InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
The MITRE ATT&CK framework is fundamentally about understanding the blind spots within your environment. It provides a structured, real-world playbook of how attackers actually operate, far beyond theoretical security models. Instead of guessing what threats might look like, it helps organizations see how adversaries move, persist, and exploit weaknesses across systems.
At its core, ATT&CK exposes gaps in your defenses. For every listed technique, the key question becomes: Could this happen in my environment without triggering an alert? If the answer is even “maybe,” that uncertainty signals a control weakness. This approach shifts security teams from compliance-driven checkbox exercises to a more honest evaluation of detection and response capabilities.
For example, when you detect suspicious PowerShell activity tied to T1059.001 (PowerShell), the framework guides your investigation. You don’t just look at the isolated event; you analyze the full attack chain. What came before, such as phishing (T1566)? What might follow, like credential dumping (T1003) or lateral movement through remote services (T1021)? This interconnected view allows defenders to anticipate attacker behavior rather than simply react to alerts.
By mapping real adversary techniques against your actual security controls, ATT&CK turns abstract security strategies into practical defense mechanisms. It forces alignment between what you think you can detect and what you actually can detect in real-world scenarios.
Perspective: Most organizations today claim ATT&CK alignment, but in practice they only map controls on paper. This is compliance theater. The real value comes from operationalizing it through testing (e.g., purple teaming or adversary simulation). For instance, a company may have endpoint detection tools in place and believe they can detect PowerShell abuse. But when a simulated attacker runs obfuscated scripts, no alerts fire. That’s the gap ATT&CK is meant to uncover.
A practical example: imagine a mid-sized SaaS company that has email security and endpoint protection deployed. On paper, phishing (T1566) and credential dumping (T1003) are “covered.” However, during a red team exercise, a phishing email bypasses filters, a user executes a macro, and PowerShell is used to pull credentials, all without detection. The organization realizes its logging is incomplete and its alerting rules are too weak. That insight, not the framework itself, is where ATT&CK delivers value.
Bottom line: ATT&CK isn’t about documentation; it’s about visibility. Once you truly understand where you’re blind, you can finally start seeing, and defending, clearly.
blog post coming out later this week with more about these changes (watch this space!), but in the meantime Cat Self’s ATT&CKcon 6.0 talk covered many of the details.
The cyber intrusion into MITRE’s environment was a meticulously planned and executed operation, highlighting the attackers’ advanced technical capabilities and understanding of virtualized environments. The attackers exploited specific vulnerabilities in Ivanti Connect Secure (ICS), identified as CVE-2023-46805 and CVE-2024-21887. These vulnerabilities allowed unauthorized access to the VMware infrastructure, providing the attackers with a foothold within the network.
Initial Penetration and Exploitation: The attackers began by identifying and exploiting weaknesses in the Ivanti Connect Secure (ICS) infrastructure. The vulnerabilities in question were zero-day exploits, meaning they were unknown to the vendor and had no existing patches or mitigations at the time of the attack. By exploiting these vulnerabilities, the attackers could bypass authentication mechanisms and gain administrative access to the virtualized environment.
Deployment of Rogue Virtual Machines (VMs): Once inside the network, the attackers created and deployed rogue VMs. These VMs were crafted to mimic legitimate virtual machines, allowing them to blend into the existing infrastructure and evade detection. The deployment of rogue VMs served multiple purposes:
Persistence: Rogue VMs provided a stable and resilient presence within the network, ensuring that the attackers could maintain access over an extended period.
Evasion: By operating within the virtualized environment, the rogue VMs could bypass traditional security measures that focus on physical or network-based threats.
Expansion: The rogue VMs acted as a base for further malicious activities, including data exfiltration, lateral movement within the network, and the deployment of additional malware.
Command and Control (C2) Operations: The attackers established robust C2 channels to maintain control over the rogue VMs. These channels allowed the attackers to issue commands, receive data, and monitor the status of their malicious operations. The C2 infrastructure was designed to be resilient, utilizing techniques such as encryption and redundancy to avoid detection and disruption.
TECHNICAL DEEP DIVE: UNDERSTANDING THE ATTACK
To fully appreciate the sophistication of the attack, it is essential to delve into the technical aspects of the methodologies employed by the attackers.
Vulnerability Exploitation:
The vulnerabilities exploited, CVE-2023-46805 and CVE-2024-21887, were critical flaws within the Ivanti Connect Secure (ICS) software. These flaws allowed the attackers to execute arbitrary code and gain administrative privileges within the virtualized environment.
The attackers used a combination of social engineering, phishing, and advanced scanning techniques to identify vulnerable systems. Once identified, they deployed custom exploit scripts to gain access.
Rogue VM Deployment:
The deployment process involved creating VMs that were virtually identical to legitimate ones, making detection difficult. The attackers leveraged existing VM templates and modified them to include their malicious payloads.
These rogue VMs were configured to operate with minimal resource usage, further reducing the likelihood of detection through performance monitoring.
Rogue VMs are created and managed through service accounts directly on the hypervisor, rather than through the vCenter administrative console. As a result, these VMs do not appear in the inventory.
The adversary created their own rogue VMs within the VMware environment, leveraging compromised vCenter Server access. They wrote and deployed a JSP web shell (BEEFLUSH) under the vCenter Server’s Tomcat server to execute a Python-based tunneling tool, facilitating SSH connections between adversary-created VMs and the ESXi hypervisor infrastructure.
By deploying rogue VMs, adversaries can evade detection by hiding their activities from centralized management interfaces like vCenter. This allows them to maintain control over compromised systems while minimizing the risk of discovery.
Persistence Mechanisms:
To ensure persistence, the attackers implemented several techniques within the rogue VMs. These included installing rootkits and other low-level malware that could survive reboots and updates.
The attackers also manipulated the VM management tools to hide the presence of the rogue VMs from administrators.
Evasion Tactics:
The attackers employed various evasion tactics to avoid detection by security tools. These included using encrypted communication channels, obfuscating malicious code, and leveraging legitimate administrative tools to carry out their activities.
They also frequently rotated their command and control servers to avoid being blacklisted or shut down.
IMPLICATIONS FOR CYBERSECURITY
The MITRE cyber intrusion serves as a stark reminder of the evolving tactics used by cybercriminals and the vulnerabilities inherent in virtualized environments. This incident highlights several critical areas for improvement in cybersecurity practices:
Enhanced Vulnerability Management: Organizations must adopt rigorous vulnerability management practices to identify and remediate vulnerabilities promptly. This includes regular patching, conducting vulnerability assessments, and staying informed about emerging threats.
Advanced Detection Mechanisms: Traditional security measures are often inadequate in virtualized environments. Organizations need to implement advanced detection mechanisms that can identify anomalous activities within virtualized infrastructures. This includes behavior-based monitoring, anomaly detection, and machine learning algorithms to identify suspicious activities.
Comprehensive Security Training: Human factors remain a significant vulnerability in cybersecurity. Comprehensive training programs for employees can help reduce the risk of social engineering and phishing attacks, which are often the initial vectors for intrusions.
Robust Incident Response Plans: Having a well-defined incident response plan is crucial for mitigating the impact of cyber intrusions. This plan should include procedures for identifying, containing, and eradicating threats, as well as recovery strategies to restore normal operations.
DETECTING ADVERSARY ACTIVITY IN VMWARE ECOSYSTEM
In VMware’s environment, spotting adversary activity demands meticulous scrutiny. For instance, adversaries might enable SSH on hypervisors and log in by routing traffic through the vCenter Server. This technique underscores the importance of monitoring SSH activity for signs of unauthorized access.
WHAT TO LOOK FOR:
Anomalous SSH Enablement: Keep a close watch for unexpected occurrences of “SSH login enabled” messages. Any activation of SSH outside the normal administrative cycle could indicate malicious activity.
Unusual SSH Sessions: Monitor for deviations from the expected pattern of SSH sessions being opened. Look out for instances where “SSH session was opened for” messages occur unexpectedly or at unusual times.
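One way to automate the two checks above, as an added example that is not part of the original post: it flags both messages when their timestamp falls outside an approved change window. The log lines are constructed, and the leading ISO 8601 timestamp, the function names and the window hours are assumptions.

```shell
#!/bin/sh
# Added example: flag "SSH login enabled" and "SSH session was opened for"
# messages that fall outside an approved change window (hours in UTC).
# Assumption: every log line starts with YYYY-MM-DDThh:mm:ss.

# flag_ssh_events LOGFILE START_HOUR END_HOUR
flag_ssh_events() {
    awk -v w_start="$2" -v w_end="$3" '
        BEGIN { w_start += 0; w_end += 0 }
        function in_window(h) {
            # A window such as 22 to 4 wraps past midnight.
            if (w_start <= w_end) return (h >= w_start && h < w_end)
            return (h >= w_start || h < w_end)
        }
        /SSH login enabled/          { kind = "ENABLE" }
        /SSH session was opened for/ { kind = "SESSION" }
        kind != "" {
            if ($0 ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:/) {
                if (!in_window(substr($0, 12, 2) + 0)) print kind "\t" $0
            } else {
                # No parsable timestamp: surface the line instead of dropping it.
                print kind "\t" $0
            }
            kind = ""
        }
    ' "$1"
}

# Constructed sample log lines (host name, users and addresses are made up).
write_ssh_sample() {
    cat > "$1" <<'EOF'
2030-03-04T03:12:45Z esx01 SSH login enabled
2030-03-04T03:14:02Z esx01 SSH session was opened for 'root@192.0.2.10'.
2030-03-06T14:30:10Z esx01 SSH login enabled
2030-03-06T14:31:44Z esx01 SSH session was opened for 'admin@192.0.2.20'.
EOF
}

if [ "$#" -eq 3 ]; then
    flag_ssh_events "$1" "$2" "$3"
else
    sample=$(mktemp) && write_ssh_sample "$sample"
    flag_ssh_events "$sample" 13 17   # approved window 13:00-17:00 UTC
    rm -f "$sample"
fi
```

With the sample data and a 13 to 17 window, only the two 03:xx events are reported; each output line carries the event kind, a tab, and the original log line.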
NOTABLE ATT&CK TECHNIQUES: DEPLOYING ROGUE VMS
Moving forward to January 7, 2024, the adversary accessed VMs and deployed malicious payloads, the BRICKSTORM backdoor and the BEEFLUSH web shell. The adversary also used a default VMware account, VPXUSER, to make seven API calls that enumerated a list of mounted and unmounted drives.
The adversary bypassed detection mechanisms by deploying rogue VMs, as VPXUSER, directly onto hypervisors using SFTP to write files then executed them with /bin/vmx. By doing this, these rogue VMs were not discoverable via vCenter, the ESXi web interface, and even some on-hypervisor command-line utilities that query the API.
These rogue VMs contained the BRICKSTORM backdoor and persistence mechanisms, configured with dual network interfaces for communication with both the Internet/C2 and core administrative subnets within the prototyping network.
LEVERAGING THE VPXUSER ACCOUNT
Adversaries often can leverage the VPXUSER account to perform various administrative tasks, such as enumerating VMs, accessing configuration settings, and interacting with the underlying hypervisor infrastructure. Additionally, adversaries may deploy rogue VMs directly onto hypervisors to evade detection mechanisms and maintain persistence within the environment. Rogue VMs, which are created and operated without proper authorization and management by the hypervisor, provide adversaries with a stealthy foothold for conducting malicious activities. These VMs can bypass visibility controls within VMware management interfaces, making them difficult to detect and mitigate.
DETECTING ROGUE VMS
Safeguarding against rogue VMs and any ensuing persistence demands a vigilant approach. Simply using the hypervisor management interface to manage VMs is often insufficient and can be pointless when it comes to dealing with rogue VMs. This is because rogue VMs operate outside the standard management processes and do not adhere to established security policies, making them difficult to detect and manage through the GUI alone. Instead, one needs special tools or techniques to identify and mitigate the risks associated with rogue VMs effectively.
WHAT TO LOOK FOR:
Command-Line Usage: Utilize the following commands on an ESXi hypervisor to identify unregistered VMs:
vim-cmd vmsvc/getallvms
esxcli vm process list | grep Display
Comparison of VM Lists: Compare the output of vim-cmd (API-based VM check) with the list of running VMs obtained from esxcli. Differences in the list of VMs between the output of a vim-cmd (that will check for VMs via the API) and the list of running VMs that esxcli sees (which directly queries the host hypervisor) indicate a potential problem. A VM running on a hypervisor that is not seen via the registered VM data via API warrants further investigation as a possible unregistered/rogue VM.
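The list comparison described above, as an added example that is not part of the original post: the script takes saved output of the two commands and prints every running VM whose display name is missing from the registered inventory. The function names and the sample host data are constructed for illustration, and matching is by display name only.

```shell
#!/bin/sh
# Added example: list VMs that are running on an ESXi host but are missing
# from the registered inventory.
#   $1 = saved output of: vim-cmd vmsvc/getallvms
#   $2 = saved output of: esxcli vm process list
# Prints "display name<TAB>config file" for each unregistered running VM.

find_unregistered() {
    awk '
        FILENAME == ARGV[1] {
            # Inventory rows start with the numeric Vmid; the VM name runs up
            # to the "[datastore]" token that opens the File column.
            if ($0 ~ /^[0-9]+[ \t]/) {
                sub(/^[0-9]+[ \t]+/, "")
                i = match($0, /[ \t]+\[/)
                if (i > 1) registered[substr($0, 1, i - 1)] = 1
            }
            next
        }
        # Each running-VM stanza lists Display Name, then Config File.
        /^[ \t]*Display Name: / { sub(/^[ \t]*Display Name: /, ""); name = $0; next }
        /^[ \t]*Config File: / {
            sub(/^[ \t]*Config File: /, "")
            if (name != "" && !(name in registered)) printf "%s\t%s\n", name, $0
            name = ""
        }
    ' "$1" "$2"
}

# Constructed sample output so the check can be exercised offline.
write_sample() {
    cat > "$1/registered.txt" <<'EOF'
Vmid   Name             File                                             Guest OS          Version   Annotation
1      web01            [datastore1] web01/web01.vmx                     ubuntu64Guest     vmx-14
4      build agent 02   [datastore1] build agent 02/build agent 02.vmx   centos7_64Guest   vmx-14
EOF
    cat > "$1/running.txt" <<'EOF'
web01
   World ID: 2100345
   Display Name: web01
   Config File: /vmfs/volumes/datastore1/web01/web01.vmx

build agent 02
   World ID: 2100410
   Display Name: build agent 02
   Config File: /vmfs/volumes/datastore1/build agent 02/build agent 02.vmx

web01-bak
   World ID: 2100522
   Display Name: web01-bak
   Config File: /vmfs/volumes/datastore1/web01-bak/web01-bak.vmx
EOF
}

if [ "$#" -eq 2 ]; then
    find_unregistered "$1" "$2"
else
    dir=$(mktemp -d) && write_sample "$dir"
    find_unregistered "$dir/registered.txt" "$dir/running.txt"
    rm -rf "$dir"
fi
```

A name-only match will not flag a rogue VM that reuses a registered VM's display name, so review the reported config file paths of all running VMs as well.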
DETECTING VMWARE PERSISTENCE
To address the persistence of these rogue VMs, it is crucial to scrutinize the hypervisor’s startup scripts.
WHAT TO LOOK FOR:
Persistence Mechanism: Monitor for modification of the legitimate /etc/rc.local.d/local.sh file to include the following line:
Persistence Identification: Search for invocations of the /bin/vmx binary within /etc/rc.local.d/ or more specifically by manually reviewing the local.sh startup script with the following commands:
grep -r \/bin\/vmx /etc/rc.local.d/
cat /etc/rc.local.d/local.sh
The infiltration of MITRE’s network through VMware vulnerabilities underscores the need for heightened vigilance and advanced security measures in virtualized environments. As attackers continue to refine their techniques, organizations must evolve their defenses to protect against these sophisticated threats. By adopting comprehensive security practices, staying informed about emerging vulnerabilities, and fostering a culture of cybersecurity awareness, organizations can better defend against future intrusions.
MITRE shared its list of the 2022 top 25 most common and dangerous weaknesses; it could help organizations assess their internal infrastructure and determine their attack surface.
The presence of these vulnerabilities within the infrastructure of an organization could potentially expose it to a broad range of attacks.
“Welcome to the 2022 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses list (CWE™ Top 25). This list demonstrates the currently most common and impactful software weaknesses. Often easy to find and exploit, these can lead to exploitable vulnerabilities that allow adversaries to completely take over a system, steal data, or prevent applications from working.” reads the announcement published by MITRE.
“Many professionals who deal with software will find the CWE Top 25 a practical and convenient resource to help mitigate risk. This may include software architects, designers, developers, testers, users, project managers, security researchers, educators, and contributors to standards developing organizations (SDOs).”
Improper Control of Generation of Code (“Code Injection”) | 3.32 | 4 | +3
MITRE also shared year-over-year trends for the 2019 to 2022 lists. The first trend is a significant change from the 2019 Top 25 to the 2022 Top 25: drops in high-level classes such as CWE-119 and CWE-200 are steep, while the shift and increase to Base-level weaknesses is most apparent for weaknesses such as CWE-787 and CWE-502.
The second trend in year-over-year changes from 2019 to 2022 is relative stability in the top 10 from 2021 to 2022, along with the steady rise of CWE-502: “Deserialization of Untrusted Data” over all four years.
We all know that cyberthreats have become more frequent, stealthier and more sophisticated. What’s more, the traditional, reactive approach to detecting threats by hunting indicators of compromise (IoCs) using markers like IP addresses, domains and file hashes is quickly becoming outdated: threats are only detected once a compromise is achieved, and attackers are readily able to alter these markers to evade detection.
To overcome this issue, the cybersecurity community came up with the concept of anomaly-based detection, a technique that leverages statistical analysis, big data and machine learning to detect atypical events. However, this approach often results in a high rate of false positives. What is considered normal versus what is anomalous is not always precise. To identify malicious trends and patterns, vast amounts of data must be captured from sources across the entire computing environment, requiring large-scale investments in data collection and processing.
TTPs: Behavior-Based Detection
The concept of TTPs (tactics, techniques and procedures) was popularized by David Bianco’s The Pyramid of Pain. Bianco stressed that threat hunters must move away from static IoCs like domains and IPs, as those are difficult to keep up with. For example, attackers can easily use a domain generation algorithm (DGA) to generate fake domain names and IP addresses to evade detection. Additionally, the cybersecurity industry must also shift away from signature-based malware detection, as today’s malware is polymorphic, which means the same malware is capable of creating different signatures with each infection. Therefore, the focus should be on the TTPs of attackers because these are difficult to change quickly.
What is the MITRE ATT&CK Framework?
Researchers at MITRE Corporation and security vendors noted that, unlike IoCs, adversary techniques do not change frequently because of the limitations of targeted technologies (e.g., Windows, macOS, mobile devices), and are common across multiple adversaries. That’s why in 2013, they created the MITRE ATT&CK framework. ATT&CK stands for adversarial tactics, techniques and common knowledge, one of the industry’s most curated and globally-accessible knowledge bases of common adversary behavior. The sole aim of the project is to map typical adversary TTPs so that there is a common language for both red and blue teams while proactively hunting for cybersecurity threats.
The framework consists of 14 different tactics along with several techniques attackers use to achieve those tactics. A tactic refers to a general goal the adversary is trying to establish while the technique refers to the means the adversary will adopt to accomplish the tactic. Tactics explain the “why” while techniques explain the “how.” Each technique is further divided into sub-techniques that explain in greater detail how an adversary executes a specific technique.
Tactics listed in the ATT&CK matrix are presented in a linear format, starting from the time an adversary conducts reconnaissance to the point when they achieve their final goal: exfiltration or impact. ATT&CK not only provides appropriate categorization for adversary actions but also details recommendations on how organizations can defend against them.
Why is ATT&CK Important?
The MITRE ATT&CK framework can be used worldwide across multiple security disciplines such as intrusion detection, threat hunting and intelligence, security engineering and risk management. Some key benefits or use cases for the ATT&CK framework can include:
Attacker emulation: Simulates attack scenarios to test security solutions and verify defense capabilities.
Penetration testing: Acts as a frame of reference when conducting red team or purple team exercises and studying or mapping adversarial behaviors.
Forensics and investigations: Aids Incident Response teams in finding missing attacker activity.
Behavioral analytics: Provides contextual, behavioral information that security teams and vendors can use to identify hidden, unrelated anomalies and patterns.
Security maturity and gap assessments: Helps determine what parts of the enterprise lack defenses against adversary behaviors and what parts of the organization need prioritized investments.
Product evaluations: Helps evaluate a security tool’s detection capabilities and breadth of detection coverage.
The standard for technology integrations: Serves as a common standard that helps connect and communicate disparate security tools, leading to an integrated defense approach.
ATT&CK is truly a gold mine of resources when it comes to adversary techniques and MITRE welcomes contributions from the cybersecurity industry to keep the framework updated with the latest TTPs (ATT&CK just announced their latest version, v11, in April 2022).
That said, ATT&CK isn’t perfect. MITRE acknowledges that sometimes biases exist in the minds of security analysts. That’s why in addition to ATT&CK, it is recommended that you leverage other threat intelligence reports as well as tools that allow full visibility into the network and security posture of your organization.
Regardless of where you are in your cybersecurity maturity journey, it is never too late to realign your security, redefine your security processes and rethink your security metrics in terms of the MITRE ATT&CK framework.
A recent article from Gartner states that, “Audit Chiefs Identify IT Governance as Top Risk for 2021.” I agree that IT governance is important, but I question how much the IT governance board understands about the day-to-day tactical risks, such as the current threats and vulnerabilities against a company’s attack surface. How is the tactical risk data being reported up to the board? Does the board understand the current state of threats and vulnerabilities, or is this critical information being filtered on the way up?
If the concept of a hierarchy of needs were extended to cyber security, it may help business owners and risk management teams assess how to approach implementing a risk management approach for the business.
There are three key questions to ask:
How confident are you in your organization’s ability to inventory and monitor IT assets?
How confident are you in your organization’s ability to “detect unauthorized activity”?
How confident are you in your organization’s ability to identify and respond to true positive incidents within a reasonable time to respond?
Source: medium
Layers 1-2 – Inventory and Telemetry – The first two layers are related to asset inventory which is part of the CIS Controls 1-2. How can you defend the vulnerable Windows 2003 server that is still connected to your network at a remote site?
Layers 3-4 – Detection and Triage – These layers are related to a SOC/SIEM/SOAR program which will allow the cyber security team to begin to detect threats through logging and monitoring.
Layers 5-10 – Threats, Behaviors, Hunt, Track, Act – The final layers are threat hunting, tracking and incident response and this is where the MITRE framework is very helpful to identify threats, understand the data sources, build use cases and prepare the incident response playbooks based on real world threat intelligence.