MITRE ATT&CK: The Magic of Segmentation
In cybersecurity, nation states, cyber criminals, hacktivists, and rogue employees will be the usual suspects. They can fit into categories like exterior attackers or insider threats nicely.
But think about our essential providers, partners, and providers?
We use them, sometimes inviting them directly into help manage our networks and inner systems. It’s an easy task to overlook them as you possibly can pathways for cyberattacks. However the shocking cyberattack discovered inside December shined a vivid light on offer chain vulnerabilities.
Trust could be exploited
Because the Cybersecurity and Infrastructure Security Agency (CISA) continues investigating, they reported on January 6 that “among the preliminary access vectors because of this activity is really a supply chain compromise.”
In a nutshell, attackers breached a favorite network product, one which organizations around the world trust to control and keep track of their infrastructure. They abused its upgrade program to disguise and deliver malicious program code, impacting a large number of customers which includes high-worth US government agencies.
Not new, but quickly overlooked
In 2018 back, they updated the Enterprise ATT&CK Matrix with Trusted Relationship (T1199) and Supply Chain Compromise (T1195) to improve knowing of these adversary techniques. The latter, Offer Chain Compromise (T1195), targets the manipulation of items before clients receive them. It addresses software development conditions and item update/distribution mechanisms also. Just like the December cyberattack sounds a little, no?
The latter, Trusted Relationship (T1199), is pertinent for the reason that attack too. MITRE defines it such as this: “Adversaries may breach or elsewhere leverage organizations who’ve usage of intended victims. Accessibility through trusted alternative party relationship exploits a preexisting connection that may not really be safeguarded or receives much less scrutiny than regular mechanisms of gaining usage of a network.” With thus very much on cyber defenders’ plates, scrutinizing something update system isn’t apt to be top-of-mind.
There are a great number of unknowns with this particular attack still, however the security lesson is very clear: Trusted relationships should be built on zero trust. Whether it’s our very own employees, suppliers, companions, or service suppliers… we simply can’t have faith in anyone.
Segmentation is zero faith magic
In this website series, the Magic of Mitigations, we’ve highlighted Mitigations simply because MITRE’s suggestions against attacker behavior.
For the Trusted Connection (T1199) technique, MITRE recommends Network Segmentation (M1030) as you of just 2 mitigations. Another is User Account Control (M1052), a Windows configuration step that helps stop adversaries from gaining elevated process access. There’s miracle in both certainly, but let’s concentrate on the first.
Network segmentation is really a simple concept where in fact the network carries just authorized traffic. Individuals and devices can get to only the operational techniques they need, when they then need, and that they’re permitted to gain access to explicitly.
Its magic is zero trust, least privilege accessibility that may contain a cyber breach, stopping the spread associated with infections and malware. Logical segmentation can avoid unauthorized communication between, state, an infected system management program and the attacker’s command-and-control infrastructure – without counting on costly, legacy techniques like inner firewalls, VLANs, atmosphere gaps, or devoted admin networks.
Beyond mitigating Trusted Relationship exploits, MITRE says segmentation defends against most of these adversary techniques too:
- Account Manipulation (T1098)
- Create Account (T1136)
- Data from Configuration Repository (T1602)
- Data Manipulation (T1565)
- Domain Trust Recovery (T1482)
- Exfiltration Over Alternative Protocol (T1048)
- Exploit Public-Facing Application (T1190)
- Exploitation of Remote Services (T1210)
- Man-in-the-Middle (T1557)
- Network Service Scanning (T1046)
- Non-Application Layer Protocol (T1095)
- Non-Standard Port (T1571)
- Remote Service Session Hijacking (T1563)
- Remote Services: Remote Desktop Protocol (T1021)
- Service Stop (T1489)
- Software Deployment Tools (T1072)
How many other security approach addresses so several threat vectors?
The magic requires a little magic
Okay, network segmentation requirements first the sprinkle of pixie dirt.
It uses plan tightrope: Too loose, as well as your organization remains at an increased risk. Too tight, and you may crack something and disrupt services. For critical infrastructure sectors, where uptime is work one, that’s the no-no.
Until recently, a whole lot of function went into choosing the best balance. First, you’d need to monitor network exercise over a long time period, baseline it, determine what’s regular and what isn’t, what’s certified and what isn’t. You’d define segmentation plans then, translating them right into a product user interface – and watch to ensure it’s doing everything you wanted.
From then on, you’re still not really done. You’re adjusting them to aid new deployments continually, system retirements, and numerous other adjustments on the network. It’s rather a never-ending cycle of keep track of, manage, reconfigure, repeat.
The pixie dust and the miracle
At Cisco, we’ve been doing system segmentation for a long period. No, I’m not discussing VLANs. I’m discussing our magic of modern, scalable, manageable segmentation. Our pixie dirt is automation.
We provide deep presence to see and classify everything in the network. We analyze network action to suggest segmentation guidelines based on your products and traffic. We realize micro-segmentation and granular control more than applications and workloads. We make policy enforcement constant and simple, to enable you to act sufficient reason for confidence quickly. And the very best part? Our solutions integrate to interact as a team, making use of threat intelligence to regulate policy quickly and contain new threats.
Have a look at our detailed whitepaper that maps our answers to ATT&CK Business, posted to your Cyber Frameworks web page. And do you need to find out more about ATT&CK, including their most recent ATT&CK v8 updates? Watch our SANS webinar and obtain up to date today.