The article emphasizes the importance of the MITRE Engenuity ATT&CK Evaluations for security leaders in navigating the complex cybersecurity landscape. These evaluations simulate real-world threats to test how vendors’ solutions detect, respond to, and report adversary tactics, techniques, and procedures (TTPs). The evaluations leverage the globally recognized MITRE ATT&CK framework, which categorizes TTPs into a structured model, helping organizations assess and address security gaps effectively.
Key factors that set MITRE ATT&CK Evaluations apart include their focus on real-world conditions, transparent results, and alignment with the ATT&CK framework. Unlike traditional assessments, these evaluations emulate attack scenarios, enabling vendors to demonstrate their capabilities under realistic conditions. The transparency of the results allows organizations to evaluate performance metrics directly, helping security leaders choose solutions tailored to their unique threat environments.
The 2023 MITRE ATT&CK Evaluation highlighted notable advancements, with Cynet achieving 100% visibility and analytic coverage without configuration changes—a first in the evaluation’s history. For 2024, MITRE plans to introduce more targeted evaluations, testing vendor solutions against adaptable ransomware-as-a-service variants and North Korean state-sponsored tactics, expanding coverage to Linux, Windows, and macOS platforms.
Cybersecurity leaders are encouraged to closely monitor the upcoming results, which will offer valuable insights into the strengths and weaknesses of vendor solutions. By leveraging these findings, organizations can refine their defenses, mitigate risks, and strengthen resilience against evolving threats. The Cynet-hosted webinar provides an opportunity to understand and act on these evaluations, making them a critical resource for informed decision-making.
The redesigned Atomic Red Team website features a new browser interface, improved search capabilities, and easier test execution
Red Canary’s Atomic Red Team is an open-source framework designed to help security teams test their detection capabilities against adversary tactics defined in the MITRE ATT&CK framework. It provides small, portable tests, enabling organizations to simulate specific attacker techniques in a controlled environment. This framework empowers defenders to validate their security controls, identify gaps in detection, and better understand malicious behaviors. Atomic Red Team offers a highly flexible approach, supporting manual execution via command-line scripts or automated tools like Invoke-Atomic, a PowerShell module that simplifies running tests
The platform focuses on making security testing accessible to teams of all sizes by offering easy-to-follow documentation and a community-driven approach. Tests are mapped to MITRE ATT&CK tactics, allowing users to tailor simulations to their environment while ensuring compliance with security protocols. By leveraging these tests, organizations can proactively enhance their detection capabilities, address visibility gaps, and prepare for real-world threats effectively
The new site provides several long-requested feature additions such as an easier method to execute the sometimes complex command lines in your environment, more detailed searching and filtering capabilities, and a generally more streamlined interface. This convenient interface ensures that even a casual user can learn about and launch tests in their own environment to help improve their security posture.
The cyber intrusion into MITRE’s environment was a meticulously planned and executed operation, highlighting the attackers’ advanced technical capabilities and understanding of virtualized environments. The attackers exploited specific vulnerabilities in Ivanti Connect Secure (ICS), identified as CVE-2023-46805 and CVE-2024-21887. These vulnerabilities allowed unauthorized access to the VMware infrastructure, providing the attackers with a foothold within the network.
Initial Penetration and Exploitation: The attackers began by identifying and exploiting weaknesses in the Ivanti Connect Secure (ICS) infrastructure. The vulnerabilities in question were zero-day exploits, meaning they were unknown to the vendor and had no existing patches or mitigations at the time of the attack. By exploiting these vulnerabilities, the attackers could bypass authentication mechanisms and gain administrative access to the virtualized environment.
Deployment of Rogue Virtual Machines (VMs): Once inside the network, the attackers created and deployed rogue VMs. These VMs were crafted to mimic legitimate virtual machines, allowing them to blend into the existing infrastructure and evade detection. The deployment of rogue VMs served multiple purposes:
Persistence: Rogue VMs provided a stable and resilient presence within the network, ensuring that the attackers could maintain access over an extended period.
Evasion: By operating within the virtualized environment, the rogue VMs could bypass traditional security measures that focus on physical or network-based threats.
Expansion: The rogue VMs acted as a base for further malicious activities, including data exfiltration, lateral movement within the network, and the deployment of additional malware.
Command and Control (C2) Operations: The attackers established robust C2 channels to maintain control over the rogue VMs. These channels allowed the attackers to issue commands, receive data, and monitor the status of their malicious operations. The C2 infrastructure was designed to be resilient, utilizing techniques such as encryption and redundancy to avoid detection and disruption.
TECHNICAL DEEP DIVE: UNDERSTANDING THE ATTACK
To fully appreciate the sophistication of the attack, it is essential to delve into the technical aspects of the methodologies employed by the attackers.
Vulnerability Exploitation:
The vulnerabilities exploited, CVE-2023-46805 and CVE-2024-21887, were critical flaws within the Ivanti Connect Secure (ICS) software. These flaws allowed the attackers to execute arbitrary code and gain administrative privileges within the virtualized environment.
The attackers used a combination of social engineering, phishing, and advanced scanning techniques to identify vulnerable systems. Once identified, they deployed custom exploit scripts to gain access.
Rogue VM Deployment:
The deployment process involved creating VMs that were virtually identical to legitimate ones, making detection difficult. The attackers leveraged existing VM templates and modified them to include their malicious payloads.
These rogue VMs were configured to operate with minimal resource usage, further reducing the likelihood of detection through performance monitoring.
Rogue VMs are created and managed through service accounts directly on the hypervisor, rather than through the vCenter administrative console. As a result, these VMs do not appear in the inventory.
The adversary created their own rogue VMs within the VMware environment, leveraging compromised vCenter Server access. They wrote and deployed a JSP web shell (BEEFLUSH) under the vCenter Server’s Tomcat server to execute a Python-based tunneling tool, facilitating SSH connections between adversary-created VMs and the ESXi hypervisor infrastructure.
By deploying rogue VMs, adversaries can evade detection by hiding their activities from centralized management interfaces like vCenter. This allows them to maintain control over compromised systems while minimizing the risk of discovery.
Persistence Mechanisms:
To ensure persistence, the attackers implemented several techniques within the rogue VMs. These included installing rootkits and other low-level malware that could survive reboots and updates.
The attackers also manipulated the VM management tools to hide the presence of the rogue VMs from administrators.
Evasion Tactics:
The attackers employed various evasion tactics to avoid detection by security tools. These included using encrypted communication channels, obfuscating malicious code, and leveraging legitimate administrative tools to carry out their activities.
They also frequently rotated their command and control servers to avoid being blacklisted or shut down.
IMPLICATIONS FOR CYBERSECURITY
The MITRE cyber intrusion serves as a stark reminder of the evolving tactics used by cybercriminals and the vulnerabilities inherent in virtualized environments. This incident highlights several critical areas for improvement in cybersecurity practices:
Enhanced Vulnerability Management: Organizations must adopt rigorous vulnerability management practices to identify and remediate vulnerabilities promptly. This includes regular patching, conducting vulnerability assessments, and staying informed about emerging threats.
Advanced Detection Mechanisms: Traditional security measures are often inadequate in virtualized environments. Organizations need to implement advanced detection mechanisms that can identify anomalous activities within virtualized infrastructures. This includes behavior-based monitoring, anomaly detection, and machine learning algorithms to identify suspicious activities.
Comprehensive Security Training: Human factors remain a significant vulnerability in cybersecurity. Comprehensive training programs for employees can help reduce the risk of social engineering and phishing attacks, which are often the initial vectors for intrusions.
Robust Incident Response Plans: Having a well-defined incident response plan is crucial for mitigating the impact of cyber intrusions. This plan should include procedures for identifying, containing, and eradicating threats, as well as recovery strategies to restore normal operations.
DETECTING ADVERSARY ACTIVITY IN VMWARE ECOSYSTEM
In VMware’s environment, spotting adversary activity demands meticulous scrutiny. For instance, adversaries might enable SSH on hypervisors and log in by routing traffic through the vCenter Server. This technique underscores the importance of monitoring SSH activity for signs of unauthorized access.
WHAT TO LOOK FOR:
Anomalous SSH Enablement: Keep a close watch for unexpected occurrences of “SSH login enabled” messages. Any activation of SSH outside the normal administrative cycle could indicate malicious activity.
Unusual SSH Sessions: Monitor for deviations from the expected pattern of SSH sessions being opened. Look out for instances where “SSH session was opened for” messages occur unexpectedly or at unusual times.
NOTABLE ATT&CK TECHNIQUES: DEPLOYING ROGUE VMS
Moving forward to January 7, 2024, the adversary accessed VMs and deployed malicious payloads, the BRICKSTORM backdoor and the BEEFLUSH web shell. The adversary also used a default VMware account, VPXUSER, to make seven API calls that enumerated a list of mounted and unmounted drives.
The adversary bypassed detection mechanisms by deploying rogue VMs, as VPXUSER, directly onto hypervisors using SFTP to write files then executed them with /bin/vmx. By doing this, these rogue VMs were not discoverable via vCenter, the ESXi web interface, and even some on-hypervisor command-line utilities that query the API.
These rogue VMs contained the BRICKSTORM backdoor and persistence mechanisms, configured with dual network interfaces for communication with both the Internet/C2 and core administrative subnets within the prototyping network.
LEVERAGING THE VPXUSER ACCOUNT
Adversaries often can leverage the VPXUSER account to perform various administrative tasks, such as enumerating VMs, accessing configuration settings, and interacting with the underlying hypervisor infrastructure. Additionally, adversaries may deploy rogue VMs directly onto hypervisors to evade detection mechanisms and maintain persistence within the environment. Rogue VMs, which are created and operated without proper authorization and management by the hypervisor, provide adversaries with a stealthy foothold for conducting malicious activities. These VMs can bypass visibility controls within VMware management interfaces, making them difficult to detect and mitigate.
DETECTING ROGUE VMS
Safeguarding against rogue VMs and any ensuing persistence demands a vigilant approach. Simply using the hypervisor management interface to manage VMs is often insufficient and can be pointless when it comes to dealing with rogue VMs. This is because rogue VMs operate outside the standard management processes and do not adhere to established security policies, making them difficult to detect and manage through the GUI alone. Instead, one needs special tools or techniques to identify and mitigate the risks associated with rogue VMs effectively.
WHAT TO LOOK FOR:
Command-Line Usage: Utilize the following commands on an ESXi hypervisor to identify unregistered VMs:
vim-cmd vmsvc/getallvms
esxcli vm process list | grep Display
Comparison of VM Lists: Compare the output of vim-cmd (API-based VM check) with the list of running VMs obtained from esxcli. Differences in the list of VMs between the output of a vim-cmd (that will check for VMs via the API) and the list of running VMs that esxcli sees (which directly queries the host hypervisor) indicate a potential problem. A VM running on a hypervisor that is not seen via the registered VM data via API warrants further investigation as a possible unregistered/rogue VM.
DETECTING VMWARE PERSISTENCE
To address the persistence of these rogue VMs, it is crucial to scrutinize the hypervisor’s startup scripts.
WHAT TO LOOK FOR:
Persistence Mechanism: Monitor for modification of the legitimate /etc/rc.local.d/local.sh file to include the following line:
Persistence Identification: Search for invocations of the /bin/vmx binary within /etc/rc.local.d/ or more specifically by manually reviewing the local.sh startup script with the following commands:
grep -r \/bin\/vmx /etc/rc.local.d/
cat /etc/rc.local.d/local.sh
The infiltration of MITRE’s network through VMware vulnerabilities underscores the need for heightened vigilance and advanced security measures in virtualized environments. As attackers continue to refine their techniques, organizations must evolve their defenses to protect against these sophisticated threats. By adopting comprehensive security practices, staying informed about emerging vulnerabilities, and fostering a culture of cybersecurity awareness, organizations can better defend against future intrusions.
Cybercriminal tactics continue to grow in number and advance in ability; in response, many organisations have seen the need to reach a security posture where their teams can proactively combat threats.
Threat hunting plays a pivotal role in modern organizations’ cybersecurity strategies. It involves actively searching for signs of advanced threats and vulnerabilities beyond passive defense mechanisms. The MITRE ATT&CK Framework is an industry-standard threat hunters can use to proactively ensure they have protection against new and evolving attacks. Automating these processes for threat hunting can advance any security team’s capabilities.
However, it can be challenging to integrate or collect security data for effective threat hunting. The number of security technologies often results in fragmented data and hinders a comprehensive threat-hunting approach. Automated threat hunting has become a solution that can advance the capabilities of any security team.
Understanding Disparate Security Technologies
Modern organisations employ a variety of security technologies to safeguard their digital assets. These include firewalls, intrusion detection systems, antivirus software, and endpoint protection. While effective, the sheer number of disparate security technologies poses challenges in centralising security data. Each solution generates logs and alerts, creating data silos.
The Problem of Non-integrated Security Data
Scattered security data creates several difficulties. Security teams grapple with a deluge of data from diverse sources, making identifying relevant threat indicators and patterns challenging. The absence of comprehensive visibility into potential threats leaves organisations vulnerable to increasingly advanced adversaries, who will exploit these data gaps. Inefficiencies plague threat-hunting processes because analysts must manually correlate data from various sources, slowing response times and increasing the likelihood of missing critical threats.
The Concept of Automated Threat Hunting
Automated threat hunting remediates the challenges inherent in integrating disparate security data. Security systems use advanced algorithms to streamline and enhance the threat hunting process. Automated threat hunting empowers security teams to pull security data from different technologies on demand, ensuring they have the right data.
Automating the MITRE ATT&CK Framework for Threat Hunting
Organizations should enhance the use of MITRE ATT&CK Frameworks in their threat hunting processes and techniques with automation to free up time and improve detection.
Automation #1: Pre-Built Response Playbooks
MITRE ATT&CK provides updated data sets of indicators of compromise (IOC) and techniques, tactics, and procedures (TTPs) that adversaries use. Threat hunters use this data to create procedures and processes around known threats to properly respond. Automation can save this set of procedures as a pre-defined playbook, which can be applied in the future for the same threat. It will also search across all data sources in your security environment for a comprehensive visibility into threats.
Automation #2: Collecting the Right Hunt Data
When collecting security data during a hunt, it’s common to collect too much or too little information. Pinpointing the right data saves time and increases hunt accuracy. MITRE ATT&CK frameworks ensure you have the correct data sources by telling you which to collect from logs, security systems, and threat intelligence. Automation allows you to save parameters for data collection of the right sources to apply for future hunts.
Automation #3: Penetration Testing/Red Teaming
Cyberattacks and tactics change all the time, and red/blue teaming are great exercises that help you understand where your proactive abilities are and your defence against them. Automation can provide a great lift here by automating simulations of known TTPS from MITRE Frameworks to fine-tune detection and response management.
Advantages of Automating Threat Hunting
Automating threat hunting allows security teams to effortlessly access security data from diverse technologies when needed, streamlining hunting and procedures, while reducing manual effort. Security analysts can swiftly identify suspicious activities and patterns, resulting in quicker threat detection. The accelerated detection and response to security incidents are crucial in today’s threat landscape. Automated threat hunting expedites the identification of threats, enabling organisations to respond promptly and mitigate potential damage.
The Role of the Security Operations Platform
A security operations platform offers a wide range of capabilities. It centralises security data from disparate technologies and provides security teams with a unified, real-time view of their environment, thus facilitating improved threat detection and response. An essential aspect of this platform is its ability to query security data from all technologies. This functionality ensures that all artifacts, regardless of their source, are examined, making it an invaluable tool in the hunt for threats.
Conclusion
Automating threat hunting via a security operations platform enhances efficiency, augments visibility, and expedites incident response. As we look to the future of cybersecurity, the seamless integration of security data will remain central to effective threat hunting, ensuring that organizations stay ahead of evolving cyber threats.
MITRE ATT&CK, a common language for cybersecurity professionals to communicate with each other and better understand real-world adversary behaviors, celebrates its 10th anniversary this fall. In this Help Net Security interview, project leader Adam Pennington discusses the framework, how defenders can best use it, and what’s next.
What were the main drivers behind the creation of the MITRE ATT&CK framework back in 2013?
The framework was born out of an internal exercise performed at MITRE’s Ft. Meade, Md. site in 2013. We put sensors on desktop computers to analyze a series of red and blue team cyber operations, which wasn’t common back then. White team observers noticed that the red team’s actions weren’t representative of real-world adversary behavior. When they requested that the red team adjust their tactics, they lacked a unified language to explain themselves.
The white team changed course by pulling actual cyber-attack scenarios from honey pots of real data for the blue and red teams to design operations around. Ultimately, the exercise culminated with a basic Excel spreadsheet outlining different intrusion techniques using a common language. It was incredibly helpful to us internally, so on the chance it would be useful to the rest of the world, we released it publicly as MITRE ATT&CK.
How has the framework evolved over the past decade, especially in the last five years, where we’ve seen a surge in its popularity?
What started out as an Excel spreadsheet identifying one adversary and one tactic has transformed into a framework referenced and contributed to by users across the world. By the time it reached the public, there were around 100 behaviors, and in 2016 we began tracking groups and software based on open-source threat intelligence reporting. In 2018, we amassed enough interest to launch ATT&CKcon (the fourth iteration of the user conference will run Oct. 24-25 at MITRE’s McLean, Va., headquarters).
In the last five years, we’ve expanded the core framework with ATT&CK for industrial control systems, mobile, Linux, various cloud platforms (Office 365, Azure, etc.), network devices (computer switches and routers), and more. We continue to make information digestible and user friendly by including both what adversary tactics are, and techniques users can employ to defend against them. To that end, we recently added pseudocode analytics directly to ATT&CK that people can use in their defenses as an “easy button.”
How does the framework stay up to date with real-world observations and contributions? How often is it updated?
As I’m answering this question, we’ve gotten at least one contribution from a community member via email—evidence that we receive updates often! ATT&CK is heavily community driven. Our framework isn’t effective without users keeping us abreast of the latest threats.
Additionally, we monitor social media, public reports from various government entities, and updates from incident response firms. Behind the scenes, we have large teams maintaining and organizing information for each respective arena.
We release a new version of ATT&CK every six months. After trying out shorter and longer timeframes, we found six months to be the sweet spot satisfying both organizations that bake ATT&CK into their products and defenses and those who want information fast.
Given the evolving nature of cyber threats, what long-term value does the MITRE ATT&CK framework offer to cybersecurity professionals?
ATT&CK continues to evolve right alongside adversaries, but historically this is a space that changes slowly over time. Bad actors exhibit relatively routine methods once they’ve gained entry into a network. Even though the exact piece of software, IP address, or even the human on the other end may differ, there are fundamental attack sequences that don’t often fluctuate. Behaviors documented in ATT&CK a decade ago are still seen today.
On the other hand, there are new spaces ripe for intrusion like cloud-based products. We’re expanding the framework in step with new technologies.
For organizations that find the initial implementation process complex, what advice do you have to ease this learning curve?
Start with bite size pieces. Time and time again, we’ve seen cybersecurity teams from small organizations attempt to comprehensively integrate ATT&CK into their defenses, just to quickly realize they’re in over their heads. The framework is not one-size-fits-all.
To solve for this challenge, we recommend multiple strategies focused on starting small. The framework is divided into techniques, so an organization may begin with a single tactic relevant to their system. For example, if you’re concerned with identity management, you can dig into how adversaries are stealing passwords and identify overlap between their behaviors. Once you reach those prioritization points, it’s easier work backwards and add protections against them.
What are some of the less obvious applications of the framework that professionals in the cybersecurity industry should be aware of?
We’re pleasantly surprised to see how ATT&CK is being leveraged in academic environments, from high schools to universities. One high school in Virginia invited our team to come in and speak to the work, which they previously integrated into their curriculum.
Several private sector organizations also have woven the framework into employee education. I recently spoke to somebody whose company regularly discusses a “technique of the week” pulled from the ATT&CK database.
What future enhancements or expansions do you envision for the MITRE ATT&CK framework?
As adversaries explore new exploitation methods, we’ll be there cataloging their every move. Our team continues to advance threat intelligence reporting on spaces growing in popularity, such as Linux and operating systems beyond Windows.
The goal is, and has always been, to build a community of cyber defenders. We know ATT&CK is a boon for larger organizations, but we’re working on ways to make it more accessible for smaller and less-resourced entities.
CrowdStrike achieved the highest coverage across the last two consecutive MITRE Engenuity ATT&CK® Evaluations. We achieved 100% protection, 100% visibility and 100% analytic detection coverage in the Enterprise Round 5 evaluation — which equates to 100% prevention and stopping the breach. We also achieved the highest detection coverage in the Managed Security Services Providers testing.
However, interpreting the results of the Round 5 test can quickly become very confusing, with endless representations of test results from every provider. Unlike other third-party analysts, MITRE doesn’t place vendors on a quadrant or graph, or provide a comparative score. It leaves interpretation up to each vendor and customers themselves — meaning you’ll be flooded with claims of “winning” the evaluation.
In MITRE, there are no winners or leaders, only raw data on a vendor’s coverage against either a known or unknown adversary. Without better guidelines and enforcement from MITRE, the results will continue to confuse customers, given the wildly different solutions being tested and approaches to the evaluation.
Evaluations like MITRE can help clarify your choice. We use the evaluations to further sharpen the capabilities of the CrowdStrike Falcon® platform, as well as ensure our customers understand our point of view on cybersecurity: Stopping the breach requires complete visibility, detection and protection that you can actually use in a real-world scenario.
How Should You Interpret the Results?
First, it’s important to understand the nuances of the two types of evaluations run by MITRE: open-book and closed-book tests.
Open-book testing for known attackers: The MITRE ATT&CK Enterprise Evaluations, such as the recent Round 5, give vendors months of advance notice on the adversary being emulated and their tactics, techniques and procedures (TTPs), and then measure for coverage in a noiseless lab environment.
Not all results are equal, which is hard to see in a comparative chart like this, as vendors have the opportunity to tune their systems in advance and apply configuration changes on-the-fly with teams of experts who may be working behind the scenes 24/7 during the testing period. For instance, we’ve seen vendors make updates to operating systems for the test, while others manually fix verdicts or add new context and detections.
Round 5 emulated Turla, which CrowdStrike classifies as VENOMOUS BEAR, a sophisticated Russia-based adversary. Given their advanced tactics, few vendors were able to identify all of their tradecraft, with the average visibility being 83%. High-quality analytic detection of Tactic and Technique were even less, with the average dropping to 66% — with CrowdStrike achieving full 100% coverage with analytic detections.
High-quality analytics are extremely important, as they provide insight into what an adversary is attempting to achieve and how they are attempting to achieve it. High-quality analytic detection provides the context that analysts need, letting them spend less time trying to determine if the alert is a true or false positive, and also provides insight into what an adversary is trying to do. With tactic and technique detections, security analysts can spend more doing what matters: stopping breaches.
In a comparative chart like the one above, it isn’t possible to see if the capability provided is noisy annotated telemetry or important context added to a high-fidelity alert.
Closed-book testing for unknown attackers: MITRE’s Managed Security Services Providers test is a truer measure of how vendors will protect a customer in the real world, with no do-overs or chances to hunt for additional evidence. The only notification vendors receive in advance is a start date, with no visibility into the adversary being emulated or their TTPs. MITRE runs the test, and you get a coverage score.
To find the cybersecurity partner for you, it’s worth reviewing and correlating performance across many different tests that use different TTPs and force products to behave differently to find the true outcome of the platform. Ensure you look at the results of both open-book and closed-book tests, including those that measure false positives and performance, and know exactly what vendors did to achieve their results. Most importantly, make sure you can achieve those same outcomes in your enterprise. Sophisticated adversaries don’t provide the luxury of a heads-up, and customers won’t have potentially dozens of people working behind the scenes on their deployment in the real world.
Stopping Breaches Matters
Next, it’s critical to evaluate how effectively a vendor can stop adversaries without manual intervention. In the open-book Round 5 test, the average blocking rate was 86%, compared to CrowdStrike’s 100% protection. Even more important than the coverage is understanding how the scores were achieved.
When digesting the MITRE results, ask vendors these three questions, and ask them to prove it:
Did they use easily bypassed signatures or custom detections requiring prior knowledge?
Are the analytic detections and protections high-fidelity and suitable at enterprise scale?
How can I reproduce this result in my own environment?
For comparison, the CrowdStrike Falcon platform stopped 13 of the 13 scenarios with no prior knowledge, using advanced AI and behavior detection. Our AI-powered prevention will be just as effective in your environment as in MITRE’s testing, against both known and unknown adversaries in the real world.
How Do You Bring It All Together?
At the end of the day, how a platform achieved its results matters as much as coverage itself. With open-book tests like the Enterprise Evaluation Round 5, you could hire enough experts to manually add custom tags, detections and context to achieve perfect coverage. That’s why you’ll see vendors shouting their coverage from the rooftops — as at face value many did well.
All comparative charts, including the ones we’ve shown above, only tell part of the story. What’s important is looking at the details: how you do it matters as much as what you do. If you can’t actually achieve the results in your environment, it’s simply a number on a comparative chart. It can’t stop adversaries and it can’t stop breaches.
Ask your provider, including us, how they achieved their scores — and ensure it wasn’t a herculean manual effort that could never work in the real world. It’s also important to understand exactly what the full bill-of-materials looks like to reproduce the results. Some vendors require a complex point product deployment, others an expensive combination of software and network security hardware, and others a significant headcount investment to operate.
The factor to consider most carefully are vendors that use custom test configurations that are impossible to reproduce in a real-world production environment. With CrowdStrike, our platform will always be delivered via our single lightweight agent that’s easy to deploy, easy to manage and never requires a reboot. We consolidate cybersecurity, with better outcomes, at a much better ROI.
We stand behind our platform and the way we delivered our superior coverage across both MITRE’s open-book and closed-book testing for known and unknown adversaries — providing true breach prevention for the real world.
We encourage everyone in the industry to follow MITRE’s intention: Its testing yields valuable raw data that needs to be applied in your environment — with the context around how a vendor achieved its results — to be meaningful. And to our friends at MITRE, the time is now to shut down the endless noise and ensure customers understand your purpose: to make the world safer with better-informed decisions.
Initially perceived as primarily targeting large corporations, advanced persistent threat (APT) attacks, often backed by state actors, have witnessed a notable surge in incidents against small and medium-sized enterprises. This expanding scope signifies that no entity is exempt, as the dynamic evolution of attack methods demands a proactive stance and ongoing fortification of security measures. This endeavor places a persistent burden on resources, especially when factoring in the diverse array of tactics, techniques, and procedures (TTPs) employed within these attacks.
Uncommon TTPs
With time, money and other resources on their side, APTs such as Cozy Bear (aka APT29), OceanLotus (aka APT32), and Grim Spider (aka APT-C-37) conduct technically intricate, cutting-edge attacks that potentially threaten any organization. One victim can also be collateral damage for an attack on a larger target.
While some of their TTPs – such as spear phishing, credential theft, living off the land (LOL), and data exfiltration – are well-known and widely documented, less common TTPs that APTs may use can wreak just as much havoc. These include:
Watering hole attacks: These attacks involve compromising websites that the target organization’s employees or individuals frequently visit. The attackers inject malicious code into these legitimate websites, causing visitors to download malware unknowingly. It’s a tactic that allows APTs to gain access to the target organization through the users’ systems without directly attacking them. One well-known attack involved the website of the US Department of Labor in 2013, where malicious code was injected to infect visitors’ systems and target government employees and contractors.
Island hopping: In these attacks, APTs target not only the primary victim organization but also other organizations within their supply chain, partners, or affiliates. By compromising less secure third-party companies first, they can use them as stepping stones to reach the ultimate target and avoid direct detection. Cozy Bear targeted the Democratic National Committee in 2016 and later used island hopping techniques to breach other US government agencies.
Fileless malware:Fileless malware resides in the system’s memory, leaving little to no trace on the hard drive. It leverages legitimate processes and tools to carry out malicious activities, making it challenging for traditional security solutions to detect. Fileless malware can be delivered through malicious scripts (such as macros and PowerShell commands), malicious registry entries, LOLBins, LOLScripts, WMI/WSH, and reflective DDL-injection (to highlight the most common ones). APT32 (OceanLotus) used fileless malware to compromise multiple organizations in Southeast Asia, including government agencies and private companies while evading detection and attribution.
Hardware-based attacks: APTs may use hardware-based attacks, such as compromising firmware, hardware implants, or manipulating peripheral devices, to gain persistence and evade traditional security measures. These attacks can be difficult to detect and remove without specialized tools and expertise. A notable example is the Equation Group‘s malware for reprogramming hard drives’ firmware.
Zero-day exploits: APTs may deploy zero-day exploits to target previously unknown vulnerabilities in software or hardware. These attacks can be highly effective as no patches or defenses against them are available. Who could forget the Stuxnet attack? Stuxnet was a sophisticated and targeted worm that exploited multiple zero-day vulnerabilities in industrial control systems, making it highly effective and challenging to detect.
Memory-based attacks: Memory-based attacks exploit vulnerabilities in software to gain access to sensitive data stored in the computer’s RAM. These attacks can bypass traditional security measures that focus on file-based threats. APT32, believed to be based in Vietnam, is known for using fileless malware and “living off the land” techniques to operate stealthily in the computer’s memory and evade traditional security measures.
DNS tunneling: APTs may use DNS tunneling to exfiltrate data from the victim’s network. This technique involves encoding data in DNS requests or responses, allowing the attackers to bypass perimeter security measures that may not inspect DNS traffic thoroughly. Cozy Bear used DNS tunneling to communicate with their command-and-control servers and steal sensitive information from targeted organizations in a stealthy manner.
Advanced anti-forensic techniques: APTs invest significant efforts in covering their tracks and erasing evidence of their presence. They may employ advanced anti-forensic techniques to delete logs, manipulate timestamps, or encrypt data to hinder investigation and response efforts. One well-known advanced anti-forensic techniques attack by the Equation Group involved using a rootkit called “DoubleFantasy” to hide and persistently maintain their presence on infected systems, making it extremely challenging for analysts to detect and analyze their activities.
Multi-platform or custom malware: APTs employ malware capable of targeting both Windows and macOS systems to maximize its reach. They can also deploy tailored malware, such as the Scanbox reconnaissance framework to gather intelligence. An example is APT1 (also known as Comment Crew or Unit 61398), which utilized custom malware to infiltrate and steal sensitive data from various organizations worldwide, particularly in the United States.
Password spraying: Password spraying attacks are used to gain initial access by attempting to use a few common passwords against multiple accounts. APT33 (Elfin) targeted organizations in the Middle East and globally, using password spraying to compromise email accounts and gain a foothold for further cyber-espionage activities.
APTs are here to stay
Organizations can make APT groups’ lives more difficult. Here’s how:
Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
These TTPs underscore the diverse and advanced technical skills exhibited by different threat groups. Organizations can bolster their defenses and protect against APT incursions by studying their tactics, techniques, and procedures.
Continuous vigilance, threat intelligence, and incident response readiness are crucial elements in preparing for and sometimes thwarting these persistent and highly skilled adversaries. Understanding real-world APT attacks’ technical intricacies and TTPs is vital for organizations to enhance their defense strategies and safeguard against these persistent threats.
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a widely adopted framework and knowledge base that outlines and categorizes the tactics, techniques, and procedures (TTPs) used in cyberattacks. Created by the nonprofit organization MITRE, this framework provides security professionals with insights and context that can help them comprehend, identify, and mitigate cyber threats effectively.
The techniques and tactics in the framework are organized in a dynamic matrix. This makes navigation easy and also provides a holistic view of the entire spectrum of adversary behaviors. As a result, the framework is more actionable and usable than if it were a static list.
According to Etay Maor, Senior Director of Security Strategy at Cato Networks, “The knowledge provided in the MITRE ATT&CK framework is derived from real-world evidence of attackers’ behaviors. This makes it susceptible to certain biases that security professionals should be aware of. It’s important to understand these limitations.”
Novelty Bias – Techniques or actors that are new or interesting are reported, while techniques that are being used over and over are not.
Visibility Bias – Intel report publishers have visibility biases that are based on how they gather data, resulting in visibility for some techniques and not others. Additionally, techniques are also viewed differently during incidents and afterward.
Producer Bias – Reports published by some organizations may not reflect the broader industry or world as a whole.
Victim Bias – Some victim organizations are more likely to report, or to be reported on, than others.
Availability Bias – Report authors often include techniques that quickly come to mind in their reports.
MITRE ATT&CK Defender Use Cases
The MITRE ATT&CK framework helps security professionals research and analyze various attacks and procedures. This can help with threat intelligence, detection and analytics, simulations, and assessment and engineering. The MITRE ATT&CK Navigator is a tool that can help explore and visualize the matrix, enhancing the analysis for defensive coverage, security planning, technique frequency, and more.
Etay Maor adds, “The framework can go as deep as you want it to be or it can be as high level as you want it to be. It can be used as a tool to show the mapping and if we’re good or bad at certain areas, but it could go as deep as understanding the very specific procedure and even the line of code that was used in a specific attack.”
Here are a few examples of how the framework and the Navigator can be used:
Threat Actor Analysis
Security professionals can leverage MITRE ATT&CK to investigate specific threat actors. For example, they can drill down into the matrix and learn which techniques are used by different actors, how they are executed, which tools they use, etc. This information helps investigate certain attacks. It also expands the researchers’ knowledge and way of thinking by introducing them to additional modes of operation attackers take.
At a higher level, the framework can be used to answer C-level questions about breaches or threat actors. For example, if asked- “We think we might be a target for Iranian nation state threat actors.” The framework enables drilling down into Iranian threat actors like APT33, showing which techniques they use, attack IDs, and more.
Multiple Threat Actor Analysis
Apart from researching specific actors, the MITRE ATT&CK framework also allows analyzing multiple threat actors. For example, if a concern is raised that “Due to recent political and military events in Iran we believe there will be a retaliation in the form of a cyber attack. What are the common attack tactics of Iranian threat actors?”, the framework can be used to identify common tactics used by a number of nation-state actors.
Here’s what a visualized multiple threat actor analysis could look like, with red and yellow representing techniques used by different actors and green representing an overlap.
Gap Analysis
The MITRE ATT&CK framework also helps analyze existing gaps in defenses. This enables defenders to identify, visualize and sort which ones the organization does not have coverage for.
Here’s what it could look like, with colors used for prioritization.
Atomic Testing
Finally, the Atomic Red Team is an open source library of tests mapped to the MITRE ATT&CK framework. These tests can be used for testing your infrastructure and systems based on the framework, to help identify and mitigate coverage gaps.
The MITRE CTID (Center for Threat-Informed Defense)
The MITRE CTID (Center for Threat-Informed Defense) is an R&D center, funded by private entities, that collaborates with both private sector organizations and nonprofits. Their objective is to revolutionize the approach to adversaries through resource pooling and emphasizing proactive incident response rather than reactive measures. This mission is driven by the belief, inspired by John Lambert, that defenders must shift from thinking in lists to thinking in graphs if they want to overcome attackers’ advantages.
Etay Maor comments, “This is very important. We need to facilitate collaboration between the Defenders across different levels. We’re very passionate about this.”
A significant initiative within this context is the “Attack Flow” project. Attack Flow tackles the challenge faced by defenders, who often focus on individual, atomic attacker behaviors. Instead, Attack Flow uses a new language and tools to describe the flow of ATT&CK techniques. These techniques are then combined into patterns of behavior. This approach enables defenders and leaders to gain a deeper understanding of how adversaries operate, so they can refine their strategies accordingly.
MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK is open and available to any person or organization for use at no charge. Below you can find a collection of MITRE ATT&CK tools and resources available for free.
eBook: Getting Started with ATT&CK
This free eBook pulls together the content from blog posts on threat intelligence, detection and analytics, adversary emulation and red teaming, and assessments and engineering onto a single, convenient package.
CALDERA
CALDERA is a cyber security platform designed to easily automate adversary emulation, assist manual red-teams, and automate incident response. It is built on the MITRE ATT&CK framework and is an active research project at MITRE.
The framework consists of two components:
The core system. This is the framework code, consisting of what is available in this repository. Included is an asynchronous command-and-control (C2) server with a REST API and a web interface.
Plugins. These repositories expand the core framework capabilities and provide additional functionality. Examples include agents, reporting, collections of TTPs, etc.
Whitepaper: Best Practices for MITRE ATT&CK Mapping
CISA uses ATT&CK as a lens through which to identify and analyze adversary behavior. CISA created this guide with the Homeland Security Systems Engineering and Development Institute (HSSEDI), a DHS-owned federally funded research and development center (FFRDC), which worked with the MITRE ATT&CK team.
CASCADE
CASCADE is a research project at MITRE which seeks to automate much of the investigative work a “blue-team” team would perform to determine the scope and maliciousness of suspicious behavior on a network using host data.
The prototype CASCADE server has the ability to handle user authentication, run analytics, and perform investigations. The server runs analytics against data stored in Splunk/ElasticSearch to generate alerts. Alerts trigger a recursive investigative process where several ensuing queries gather related events. Supported event relationships include parent and child processes (process trees), network connections, and file activity. The server automatically generates a graph of these events, showing relationships between them, and tags the graph with information from the ATT&CK project.
Metta
Metta is an information security preparedness tool. This project uses Redis/Celery, Python, and vagrant with VirtualBox to do adversarial simulation. This allows you to test your host based instrumentation but may also allow you to test any network based detection and controls depending on how you set up your vagrants. The project parses YAML files with actions and uses Celery to queue these actions up and run them one at a time without interaction.
Sandbox Scryer
Sandbox Scryer is an open-source tool for producing threat hunting and intelligence data from public sandbox detonation output. The tool leverages the MITRE ATT&CK Framework to organize and prioritize findings, assisting in assembling IOCs, understanding attack movement and hunting threats. By allowing researchers to send thousands of samples to a sandbox for building a profile for use with the ATT&CK technique, Sandbox Scryer can help solve use cases at scale.
Whitepaper: Finding Cyber Threats with ATT&CK-Based Analytics
This whitepaper presents a methodology for using the MITRE ATT&CK framework, a behavioral-based threat model, to identify relevant defensive sensors and build, test, and refine behavioral-based analytic detection capabilities using adversary emulation. This methodology can be applied to enhance enterprise network security through defensive gap analysis, endpoint security product evaluations, building and tuning behavioral analytics for a particular environment, and performing validation of defenses against a common threat model using a red team emulating known adversary behavior.
Atomic Red Team
Atomic Red Team is a library of tests mapped to the MITRE ATT&CK framework. Security teams can use Atomic Red Team to quickly, portably, and reproducibly test their environments. You can execute atomic tests directly from the command line, no installation required.
Red Team Automation (RTA)
RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK.
RTA is composed of python scripts that generate evidence of over 50 different ATT&CK tactics, as well as a compiled binary application that performs activities such as file time stopping, process injections, and beacon simulation as needed.
Mapping CVEs to MITRE ATT&CK
Vulcan Cyber’s research team has created this site to showcase an ongoing project to map documented CVEs to relevant tactics and techniques from the MITRE ATT&CK matrix. You can search for CVES based on specific techniques and vice versa. For more information about this project, please read the associated whitepaper.
CrowdStrike achieved 99% detection coverage by conclusively reporting 75 of the 76 adversary techniques during the MITRE ATT&CK evaluation.
Leveraging the power of the CrowdStrike Falcon® platform with integrated threat intelligence and patented tooling, the CrowdStrike Falcon® Complete and CrowdStrike® Falcon OverWatch™ managed threat hunting teams identified the adversary and associated tradecraft within minutes.
Closed-book evaluations such as this provide the most realistic reflection of how a security vendor would perform in a customer environment. CrowdStrike’s combination of market-leading technology and elite human expertise led the evaluation, which is the gold standard in managed detection and response testing.
MITRE does not rank or rate participants; the following is CrowdStrike’s analysis of the results provided by MITRE Engenuity.
In this Help Net Security video, Dmitry Bestuzhev, Most Distinguished Threat Researcher at BlackBerry, talks about some of the most interesting tactics, techniques, and procedures employed by cybercriminals in recent months.
From the basics to advanced techniques, here’s what you should know.
Cybersecurity has been compared to a never-ending game of whack-a-mole, with an ever-changing cast of threats and threat actors. While the attacks that make headlines may change from year to year, the basic fact remains: Any network, no matter how obscure the organization it supports, most likely will come under attack at some point. Thus, attaining and maintaining a strong security posture is of critical importance for organizations of any size.
An organization’s security posture, however, is constantly changing. Employees join or leave the company; endpoints are added and discarded; and network and security technologies are deployed, decommissioned, configured, and updated. Each change in network elements can represent a potential attack vector for malware and other threats.
That’s why security teams should review their security processes periodically and keep aligned with new developments in defensive and offensive testing and modeling. Doing so can help move the needle on security maturity from the most basic to an advanced, much stronger security posture, and from a reactive to a proactive model.
The Basics: Vulnerability Scanning
The first step most IT organizations undertake is vulnerability scanning, which seeks out potential weaknesses in the network and endpoints that could be exploited by attackers. There’s a wide variety of scanners available as open source or commercial software, as managed services, and on cloud platforms like AWS and Alibaba. Some of the more popular scanners include Nessus, Burp Suite, Nmap, and Qualys, though each has its own area of focus. Several offer automatic patch remediation, as well.
Another consideration is whether to perform an external scan — which can discover potential vulnerabilities that hackers can exploit — or internal scanning that can find potential paths attackers would take once inside the network. Many, if not most, IT teams will do both.
While vulnerability scanning is relatively easy to use, it’s not the end-all, be-all of a security strategy. For example, scanning might not detect subtle misconfigurations or the more complicated attack paths that advanced persistent threats (APTs) might take. They’re also often prone to false positives and must be updated consistently.
Overall, though, vulnerability scanning is an important baseline step. Once it’s running well, the next step is penetration testing.
Penetration Testing
Penetration testing typically entails human ethical hackers who attempt to gain access to the network interior, much as an outside hacker would. Here, too, there’s a wide variety of tools and services available — many of the aforementioned vulnerability scanners offer tools that can be used in pen testing. Others include Metasploit, Kali Linux, Cobalt.io, and Acunetix.
Run periodically, pen testing can uncover weaknesses that aren’t found by vulnerability scanners. Furthermore, human-managed pen testing can explore more complex pathways and technique combinations that hackers increasingly leverage to exploit victims, such as phishing.
Not surprisingly, the biggest trends impacting networking and cybersecurity are essentially the same trends noted in penetration testing this year: rampant ransomware attacks, the newly distributed workforce, and the rise of Web applications and cloud usage to support remote workers. Each of these trends will require thoughtful consideration in choosing tools and designing plans for penetration testing.
While penetration testing can provide a great deal of benefit, it’s a good idea to periodically review the wealth of information on best practices available online.
Red Team/Purple Team
The third step in the quest for security maturity is usually the establishment of a red team that will manually attempt to attack and penetrate the organization’s security defenses. This may be a completely separate team, or it may be closely allied with the blue team (the defenders) in a combination called a purple team. As another option, some vendors offer red-team services on a subscription or one-off basis.
A red team will imitate the tactics, techniques, and procedures (TTPs) that attackers use — which usually turns up more points of vulnerability than penetration testing can reveal. The blue team can then begin to resolve these weaknesses, further hardening the network against attack.
But too often, red and blue teams devolve into an adversarial relationship that’s counterproductive. It’s also quite expensive to set up a red team, and given the shortage of cybersecurity professionals, it may not be feasible. Therefore, many CISOs are investigating two newer trends: adversary emulation and adversary simulation.
Using Adversary TTPs for Good
There are vast, freely available libraries of common tactics, techniques, and procedures used during attacks, such as MITRE’s ATT&CK framework. Adversary emulation and simulation leverage these libraries to evaluate security based on intelligence for specific attacks and then simulating the TTPs used.
For example, MITRE developed a sample adversary emulation plan for APT3, an advanced persistent threat that previously targeted mostly US entities. The emulation plan covers three phases from command-and-control setup to initial access; from host compromise through to execution; and data collection through exfiltration. The Center for Threat-Informed Defense has posted other emulation plans.
Adversary emulation lets security teams assess their defenses against real-world attacks. It can also be used to test the security infrastructure’s detection and response rates.
Looking Ahead
Security vendors are moving beyond simply advocating the concept of MITRE’s ATT&CK and MITRE Shield. Many vendors are leveraging one or both to improve their own products and services. For example, some security vendors map anomalies and events to the ATT&CK framework, making it easier for security teams to respond.
MITRE’s CALDERA also deserves attention. It provides an intelligent, automated adversary emulation system that can be programmed for a specific attack profile and launched into the network to test its defenses. Caldera can also be used to train blue teams on detecting and remediating specific attacks.
Keeping abreast of developments in key security processes is important for security teams as they strive to defend the network against changing threats. By so doing, they can move the organization closer to a far stronger security posture.
The “0ktapus” cyberattackers set up a well-planned spear-phishing effort that affected at least 130 orgs beyond Twilio and Cloudflare, including Digital Ocean and Mailchimp.
The hackers who breached Twilio and Cloudflare earlier in August also infiltrated more than 130 other organizations in the same campaign, vacuuming up nearly 10,000 sets of Okta and two-factor authentication (2FA) credentials.
That’s according to an investigation from Group-IB, which found that several well-known organizations were among those targeted in a massive phishing campaign that it calls 0ktapus. The lures were simple, such as fake notifications that users needed to reset their passwords. They were sent via texts with links to static phishing sites mirroring the Okta authentication page of each specific organization.
“Despite using low-skill methods, [the group] was able to compromise a large number of well-known organizations,” researchers said in a blog post today. “Furthermore, once the attackers compromised an organization, they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”
Such was the case with the Twilio breach that occurred Aug. 4. The attackers were able to social-engineer several employees into handing over their Okta credentials used for single sign-on across the organization, allowing them to gain access to internal systems, applications, and customer data. The breach affected about 25 downstream organizations that use Twilio’s phone verification and other services — including Signal, which issued a statement confirming that about 1,900 users could have had their phone numbers hijacked in the incident.
The majority of the 130 companies targeted were SaaS and software companies in the US — unsurprising, given the supply chain nature of the attack.
For instance, additional victims in the campaign include email marketing firms Klaviyo and Mailchimp. In both cases, the crooks made off with names, addresses, emails, and phone numbers of their cryptocurrency-related customers, including for Mailchimp customer DigitalOcean (which subsequently dropped the provider).
In Cloudflare’s case, some employees fell for the ruse, but the attack was thwarted thanks to the physical security keys issued to every employee that are required to access all internal applications.
Lior Yaari, CEO and co-founder of Grip Security, notes that the extent and cause of the breach beyond Group IB’s findings are still unknown, so additional victims could come to light.
“Identifying all the users of a SaaS app is not always easy for a security team, especially those where users use their own logins and passwords,” he warns. “Shadow SaaS discovery is not a simple problem, but there are solutions out there that can discover and reset user passwords for shadow SaaS.”
Time to Rethink IAM?
On the whole, the success of the campaign illustrates the trouble with relying on humans to detect social engineering, and the gaps in existing identity and access management (IAM) approaches.
“The attack demonstrates how fragile IAM is today and why the industry should think about removing the burden of logins and passwords from employees who are susceptible to social engineering and sophisticated phishing attack,” Yaari says. “The best proactive remediation effort companies can make is to have users reset all their passwords, especially Okta.”
The incident also points out that enterprises increasingly rely on their employees’ access to mobile endpoints to be productive in the modern distributed workforce, creating a rich, new phishing ground for attackers like the 0ktapus actors, according to Richard Melick, director of threat reporting at Zimperium.
“From phishing to network threats, malicious applications to compromised devices, it’s critical for enterprises to acknowledge that the mobile attack surface is the largest unprotected vector to their data and access,” he wrote in an emailed statement.
The MITRE shared the list of the 2022 top 25 most common and dangerous weaknesses, it could help organizations to assess internal infrastructure and determine their surface of attack.
The presence of these vulnerabilities within the infrastructure of an organization could potentially expose it to a broad range of attacks.
“Welcome to the 2022 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses list (CWE™ Top 25). This list demonstrates the currently most common and impactful software weaknesses. Often easy to find and exploit, these can lead to exploitable vulnerabilities that allow adversaries to completely take over a system, steal data, or prevent applications from working.” reads the announcement published by Mitre.
“Many professionals who deal with software will find the CWE Top 25 a practical and convenient resource to help mitigate risk. This may include software architects, designers, developers, testers, users, project managers, security researchers, educators, and contributors to standards developing organizations (SDOs).”
Improper Control of Generation of Code (‘Code Injection’)
3.32
4
+3
Mitre also shared trends Year-over-Year: 2019 to 2022 Lists; the first trend is a significant changes from the 2019 Top 25 to the 2022 Top 25. Drops in high-level classes such as CWE-119 and CWE-200 are steep, while the shift and increase to Base-level weaknesses is most apparent for weaknesses such as CWE-787 and CWE-502.
The second trend in year-over-year changes from 2019 to 2022 is a relative ve stability in the top 10 from 2021 to 2022, along with the steady rise of CWE-502: “Deserialization of Untrusted Data” over all four years.
We all know that cyberthreats have become more frequent, stealthier and more sophisticated. What’s more, the traditional, reactive approach to detecting threats by hunting indicators of compromise (IoCs) using markers like IP addresses, domains and file hashes is quickly becoming outdated—threats are only detected once a compromise is achieved and attackers are readily able to alter these markers to evade detection.
To overcome this issue, the cybersecurity community came up with the concept of anomaly-based detection, a technique that leverages statistical analysis, big data and machine learning to detect atypical events. However, this approach often results in a high rate of false positives. What is considered normal versus what is anomalous is not always precise. To identify malicious trends and patterns, vast amounts of data must be captured from sources across the entire computing environment, requiring large-scale investments in data collection and processing.
TTPs: Behavior-Based Detection
The concept of TTPs (tactics, techniques and procedures) was popularized by David Bianco’s The Pyramid Of Pain. Bianco stressed that threat hunters must move away from static IoCs like domains and IPs, as those are difficult to keep up with. For example, attackers can easily use a domain generation algorithm (DGA) to generate fake domain names and IP addresses to evade detection. Additionally, the cybersecurity industry also must shift from signature-based malware detection, as today’s malware is polymorphic; which means the same malware is capable of creating different signatures with each infection. Therefore, the focus should be on the TTPs of attackers because these are difficult to change quickly.
What is the MITRE ATT&CK Framework?
Researchers at MITRE Corporation and security vendors noted that, unlike IoCs, adversary techniques do not change frequently because of the limitations of targeted technologies (e.g., Windows, macOS, mobile devices), and are common across multiple adversaries. That’s why in 2013, they created the MITRE ATT&CK framework. ATT&CK stands for adversarial tactics, techniques and common knowledge—one of the industry’s most curated and globally-accessible knowledge bases of common adversary behavior. The sole aim of the project is to map typical adversary TTPs so that there is a common language for both red and blue teams while proactively hunting for cybersecurity threats.
The framework consists of 14 different tactics along with several techniques attackers use to achieve those tactics. A tactic refers to a general goal the adversary is trying to establish while the technique refers to the means the adversary will adopt to accomplish the tactic. Tactics explain the “why” while techniques explain the “how.” Each technique is further divided into sub-techniques that explain in greater detail how an adversary executes a specific technique.
Tactics listed in the ATT&CK matrix are presented in a linear format, starting from the time an adversary conducts reconnaissance to the point when they achieve their final goal— exfiltration or impact. ATT&CK not only provides appropriate categorization for adversary actions but also details recommendations on how organizations can defend against them.
Why is ATT&CK Important?
The MITRE ATT&CK framework can be used worldwide across multiple security disciplines such as intrusion detection, threat hunting and intelligence, security engineering and risk management. Some key benefits or use cases for the ATT&CK framework can include:
Attacker emulation: Simulates attack scenarios to test security solutions and verify defense capabilities.
Penetration testing: Acts as a frame of reference when conducting red team or purple team exercises and studying or mapping adversarial behaviors.
Forensics and investigations: Aids Incident Response teams in finding missing attacker activity.
Behavioral analytics: Provides contextual, behavioral information that security teams and vendors can use to identify hidden, unrelated anomalies and patterns.
Security maturity and gap assessments: Helps determine what parts of the enterprise lack defenses against adversary behaviors and what parts of the organization need prioritized investments.
Product evaluations: Helps evaluate a security tool’s detection capabilities and breadth of detection coverage.
The standard for technology integrations: Serves as a common standard that helps connect and communicate disparate security tools, leading to an integrated defense approach.
ATT&CK is truly a gold mine of resources when it comes to adversary techniques and MITRE welcomes contributions from the cybersecurity industry to keep the framework updated with the latest TTPs (ATT&CK just announced their latest version, v11, in April 2022).
That said, ATT&CK isn’t perfect. MITRE acknowledges that sometimes biases exist in the minds of security analysts. That’s why in addition to ATT&CK, it is recommended that you leverage other threat intelligence reports as well as tools that allow full visibility into the network and security posture of your organization.
Regardless of where you are in your cybersecurity maturity journey, it is never too late to realign your security, redefine your security processes and rethink your security metrics in terms of the MITRE ATT&CK framework.
According to the Verizon 2021 Data Breach Investigations Report, insiders are responsible for around 22% of security incidents. That is clearly a significant number and insider threats are quickly becoming one of the most common cybersecurity threats organizations face today. The challenge that continues to remain high with insider threats is that it is difficult to differentiate between normal and abnormal user behavior for any user since they already have access to the environment compared to external threats. Therefore, it makes a very important case to correlate content, threat and behavior to make an accurate prediction for an insider threat.
The significance of insider threats can be seen in the last update by MITRE where the version of ATT&CK for Enterprise contains 14 Tactics, 185 Techniques, and 367 Sub-techniques, among which are those used in insider threat attacks. In this analysis, we’ll look at a selection of the techniques published in the update and examine how they are used, the motivations and the types of attacks they are used for.
What is Considered an Insider Threat?
An insider threat is a security threat that originates internally from within an organization. It’s usually someone who uses their authorized access—intentionally or unintentionally—to compromise an organization’s network, data or devices. Due to the authorized access, the attacker doesn’t need to raise a request or hack some credentials to gain access. There are three most common categories of an inside attacker.
Malicious Insider – As the name suggests, the malicious insider is an employee or contractor who conducts nefarious activities that may or may not be financially motivated to gain or steal information.
Compromised Insider – This is a scenario where user credentials are compromised with the attacker using the compromised account to gain or steal information. In most cases the main target of these attacks are employees who are easily targeted via phishing.
Negligent Insider – Negligent insiders are people who make errors and disregard policies, which place their organizations at risk. There is a huge uptick in this type of attacks as we see more and more configuration errors, which results in exposing internal data of the organization to the public.
Historically, vulnerability management and threat management have been separate disciplines, but in a risk-focused world, they need to be brought together. Defenders struggle to integrate vulnerability and threat information and lack a consistent view of how adversaries use vulnerabilities to achieve their goals. Without this context, it is difficult to appropriately prioritize vulnerabilities.
To bridge vulnerability management and threat management, the Center for Threat-Informed Defense, with support from participants including AttackIQ and JP Morgan Chase, developed a methodology to use the adversary behaviors described in MITRE ATT&CK® to characterize the impact of vulnerabilities from CVE®. Vulnerability reporters and researchers can use the methodology to describe the impact of vulnerabilities more clearly and consistently. When used in a vulnerability report, ATT&CK’s tactics and techniques enable defenders to quickly understand how a vulnerability can impact them, helping defenders integrate vulnerability information into their risk models and identify appropriate compensating security controls.
This methodology aims to establish a critical connection between vulnerability management, threat modeling, and compensating controls. CVEs linked to ATT&CK techniques can empower defenders to better assess the true risk posed by specific vulnerabilities in their environment. We have applied the methodology and mapped several hundred CVEs to ATT&CK to validate the model and demonstrated its value. To fully realize our goal, we need community support to apply the methodology at scale.