The majority of attacks that result in successful data breaches are simply not that complex. Many rely on well-known, tried-and-true methods. Indeed, the Verizon DBIR has for many years reported that upwards of 90 percent of attacks were successfully executed because of unpatched and known vulnerabiltiies or misconfigured systems. If we can only learn a few lessons from the latest attacks:
- WannaCry – ransomware attack via unpatched vulnerabilities
- Verizon – misconfigured server
- Equifax – unpatched vulnerability
- Dow Jones – misconfigured server
The lack of knowledge or actionable intelligence to deal with these very preventable intrusions still boggles the mind. If you are wondering where your security focus should be, let’s review the options. Many are focused on detecting the latest malware, often deploying a number of new technologies or what I call "shiny objects." Granted, they are shiny for a reason and may be sufficient. However, if cybersecurity is your focus, then we should focus on technologies and processes that have stood the test of time. How do these attacks happen? Who is performing them? What are their behaviors? Whether it’s a lack of knowledge or skilled practitioners, not focusing on cybercrime behavior (or only concentrating on checking for the latest piece of malware) constitutes a missed opportunity to shore up the enterprise security posture. Aghast, many organizations have lacked the time and expertise to develop the security content – the breach detection rules and configuration hardening policies – needed to deter attacks or identify breaches in a timely manner. Fortunately, there are repositories of attack data available to analyze and build hardening and detection rules to preempt attacks. One such repository is the MITRE Corporation ATT&CK™ – Adversarial Tactics, Techniques & Common Knowledge community. Some refer to this data simply as tactics, techniques, and procedures (TTP). By supercharging breach detection capabilities with the data from MITRE’s ATT&CK framework, organizations can monitor for behaviors that lead up to and possibly prevent a breach.
MITRE’s ATT&CK is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK can help organizations quickly detect cyber threats and identify and categorize cyber adversary behaviors. This insight allows a tailored response to a cyber breach and a recovery plan specific to the breach – saving valuable time and resources.
The 10 tactic categories within the ATT&CK framework were derived from the later stages (control, maintain, and execute) of a seven-stage Cyber Attack Lifecycle (first articulated by Lockheed Martin as the Cyber Kill Chain®). This provides a deeper level of granularity in describing what can occur during an intrusion after an adversary has acquired access. Each category contains a list of techniques that an adversary could use to perform that tactic. Techniques are broken down to provide a technical description, indicators, useful defensive sensor data, detection analytics, and potential mitigations. Applying intrusion data to the model then helps focus defense on the commonly used techniques across groups of activity and helps identify gaps in security. Defenders and decision-makers can use the information in ATT&CK for various purposes and not just as a checklist of specific adversarial techniques.
TRIPWIRE AND MITRE
Tripwire has long been an industry leader in developing security content that strengthens the security and ensures the integrity of systems and their configurations. We’ve taken the MITRE ATT&CK TTP’s and turned them into a content pack to harden an operating system, as well as detect an attack in place. What’s exciting from a customer perspective is that Tripwire has taken the best aspects of our hardening content (CIS/DISA policies), as well as our change audit rules and Cyber Crime Controls, to deliver actionable protection. This, on top of our broad policy library (the most comprehensive in the industry), strengthens the effectiveness of foundational controls for cyber-crime prevention. Additionally, we continually add new content, which will allow our customers to better protect their assets, as well as gain more insight into any potential attack they may be facing.
OUT OF-THE-BOX RULES DEFEND AGAINST COMMON ATTACKS
Tripwire’s Cybercrime Controls include a set of in-house developed breach detection rules that immediately detect changes to the most common system attack vectors: local firewall configurations, scheduled tasks, startup tasks and more. Because these items should rarely change, it’s important to be immediately alerted when they do. Cybercrime Controls detect changes to the following server attack vectors:
- Listening Ports
- System Services
- System Drivers
- Startup Tasks
- Scheduled Tasks
- Local Firewall Configurations
- Local Firewall – opmode (open ports of a firewall)
- ARP Tables
- Local User Accounts
- DNS Servers
- IP Routing
- Many others
SECURITY CONFIGURATION MANAGEMENT PREVENTS BREACHES
To prevent a breach, the Cybercrime Controls assess configurations against a set of frequently updated configuration hardening tests. These tests focus on three main areas to protect against host-based attacks that stem from malware:
- Tightening communications with the monitored server so that if an attack occurs, it’s more likely to be detected.
- Reducing the attack surface by disabling services and system components.
- Protecting the audit trail so that if an attack succeeds, forensic data helps you detect it and modify systems to fend off subsequent attacks.
Tripwire studies examples of attacks and malware, classifies their actions and behaviors, and translates those into specific and targeted rules. Many samples come from and are linked back to the MITRE ATT&CK framework. Armed with the assessment results and detection rules, customers can quickly update failed configurations and harden their systems.