Detecting NTP Attacks with Cynamics NDR
NTP (Network Time Protocol) is one of the most common protocols in IP networks and is implemented in almost every network device. Its role is to synchronize the device's clock so that time-based mechanisms (certificate validity checks, Kerberos tickets, log timestamps, scheduled jobs) can function.
Although the protocol is often assumed to be secure, a plain NTP exchange carries no authentication unless it is explicitly configured (symmetric keys or Network Time Security), and it is exposed to several attacks. One of the easiest to carry out is tampering with the delivered time: the reply is well-formed and looks completely normal on the wire, but carries a wrong timestamp. The requesting device sets its clock to that wrong time, which can disrupt its operation.
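To make the point concrete, the following added example (written for this edit, not code from the original post) builds an NTPv4 server reply with Python's `struct`, once honest and once with the receive and transmit timestamps shifted by an hour, and shows that both parse as perfectly normal mode-4 packets with no authenticator. It then applies the two checks a careful client can still make: the RFC 5905 offset calculation with a maximum accepted correction (the 1000 s value is borrowed from ntpd's default panic threshold and is an assumption here), and cross-checking several sources against their median. All timestamps are constructed values.

```python
import struct
from statistics import median

# NTP timestamps count seconds since 1900-01-01; Unix time since 1970-01-01.
NTP_UNIX_DELTA = 2208988800
# Largest clock correction accepted without operator intervention (assumption,
# modelled on ntpd's default 1000 s panic threshold).
MAX_ACCEPTED_OFFSET = 1000.0

NTP_FORMAT = "!BBBbII4sQQQQ"   # 48-byte NTPv4 header, no extension fields or MAC


def to_ntp(unix: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix)
    frac = min(int((unix - whole) * (1 << 32)), 0xFFFFFFFF)
    return ((whole + NTP_UNIX_DELTA) << 32) | frac


def from_ntp(ts: int) -> float:
    """64-bit NTP timestamp -> Unix seconds as a float."""
    return ((ts >> 32) - NTP_UNIX_DELTA) + (ts & 0xFFFFFFFF) / (1 << 32)


def build_reply(t1_ntp: int, t2: float, t3: float, stratum: int = 1) -> bytes:
    """Build a server reply (mode 4). A tampering server simply lies in t2/t3."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4          # LI=0, VN=4, mode=4 (server)
    return struct.pack(
        NTP_FORMAT,
        li_vn_mode, stratum, 6, -20,              # poll=6 (64 s), precision=2^-20
        0, 0,                                     # root delay, root dispersion
        b"GPS\x00",                               # reference ID of a stratum-1 source
        to_ntp(t2 - 1.0),                         # reference timestamp
        t1_ntp,                                   # origin timestamp (echoed request t1)
        to_ntp(t2),                               # receive timestamp
        to_ntp(t3),                               # transmit timestamp
    )


def parse_reply(pkt: bytes) -> dict:
    """Decode the header fields; nothing here reveals whether the time is true."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    (lvm, stratum, _poll, _prec, _rdelay, _rdisp, refid,
     _ref, org, rec, xmt) = struct.unpack(NTP_FORMAT, pkt[:48])
    return {
        "leap": lvm >> 6, "version": (lvm >> 3) & 7, "mode": lvm & 7,
        "stratum": stratum, "refid": refid, "origin_raw": org,
        "t2": from_ntp(rec), "t3": from_ntp(xmt),
        "authenticated": len(pkt) > 48,   # a MAC or NTS extension would follow the header
    }


def evaluate(t1: float, t4: float, pkt: bytes) -> dict:
    """Client-side sanity check: t1/t4 are the client's send/receive times."""
    r = parse_reply(pkt)
    offset = ((r["t2"] - t1) + (r["t3"] - t4)) / 2       # RFC 5905 clock offset
    delay = (t4 - t1) - (r["t3"] - r["t2"])              # RFC 5905 round-trip delay
    well_formed = (r["mode"] == 4 and r["version"] == 4 and r["leap"] != 3
                   and 1 <= r["stratum"] <= 15)
    origin_ok = r["origin_raw"] == to_ntp(t1)            # rejects blind off-path replies
    accepted = well_formed and origin_ok and abs(offset) <= MAX_ACCEPTED_OFFSET
    return {"offset": offset, "delay": delay, "well_formed": well_formed,
            "origin_ok": origin_ok, "accepted": accepted}


def agreeing_sources(offsets: list, tolerance: float) -> list:
    """Indices of sources whose offset agrees with the median; the liar stands out."""
    m = median(offsets)
    return [i for i, o in enumerate(offsets) if abs(o - m) <= tolerance]


if __name__ == "__main__":
    T1 = 1_700_000_000.0                                  # constructed client send time
    honest = build_reply(to_ntp(T1), T1 + 0.020, T1 + 0.021)
    tampered = build_reply(to_ntp(T1), T1 + 3600.020, T1 + 3600.021)
    for name, pkt in (("honest", honest), ("tampered", tampered)):
        print(name, parse_reply(pkt)["mode"], evaluate(T1, T1 + 0.040, pkt))
    print("agreeing:", agreeing_sources([0.0005, 3600.0005, -0.001], 0.5))
```

The offset check only catches gross lies; a server that drifts the client by a few seconds per day stays under any threshold, which is why querying several independent sources and discarding the outlier (the `agreeing_sources` step) matters as much as the threshold.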
For example, a laptop that should send a reminder 10 minutes before a meeting will send it at the wrong time, and you miss the meeting. A more serious case: a database server misses its nightly backup window and the organization loses data. Pushed further, NTP desynchronization can break certificate validation and Kerberos authentication across an entire organization's network.
NTP relies on upstream servers that must be trusted, accurate and secured, because clients take whatever time those servers deliver. Many NTP attacks therefore come down to getting a client to talk to an illegitimate server. It has also been found that some public NTP pools do not vet or authenticate the hosts that contribute to them, so a pool member can act as a "double agent", serving wrong time to the clients that query it.
Cynamics next-gen NDR collects small network samples (less than 1%) yet covers 100% of the network. Its AI threat prediction regularly discovers NTP abuse in clients' networks. A common finding is endpoints sending NTP queries to public IPs around the world that have nothing to do with NTP. Further investigation showed that malware on these endpoints had changed their NTP settings to point at an attacker-controlled host, using the NTP traffic as a command-and-control channel and, in some cases, for targeted data exfiltration. In other cases the NTP issue came from a plain misconfiguration.
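The detection logic behind that finding is simple enough to show in a few lines. The following added example (written for this edit, not Cynamics' code) runs a policy over a constructed batch of sampled flow records: only the designated internal NTP server may talk to upstream NTP, it may only talk to an allowlisted set of upstreams, and a "UDP/123" flow whose packets are far larger than a 48-byte NTP message is flagged as a possible covert channel. The sample records, the 1% sampling rate used to extrapolate packet counts, the internal server address and the TEST-NET upstream addresses are all assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Hypothetical policy for this example (assumption, not from the original post).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
INTERNAL_NTP_SERVERS = {"10.0.0.5"}                 # only host allowed to query upstream NTP
TRUSTED_UPSTREAM = {"192.0.2.10", "192.0.2.11"}     # stand-ins for trusted public servers
SAMPLING_RATE = 0.01                                # 1% flow sampling, as in the post
# A plain NTP packet is 48 bytes and an MD5/SHA-1 MAC adds about 20-24 bytes;
# NTS-protected packets are larger, so raise this if NTS is deployed.
MAX_BYTES_PER_PACKET = 120

# Constructed sample of exported flow records: (src, dst, proto, dst_port, packets, bytes)
SAMPLE_FLOWS = [
    ("10.1.1.20", "10.0.0.5", "udp", 123, 3, 144),        # workstation -> internal NTP: expected
    ("10.0.0.5", "192.0.2.10", "udp", 123, 2, 96),        # internal NTP -> trusted upstream: expected
    ("10.1.1.31", "203.0.113.77", "udp", 123, 4, 192),    # workstation bypassing the internal server
    ("10.1.1.31", "203.0.113.77", "udp", 123, 5, 6140),   # same pair, oversized "NTP" payloads
    ("10.0.0.5", "198.51.100.9", "udp", 123, 1, 48),      # internal NTP -> unknown upstream
    ("10.1.1.40", "10.1.1.1", "udp", 53, 10, 800),        # unrelated DNS traffic: ignored
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow) -> list:
    """Return the policy violations for one flow record (empty list if clean)."""
    src, dst, proto, dport, pkts, nbytes = flow
    if proto != "udp" or dport != 123:
        return []
    findings = []
    if src in INTERNAL_NTP_SERVERS:
        if dst not in TRUSTED_UPSTREAM:
            findings.append("ntp-server-unknown-upstream")
    elif dst not in INTERNAL_NTP_SERVERS:
        findings.append("endpoint-uses-unexpected-internal-ntp" if is_internal(dst)
                        else "endpoint-bypasses-internal-ntp")
    if pkts and nbytes / pkts > MAX_BYTES_PER_PACKET:
        findings.append("oversized-ntp-payload")
    return findings


def detect(flows) -> dict:
    """Aggregate findings per (src, dst) pair and extrapolate the sampled packet count."""
    per_pair = defaultdict(lambda: {"findings": set(), "sampled_packets": 0})
    for flow in flows:
        src, dst, proto, dport, pkts, _ = flow
        if proto != "udp" or dport != 123:
            continue
        entry = per_pair[(src, dst)]
        entry["sampled_packets"] += pkts
        entry["findings"].update(classify(flow))
    return {
        pair: {"findings": sorted(e["findings"]),
               "est_packets": int(round(e["sampled_packets"] / SAMPLING_RATE))}
        for pair, e in per_pair.items() if e["findings"]
    }


if __name__ == "__main__":
    for pair, result in detect(SAMPLE_FLOWS).items():
        print(pair, result)
```

With sampling, a single observed packet to a strange destination already represents roughly a hundred real ones, which is why a low-volume C2 beacon hiding as NTP still shows up: the destination is wrong regardless of how much traffic is seen.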
Read this blog to learn more about Cynamics' sampling approach.
Cynamics recommends configuring all NTP clients to use only highly trusted sources. In North America, the NIST NTP servers are the usual choice. Better still, run a dedicated internal NTP server (or a small set of them) that synchronizes with the trusted upstream and serves the rest of your network, so endpoints never query external NTP directly. Once that is in place, block outbound UDP/123 from everything except the dedicated server at the perimeter: any other NTP traffic leaving the network is then, by definition, suspicious.
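Checking that clients actually follow that policy can be automated. The following added example (written for this edit, not Cynamics' tooling) audits the `server`/`pool`/`peer` directives that both ntpd's `ntp.conf` and chrony's `chrony.conf` use, flagging any source outside an allowlist and any source configured without authentication (chrony's `nts` option or the `key` option of either daemon). The weak and hardened configurations, the allowlist and the `corp.example` hostnames are constructed for the example.

```python
# Hypothetical allowlist: the dedicated internal servers (assumption, not from the post).
ALLOWED_SOURCES = {"ntp1.corp.example", "ntp2.corp.example"}

# Directives that name a time source in ntpd (ntp.conf) and chrony (chrony.conf).
SOURCE_DIRECTIVES = {"server", "pool", "peer"}
# Options that mark a source as authenticated: chrony's "nts", or "key <id>" in either daemon.
AUTH_OPTIONS = {"nts", "key"}

# Constructed client configuration as it often ends up after a "naive misconfiguration":
# whichever pool members DNS hands back, plus a hard-coded public IP, all unauthenticated.
WEAK_CONF = """\
# client config, as found
pool 0.pool.ntp.org iburst
pool 1.pool.ntp.org iburst
server 203.0.113.77 iburst
"""

# Constructed hardened client configuration: only the internal servers, authenticated with NTS.
HARDENED_CONF = """\
server ntp1.corp.example iburst nts
server ntp2.corp.example iburst nts
"""


def audit(conf: str, allowed: set) -> list:
    """Return (line number, host, finding) tuples for every policy violation."""
    findings = []
    sources = 0
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] not in SOURCE_DIRECTIVES or len(tokens) < 2:
            continue
        sources += 1
        host, opts = tokens[1], set(tokens[2:])
        if host not in allowed:
            findings.append((lineno, host, "source not in allowlist"))
        if not (opts & AUTH_OPTIONS):
            findings.append((lineno, host, "unauthenticated source"))
    if sources == 0:
        findings.append((0, "", "no time source configured"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf, ALLOWED_SOURCES) or "clean")
```

A host with no source configured at all is reported too, because a clock that never synchronizes fails the same way as one that is fed bad time, just more slowly. The audit reads configuration text, so it runs equally well over files pulled by a configuration-management tool as over a local `/etc/chrony.conf`.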
Cynamics clients see their entire network like never before, with no part of it left as a blind spot. Reach out to us today to begin your free trial and mitigate NTP and other threats in your network.