The views expressed here are those of the author and are not necessarily endorsed by Homeland Security Today, which welcomes a wide range of views in support of securing our homeland. To submit an article for review, email [email protected]
PERSPECTIVE: We need a threat-informed defense in the federal contractor community now
On October 4, federal authorities published a detailed advisory summarizing a recent cyber intrusion into a US Defense Industrial Base (DIB) organization. The DIB advisory tells us that an Advanced Persistent Threat (APT) actor gained initial access to the organization as early as January 2021 and hid inside the network undisturbed for approximately 11 months. A subsequent incident response engagement lasted from November 2021 to January 2022.
This is the latest in a series of recent government warnings about the continued targeting of DIB companies by Russia and other APT actors, as well as warnings that the federal government does not yet have a comprehensive and consolidated strategy to mitigate risks to the industrial base.
Three points from the DIB advisory highlight what should be the core elements of any future DIB strategy:
1. The incident underscores how central identity and authentication systems are to today’s attack surface – in other words, that these systems are not just ways to defend a system, but also constitute a central target for adversaries – and underlines the value of zero trust defenses to mitigate cyberattacks. The DIB advisory tells us that the threat actors “obtained and abused existing account credentials as a means of gaining initial access”, and gained access to an administrative account within four hours of initial access. Later, the hackers were able to “access a higher-privilege service account used by the organization’s multifunctional devices. Threat actors first used the service account to remotely access the organization’s Microsoft Exchange server through Outlook Web Access (OWA) from multiple external IP addresses.” We’ve seen shades of the same tradecraft in the recent breach of Uber’s systems, where a valid account was used to gain initial access (in this case via an MFA fatigue technique), and credentials for highly privileged accounts were then found through internal discovery by the threat actor. The mitigations recommended in the DIB advisory highlight the value of a zero-trust architecture (ZTA) approach, especially when it comes to identity-related threat vectors. Many of the mitigation and detection strategies relate to access and authentication, and include steps such as:
- Enforced phishing-resistant MFA on all user accounts.
- Examination of logs for failed logins, such as logins with changed username, user agent string and IP address combinations, or logins where the IP address does not match the expected user’s geographic location.
- Finding “impossible travel”, which occurs when a user connects from multiple geographically distant IP addresses (i.e. a person could not realistically move between the geographical locations of the two IP addresses in the time between the connections).
- Identifying suspicious use of privileged accounts.
- Search for unusual activity in generally inactive accounts.
It is also recommended that organizations audit, control, and/or limit the use of scripting and command-line interfaces such as Windows Command Shell, PowerShell, and Python where possible.
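As an added example, not code from the article or the advisory, here is the impossible-travel check from the list above run over a few constructed authentication log lines; the IP-to-coordinate table and the 900 km/h threshold are assumptions (a real deployment would query a GeoIP database and tune the threshold to the organization).

```python
"""Impossible-travel check over constructed authentication log lines (added example)."""
import math
from datetime import datetime

# Constructed sample log lines: timestamp, user, source IP, result. Not from the advisory.
LOG_LINES = [
    "2021-01-14T08:02:11Z alice 203.0.113.10 success",
    "2021-01-14T08:40:55Z alice 203.0.113.10 success",
    "2021-01-14T09:15:03Z alice 198.51.100.7 success",  # 34 min later, ~5,500 km away
    "2021-01-14T11:00:00Z bob 192.0.2.44 failure",
    "2021-01-14T11:00:30Z bob 192.0.2.44 success",
    "2021-01-15T07:30:00Z bob 198.51.100.7 success",    # ~20 h later: a plausible flight
]
# Assumed IP-to-coordinate lookup (lat, lon); a real deployment queries a GeoIP database.
GEO = {
    "203.0.113.10": (40.71, -74.01),  # assumed: New York area
    "192.0.2.44": (40.71, -74.01),    # assumed: New York area
    "198.51.100.7": (51.51, -0.13),   # assumed: London area
}
MAX_SPEED_KMH = 900.0  # assumed threshold, roughly airliner speed; tune per organization

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def parse(line):
    ts, user, ip, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result

def impossible_travel(lines, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, prev_ip, ip, required_speed_kmh) for consecutive successful
    logins by one user that would require travelling faster than the threshold."""
    last = {}  # user -> (timestamp, ip) of that user's previous successful login
    alerts = []
    for ts, user, ip, result in sorted(map(parse, lines)):
        if result != "success":
            continue  # failed attempts belong to the separate failed-login review
        if user in last:
            prev_ts, prev_ip = last[user]
            dist = haversine_km(GEO[prev_ip], GEO[ip])
            hours = (ts - prev_ts).total_seconds() / 3600
            speed = dist / hours if hours > 0 else math.inf  # same second, different place
            if dist > 0 and speed > max_speed_kmh:
                alerts.append((user, prev_ip, ip, round(speed, 1)))
        last[user] = (ts, ip)
    return alerts
```

On the constructed lines only alice’s New York to London hop within 34 minutes is flagged; bob’s next-day login from London is within the threshold and passes.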
2. The DIB advisory also highlights the importance of applying a threat-informed defense. Traditional security approaches emphasize preventative practices such as hardening systems, patching vulnerabilities, and updating anti-virus systems. While these steps are important, most organizations find it impractical to patch all known vulnerabilities, and the increasing complexity of modern technology environments means that this problem will only grow. This constraint argues for prioritizing defenses based on the behaviors that adversaries are known to use and on the critical software and systems they are likely to target (including, but not limited to, the identity and access management systems mentioned above). Threat-informed defense applies a deep understanding of adversary tradecraft and technology to protect against, detect, and mitigate cyberattacks. It is a community-based approach that uses the MITRE Corporation’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework as its foundation. The framework is a knowledge base and behavioral model that consists of the following basic components:
- Tactics, showing the adversary’s tactical goals step by step through an attack lifecycle (e.g. discovery, persistence, privilege escalation, defense evasion);
- Techniques, describing the means by which adversaries achieve each tactical objective; and
- A comprehensive mapping of mitigation and detection data sources for each technique contained in the ATT&CK framework.
While adversaries can change hash values, IP addresses, domains, and other indicators observed in the course of their operations with trivial effort, it is much more difficult for them to change their tactics, techniques, and procedures (TTPs). Additionally, many adversaries use a common set of TTPs. Orienting defenses around TTPs therefore makes it much more difficult for an adversary to change course. Much of the DIB advisory is a detailed timeline of how the incident unfolded, mapped to ATT&CK techniques. Each of these techniques can be paired with mitigation and detection engineering. In this way, we can harden systems, patch vulnerabilities, and tune detection systems based on the TTPs adversaries are actually using.
3. The advisory specifically highlights the importance of validating that security controls are working as intended. In the DIB advisory, CISA, FBI, and NSA “recommend that you continually test your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.” Why? There is often a lack of clarity about which types of threat activity a defensive countermeasure actually addresses, particularly given how it is configured and implemented. Organizations can thus significantly strengthen their cybersecurity programs by validating how well their protection and detection capabilities perform against simulated threat activity. Test scripts have already been developed specifically for each of the MITRE ATT&CK techniques, and these scripts can be leveraged to validate and refine defenses. The advisory specifically calls this out: “CISA, FBI, and NSA recommend testing your existing inventory of security controls to assess their performance against the ATT&CK techniques described in this advisory. To start:
- Select an ATT&CK technique described in this advisory.
- Align your security technologies to the technique.
- Test your technologies against the technique.
- Analyze the performance of your detection and prevention technologies.
- Repeat the process for all security technologies to obtain a complete set of performance data.
- Adjust your security program, including people, processes, and technologies, based on the data generated by this process.”
There are automated and manual ways for organizations to begin testing their security tools and detections. Commercial Breach and Attack Simulation (BAS) tools exist, and MITRE recently released micro-emulation plans that can lower the barrier to entry for organizations looking to use a threat-informed approach to validate their defenses. The resulting performance data can provide an exceptionally meaningful measure of the overall effectiveness of defenses against DIB-specific cyber risks.
The vendor community is already facing heightened federal cybersecurity expectations. Suppliers are currently working out how they will comply with pending software supply chain requirements and the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC). A threat-informed defense can help prioritize investments in both. Practices such as risk-based multi-factor authentication and conditional access, operational monitoring, and incident detection and response, which are at the heart of threat-informed defense, also feature in the software supply chain and CMMC documentation, as do control validation practices (see, for example, CA.L2-3.12.3, which states: “Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.”). By implementing and validating a threat-informed defense, DIB organizations can not only help meet important outstanding compliance obligations, but also (more importantly) ensure resilience against cyberattacks.