The Hornet’s Nest was just Kicked… What’s Your Move?
Boy is 2020 off to a bang, and given the context of this blog, that may or may not be a great choice of words.
If you were a security professional walking into work today, there was probably a pink elephant in your inbox with the word “Iran” in it.
In the political climate we live in, the use of cyber attack, both symmetric and state-sponsored and asymmetric through sympathizers and collaborators, is now a doctrinal norm. Within days of the U.S. attacks on Iran. attacks on Iran, U.S. government websites were defaced in retaliation. Defacing websites for political gain is 1990s-era hactivism tactic, and you can rest assured there’s other activity of concern given the DHS advisory published over the weekend.
The reality is that Iran has a well-funded and state-supported offensive cyber capability, and now they have further motive to use it. Cyber attack is now an integral component of warfare today. In fact, it’s cheaper and easier than any other kind of army to raise. Our government is signaling to the American people and business entities to batten down the hatches because cyber attacks know much fewer boundaries than traditional warfare.
If you’re a security executive or threat intelligence person, you were probably asked “what does this mean for my organization?,”“would they come after us, and if so how?,” and “should we be doing anything?” It’s pretty safe to assume that if you work in any critical infrastructure vertical business line, you should probably have your shields up to the best of your ability right now. Over the past five years, we have seen a substantial increase in the number of state-sponsored attacks directed at “civilian,” or commercial, organizations as methods to achieve secondary access. These attacks have been both direct and indirect assaults, sometimes leveraging 3rd party supply chain providers to achieve their nefarious objectives. State sponsored digital warfare is no longer a game of governments, military, and defense industrial base companies.
So… basically no one is safe potentially, which means you have to put your risk management hat on and think about this through the lens of impact and likelihood.
Answering the questions “am I protected against such an adversary?” and “what should I be doing?” can be quite difficult given these constraints. Nevermind the challenges with understanding your technology environment and your assets, data, and identity entropy or the difficulties in measuring the effectiveness of your security program to connect such a strategy.
There are emerging approaches that can help you answer this question more effectively and objectively, though.
The first step is to understand what you’re up against. MITRE has an immense collection of great information about the methods of these attackers, aligned out of the ATT&CK framework. Crowdstrike is watchful of these groups and frequently blog about their technical methods. Having a rich understanding of the attackers’ methods and preferred (commodity) approaches helps answer those “hows” and “likelihoods.” At a different level, The Chertoff Group has a great position paper outlining the overall global risks and known full spectrum capabilities to be considered in times like these.
Being one of the earliest adopters of MITRE ATT&CK as an integral part of our platform, our analysts have already taken advantage of ATT&CK Navigator and mapped the known Tactics, Techniques, and Procedures (TTPs) that the handful of Iranian actors are known to use: APT33/34/35/39 (aka, RefinedKitten, OilRig, Charming Kitten, Remix Kitten, and Muddy Water).
If you haven’t played with Navigator, it’s a really great resource and I encourage you to spend some time with it. Since we’re focused on Iranian threat actors, a quick study of ATT&CK and a few Threat Intel Blogs gets you up to speed quickly on the associated groups (named above). To visual the common TTPs using ATT&CK Navigator, simply open Navigator and check select threats:
and under Technique Controls, click the Background Color button and select a color of your choice (like below).
This map indicates all known techniques used by these actor groups. These are the techniques you’d likely be exposed to if your organization is attacked; therefore, you should focus on assuring you can defend against them. This will inform the preventive and detective controls that you will need to adequately protect yourself from known behaviors of Iranian hackers.
The next step is to map the controls that you believe you have in place to these TTPs. Defensive logical boundaries, endpoint security solutions and hardening, monitoring, and detection logic, coupled with tight incident response plans, are all investments made to defend against these techniques. Mapping those conceptual controls to these techniques will immediately illuminate where you have major gaps in these attackers’ kill chains.
Now, I know this is not always easy and there’s a ton of prerequisites in asset and application inventory, controls framework alignment, conceptual control to technical control solution mapping… but this is an important exercise, it’s durable, and if you did any functional analysis of the threats your security investments should remediate, you’ll have a baseline.
With this mapping, you can immediately start making decisions about if those gaps against these TTPs are survivable or dealt with in compensating controls.
Some folks stop here, but the unfortunate flaw in this strategy is that this approach assumes 100 percent security control efficacy, which should never be assumed in the complexity of every enterprise. Almost every breach I analyzed in 2018 and 19 indicated that the controls were supposed to be there, but something broke somewhere. The only true way to know how well you’re defended is to take a nod from Sun Tzu and become the attacker. Test your security as an attacker would.
AttackIQ’s automated platform is already populated with safe, ready-to-run-out-of-the-box emulations of 74 percent of these groups’ 114-plus published TTPs. With an automated platform that safely emulates attacker behavior on real production systems your business runs on, you can, at will, exercise your security capability just as the attacker would, BEFORE YOU’RE TARGETED or worse, BREACHED.
With a knowledge of the most probabilistic Threat Actor TTPs you should be worried about (through MITRE ATT&CK), an understanding of what security capabilities you have to defend against them (MAPPING of CONTROLS to ATT&CK), and a set of continuous tests that validate control effectiveness (AttackIQ), you can both radically improve your defenses from the feedback loop it creates and answer your organizational leadership on the risk presented by a threat, your true organizational defensive posture, and specify investments needed – with bonafide evidence.
This is the future of threat informed defense…