes and the host servers being used as part of the decentralized network, we see new areas for concern when it comes to scans that correlate to IP Blocks.

Within the MITRE ATT&CK framework the mitigation is categorized as “Pre-Compromise”, and the framework states that:

“This technique cannot be easily mitigated since it’s based on behaviors performed outside the scope of enterprise defense and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.”

In a Web3 context, we know that mitigations are built in by design. Risks caused by centralization and exposure of sensitive data are counteracted by decentralization and cryptographic means. Still there are many parts of Web3 that are not as fully developed in this regard and so projects may still be vulnerable from this direction. Legacy, centralized infrastructure is still utilized and so many projects retain the inherent risks.

When it comes to the MITRE ATT&CK recommendation for detection this becomes even trickier, as monitoring network data for uncommon data flows in Blockchain Network Analysis is still an emerging field. Understanding the topology, nodes, and interactions is still very niche, but certainly an area that has evolved greatly in a very short time with work by companies like Chainalysis.

The Web3 cybersecurity professional must be prepared to cast a wide conceptual net when looking at detection of possible threats from others scanning their systems, including analyzing the distribution of nodes, examining network statistics, and identifying potential points of interest, vulnerabilities, or data flows that might be monitored for suspicious activity.
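As an added example of the detection side of this section (not code from the original post), the script below runs a simple port-sweep detector over firewall log lines from a node host. The log lines, the source addresses and the log format are constructed for the example; the service port mapping (30303 devp2p, 8545 JSON-RPC, 22 SSH) assumes a typical EVM node deployment and should be adjusted to your own. A source is flagged when it touches at least `min_ports` distinct destination ports inside a sliding time window, and the report notes which node services were among the probed ports; the window parameter is what lets you catch a slow sweep that a fixed one-minute view would miss.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed service ports on a hypothetical EVM node host (typical defaults).
NODE_SERVICES = {30303: "p2p", 8545: "json-rpc", 22: "ssh"}

# Constructed sample firewall log (iptables-like layout; not a real capture).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=22 FLAGS=SYN
2024-05-01T10:00:02Z SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=80 FLAGS=SYN
2024-05-01T10:00:03Z SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=443 FLAGS=SYN
2024-05-01T10:00:04Z SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=8545 FLAGS=SYN
2024-05-01T10:00:05Z SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=30303 FLAGS=SYN
2024-05-01T10:00:06Z SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=3389 FLAGS=SYN
2024-05-01T10:01:00Z SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP DPT=30303 FLAGS=SYN
kernel: link up on eth0
2024-05-01T10:02:00Z SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP DPT=8545 FLAGS=SYN
2024-05-01T10:02:30Z SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP DPT=22 FLAGS=SYN
2024-05-01T10:03:00Z SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP DPT=30303 FLAGS=SYN
2024-05-01T10:05:00Z SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP DPT=30303 FLAGS=SYN
2024-05-01T10:10:00Z SRC=203.0.113.200 DST=198.51.100.10 PROTO=TCP DPT=21 FLAGS=SYN
2024-05-01T10:15:00Z SRC=203.0.113.200 DST=198.51.100.10 PROTO=TCP DPT=25 FLAGS=SYN
2024-05-01T10:20:00Z SRC=203.0.113.200 DST=198.51.100.10 PROTO=TCP DPT=110 FLAGS=SYN
2024-05-01T10:25:00Z SRC=203.0.113.200 DST=198.51.100.10 PROTO=TCP DPT=143 FLAGS=SYN
2024-05-01T10:30:00Z SRC=203.0.113.200 DST=198.51.100.10 PROTO=TCP DPT=8545 FLAGS=SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"], "dst": m["dst"], "proto": m["proto"],
        "dpt": int(m["dpt"]), "flags": m["flags"],
    }


def find_scanners(lines, window_seconds=60, min_ports=5):
    """Return {src: summary} for sources that hit >= min_ports distinct ports
    within any window of window_seconds. Repeated hits on one port (a normal
    peer reconnecting to devp2p) never trigger on their own."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        left, flagged = 0, False
        for right, ev in enumerate(events):
            # Slide the left edge until the window fits within window_seconds.
            while (ev["ts"] - events[left]["ts"]).total_seconds() > window_seconds:
                left += 1
            if len({e["dpt"] for e in events[left:right + 1]}) >= min_ports:
                flagged = True
                break
        if flagged:
            ports = sorted({e["dpt"] for e in events})
            findings[src] = {
                "ports": ports,
                "node_services": sorted(NODE_SERVICES[p] for p in ports if p in NODE_SERVICES),
                "first_seen": events[0]["ts"].isoformat(),
                "last_seen": events[-1]["ts"].isoformat(),
            }
    return findings


if __name__ == "__main__":
    for name, window in (("fast sweep (60s window)", 60), ("slow sweep (1h window)", 3600)):
        print(name)
        for src, info in find_scanners(SAMPLE_LOG.splitlines(), window_seconds=window).items():
            print(f"  {src}: ports={info['ports']} node_services={info['node_services']}")
```

With the default one-minute window only the fast sweep from 203.0.113.5 is reported; widening the window to an hour also surfaces the slow sweep from 203.0.113.200, which spaces its probes five minutes apart. Tuning `window_seconds` and `min_ports` against your own peer churn is the practical work here: a public devp2p port sees many unsolicited connections that are not scans.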

Vulnerability Scanning

Vulnerability scanning in traditional enterprise environments typically involves scanning systems and networks for known vulnerabilities based on outdated components (OWASP A06–2021). This is definitely a problem we have seen repeatedly in Web3, as code reuse through inheritance and libraries is rightfully part and parcel of the ethos. The problem is that this demands updating code as new vulnerabilities are discovered, and doing so before these attack vectors are exploited.

This type of scan could also be expanded broadly to include techniques which will be covered more specifically elsewhere, such as under the “Gather Victim Host Information” technique. As defined in the MITRE ATT&CK framework:

“Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts. Information from these scans may reveal opportunities for other forms of reconnaissance, establishing operational resources and/or initial access.”

In a decentralized Web3 project, where individual users are meant to have control over their own assets and interactions, the concept of vulnerability scanning may involve completely different approaches and new utilities that have not yet been created. To start with, let’s just break this into two areas that may be scanned for known vulnerabilities: Smart Contracts and Web3 Dependencies.

Scanning Smart Contracts

Web3 applications are often made up of many smart contracts through inheritance, library inclusion and interaction. Scanning of all the smart contracts used in a Web3 project can identify vulnerabilities and potential attack vectors that developers may miss. There are also many issues that can arise from the nature of performing updates in open source systems, which are difficult to change by design. This can result in exposure to known bugs from shared code that have not yet been fully mitigated while a project works through the correction process. To find these types of vulnerabilities one might employ static and dynamic analysis tools specifically targeted at Smart Contract code, identifying potential weaknesses and assessing the potential impact of specific vulnerabilities.

Dependency Analysis

Assessing the dependencies and third-party components utilized within the Web3 project, such as external libraries, Oracle integrations, or token standards, is another vector that can be discovered by scanning blockchains and related Web3 systems. Identifying known vulnerabilities or potential risks associated with these dependencies is crucial to ensure the overall security of Web3 projects.
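To make the “Scanning Smart Contracts” and “Dependency Analysis” points concrete, here is an added example (not code from the original post or from any real tool) of the core of a dependency checker for a Solidity project. It resolves the packages a project imports, looks up the version actually installed from a lockfile-style mapping, and matches that version against an advisory table with semver-style ranges. The package names, versions, advisory identifiers and contract sources are all constructed placeholders; in practice the advisory table would be fed from a real vulnerability database and the installed versions from the project’s lockfile.

```python
import re
from collections import defaultdict

# Constructed advisory table for illustration only: these are NOT real
# advisories, packages or vulnerable ranges.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "@example/token-lib",
     "affected": ">=4.0.0 <4.9.3", "fixed": "4.9.3",
     "summary": "placeholder: unchecked return value in SafeTransfer"},
    {"id": "EXAMPLE-ADV-0002", "package": "@example/oracle-adapter",
     "affected": "<2.0.0", "fixed": "2.0.0",
     "summary": "placeholder: stale price accepted without heartbeat check"},
]

# Constructed lockfile view: package -> version installed in the project.
INSTALLED = {"@example/token-lib": "4.8.1", "@example/oracle-adapter": "2.1.0"}

# Constructed project sources (path -> Solidity text).
SOURCES = {
    "contracts/Vault.sol": (
        "pragma solidity ^0.8.20;\n"
        'import "./IVault.sol";\n'
        'import "@example/token-lib/utils/SafeTransfer.sol";\n'
        "contract Vault is IVault { }\n"
    ),
    "contracts/PriceFeed.sol": (
        "pragma solidity ^0.8.20;\n"
        'import {IOracle} from "@example/oracle-adapter/IOracle.sol";\n'
        'import "@example/unlisted-lib/Math.sol";\n'
        "contract PriceFeed { }\n"
    ),
}

# Matches both `import "x";` and `import {A, B} from "x";`.
IMPORT_RE = re.compile(r'import\s+(?:\{[^}]*\}\s+from\s+)?["\']([^"\']+)["\']')
RANGE_TOKEN_RE = re.compile(r"^(>=|<=|==|>|<|=)(\d+(?:\.\d+)*)$")


def parse_version(text):
    """'4.9' -> (4, 9, 0): pad to three components so tuples compare cleanly."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def satisfies(version, range_spec):
    """True if version meets every space-separated constraint in range_spec."""
    v = parse_version(version)
    for token in range_spec.split():
        m = RANGE_TOKEN_RE.match(token)
        if not m:
            raise ValueError(f"bad range token: {token}")
        op, bound = m.group(1), parse_version(m.group(2))
        ok = {">=": v >= bound, "<=": v <= bound, ">": v > bound,
              "<": v < bound, "==": v == bound, "=": v == bound}[op]
        if not ok:
            return False
    return True


def package_of(import_path):
    """Map an import path to its package name; relative imports return None."""
    if import_path.startswith("."):
        return None
    parts = import_path.split("/")
    return "/".join(parts[:2]) if parts[0].startswith("@") else parts[0]


def imported_packages(sources):
    """{package: {files that import it}} across all source files."""
    result = defaultdict(set)
    for path, text in sources.items():
        for imp in IMPORT_RE.findall(text):
            pkg = package_of(imp)
            if pkg:
                result[pkg].add(path)
    return result


def scan(sources, installed, advisories):
    """Report vulnerable packages and packages whose version cannot be resolved."""
    findings = []
    for pkg, files in sorted(imported_packages(sources).items()):
        version = installed.get(pkg)
        if version is None:
            # An import with no pinned version is itself a finding: it cannot be audited.
            findings.append({"package": pkg, "files": sorted(files), "status": "unknown-version"})
            continue
        for adv in advisories:
            if adv["package"] == pkg and satisfies(version, adv["affected"]):
                findings.append({"package": pkg, "files": sorted(files), "status": "vulnerable",
                                 "installed": version, "advisory": adv["id"], "fixed": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for f in scan(SOURCES, INSTALLED, ADVISORIES):
        print(f)
```

Two things the example surfaces that a plain grep for package names would not: the oracle adapter is imported but its installed version is outside the affected range, so it is correctly not reported, and an import whose version cannot be resolved is reported as its own finding rather than silently skipped.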

Wordlist Scanning:

Wordlist scanning typically involves conducting targeted searches using wordlists to identify potential sensitive information, such as usernames or passwords. As the MITRE ATT&CK says under this technique,

“Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. While this technique employs similar methods to Brute Force, its goal is the identification of content and infrastructure rather than the discovery of valid credentials. Wordlists used in these scans may contain generic, commonly used names and file extensions or terms specific to a particular software. Adversaries may also create custom, target-specific wordlists using data gathered from other Reconnaissance techniques.”

In the context of Web3 projects, generic or commonly used names and file extensions used in wordlist scanning don’t seem particularly applicable. However, there may be some areas that should be addressed, specifically the use of Cloud infrastructure that is not decentralized. The discovery of storage objects may be leveraged by adversaries, and if these contain artifacts or data that are leaked it may be a way for an industrious attacker to exfiltrate information, escalate privileges and move laterally. That is why many projects take a security-first approach in this arena and why we need to address a couple of areas of concern. Another area of concern is Data Leakage from Smart Contracts. This may involve the use of blockchain event logs that can be discovered by Wordlist scanning and then used later as part of an attack.

Mitigation and Detection for Active Scanning

In terms of mitigation and detection the MITRE ATT&CK framework offers nearly identical conclusions for both Vulnerability and IP scanning, i.e. minimize sensitive data availability and monitor for anomalies. In our analysis we would add the mitigations of diligence in keeping abreast of code security vulnerabilities and applying best practices in design with regard to efficient update paths for Smart Contracts and Dependencies.

In the Web3 world we find obvious correlations with existing Enterprise cybersecurity risks, but with the added caveat that the open nature of these applications and the alignment of incentives for participants can act as both help and hindrance. Correctly designed there should be a community involved and motivated to monitor and detect risk through active scanning. The expectation is that services and tools will further this effort as the space continues to mature.

To mitigate the problems associated with Wordlist scanning we can engage in a thorough and ongoing Data Privacy strategy: ensuring that the Web3 project adheres to best practices that go beyond those imposed by regulators, such as General Data Protection Regulation (GDPR) compliance. This involves reviewing the storage and handling of administrator and user data, assessing access controls, and implementing appropriate privacy measures at every step. There have been a number of Web3 projects that have been devastated by the exposure of cryptographic keys in a forgotten file.
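The data-leakage concern raised under Wordlist Scanning and the “keys in a forgotten file” failure above both come down to the same review step: scan what the project stores before an adversary’s wordlist finds it. As an added example (not code from the original post or from any named tool), the script below runs a small secret scanner over a repository snapshot. The file tree, the key-like hex string and the twelve-word phrase are all constructed for the example and are not real credentials. The scanner looks for 64-hex-digit private keys (with a Shannon entropy check so an all-zero placeholder is not reported), BIP-39-style mnemonic phrases of exactly 12 or 24 lowercase words, and `.env`-style secret assignments that hold a real value rather than a placeholder; it reports only a redacted preview so the scanner output itself never becomes the leak.

```python
import math
import re
from collections import Counter

# Constructed repository snapshot (path -> file text). Every value below is
# made up for this example; the 64-hex string and the phrase are not real secrets.
SAMPLE_TREE = {
    "README.md": "\n".join([
        "# Vault deployment",
        "Deployed at 0x1234567890abcdef1234567890abcdef12345678 on the test network.",
        "Never commit keys. Placeholder form: 0x" + "0" * 64,
    ]),
    "scripts/deploy.js": "\n".join([
        'const { Wallet } = require("ethers");',
        'const deployer = new Wallet("0x4c0883a69102937d6231471b5dcb1ea4b1ffc0c0c8a0c9f3b8d24a6b9f0a1e2d");',
        "module.exports = deployer;",
    ]),
    "config/.env": "\n".join([
        "PRIVATE_KEY=<fill in locally>",
        "RPC_API_KEY=",
        'DEPLOYER_MNEMONIC="orbit canvas lemon trumpet shadow gravel mosaic pepper violin hazard ribbon cactus"',
    ]),
}

# Exactly 64 hex digits, optional 0x, not embedded in a longer hex run (so a
# 40-digit address or a longer hash does not match).
HEX_KEY_RE = re.compile(r"(?<![0-9a-fA-F])(?:0x)?([0-9a-fA-F]{64})(?![0-9a-fA-F])")
SECRET_NAME_RE = re.compile(
    r"^\s*(?:export\s+)?([A-Z0-9_]*(?:KEY|SECRET|MNEMONIC|TOKEN)[A-Z0-9_]*)\s*=\s*(.*)$")
PLACEHOLDERS = {"", "changeme", "xxx", "..."}
ENTROPY_THRESHOLD = 3.0  # bits per char: random hex is about 3.8, "000..." is 0


def shannon_entropy(text):
    """Bits of entropy per character of text (0.0 for empty or single-symbol text)."""
    n = len(text)
    if not n:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_like_mnemonic(value):
    """Heuristic: 12 or 24 lowercase alphabetic words of BIP-39 word length (3-8)."""
    words = value.strip().strip("\"'").split()
    return len(words) in (12, 24) and all(
        w.isalpha() and w.islower() and 3 <= len(w) <= 8 for w in words)


def is_placeholder(value):
    v = value.strip().strip("\"'")
    return v.lower() in PLACEHOLDERS or v.startswith(("<", "${", "$("))


def scan_line(line):
    """Return [(kind, raw_value), ...] for the secrets found on one line."""
    kinds = []
    for m in HEX_KEY_RE.finditer(line):
        if shannon_entropy(m.group(1).lower()) >= ENTROPY_THRESHOLD:
            kinds.append(("hex_private_key", m.group(0)))
    m = SECRET_NAME_RE.match(line)
    value = m.group(2) if m else line
    if looks_like_mnemonic(value):
        kinds.append(("mnemonic", value))
    elif m and not kinds and not is_placeholder(value):
        kinds.append(("secret_assignment", value))
    return kinds


def redact(value):
    """Keep only a short prefix so findings can be triaged without re-exposing the secret."""
    v = value.strip().strip("\"'")
    return f"{v[:4]}...({len(v)} chars)"


def scan_tree(tree):
    findings = []
    for path, text in sorted(tree.items()):
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, value in scan_line(line):
                findings.append({"path": path, "line": lineno, "kind": kind, "preview": redact(value)})
    return findings


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['preview']}")
```

On the constructed tree the scanner reports the hard-coded wallet key in the deploy script and the mnemonic in the env file, while the README’s contract address, the all-zero placeholder key and the empty or templated env entries produce no findings. A scanner like this belongs in pre-commit hooks and CI as well as in periodic sweeps of cloud storage buckets, since those are exactly the objects wordlist scanning is designed to enumerate.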

Conclusion

In summary, when considering the “Active Scanning” sub-techniques of the MITRE ATT&CK “Reconnaissance” tactic in the context of Web3, adjustments must be made to align with the decentralized nature of these applications. By focusing on blockchain analysis, smart contract auditing, dependency assessment, data privacy reviews, and smart contract data leakage analysis, Web3 projects can be evaluated effectively for potential risks and vulnerabilities. As with many aspects of cybersecurity, the best mitigation is elimination.