What Is Real: Incident Responders Face Uptick in Time Stamp Manipulation


By Rick McElroy, Principal Cybersecurity Strategist, VMware

In one of my all-time favorite movies The Matrix, Morpheus asks Neo, "What is real? How do you define real?" As our physical worlds and digital worlds continue to blend, I think from a cyber perspective it's time we start to dive into what is truly real.

Let's start by defining what makes something real digitally. It truly comes back to the integrity of the data. As defenders, we are used to applying the CIA triad to information security and technology. CIA, "confidentiality, integrity and availability," is a model designed to guide policies for information security within an organization. We spend a large amount of our time on two key areas of the triad – confidentiality and availability, – but what about the integrity of the data itself or the underlying infrastructure that the data relies on?

Data integrity is the assurance that digital information is uncorrupted and can only be accessed or modified by those authorized to do so. Integrity involves maintaining the consistency, accuracy and trustworthiness of data over its entire lifecycle.[1]

In short, data integrity aims to prevent unintentional changes to information, but what if the changes are upstream of the system?

In this case, let's call the system a SOC platform that ingests data from network sources, endpoint sources, identity and authentication sources, and system logs to attempt to answer the contextual security question (i.e. am I breached and if so, what is breached?).

This system relies on any number of downstream systems to provide a "single source of truth" around attacker behaviors and situational awareness. These systems however all rely on a single point of failure: time.

In VMware's 2021 Global Incident Response Threat Report, we found the severity of attacks skyrocketed. Respondents indicated that targeted victims now experience integrity and destructive attacks more than 50% of the time. Cybercriminals are achieving this through emerging techniques, like the manipulation of time stamps, or Chronos attacks, which nearly 60% of respondents observed.

The manipulation of Network Time Protocol (NTP) and digital time itself are nothing new. Attacks on NTP date way back to 2002, most notably, the Tardis and Trinity College attack. These issues have largely been used to facilitate network outages and DDOS attacks, but this isn't what the boots on the ground are seeing these days. The time-based attacks are geared toward a couple of end goals.

  • Deception and evasion of both security controls and strong detections in place by the Security Operations Team.
  • Manipulation of time to prevent incident response activities like cert revocation
  • Market and financial manipulation
  • Execution of timing attacks on crypto currencies

Environmental manipulations including time are becoming more and more common for one reason. It makes detection and response harder as it undermines the confidence teams have in those data sets. Imagine a scenario where a threat hunter is looking for a specific set of behaviors within a well-defined timeline. As an attacker, if I can manipulate time and time stamps, as an attacker I can essentially make myself invisible to any query that relies on time.

Recommendations for incident responders

  • Audit for accuracy requirements of downstream systems including:
    • How time is obtained by systems
    • How it is distributed
    • How it is utilized by applications and systems in the environment
    • Deploy endpoint detection and response with specific emphasis on time manipulation

This audit should focus on all time-based dependencies with an emphasis on the redundancy and resiliency of time

  • Update threat models to understand possible attack vectors and scenarios that may be used to disrupt or manipulate the timing infrastructure of your organization
  • Real world testing of time manipulation

Download the full Global Incident Response Threat Report and read more about the ways in which attackers are manipulating reality here.

[1] TechTarget, SearchDataCenter: searchdatacenter.techtarget.com/definition/integrity

Sustaining Partners