On October 4, federal authorities released a detailed advisory summarizing a recent cyber intrusion at a U.S. Defense Industrial Base (DIB) organization. The DIB advisory tells us that an advanced persistent threat (APT) actor gained initial access to the organization as early as January 2021 and lurked inside the network undisturbed for approximately 11 months, with the subsequent incident response engagement lasting from November 2021 to January 2022.
This comes as the latest in a series of recent alerts from the government about persistent targeting of DIB companies by Russia and other APT actors, as well as warnings that the federal government does not yet have a consolidated and comprehensive strategy to mitigate risks to the industrial base.
Three points in the DIB advisory highlight what should be central elements of any future DIB strategy:
1. The incident underscores how identity and authentication systems are a central element of today’s attack surface – in other words, that these systems are not just means of defending a system, but also constitute a central target for adversaries – and highlights the value of zero-trust defenses in mitigating cyber attacks. The DIB advisory tells us that threat actors “obtained and abused credentials of existing accounts as a means of gaining Initial Access,” and gained access to an administrative account within four hours of initial access. Later, threat actors were able to “access a higher privileged service account used by the organization’s multifunctional devices. The threat actors first used the service account to remotely access the organization’s Microsoft Exchange server via Outlook Web Access (OWA) from multiple external IP addresses.” We saw shades of the same tradecraft in the recent breach of Uber’s systems, where a valid account was used to obtain initial access (in that case, via an MFA-fatigue technique), and credentials for highly privileged accounts were later found through internal discovery by the threat actor. The mitigations recommended in the DIB advisory highlight the value of a zero-trust-architecture (ZTA) approach, particularly for identity-related threat vectors. Many of the mitigation and detection strategies relate to access and authentication, and include such steps as:
- Enforcing phishing-resistant MFA on all user accounts.
- Reviewing logs for “impossible logins,” such as logins with changing username, user agent strings, and IP address combinations or logins where IP addresses do not align to the expected user’s geographic location.
- Searching for “impossible travel,” which occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses in the time between logins).
- Identifying suspicious privileged account use.
- Searching for unusual activity in typically dormant accounts.
It is also recommended that organizations audit, control and/or limit use of scripting and command line interfaces such as Windows Command Shell, PowerShell and Python where possible.
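The log-review mitigations listed above (impossible logins, impossible travel, and activity in normally dormant accounts) reduce to a handful of checks over authentication events once each event has been enriched with a country and coordinates. The Python below is an added example written for this article, not code from the advisory or its authors: the login records, IP addresses, user agents, coordinates and the per-user expected-country table are all constructed, and the GeoIP enrichment is assumed to have happened upstream of these checks.

```python
"""Detect impossible travel, changed login fingerprints, unexpected countries and
dormant-account activity in enriched authentication logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Login:
    ts: datetime        # UTC time of a successful authentication
    user: str
    ip: str
    user_agent: str
    country: str        # ISO country code; assumed to come from an upstream GeoIP lookup
    lat: float          # coordinates from the same lookup
    lon: float


# Constructed sample events: documentation-range IPs, illustrative coordinates.
T0 = datetime(2021, 1, 15, 9, 0)
SAMPLE_LOGINS = [
    Login(T0, "alice", "203.0.113.10", "Outlook/16.0", "US", 40.7128, -74.0060),          # New York
    Login(T0 + timedelta(minutes=30), "alice", "198.51.100.7", "python-requests/2.25",
          "GB", 51.5074, -0.1278),                                                        # London
    Login(T0, "bob", "203.0.113.22", "Mozilla/5.0 Chrome", "US", 47.6062, -122.3321),    # Seattle
    Login(T0 + timedelta(hours=5), "bob", "203.0.113.23", "Mozilla/5.0 Chrome",
          "US", 37.7749, -122.4194),                                                      # San Francisco
    Login(T0 - timedelta(days=200), "svc-printer", "10.0.0.5", "Mozilla/5.0 Chrome",
          "US", 40.7128, -74.0060),                                                       # last seen 200 days ago
    Login(T0 + timedelta(hours=2), "svc-printer", "198.51.100.9", "Mozilla/5.0 Chrome",
          "DE", 52.5200, 13.4050),                                                        # Berlin
]

# Assumed to come from an HR or identity-management source of record.
EXPECTED_COUNTRY = {"alice": "US", "bob": "US", "svc-printer": "US"}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _by_user(logins):
    """Group events per account, each group sorted by time."""
    groups = defaultdict(list)
    for login in logins:
        groups[login.user].append(login)
    return {u: sorted(seq, key=lambda l: l.ts) for u, seq in groups.items()}


def impossible_travel(logins, max_speed_kmh=900.0):
    """Consecutive logins whose distance/time implies faster-than-airliner travel."""
    alerts = []
    for user, seq in _by_user(logins).items():
        for a, b in zip(seq, seq[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            hours = (b.ts - a.ts).total_seconds() / 3600
            # Simultaneous logins from two different places are flagged outright.
            if km > 0 and (hours == 0 or km / hours > max_speed_kmh):
                alerts.append({"user": user, "from_ip": a.ip, "to_ip": b.ip,
                               "km": round(km), "hours": hours})
    return alerts


def changed_fingerprint(logins, window=timedelta(hours=1)):
    """Same account, new IP *and* new user agent inside a short window."""
    alerts = []
    for user, seq in _by_user(logins).items():
        for a, b in zip(seq, seq[1:]):
            if b.ts - a.ts <= window and a.ip != b.ip and a.user_agent != b.user_agent:
                alerts.append({"user": user, "ip": b.ip, "user_agent": b.user_agent})
    return alerts


def unexpected_country(logins, expected=EXPECTED_COUNTRY):
    """Logins from a country that does not match the account's expected location."""
    return [{"user": l.user, "ip": l.ip, "country": l.country}
            for l in logins if l.country != expected.get(l.user)]


def dormant_account_activity(logins, dormant_days=90):
    """A login following a long period with no authentication for that account."""
    alerts = []
    for user, seq in _by_user(logins).items():
        for a, b in zip(seq, seq[1:]):
            if b.ts - a.ts > timedelta(days=dormant_days):
                alerts.append({"user": user, "idle_days": (b.ts - a.ts).days, "ip": b.ip})
    return alerts


def run_all(logins=SAMPLE_LOGINS):
    return {
        "impossible_travel": impossible_travel(logins),
        "changed_fingerprint": changed_fingerprint(logins),
        "unexpected_country": unexpected_country(logins),
        "dormant_account_activity": dormant_account_activity(logins),
    }


if __name__ == "__main__":
    for name, alerts in run_all().items():
        print(name)
        for alert in alerts:
            print("  ", alert)
```

On the constructed data, "alice" trips the travel, fingerprint and country checks (New York to London in thirty minutes with a new client), "bob" trips nothing (Seattle to San Francisco in five hours from the same browser), and the service account trips only the dormancy and country checks, which is exactly the kind of multifunction-device account the advisory describes being abused. The speed threshold and dormancy window are tuning knobs; a real deployment would also suppress known VPN egress points and shared NAT addresses to keep the false-positive rate manageable.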
2. The DIB advisory also underscores the importance of applying a threat-informed defense. Traditional security approaches emphasize preventive practices such as hardening systems, remediating vulnerabilities and updating antivirus systems. While these steps are important, most organizations find it infeasible, as a practical matter, to fix every known vulnerability, and the increasing complexity of modern technology environments means this problem will only grow. This constraint puts a premium on prioritizing defenses based on behaviors that adversaries are known to use and critical software systems they are likely to target (including but not limited to the identity and access management systems noted above). Threat-informed defense applies a deep understanding of adversary tradecraft and technology to protect against, detect, and mitigate cyber attacks. It is a community-based approach that uses the MITRE Corporation’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework as its underpinning. The framework is a knowledge base and behavioral model that consists of the following core components:
- Tactics, denoting step-by-step tactical adversary goals during an attack lifecycle (e.g., discovery, persistence, privilege escalation, defense evasion, etc.);
- Techniques, describing the means by which adversaries achieve each tactical goal; and
- A comprehensive mapping of mitigations and detection data sources to each technique contained in the ATT&CK framework.
While adversaries can change hash values, IP addresses, domains and other indicators leveraged as part of their tradecraft with trivial effort, it is much more difficult for them to change their tactics, techniques and procedures (TTPs). Moreover, many adversaries use a common set of TTPs. Orienting defenses around TTPs thus makes it substantially harder for an adversary to change course. Much of the DIB advisory details a blow-by-blow chronology of how the incident unfolded, mapped to ATT&CK techniques. Each of these techniques can be mapped to mitigation and detection engineering. In this way, we can harden systems, fix vulnerabilities, and tune detection systems based on TTPs adversaries actually use.
3. The advisory specifically calls out the importance of validating that security controls are operating as intended. In the DIB advisory, CISA, FBI, and NSA “recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.” Why? There is often a lack of clarity on what types of threat activity a defensive countermeasure actually addresses, particularly depending on how it is configured and implemented. Organizations can thus meaningfully strengthen their cybersecurity programs by validating the extent of protective and detective capabilities’ performance against simulated threat activity. Testing scripts have already been developed specific to each of the MITRE ATT&CK techniques, and these scripts can be leveraged to validate and hone defenses. The advisory specifically calls this out: “CISA, FBI, and NSA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory. To get started:
- Select an ATT&CK technique described in this advisory.
- Align your security technologies against the technique.
- Test your technologies against the technique.
- Analyze the performance of your detection and prevention technologies.
- Repeat the process for all security technologies to obtain a set of comprehensive performance data.
- Tune your security program, including people, processes, and technologies, based on the data generated by this process.”
There are both automated and manual ways for organizations to start testing their security tools and detections. Commercial Breach and Attack Simulation (BAS) tools exist, and MITRE recently released Micro Emulation Plans that can lower the barrier to entry for organizations looking to use a threat-informed approach to validating their defenses. Resulting performance data can provide an exceptionally meaningful measure of the aggregate effectiveness of defenses for DIB-specific cyber risks.
The vendor community is already dealing with heightened federal cybersecurity expectations. Vendors are currently working through how they will comply with pending software supply chain and Department of Defense Cybersecurity Maturity Model Certification (CMMC) requirements. A threat-informed defense can help prioritize investments in both. Practices such as multi-factor, risk-based authentication and conditional access, operational monitoring and incident detection and response, which are central to a threat-informed defense, also feature in software supply chain and CMMC documentation, as do controls validation practices (see, e.g., CA.L2-3.12.3, which states: “Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.”). By implementing and validating a threat-informed defense, DIB organizations can not only help meet important pending compliance obligations, but also (more importantly) ensure resilience against cyber attacks.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email [email protected].