Praise
The MITRE ATT&CK framework has been a real game changer for detection engineering and for my friends in the Security Operations Center!
The first big benefit is that it lets defenders rapidly parse and understand threat intelligence, because it arrives in a known, shared format. Threat intelligence that doesn't reference MITRE ATT&CK techniques is just plain annoying to read.
New TTPs can be added without breaking the "attack chain" (tactic) structure. These TTP "abuse cases" can be mapped to "use cases" or playbooks in the SOC.
ATT&CK is very useful for SOC teams responding to security incidents that result from control gaps or control failures, especially when they can lean on Endpoint Detection & Response (EDR)/XDR and Security Information and Event Management (SIEM) tooling.
The desire for improvement
Now about D3FEND: wouldn't it be great to have a similarly extensible frame of reference for security architects who are building in defence in depth and attack chain disruption, one that we could use internationally, between clients, and so on?
The challenges
1. We operate in a Microsoft monoculture. Which institutions and enterprises do not use Entra ID, Microsoft 365 and Windows 11 for their end user productivity environment? How do we avoid this becoming a summary of Microsoft best practices?
2. A lot of security for this monoculture is delivered via bolt-on third-party security products or, now, optional Microsoft security products. How do we stay vendor neutral? I have a personal preference for "OS native endpoint security".
3. This environment is not secure by default, because Microsoft wants to support backwards compatibility "out of the box". The result is wacky scenarios where we deploy "deception technology" to protect legacy identity technology.
4. COTS vs in-house developed applications. Maybe we don't dive into secure application development (the SDLC, DevSecOps and the like) in this model.
5. Vulnerability Management. Let's exclude the technologies that merely identify root causes and keep only the remediation of those root causes in the model.
Key controls
Thank goodness there are certain key controls that are at least partially effective against a number of "abuse cases".
These are:
1. Reducing root causes:
a) Patching Applications on Endpoints and Servers
b) Patching Operating Systems on Endpoints and Servers
c) Removing tech and security debt in IDAM - kill your Active Directory!
d) Patching Network Appliances
2. Protective Technologies
a) Secure Email Gateway
b) Secure Web Gateway
c) Application Control
d) Antimalware
e) Secrets management, plus secrets scanning to enforce that it is actually used
f) Cloud Identity & Access Management that establishes a perimeter in public cloud hosting, governed by a Cloud Infrastructure Entitlement Management (CIEM) capability in a Cloud-Native Application Protection Platform (CNAPP)
g) Software Composition Analysis to detect and block known-bad components and updates (supply chain attacks)
3. Technologies that prevent attacker lateral movement and application access after they gain a foothold on an endpoint, on a DMZ-hosted system, or deep inside a database via SQL injection.
a) IDaaS with Multi-Factor Authentication and Conditional Access, acting as the Zero Trust Policy Enforcement Point
b) Zero Trust Network Access (because VPN appliances suck, and identity-driven access to network attack surface is very powerful, especially when implemented per application and fed by Identity Governance & Administration technology)
c) Macrosegmentation with Next Generation Firewalls
d) Microsegmentation
4. Detective Technologies
a) Endpoint Detection & Response and XDR
b) SIEM, SOAR and UEBA (User and Entity Behavior Analytics)
Abuse cases
We want to illustrate the attack chain disruption possible with these key controls across a set of abuse cases or attack chains:
1. Phishing email with link or attachment
2. Exploit of a known vulnerability in an internet-facing network appliance (eek, what controls apart from patching help with this?)
3. Exploit of a known vulnerability in COTS software
4. Supply chain attack with phone-home to C&C infrastructure
5. Stolen/leaked credentials used against an API
Proposed working model for improvement
Abuse Case | Root Cause Remediation | Protective Technologies | Lateral/Deeper Movement Prevention | Detective Technologies |
---|---|---|---|---|
Phishing link in email to actions on objective | N/A | Secure Email Gateway - known bad sender; Secure Email Gateway - known bad link; Secure Email Gateway - sandbox; Secure Web Gateway - known bad URL; Secure Web Gateway - sandbox | N/A | N/A |
Malware attachment in email to actions on objective | Patch endpoint operating system; patch end user apps on the operating system | Secure Email Gateway - sandbox | N/A | N/A |
Exploit on internet-facing appliance to actions on objective | Patch VPN appliance, or replace it with auto-patched ZTNA | ? | ? | Logs? |
Supply chain attack | Y | Secure Web Gateway - least privilege internet access for workload identities; Software Composition Analysis - block known bad update to cached repo; Software Composition Analysis - antimalware scan of repo | N/A | N/A |
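As an added example (this is not code from the original post, and not a MITRE artifact), here is the working model above encoded so that the gaps can be computed rather than eyeballed: each abuse case is an ordered chain of stages, each key control is mapped to the stage it disrupts, and the script reports how many distinct stages a chain can be stopped at (the defence in depth) and which stages nobody covers (the "?" and "N/A" cells). The stage names, the assignment of each control to a stage, and the treatment of empty cells as "no control" are all my assumptions, constructed from the key-control list and the table; the fifth abuse case from the list is included with no controls because the table has no row for it yet.

```python
"""Attack-chain disruption coverage for the abuse-case / key-control model.

Added example; not code from the original post. The abuse cases, chain stages
and control-to-stage mappings are constructed from the post's key-control list
and working-model table. The stage names and the choice of which stage each
control disrupts are assumptions made for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed stage names, in the order an attack chain passes through them.
DELIVERY = "delivery"
EXPLOITATION = "exploitation"
EXECUTION = "execution"
FOOTHOLD = "foothold"
LATERAL = "lateral_movement"
OBJECTIVE = "actions_on_objective"


@dataclass(frozen=True)
class Control:
    name: str    # key control as written in the post's table
    column: str  # column of the working model it belongs to
    stage: str   # chain stage it disrupts (assumption)


# Constructed abuse cases: ordered chain, plus the controls the post's table
# maps to that row. An empty list is the table's "?" / "N/A" cells.
ABUSE_CASES = {
    "phishing_link": {
        "chain": [DELIVERY, EXECUTION, FOOTHOLD, LATERAL, OBJECTIVE],
        "controls": [
            Control("SEG known-bad sender", "protective", DELIVERY),
            Control("SEG known-bad link", "protective", DELIVERY),
            Control("SEG sandbox", "protective", DELIVERY),
            # The SWG only gets a say once the user clicks the link.
            Control("SWG known-bad URL", "protective", EXECUTION),
            Control("SWG sandbox", "protective", EXECUTION),
        ],
    },
    "malware_attachment": {
        "chain": [DELIVERY, EXPLOITATION, EXECUTION, FOOTHOLD, LATERAL, OBJECTIVE],
        "controls": [
            Control("Patch endpoint OS", "root_cause", EXPLOITATION),
            Control("Patch end user apps", "root_cause", EXPLOITATION),
            Control("SEG sandbox", "protective", DELIVERY),
        ],
    },
    "internet_facing_appliance": {
        "chain": [EXPLOITATION, FOOTHOLD, LATERAL, OBJECTIVE],
        "controls": [
            Control("Patch VPN appliance / auto-patched ZTNA", "root_cause", EXPLOITATION),
        ],
    },
    "supply_chain": {
        "chain": [DELIVERY, EXECUTION, FOOTHOLD, LATERAL, OBJECTIVE],
        "controls": [
            Control("SCA block known-bad update to cached repo", "protective", DELIVERY),
            Control("SCA antimalware scan of repo", "protective", DELIVERY),
            # Least-privilege egress for workload identities breaks the phone-home.
            Control("SWG least-privilege egress for workload identities", "protective", FOOTHOLD),
        ],
    },
    # Listed as abuse case 5 in the post but not yet given a table row.
    "stolen_api_creds": {
        "chain": [FOOTHOLD, OBJECTIVE],
        "controls": [],
    },
}


def coverage(case: str) -> dict:
    """Return the chain stages that have at least one disrupting control, the
    stages that have none, and the depth: the number of distinct stages at
    which the attacker can be stopped (two controls at one stage count once)."""
    entry = ABUSE_CASES[case]
    disrupted = {c.stage for c in entry["controls"]}
    covered = [s for s in entry["chain"] if s in disrupted]
    gaps = [s for s in entry["chain"] if s not in disrupted]
    return {"covered": covered, "gaps": gaps, "depth": len(covered)}


def single_points_of_failure(max_depth: int = 1) -> list[str]:
    """Abuse cases whose chain is disrupted at no more than max_depth stages:
    one missed or failed control and the attacker reaches the objective."""
    return sorted(c for c in ABUSE_CASES if coverage(c)["depth"] <= max_depth)


def control_reuse() -> list[tuple[str, int]]:
    """Controls ranked by how many abuse cases they disrupt; the top of this
    list is where the 'key controls' the post is after actually are."""
    counts = Counter(ctl.name for entry in ABUSE_CASES.values() for ctl in entry["controls"])
    return counts.most_common()


if __name__ == "__main__":
    for case in ABUSE_CASES:
        cov = coverage(case)
        print(f"{case:28} depth={cov['depth']} gaps={cov['gaps']}")
    print("single points of failure:", single_points_of_failure())
    print("most reused controls:", control_reuse()[:3])
```

Run as-is it shows what the table already hints at: the internet-facing appliance case and the stolen-credential case have at most one stage where a control can stop the chain, so one missed patch or one leaked key is the whole game, while the phishing cases get two distinct stages. Adding a row to the model is just another entry in ABUSE_CASES, and the ranking in control_reuse() is how you argue for which controls deserve the "key" label.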