A new threat matrix outlines attacks against machine learning systems

A report published last year has noted that most attacks against artificial intelligence (AI) systems are focused on manipulating them (e.g., influencing recommendation systems to favor specific content), but that new attacks using machine learning (ML) are within attackers’ capabilities.


Microsoft now says that attacks on machine learning (ML) systems are on the uptick and MITRE notes that, in the last three years, “major companies such as Google, Amazon, Microsoft, and Tesla, have had their ML systems tricked, evaded, or misled.” At the same time, most businesses don’t have the right tools in place to secure their ML systems and are looking for guidance.

Experts at Microsoft, MITRE, IBM, NVIDIA, the University of Toronto, the Berryville Institute of Machine Learning and several other companies and educational organizations have therefore decided to create the first version of the Adversarial ML Threat Matrix, to help security analysts detect and respond to this new type of threat.

What is machine learning (ML)?

Machine learning is a subset of artificial intelligence (AI). It is based on computer algorithms that ingest “training” data, “learn” from it, and then deliver predictions or decisions, or accurately classify things.

Machine learning algorithms are used for tasks like identifying spam, detecting new threats, predicting user preferences, performing medical diagnoses, and so on.

Security should be built in

Mikel Rodriguez, a machine learning researcher at MITRE who also oversees MITRE’s Decision Science research programs, says that we’re now at the same stage with AI as we were with the internet in the late 1980s, when people were just trying to make the internet work and when they weren’t thinking about building in security.

We can learn from that mistake, though, and that’s one of the reasons the Adversarial ML Threat Matrix has been created.

“With this threat matrix, security analysts will be able to work with threat models that are grounded in real-world incidents that emulate adversary behavior with machine learning,” he noted.

Also, the matrix will help them think holistically and spur better communication and collaboration across organizations by giving a common language or taxonomy of the different vulnerabilities, he says.

The Adversarial ML Threat Matrix

“Unlike traditional cybersecurity vulnerabilities that are tied to specific software and hardware systems, adversarial ML vulnerabilities are enabled by inherent limitations underlying ML algorithms. Data can be weaponized in new ways which requires an extension of how we model cyber adversary behavior, to reflect emerging threat vectors and the rapidly evolving adversarial machine learning attack lifecycle,” MITRE noted.

The matrix has been modeled on the MITRE ATT&CK framework.


The group has demonstrated how previous attacks – whether by researchers, red teams or online mobs – can be mapped to the matrix.

They also stressed that it’s going to be routinely updated as feedback from the security and adversarial machine learning community is received. They encourage contributors to point out new techniques, propose best (defense) practices, and share examples of successful attacks on machine learning (ML) systems.

“We are especially excited for new case-studies! We look forward to contributions from both industry and academic researchers,” MITRE concluded.

MITRE Shield shows why deception is security’s next big thing

Seasoned cybersecurity pros will be familiar with MITRE. Known for its MITRE ATT&CK framework, MITRE helps develop threat models and defensive methodologies for both the private and public sector cybersecurity communities.


MITRE recently added to their portfolio and released MITRE Shield, an active defense knowledge base that captures and organizes security techniques in a way that is complementary to the mitigations featured in MITRE ATT&CK.

The MITRE Shield framework focuses on active defense and adversary engagement, which takes the passivity out of network defense. MITRE defines active defense as ranging from “basic cyber defensive capabilities to cyber deception and adversary engagement operations,” which “allow an organization to not only counter current attacks, but also learn more about that adversary and better prepare for new attacks in the future.”

This is the first time that deception has been proactively referenced in a framework from MITRE, and yes, it’s a big deal.

As the saying goes, the best defense is a good offense. Cybercriminals continue to evolve their tactics, and as a result, traditional security and endpoint protections are proving insufficient to defend against today’s sophisticated attackers. Companies can no longer sit back and hope that firewalls or mandatory security training will be enough to protect critical systems and information. Instead, they should consider the “active defense” tactics called for in MITRE Shield to help level the playing field.

Why deception?

The key to deception technology – and why it’s so relevant now – is that it goes beyond simple detection to identify and prevent lateral movement, notoriously one of the most difficult aspects of network defense. The last several months have been especially challenging for security teams, with the pandemic and the sudden shift to remote work leaving many organizations more vulnerable than before. Cybercriminals are acutely aware of this and have been capitalizing on the disruption to launch more attacks.

In fact, the number of data breaches in 2020 has almost doubled (compared to the year before), with more than 3,950 incidents as of August. But what this number doesn’t account for are the breaches that may still be undetected, in which attackers gained access to a company’s network and are performing reconnaissance weeks, or potentially months, before they actually launch an attack.

As they move through a network laterally, cybercriminals stealthily gather information about a company and its assets, allowing them to develop a plan for a more sophisticated and damaging attack down the line. This is where deception and active defense converge – hiding real assets (servers, applications, routers, printers, controllers and more) in a crowd of imposters that look and feel exactly like the real thing. In a deceptive environment, the attacker must be 100% right, otherwise they will waste time and effort collecting bad data in exchange for revealing their tradecraft to the defender.

Deception exists in a shadow network. Traps don’t touch real assets, making it a highly valued solution for even the most diverse environments, including IT, OT and Internet of Things devices. And because traps are not visible to legitimate users or systems and serve only to deceive attackers, they deliver high fidelity alerts and virtually no false positives.

How can companies embrace MITRE Shield using deception?

MITRE Shield currently contains 34 deception-based tactics, all mapped to one of MITRE’s eight active defense categories: Channel, Collect, Contain, Detect, Disrupt, Facilitate, Legitimize and Test. Approximately one third of suggested tactics in the framework are related to deception, which not only shows the power of deception as an active defense strategy, but also provides a roadmap for companies to develop a successful deception posture of their own.

There are three tiers of deceptive assets that companies should consider, depending on the level of forensics desired:

1. Low interaction, which consists of simple fake assets designed to divert cybercriminals away from the real thing, using up their time and resources.

2. Medium interaction, which offers greater insights into the techniques used by cybercriminals, allowing security teams to identify attackers and respond to the attack.

3. High interaction, which provides the most insight into attacker activity, leveraging extended interaction to collect information.

While a company doesn’t have to use all of the deception-based tactics outlined in MITRE Shield to prevent attacks, low interaction decoys are a good place to start, and can be deployed in a matter of minutes. Going forward, CISOs should consider whether it’s time to rethink their security strategy to include more active defense tactics, including deception.

Your best defense against ransomware: Find the early warning signs

As ransomware continues to prove how devastating it can be, one of the scariest things for security pros is how quickly it can paralyze an organization. Just look at Honda, which was forced to shut down all global operations in June, and Garmin, which had its services knocked offline for days in July.

Ransomware isn’t hard to detect, but identifying it when the encryption and exfiltration are rampant is too little, too late. However, there are several warning signs that organizations can catch before the real damage is done. In fact, FireEye found that there are usually three days of dwell time between these early warning signs and detonation of ransomware.

So, how does a security team find these weak but important early warning signals? Somewhat surprisingly perhaps, the network provides a unique vantage point to spot the pre-encryption activity of ransomware actors such as those behind Maze.

Here’s a guide, broken down by MITRE category, of the many different warning signs organizations being attacked by Maze ransomware can see and act upon before it’s too late.

Initial access

With Maze actors, there are several initial access vectors, such as phishing attachments and links, external-facing remote access such as Microsoft’s Remote Desktop Protocol (RDP), and access via valid accounts. All of these can be discovered while network threat hunting across traffic. Furthermore, given this represents the actor’s earliest foray into the environment, detecting this initial access is the organization’s best bet to significantly mitigate impact.

ATT&CK techniques and what to hunt for:

T1193 Spear-phishing attachment
T1192 Spear-phishing link
  • Previously unseen or newly registered domains, unique registrars
  • Doppelgangers of your organization / partner’s domains or Alexa top 500

T1133 External Remote Services
  • Inbound RDP from external devices

T1078 Valid accounts
  • Exposed passwords across SMB, FTP, HTTP, and other clear text usage

T1190 Exploit public-facing application
  • Exposure to and exploitation of known vulnerabilities

Execution

The execution phase is still early enough in an attack to shut it down and foil any attempts to detonate ransomware. Common early warning signs to watch for in execution include users being tricked into clicking a phishing link or attachment, or when certain tools such as PsExec have been used in the environment.

ATT&CK techniques and what to hunt for:

T1204 User execution
  • Suspicious email behaviors from users and associated downloads

T1035 Service execution
  • File IO over SMB using PsExec, extracting contents on one system and then later on another system

T1028 Windows remote management
  • Remote management connections excluding known good devices

Persistence

Adversaries using Maze rely on several common techniques, such as a web shell on internet-facing systems and the use of valid accounts obtained within the environment. Once the adversary has secured a foothold, it starts to become increasingly difficult to mitigate impact.

ATT&CK techniques and what to hunt for:

T1100 Web shell
  • Unique activity connections (e.g. atypical ports and user agents) from external connections

T1078 Valid accounts
  • Remote copy of KeePass file stores across SMB or HTTP

Privilege escalation

As an adversary gains higher levels of access it becomes significantly more difficult to pick up additional signs of activity in the environment. For the actors of Maze, the techniques used for persistence are similar to those for privileged activity.

ATT&CK techniques and what to hunt for:

T1100 Web shell
  • Web shells on external facing web and gateway systems

T1078 Valid accounts
  • Remote copy of password files across SMB (e.g. files with “passw”)

Defense evasion

To hide files and their access to different systems, adversaries like the ones who use Maze will rename files, encode, archive, and use other mechanisms to hide their tracks. Attempts to hide their traces are in themselves indicators to hunt for.

ATT&CK techniques and what to hunt for:

T1027 Obfuscated files or information
  • Adversary tools by port usage, certificate issuer name, or unknown protocol communications

T1078 Valid accounts
  • New account creation from workstations and other non-admin used devices

Credential access

There are several defensive controls that can be put in place to help limit or restrict access to credentials. Threat hunters can enable this process by providing situational awareness of network hygiene including specific attack tool usage, credential misuse attempts and weak or insecure passwords.

ATT&CK techniques and what to hunt for:

T1110 Brute force
  • RDP brute force attempts against known username accounts

T1081 Credentials in files
  • Unencrypted passwords and password files in the environment

Discovery

Maze adversaries use a number of different methods for internal reconnaissance and discovery. For example, enumeration and data collection tools and methods leave their own trail of evidence that can be identified before the exfiltration and encryption occurs.

ATT&CK techniques and what to hunt for:

T1201 Password policy discovery
  • Traffic of devices copying the password policy off file shares
  • Enumeration of password policy

T1018 Remote system discovery
T1087 Account discovery
T1016 System network configuration discovery
T1135 Network share discovery
T1083 File and directory discovery
  • Enumeration for computer names, accounts, network connections, network configurations, or files

Lateral movement

Ransomware actors use lateral movement to understand the environment, spread through the network and then to collect and prepare data for encryption / exfiltration.

ATT&CK techniques and what to hunt for:

T1105 Remote file copy
T1077 Windows admin shares
  • Suspicious SMB file write activity
  • PsExec usage to copy attack tools or access other systems
  • Attack tools copied across SMB

T1076 Remote Desktop Protocol
T1028 Windows remote management
T1097 Pass the ticket
  • HTTP POST with the use of WinRM user agent
  • Enumeration of remote management capabilities
  • Non-admin devices with RDP activity

Collection

In this phase, Maze actors use tools and batch scripts to collect information and prepare for exfiltration. It is typical to find .bat files or archives using the .7z or .exe extension at this stage.

ATT&CK techniques and what to hunt for:

T1039 Data from network share drive
  • Suspicious or uncommon remote system data collection activity

Command and control (C2)

Many adversaries will use common ports or remote access tools to try and obtain and maintain C2, and Maze actors are no different. In the research my team has done, we’ve also seen the use of ICMP tunnels to connect to the attacker infrastructure.

ATT&CK techniques and what to hunt for:

T1043 Commonly used port
T1071 Standard application layer protocol
  • ICMP callouts to IP addresses
  • Non-browser originating HTTP traffic
  • Unique device HTTP script-like requests

T1105 Remote file copy
  • Downloads of remote access tools through string searches

T1219 Remote access tools
  • Cobalt Strike BEACON and FTP to directories with cobalt in the name

Exfiltration

At this stage, the risk of exposure of sensitive data in the public realm is dire and it means an organization has missed many of the earlier warning signs—now it’s about minimizing impact.

ATT&CK techniques and what to hunt for:

T1030 Data transfer size limits
  • External device traffic to uncommon destinations

T1048 Exfiltration over alternative protocol
  • Unknown FTP outbound

T1002 Data compressed
  • Archive file extraction

Summary

Ransomware is never good news when it shows up at the doorstep. However, with disciplined network threat hunting and monitoring, it is possible to identify an attack early in the lifecycle. Many of the early warning signs are visible on the network and threat hunters would be well served to identify these and thus help mitigate impact.
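Several of the hunts in this guide (inbound RDP from external devices, RDP from non-admin devices, remote copies of password and KeePass files over SMB, WinRM HTTP POSTs, RDP brute force) can be run as simple rules over network metadata. The sketch below is an added example, not part of the original article: the record fields, addresses, admin allowlist, thresholds and the `.kdbx` extension check are assumptions, and connection rate stands in for failed logons.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for this sketch: the organization's internal address space and
# the jump hosts that are expected to originate RDP / WinRM sessions.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
ADMIN_HOSTS = {"10.0.0.5"}
BRUTE_THRESHOLD = 5   # RDP connections from one source to one target...
BRUTE_WINDOW = 60     # ...within this many seconds

def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def hunt(records):
    """Return a sorted list of (technique, host, detail) findings."""
    findings = set()
    rdp_times = defaultdict(list)          # (src, dst) -> connection times
    for r in records:
        kind = r["kind"]
        if kind == "conn" and r["dport"] == 3389:
            src, dst = r["src"], r["dst"]
            if not is_internal(src) and is_internal(dst):
                findings.add(("T1133", dst, f"inbound RDP from external {src}"))
            elif is_internal(src) and src not in ADMIN_HOSTS:
                findings.add(("T1076", src, f"RDP from non-admin device to {dst}"))
            rdp_times[(src, dst)].append(r["ts"])
        elif kind == "smb_file":
            name = r["name"].lower()
            # "passw" is the article's example; .kdbx (KeePass) is an assumption
            if "passw" in name or name.endswith(".kdbx"):
                findings.add(("T1078", r["src"],
                              f"{r['action']} of {r['name']} over SMB"))
        elif kind == "http":
            winrm = "winrm" in r["user_agent"].lower()
            if r["method"] == "POST" and winrm and r["src"] not in ADMIN_HOSTS:
                findings.add(("T1028", r["src"], f"WinRM POST to {r['dst']}"))
    # Sliding window over each (source, target) pair's RDP connection times.
    for (src, dst), times in rdp_times.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > BRUTE_WINDOW:
                lo += 1
            if hi - lo + 1 >= BRUTE_THRESHOLD:
                findings.add(("T1110", dst,
                              f"{hi - lo + 1} RDP connections from {src} "
                              f"in {BRUTE_WINDOW}s"))
                break
    return sorted(findings)

# Constructed sample records (not real traffic). External addresses come from
# the documentation ranges.
SAMPLE = [
    {"kind": "conn", "ts": 100 + i * 10, "src": "203.0.113.7",
     "dst": "10.0.1.20", "dport": 3389}
    for i in range(6)
] + [
    # Admin jump host: expected, produces no finding.
    {"kind": "conn", "ts": 400, "src": "10.0.0.5", "dst": "10.0.1.20",
     "dport": 3389},
    # Workstation starting RDP, then pulling credential stores over SMB.
    {"kind": "conn", "ts": 500, "src": "10.0.2.33", "dst": "10.0.1.21",
     "dport": 3389},
    {"kind": "smb_file", "ts": 520, "src": "10.0.2.33", "dst": "10.0.1.21",
     "action": "read", "name": "IT\\Passwords.xlsx"},
    {"kind": "smb_file", "ts": 530, "src": "10.0.2.33", "dst": "10.0.1.21",
     "action": "read", "name": "vault.kdbx"},
    {"kind": "smb_file", "ts": 540, "src": "10.0.2.40", "dst": "10.0.1.21",
     "action": "read", "name": "report.docx"},
    {"kind": "http", "ts": 600, "src": "10.0.2.33", "dst": "10.0.1.22",
     "method": "POST", "user_agent": "Microsoft WinRM Client"},
    {"kind": "conn", "ts": 610, "src": "10.0.2.40", "dst": "10.0.1.30",
     "dport": 443},
]

if __name__ == "__main__":
    for technique, host, detail in hunt(SAMPLE):
        print(f"{technique:6} {host:12} {detail}")
```

Findings from different techniques that share a host (here the workstation with RDP, credential-file reads and WinRM activity) are the ones worth triaging first.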

Open source tool Infection Monkey allows security pros to test their network like never before

Guardicore unveiled new capabilities for Infection Monkey, its free, open source breach and attack simulation (BAS) tool that maps to the MITRE ATT&CK knowledge base and tests network adherence to the Forrester Zero Trust framework.


Infection Monkey is a self-propagating testing tool that hundreds of information technology teams from across the world use to test network adherence to the zero trust framework, and find weaknesses in their on-premises and cloud-based data centers.

Over the past four years, Infection Monkey has gained significant momentum and popularity amongst the cybersecurity community. With more than 3,200 stars on GitHub, Infection Monkey is trusted by large enterprises, educational institutions, and more, and has garnered praise from distinguished industry analysts such as Dr. Chase Cunningham, principal analyst at Forrester.

“In cyberspace and in cyber warfare exploitation, attacks succeed because they locate and leverage the weak points in systems and networks. In order to defend from this type of attack cycle, it is necessary to continually test the system for those likely weak points. But this can be difficult, especially when dealing with large infrastructures that are bridged between cloud, non-cloud, on premises, off premises, and a wide variety of other potential configurations. Infection Monkey is one of the most well-aligned tools that fits this need. I’m a huge fan.” – from Chase Cunningham’s Cyber Warfare – Trust, Tactics, and Strategies.

Expanded MITRE ATT&CK techniques and reporting

Cybersecurity experts and enterprise DevSecOps teams continue to rely on the MITRE-developed ATT&CK framework as the foundation for network security tests and assessments.

Infection Monkey 1.9.0 now offers a total of 32 MITRE ATT&CK techniques available for testing. These new attack techniques enable cybersecurity professionals to exhaustively test their network like never before while also empowering them to easily communicate steps towards actionable remediation with all relevant stakeholders, from IT to the C-suite.

Improved Usability

As the cybersecurity skills gap continues to widen and IT teams find themselves short-staffed, Infection Monkey 1.9.0 received several interface improvements that ensure the tool can be easily implemented – and most importantly valuable – with no additional staff or education.

Infection Monkey’s user interface has been significantly upgraded for configuration, making it easier than ever to set up a variety of different test scenarios on the network. In addition, Infection Monkey 1.9.0 now runs more stealthily to avoid interruptions in attack simulations, and improve coverage rates.

Secure by default

Guardicore is committed to ensuring that Infection Monkey offers the highest standards of quality and safety as a tool. Deployed in enterprise production data centers and cloud deployments, delivering a secure and stable tool is a top priority.

Therefore, Infection Monkey 1.9.0 now requires a secure login by default and has also been verified as secure by Snyk.io, a security firm that continuously scans for vulnerabilities in software dependencies. Users can be confident that the tool is safe and secure for deployment.

“Our mission with Infection Monkey is to equip cybersecurity professionals with a valuable open source tool that helps improve their security posture against cybercriminals,” said Shay Nehmad, Team Lead and Open Source Software Developer, Guardicore. “With this new version, we have made it easier than ever to use the tool’s sophisticated features.”

Qualys unveils Multi-Vector EDR, a new approach to endpoint detection and response

Qualys today announced Qualys Multi-Vector EDR. Taking a new multi-vector approach to Endpoint Detection and Response (EDR), Qualys now brings the unifying power of its highly scalable cloud platform to EDR.


Traditional EDR solutions singularly focus on endpoints’ malicious activities to hunt and investigate cyberattacks. Qualys’ multi-vector approach provides critical context and full visibility into the entire attack chain to provide a comprehensive, more automated and faster response to protect against attacks.

Multi-Vector EDR enables security teams to unify multiple context vectors like asset and software inventory, end-of-life visibility, vulnerabilities and exploits, misconfigurations, network traffic summary, MITRE ATT&CK tactics and techniques, malware, endpoint telemetry, and network reachability by leveraging the Qualys backend to correlate with threat intelligence for accurate detection, investigation and response – ALL, in a single, cloud-based app with a single lightweight agent.

Qualys Multi-Vector EDR overview

Cloud Agent Telemetry Collection – Widely deployed Qualys cloud agents have been enhanced to collect large amounts of telemetry that is sent to the Qualys Cloud Platform on a real-time basis allowing deep analysis in the shortest timeframe. This approach helps customers eliminate an additional EDR agent on their endpoints.

Multi-Vector Detection – Leveraging the highly scalable data lake as part of the Qualys Cloud Platform, security analysts can quickly correlate additional vectors like software inventory, patch levels, vulnerability threat intelligence, and misconfigurations with endpoint telemetry like file, process, registry, network and mutex data. This approach eliminates the need for threat hunters to access multiple security solutions for context.

Investigate and Prioritize – By augmenting in-house MITRE ATT&CK-based detections with other context vectors enriched with third-party threat feeds, security teams can receive real-time alerts, investigate and prioritize security incidents, and threat hunt via intuitive workflows that take into account asset criticality and network attack paths.

Respond and Prevent – Qualys Multi-Vector EDR uses multi-layered response strategies to remediate threats and mitigate the risk in real time. In addition to traditional EDR response actions, Qualys Multi-Vector EDR orchestrates workflows for patching exploitable vulnerabilities and remediating misconfigurations across the environment to prevent attacks on other endpoints. To augment Multi-Vector EDR, endpoint protection capabilities like anti-malware/anti-virus are being added to the agent in Q4 2020.

“Qualys Multi-Vector EDR gives a broader view beyond the endpoint, which is necessary to eliminate false positives and more effectively prevent lateral movement. This is possible because Qualys Multi-Vector EDR is native to the cloud platform and collects vast amounts of telemetry from multiple sensors while capturing network information. The Qualys Cloud Agent, combined with the highly scalable Cloud Platform and forthcoming Incident Response capabilities, offers a unique opportunity for MSSPs to consolidate their managed services technology stack and orchestrate the appropriate response for faster and effective protection,” said Vishal Salvi, Chief Information Security Officer at Infosys.

“Qualys Multi-Vector EDR represents a major extension to both the Qualys Cloud Platform and our agent technology,” said Philippe Courtot, chairman and CEO of Qualys. “Adding context and correlating billions of global events with threat intelligence, analytics and machine learning results in a truly groundbreaking approach to EDR that not only stops sophisticated multi-vector attacks, but also automatically orchestrates the appropriate response all from a single solution, thus greatly reducing the time to respond while drastically reducing cost.”

McAfee MVISION Cloud now maps threats to MITRE ATT&CK

McAfee introduced MITRE ATT&CK into McAfee MVISION Cloud, the company’s Cloud Access Security Broker (CASB), delivering a precise method to hunt, detect and stop cyberattacks on cloud services.


Empowering SecOps teams

This new integration gives SecOps teams a direct source of cloud vulnerabilities and threats mapped to the tactics and techniques of ATT&CK. McAfee is the first CASB provider to tag and visualize cloud security events within an ATT&CK framework.

“Many SecOps teams leverage repeatable processes and frameworks such as ATT&CK to mitigate risk and respond to threats to their endpoints and networks, but so far cloud threats and vulnerabilities have presented an unfamiliar paradigm,” said Rajiv Gupta, senior vice president and general manager of Cloud Security, McAfee. “By translating cloud threats and vulnerabilities into the common language of ATT&CK, MVISION Cloud allows security teams to extend their processes and runbooks to the cloud, understand and preemptively respond to cloud vulnerabilities, and improve enterprise security.”

According to data from McAfee research, most enterprises average more than 485 external threat incidents per month on their cloud services. The ATT&CK integration brings cloud attacks into focus and provides the opportunity to identify gaps in protection and make policy and configuration changes directly from McAfee MVISION Cloud.

MITRE ATT&CK with McAfee MVISION Cloud

The ATT&CK integration with McAfee MVISION Cloud introduces new capabilities to mitigate the risk of cloud attacks and vulnerabilities, including the ability to:

  • Advance from reactive to proactive: McAfee MVISION Cloud allows SecOps teams to visualize not only executed threats in the ATT&CK framework, but also potential attacks they can stop across multiple Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) environments
  • Break silos: SecOps teams can now bring pre-filtered cloud security incidents into their Security Information Event Management/Security Orchestration, Automation and Response platforms via API, mapped to the same ATT&CK framework they use for device and network threat investigation
  • Take direct action: McAfee MVISION Cloud now takes Cloud Security Posture Management (CSPM) to a new level, providing security managers with cloud service configuration recommendations for SaaS, PaaS and IaaS environments, which address specific ATT&CK adversary techniques

With the introduction of ATT&CK into McAfee MVISION Cloud, there is no longer the need to manually sort and map incidents to a framework like ATT&CK or to learn and operationalize a separate framework for cloud threats and vulnerabilities, which can be cumbersome and time consuming – especially as cloud-native threats become more abundant.

Security teams using MVISION Cloud now have all of their threat incidents automatically mapped to ATT&CK, allowing them to see all cloud attacks that have been fully executed; attacks in progress in order to take action; as well as the ability to combine incidents, anomalies, threats and vulnerabilities into one holistic, familiar view.

MITRE’s CTNS names five national security officials to its newly established advisory board

MITRE’s Center for Technology & National Security (CTNS), created to enhance MITRE’s engagement with senior government leadership, named five highly esteemed national security officials to its newly established advisory board.

The new advisory board members will help guide the center’s efforts to provide our nation’s military and intelligence leaders with data-driven research, analysis, and insights to help them navigate the rapidly evolving technology landscape.

The advisory board includes:

  • General (Ret.) John Campbell, former vice chief of staff of the U.S. Army
  • The Honorable Lisa Disbrow, former undersecretary of the U.S. Air Force
  • Admiral (Ret.) Bill Gortney, former commander, U.S. Northern Command
  • Vice Admiral (Ret.) Bob Murrett, former director, National Geospatial-Intelligence Agency
  • The Honorable Bob Work, former deputy secretary of defense

“CTNS builds on the experience and expertise of thousands of our nation’s most respected scientific and engineering minds,” said Bill LaPlante, senior vice president for the MITRE National Security Sector.

“MITRE has provided trusted national security solutions for more than 60 years. CTNS gives us another way to apply our unique, unbiased vantage point and technical skills to support defense and intelligence communities with bold, innovative solutions as they face adversaries and environments that are more challenging than ever.”

“We’re looking forward to collaborating with this exceptional group of leaders,” said James Swartout, the center’s executive director.

“We created the Center for Technology and National Security to enhance our engagement with our nation’s defense and security ecosystem, connecting it to the breadth and depth of MITRE’s thought leadership and technical capabilities.

“We want CTNS to amplify systems-thinking solutions from across MITRE. It will advance recommendations to stay ahead of our adversaries and deliver on our mission: solving problems for a safer world.”

CTNS brings together experts and leading authorities from government, academia, industry, media, and policy institutes to inform discussion about the impact of emerging technologies on national security and the future of warfare.

It does this through publications, educational programs, speaking engagements, and hosted events. Recent papers have addressed using deception to protect military networks from cyberattacks, slowing China’s 5G market expansion while accelerating U.S. efforts, and developing a new battle command architecture to address multi-domain operations.

Guardicore Infection Monkey now maps its actions to MITRE ATT&CK knowledge base

Guardicore unveiled new capabilities for its open source Infection Monkey breach and attack simulation tool, used by thousands to review and analyze how their environments may be vulnerable to lateral movement and attacks.


The latest version of Guardicore Infection Monkey now maps its actions to the MITRE ATT&CK knowledge base, providing a new report with the utilized techniques and recommended mitigations, to help security and network infrastructure teams simulate APT attacks and mitigate real attack paths intelligently.

“The MITRE ATT&CK knowledge base is a globally-recognized, comprehensive matrix of tactics and techniques observed in millions of actual attacks, used by enterprise network defenders to better classify attacks and assess risks,” said Pavel Gurvich, Co-founder and CEO, Guardicore.

“By leveraging the universally accepted framework, Guardicore Infection Monkey is now equipped to help security teams quickly and safely test network defenses and how they map to specific advanced persistent threats.

“With clear and easy to understand reporting that identifies weak policies and provides prescriptive instructions to remedy them, Infection Monkey automates assessment of security posture and enables system tuning for better defense.”

Infection Monkey with MITRE ATT&CK reporting

Increasingly, cybersecurity experts and enterprise DevSecOps teams use the publicly available, MITRE-developed ATT&CK framework as a basis for network security tests and assessments.

Already deployed by users in ATT&CK simulations, the latest version is now equipped to test specific ATT&CK techniques in order to provide more insight about how those techniques were used and to offer prescriptive recommendations on how to better protect the network.

The end result is a platform where ATT&CK tests can be readily configured, automatically launched and results aggregated into a single, easy to read and digest report.

Guardicore Infection Monkey enables cybersecurity and infrastructure architects to automate testing of network defenses by attempting to communicate with machines residing in different segments of the enterprise network, demonstrating policy violations, and generating test results with actionable recommendations for remediation.

With prescriptive reporting that can be easily implemented without any additional staff or education, Guardicore Infection Monkey offers security leaders the ability to illustrate where defenses fall short and the measures necessary to rectify them.

Download

Developed under the GPLv3 license, Guardicore Infection Monkey source code is currently available from the GitHub repository. Added capabilities for ATT&CK features are available now for immediate download. Guardicore Infection Monkey is available for bare metal Linux and Windows servers, AWS, Azure, VMware and Docker environments, and private clouds.

CWE list now includes hardware security weaknesses

The Mitre Corporation has released version 4.0 of the Common Weakness Enumeration (CWE) list, which has been expanded to include hardware security weaknesses.

About CWE

The Common Weakness Enumeration (CWE) is a category system for weaknesses and vulnerabilities.

The project is sponsored by Mitre and supported by US-CERT and the National Cyber Security Division of the US Department of Homeland Security.

The CWE list is community-developed and “serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.”

Hardware security weaknesses

Until now, the CWE list categorized only software weaknesses but, due to popular demand, it has now been expanded to cover security issues that can be encountered in hardware design, including:

  • Manufacturing and life cycle management concerns
  • Security flow issues
  • Integration issues
  • Privilege separation and access control issues
  • General circuit and logic design concerns
  • Core and compute issues
  • Memory and storage issues
  • Peripherals, on-chip fabric, and interface/IO problems
  • Security primitives and cryptography issues
  • Power, clock, and reset concerns
  • Debug and test problems
  • Cross-cutting problems

This addition can help hardware designers better understand the potential mistakes that can be made in specific areas of their IP design, and help educators teach future professionals about the types of mistakes that are commonly made in hardware design.

ATT&CK for ICS: Knowledge base of techniques used by cyber adversaries

MITRE released an ATT&CK knowledge base of the tactics and techniques that cyber adversaries use when attacking the industrial control systems (ICS) that operate some of the nation’s most critical infrastructures, including energy transmission and distribution plants, oil refineries, wastewater treatment facilities, transportation systems, and more.

The impacts from these attacks range from disruption to operational productivity to serious harm to human life and the surrounding environment.

Building on strong foundations

ATT&CK for ICS builds on the foundation of the globally accessible, freely available MITRE ATT&CK knowledge base, which has been widely adopted by sophisticated cybersecurity teams from around the world to understand adversary behavior and tradecraft and systematically advance defensive capabilities.

“Asset owners and defenders want deep knowledge of the tradecraft and technology that adversaries use in affecting industrial control systems to help inform their defenses,” said Otis Alexander, a lead cybersecurity engineer focusing on ICS cybersecurity at MITRE. “Adversaries may try to interrupt critical service delivery by disrupting industrial processes. They may also try to cause physical damage to equipment. With MITRE ATT&CK for ICS, we can help mitigate the catastrophic failures that affect property or human life.”

Threats to ICS systems

Recent threats to ICS systems include cyber attacks on the Ukrainian grid that shut down power over short periods in 2015 and 2016. The NotPetya campaign in 2017 caused an estimated $10 billion in damage to Ukrainian energy firms as well as airports, banks, other major companies, and government agencies.

Other examples include a former employee of a firm that installed radio-controlled sewage equipment in Australia who used a laptop and radio transmitter to cause pumping station failures that spilled more than 200,000 gallons of raw sewage into parks, waterways, and the grounds of a resort, killing marine life, damaging the waters, and creating a terrible stench.

Some aspects of the existing ATT&CK knowledge base for enterprise IT systems are applicable to ICS, and in many cases may represent an entry point into those ICS systems for adversaries.

The focus of ATT&CK for ICS

ATT&CK for ICS adds the behavior adversaries use within ICS environments. It highlights the unique aspects of the specialized applications and protocols that ICS system operators typically use, and adversaries take advantage of, to interface with physical equipment.

The knowledge base can play several key roles for defenders, including helping establish a standard language for security practitioners to use as they report incidents. With expertise in this domain in short supply, it can also help with the development of incident response playbooks, prioritizing defenses as well as finding gaps, reporting threat intelligence, analyst training and development, and emulating adversaries during exercises.

Austin Scott, principal ICS security analyst at Dragos, said, “ATT&CK for ICS shines a light into the unique threat behaviors leveraged by adversaries targeting Industrial Control System environments. We understand the critical importance ICS threat behaviors play in an effective cybersecurity strategy and we’re proud to contribute to this program and community resource. It is a huge win for the front-line ICS network defenders who now have a common lexicon for categorizing ICS specific techniques to support reporting and further analysis.”

More than 100 participants from 39 organizations reviewed, provided comments, or contributed to ATT&CK for ICS prior to launch. These organizations consisted of a wide range of private and public entities including cyber intelligence and security companies that focus on ICS, industrial product manufacturers, national labs, research institutes, universities, Information Sharing and Analysis Centers, and government agencies supporting public and private critical infrastructure.

Christopher Glyer, chief security architect at FireEye, said, “The ATT&CK framework has been instrumental for cyber defense teams in codifying a lexicon describing how cyber attacks are conducted as well as centralizing examples of research and threat intelligence reports regarding real-world use of attacker techniques. The ICS ATT&CK framework creates a forum for establishing how ICS intrusions are unique/different from enterprise IT intrusions and will enable ICS operations and security teams to better protect these mission critical systems.”