Industry Perspectives Blog
Briefings on critical cyber security topics for the security professional.
- Low Sophistication Threat Actors Continue to Target OT by Luke McNamara on June 17, 2021 at 3:30 pm
In this episode of Eye on Security, I had Daniel Kapellmann Zafra, a manager on Mandiant’s Cyber Physical Threat Intelligence team, on to discuss a recent blog post he and his team released on the trend of lower sophistication threat actors targeting operational technology (OT). We started by discussing a blog post they published last year that explored this trend—specifically the usage of ransomware by financially motivated actors against OT—and then talked about what Daniel is seeing change in this space. Our conversation touches on the various motivations that appear to be shaping this activity, and what it could mean if we continue to see this type of targeting by hacktivists, opportunistic threat actors, and more. One of the things that I think really comes across in this episode is the thoughtful analysis that Daniel and his team apply to ascertaining the drivers of this trend and where it may be going. It’s an insightful look into an area of threat activity we will likely continue to see headlines around this year. Listen to the podcast right now.
- Top Cyber Threats to Latin America and the Caribbean by Juan Carlos Garcia Caparros on May 24, 2021 at 5:00 pm
Cyber threat activity affects governments, businesses, and societies across Latin America and the Caribbean. Mandiant Threat Intelligence has observed financially motivated actors pursuing a variety of schemes in the region, including social engineering to trick individuals and businesses into transferring money to attacker-controlled accounts, and recruiting insiders at banks and telecommunications companies to facilitate money laundering and SIM swapping. State-sponsored actors linked to China, Russia, and Iran deploy cyber espionage and information operations to gather intelligence and persuade audiences to support their interests. This blog post examines the specific threats and targets Mandiant observes in the region.

Financially Motivated Threats

We judge that financially motivated cyber threat activity is very common and has a serious impact on individuals and organizations in Latin America and the Caribbean. In addition to campaigns by actors that operate globally, such as FIN11 and UNC2053, we also track activity by regional actors. During the past several years we have noted Brazilian cybercrime actors expand the geographic scope of their targeting to include North America and Europe. We also observed evidence of increased collaboration between the Brazilian cybercrime community and those of other Latin American countries, including Mexico and Peru. Both trends could increase the threat posed by regional actors as they gain access to additional resources and expertise.

Ransomware

Since at least 2017, ransomware incidents have steadily become more frequent and worldwide, and this trend has only accelerated during the coronavirus pandemic. Not only is ransomware more common, but threat actor innovations over the past several years have significantly increased the potential cost and damage of a ransomware infection. For example, throughout 2020, Mandiant Threat Intelligence observed threat actors incorporate data theft and extortion into ransomware operations, advertising stolen data on actor-operated websites. We noted that advertisements for data stolen from Latin America and the Caribbean organizations during ransomware incidents increased 550% from the first quarter of 2020 to the first quarter of 2021. This activity affected many countries, most frequently Brazil, Mexico, and Colombia (see Figure 1), and nearly every industry category, including the manufacturing, retail, and energy & utilities sectors. We identified websites associated with more than 15 different varieties of ransomware advertising data allegedly stolen from regional organizations; PYSA, SODINOKIBI, and EGREGOR were among the most prolific. For more details, please download the report in Mandiant Advantage.

Figure 1: Percentage of ransomware data theft advertisements in LAC by country

State-Sponsored Operations

While our observations suggest that state-sponsored campaigns in the region are less frequent than cybercrime, these operations have the potential to cause significant damage. We have seen Chinese attackers engage in operations likely intended to monitor developments relevant to its Belt and Road initiative, which seeks to expand China’s trading routes. We noted multiple campaigns seeking to deploy EVILNUGGET malware against government targets, for example ahead of regional trade summits, as well as against construction and transportation entities. We have also observed information operations associated with the Liberty Front Press network expressing support for Iran-sympathetic leaders in Venezuela and Bolivia.

Next Steps for CISOs

Latin America and the Caribbean face significant adversary activity, and organizations operating in the region should take steps to defend against and mitigate the effects of these threats. Best practices such as enforcing multifactor authentication, segmenting networks, regular patching, and adhering to the principle of least privilege can help reduce exposure to many common threat activity types. Tabletop exercises can also help security teams to identify potential gaps in their security architecture and emergency plans. Organizations may also focus their efforts by using the actionable insights from Mandiant Threat Intelligence, available through Mandiant Advantage. Intelligence helps organizations achieve visibility across the threat landscape and prioritize threats that are most critical. We collect global Breach, Machine, Operational, and Adversarial intelligence to deliver the same real-time threat data and analytics on which our global experts rely.
- Pandemic Impacts to the Cyber Threat Landscape by Luke McNamara on May 4, 2021 at 5:30 pm
In the latest episode of Eye on Security, I had Jens Monrad, Head of Mandiant Threat Intelligence, EMEA, join me for a conversation on how the threat landscape has changed in the past year and how it continues to be impacted by the ongoing pandemic. We reviewed the cyber events of the past year: pandemic-themed phishing, multiple APT campaigns against vaccine research and development, and ransomware targeting healthcare systems. Jens revealed that the biggest change still impacting the cyber threat landscape is the sheer volume of people working from home. He also highlighted the potential increase in the cyber criminal ecosystem due to job losses, and how individuals might turn to cybercrime in order to make money. Check out the episode now to hear how the pandemic has impacted APT activity and disinformation campaigns. Jens also shares a unique piece of advice on the threat landscape that is helpful to remember as we all work to better secure our environments. For additional information on how the pandemic and more is influencing the cyber threat landscape, check out our latest M-Trends 2021 report.
- The “Big Four”: Spotlight on Russia by Luke McNamara on April 12, 2021 at 7:30 pm
We are wrapping up our “Big Four” series with a country that has been one to watch for quite some time: Russia. And who better to join me for this episode than our Vice President for Mandiant Threat Intelligence, John Hultquist. We started off this episode discussing how Russian cyber threat activity evolved to what we know today, from the days of Moonlight Maze and Agent.BTZ. We then shifted the conversation to some of the most notable Russian threat groups and the difficulties of assigning attribution at the organizational sponsorship level. While many APT groups from the “Big Four” may blend together various types of threat activity, Russia has utilized a particularly interesting mix of cyber espionage, information operations, and disruptive attacks over the years. John brought up many notable Russian incidents, including the Olympics, the Ukrainian power grid, the targeting of elections, and the SolarWinds supply chain breach. We also discussed some of the challenges in communicating threat intelligence to both customers and wider audiences. To cap off the series, John delved into how organizations should think about not only Russian threat activity, but the operations and campaigns from North Korea, Iran, and China. You can stay ahead of threat actors like those from the “Big Four” by joining Mandiant Advantage Free where you’ll have access to up-to-the-minute threat intelligence.
- The “Big Four”: Spotlight on China by Luke McNamara on March 24, 2021 at 4:45 pm
The third installment of our “Big Four” series on China is filled with so much great information that it’s our longest episode yet. Lloyd Brown, Principal Analyst for our Custom Intel Team, and Scott Henderson, Principal Analyst for our Cyber Espionage Team, joined me to peel back the layers of China’s cyber capabilities. Similar to past episodes in this series, we started at the beginning of China’s cyber operations—dating back to 2003. Scott and Lloyd took me through a detailed look at all the stages of China’s operations, including the shift in 2015/2016 from being “clumsy and noisy” to stealthy. Lloyd brings up a great point that’s worth hearing about their use of CVE exploits (which came into play with the recent Microsoft Exchange server exploits). We also discussed how China’s cyber activity is driven by economic interests such as the Belt and Road initiative, the nature of their operations surrounding global elections, APT41’s cybercrime activity in addition to cyber espionage, and where they think China’s operations are headed. You’ll definitely want to stick around to the very end. Since our initial recording occurred before the Microsoft Exchange exploits, I decided to follow up with Lloyd to get his take on HAFNIUM and the UNC groups we’re tracking related to that activity. Listen to the episode today, and also catch up on our previous episodes on North Korea and Iran. Know the threats that affect your organization with up-to-the-minute threat intelligence by signing up for Mandiant Advantage Free.
- How To Avoid the Costly Risks of Cloud Misconfigurations by Stephen Schumm on March 22, 2021 at 4:30 pm
Misconfigurations in cloud services present a significant risk, costing organizations worldwide an estimated $5 trillion. Federal agencies face even greater risks. Vulnerabilities from cloud misconfigurations that are exploited by attackers can impact national intelligence or citizen data. The exposure of this information could have far-reaching implications in terms of the safety and privacy of individuals and systems. With that in mind, here are some key considerations to minimize these risks.

The Challenges Associated With Cloud Configurations

Many federal agencies are taking advantage of the speed and cost efficiencies of public cloud services such as AWS, Google Cloud and Azure. Although these providers secure the underlying infrastructure, the organization must protect what’s inside—including applications, workloads and data. That means they’re also responsible for the configurations of whatever is uploaded to the cloud. That can be a tall order for several reasons:

  - Lack of skillsets. The cloud is built on dynamic services and infrastructure that require unique skills and expertise. Not all federal agencies have or can attract sufficient in-house talent to ensure proper cloud configurations.
  - Lack of coordination. Cloud security typically falls under the remit of three groups: DevOps, security, and cloud infrastructure teams. If these groups don’t collaborate and tightly integrate their work, misconfigurations are likely.
  - Lack of visibility. Gaining insight across cloud services can be a daunting task. The environment is dynamic, with near-continuous changes, updates and movement of workloads. If the organization doesn’t have a “single pane of glass” to quickly identify simple misconfigurations, vulnerabilities are a constant risk.

In addition to these challenges, federal agencies must focus on regulatory compliance around data protection. It’s a complex maze of continual auditing to ensure adherence to regulations such as FISMA, DISA STIGs, and NIST standards.

Overcoming Misconfiguration Challenges

Federal agencies require continuous visibility across their cloud services, and a way to automatically notify teams when a misconfiguration is identified. Doing so not only improves cloud security, it also enhances collaboration and governance. FireEye Cloudvisory gives federal agencies that necessary visibility. Cloudvisory is a cloud-native security solution that unifies controls to minimize vulnerabilities such as misconfigurations. Cloudvisory provides CISOs with a single pane of glass for:

  - Deep visibility across cloud workloads and applications. This allows organizations to view network traffic, auto-discover cloud assets in public, private and hybrid clouds, and improve threat detection and alerting. Staff can drill down into risk analysis and cloud security analytics to quickly identify misconfigurations and improve the agency’s security posture.
  - Continuous compliance. Cloudvisory allows federal agencies to better achieve compliance assurance. It uses automation and built-in, customizable compliance checks for faster analysis, detection and remediation of risks and vulnerabilities that may arise from misconfigurations.
  - Governance and control. Cloudvisory automatically recommends least-privilege policies to protect cloud workloads, while also continually detecting changes and threats.

In addition, Cloudvisory easily integrates with Mandiant Threat Intelligence, which provides comprehensive data on current, past and possible future threat activity. Combined, these solutions reduce the complexity around cloud security—making teams more efficient, coordinated and prepared. Download The Catch 22 of Cloud Misconfigurations to see how FireEye helps federal agencies optimize their cloud environments to minimize risks.
- An Inside Look Into How Reddit Fights Cyber Threats by Luke McNamara on March 17, 2021 at 5:00 pm
How does Reddit handle malicious or suspicious coordinated activity on their platform? I asked Aylea Baldwin, Threat Intelligence Lead at Reddit, to answer that question and more during this episode of Eye on Security. During our discussion Aylea shared a few ways Reddit is unique compared to other social media networks—its tolerance for varying levels of behavior on different communities, the lack of user data collection, and the way posts are amplified through voting. The voting feature is unique to Reddit and I was curious to know how threat actors leverage it as part of their influence campaigns. As it turns out, the answer to that question isn’t so simple since foreign actors have to get buy-in from people to up-vote their posts. We ended our conversation with Aylea’s thoughts on the future of disinformation and deepfake technology, which is a concern in the security and many other industries, and something that can have a huge influence on sites such as Reddit. Listen to the full episode now.
- Tackling Digital Safety for Women by Luke McNamara on March 8, 2021 at 5:15 pm
Did you know that women are disproportionately affected by cybercrime, cyber stalking, cyber bullying, cyber harassment, and image-based sexual abuse? I asked Cris Kittner, Principal Analyst at Mandiant Threat Intelligence, and Lillian Teng, Director of Threat Investigations from Verizon Media, to join me for a discussion around their recent talk on digital safety for women and practical strategies women of all ages can take to increase their online safety. Cris and Lillian provided their reasons and motivations for putting together the talk, which they first presented at the Grace Hopper Celebration in 2020. They highlighted the connection between physical and cyber stalking and the need for these conversations to be normalized. Far too often, Cris and Lillian heard from young professionals that they believed the cyber harassment that was happening to them in the workplace or at conferences was “normal.” To combat the issues many women are facing online, Cris and Lillian provided a list of practical considerations that women should follow, such as using a password manager, knowing what permissions are being given to third-party applications, understanding that Snapchat images can be recovered, adjusting (or eliminating) location tags, and how to report abuse happening on social media sites. Listen to the episode today for online safety strategies that can help you or a loved one stay safe online.
- Establishing a Zero Trust Architecture for Federal Agencies by Bobby New on March 4, 2021 at 5:30 pm
Amid the ever-evolving, increasingly sophisticated cyber attack landscape, federal agencies are being urged to adopt a Zero Trust approach. Today’s environment “calls for and needs a new approach for security, and Zero Trust architectures are going to be critical for helping [agencies],” said Brandon Wales, executive director of the Cybersecurity and Infrastructure Security Agency (CISA), during a Federal Computer Week (FCW) webinar. Organizations might be concerned that Zero Trust adoption will create greater complexity. However, with the right approach and platform, federal agencies can gain efficiency and avoid complexity while significantly improving overall security.

What a Zero Trust Architecture Looks Like

As the term suggests, Zero Trust is led by the principle of “never trust, always verify.” It is a framework of policies, technologies, and systems that are applied to users and devices. For example, multi-factor authentication (MFA) is considered a core Zero Trust technology because it requires more than one piece of evidence to trust a user’s identity. There are multiple technologies and capabilities that lend themselves to taking a Zero Trust approach. Implementing these functionalities and principles takes time. In a recent informational statement, the NSA recommends four stages toward Zero Trust maturity:

  - Preparation. Initial discovery and assessment activities.
  - Basic. Implement fundamental integrated capabilities.
  - Intermediate. Refine capability integration and further refine capabilities.
  - Advanced. Deploy advanced protections and controls with robust analytics and orchestration.

The NSA acknowledges that these stages don’t happen overnight. That’s why we believe organizations should look at this from a holistic standpoint. Agencies should seek to unify security and move beyond perimeter-based security, while increasing compliance with policy-based access controls. We recommend four pillars to underpin a Zero Trust approach:

  - Verify the user. How does an agency validate that an individual accessing systems is, in fact, who they say they are? There should be automated policies that address access permissions, and these should be adaptive and dynamic to respond across different applications, clouds and on-premises systems.
  - Verify the device. Users may use multiple devices—laptops, smartphones, and desktops—to access organizational systems. Verification must be extended across all of these devices so that the user’s identity is validated every time they connect.
  - Limit access and privilege. Cyber criminals are typically attracted to personnel with administrative privileges to gain control over a business system, so it is important to limit lateral movement. The principle of least privilege must be considered thoroughly in all cases, ensuring users only have enough access to successfully do their jobs.
  - Learn and adapt. Information about the user, including their workstation, application use and server policies, should be collected and analyzed. Machine learning is beneficial for this; the technology continuously improves this process, allowing security teams to recognize unusual behaviors, determine risk levels and decide whether risks are acceptable. Accuracy and availability of data—logging, log feeds, depth of content—are crucial.

All of these pillars can be addressed by establishing a Zero Trust architecture (ZTA), as visualized in this diagram:

At a high level, the ZTA comprises a control plane and a data plane. The control plane components are responsible for authorizing access to assets or resources. Actual transfer of information occurs in the data plane. Access to system resources is implemented by a policy enforcement point (PEP) in the data plane, which acts like a gatekeeper. It operates in consultation with policy engine and policy administration functions, and together these form the policy decision point (PDP). The PDP forms the control plane of a ZTA, which in turn is continually updated by inputs from the various control functions.

The Critical Ingredient: Intelligence Across the Architecture

Looking at that diagram, Zero Trust may seem daunting. However, with the right partner, agencies can move through the Zero Trust journey at their own pace. The common thread is intelligent functionality. For example, to verify users and devices, organizations must validate all endpoints. This includes all the apps and devices that employees use to get work done, regardless of whether the devices are owned by the organization or by the individual. That also extends to contractors, partners and guest devices. To make this happen, the right endpoint security solution should:

  - Stop actions from compromised apps and files
  - Identify a malicious actor’s activities in a security event
  - Isolate the bad actor’s network access while capturing forensic access information

Automation and embedded intelligence reduce the complexity of these functions. Another example is network security. It’s critical to rapidly identify web-based threats and malicious actors before they move too deep into the network. To act fast, a solution should intelligently detect early phases of web-based attacks, extract the malware and safely detonate it—in real time. Similarly, an intelligent ZTA should help federal agencies address overall security system hygiene. For example, regular maintenance and vulnerability scans of security information and event management systems (SIEMs) are an onerous task. By integrating threat intelligence services directly into infrastructure systems such as SIEMs, organizations gain real-time insights into vulnerabilities and risks.

An Intelligence-Backed Platform Approach for Zero Trust

Verifying users and devices must also happen within the infrastructure. A platform-based approach can enhance security across clouds and security operations systems such as SIEMs. For example, an intelligent foundational solution offers assurances of compliance and enforcement by providing a framework for visibility across cloud environments. This allows organizations to view network traffic, auto-discover cloud assets in public, private and hybrid clouds, and improve threat detection and alerting. The right platform should provide workload microsegmentation using cloud-native security capabilities, a key element in Zero Trust. When this process is automated, agencies can seamlessly provision, secure, and monitor multiple cloud environments to protect applications and micro-services. At the same time, federal agencies should leverage a cloud-based SIEM platform that intelligently and automatically delivers centralized security. This solution bolsters a Zero Trust architecture, for example, by empowering teams with proactive alert management, analysis and reporting.

The Need to Measure Effectiveness

Ultimately, federal agencies must validate that their cyber security efforts are effective. The same applies to Zero Trust implementations. Security validation:

  - Measures and improves cyber-defensive effectiveness with detailed evidence
  - Verifies the effectiveness of workload segmentation
  - Guards against security regression with continuous testing
  - Measures the performance of security incident handling

Organizations should seek an overarching, unifying solution that is built to demonstrate the effectiveness of all their cyber security investments. It should provide evidential data that answers questions such as:

  - Are my security technology layers configured correctly?
  - Is my SIEM collecting all the data sources it needs for malicious activity alerts?
  - Will the latest security attack affect our organization?

What gets measured gets improved. A security validation platform ensures that organizations are not only proving cyber security effectiveness, but also optimizing security and efficiencies.

The Bottom Line

Federal agencies may be at different points in their Zero Trust journey. Maybe they just implemented MFA and are ready to address cloud security, or they’ve implemented a cloud-based SIEM. No matter whether an agency is just starting or delving deeper into systems and infrastructure, the right partner can help eliminate unnecessary complexity. FireEye realizes that Zero Trust isn’t a one-size-fits-all approach. Our expertise and intelligent solutions can be adapted to meet an organization’s most pressing security needs, and get them on the path toward minimized exposure and increased security.
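As an added example (not part of the post above and not FireEye code), the following Python models the ZTA described in it: a policy decision point in the control plane that evaluates the four pillars per request, and a policy enforcement point in the data plane that only forwards traffic the PDP approves. All entitlements, device posture records, risk weights and the threshold are constructed sample data.

```python
"""Toy Zero Trust access path: PDP (policy engine) in the control plane,
PEP (gatekeeper) in the data plane. Constructed sample data throughout;
weights and thresholds are illustrative, not a recommended policy."""
from dataclasses import dataclass, field

# Least-privilege entitlements: which roles may perform which actions on
# which resource. Anything not listed is denied by default (constructed).
ENTITLEMENTS = {
    "payroll-db": {"hr-analyst": {"read"}, "hr-admin": {"read", "write"}},
}

# Device inventory from the device-management control function (constructed).
DEVICE_POSTURE = {
    "laptop-0042": {"managed": True, "disk_encrypted": True, "patched": True},
    "byod-phone-7": {"managed": False, "disk_encrypted": True, "patched": False},
}

# Behavioural risk at or above this value denies even a well-formed request.
RISK_DENY_THRESHOLD = 60


@dataclass
class AccessRequest:
    user: str
    roles: set
    mfa_verified: bool
    device_id: str
    resource: str
    action: str
    # Signals feeding the "learn and adapt" pillar (constructed).
    new_location: bool = False
    off_hours: bool = False
    failed_logins_last_hour: int = 0


@dataclass
class Decision:
    allow: bool
    risk: int
    reasons: list = field(default_factory=list)


def score_risk(req: AccessRequest) -> int:
    """Adaptive risk score from behavioural signals; weights are illustrative."""
    risk = 30 if req.new_location else 0
    risk += 15 if req.off_hours else 0
    risk += min(req.failed_logins_last_hour, 5) * 10
    return risk


def policy_engine(req: AccessRequest) -> Decision:
    """PDP: evaluate all four pillars for one request; any failure denies."""
    reasons = []

    # Pillar 1, verify the user: identity without a second factor is not trusted.
    if not req.mfa_verified:
        reasons.append("user identity not MFA-verified")

    # Pillar 2, verify the device: unknown or non-compliant devices are
    # untrusted even when the user is legitimate.
    posture = DEVICE_POSTURE.get(req.device_id)
    if posture is None:
        reasons.append("device not in inventory")
    elif not all(posture.values()):
        reasons.append("device posture non-compliant")

    # Pillar 3, limit access and privilege: the action must be explicitly
    # granted to one of the caller's roles on this resource (default deny).
    granted = set()
    for role in req.roles:
        granted |= ENTITLEMENTS.get(req.resource, {}).get(role, set())
    if req.action not in granted:
        reasons.append(f"roles {sorted(req.roles)} lack '{req.action}' on {req.resource}")

    # Pillar 4, learn and adapt: behavioural risk can veto an otherwise valid request.
    risk = score_risk(req)
    if risk >= RISK_DENY_THRESHOLD:
        reasons.append(f"risk score {risk} >= threshold {RISK_DENY_THRESHOLD}")

    return Decision(allow=not reasons, risk=risk, reasons=reasons)


def policy_enforcement_point(req: AccessRequest, backend) -> str:
    """PEP in the data plane: consult the PDP, forward only if allowed, log it all."""
    decision = policy_engine(req)
    # The audit record is what feeds the SIEM; depth and accuracy of logging matter.
    audit = (f"user={req.user} device={req.device_id} {req.action}@{req.resource} "
             f"risk={decision.risk} reasons={decision.reasons}")
    if not decision.allow:
        return f"DENY {audit}"
    return f"ALLOW {audit} -> {backend(req)}"


def payroll_backend(req: AccessRequest) -> str:
    """Stand-in for the protected resource; only ever reached through the PEP."""
    return f"{req.action} on {req.resource} performed for {req.user}"
```

Every request is evaluated in full, so a compliant device with a valid role is still denied once the behavioural risk score crosses the threshold, and the denial reasons are carried in the audit record for the SOC.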
- XDR: Making an Impact on the SOC by Dan Lamorena on March 2, 2021 at 4:45 pm
With organizations struggling with alert fatigue and disconnected tools for monitoring security controls, it is not surprising that one of the hottest new cyber security technology categories is Extended Detection and Response (XDR). Designed to better integrate security control data and security operations through cloud-driven analytics, detection, and response, the category of XDR is set to drive new efficiencies in the security operations center (SOC). In a recent survey conducted by IT analyst firm ESG, 70% of organizations expressed that they are already using or considering XDR, or plan to establish a formal budget to invest in an XDR solution in the next six months. What is behind the aggressive XDR adoption plans? Drawn by the idea of bringing together security data across multiple security controls and the prospect of XDR solutions delivering a turnkey approach, security teams are moving fast to apply enhanced security analytics to help them keep up with advanced threats, while reducing the complexity of aggregating, correlating, and analyzing security data from multiple control points. True XDR solutions are an integrated set of cyber security products that unify control points, security data, analytics and operations into a single enterprise solution. XDR implies supporting multiple types of security telemetry, which could include endpoint, network and cloud sensors. XDR promises to provide better technology integration between data sources and security operations to accelerate detection and response, all while reducing the integration and security engineering headaches that plague SecOps teams today.

Meeting the Security Alert Challenge

The biggest challenge to solve related to the security data and alerts generated by disparate security controls was filtering the noise out of the alerts so that security analysts could focus on the right signals (38% of respondents). This means they could deliver the most important outcome that 40% of respondents currently using or considering XDR want: improve the fidelity and prioritization of security alerts to make it easier to triage and respond to events (leading to improved response time).

What To Look for in an XDR Solution

Here are some key elements when considering an XDR:

  - Controls agnostic. The problem with simplifying security operations with an XDR is that most XDRs require organizations to purchase the security controls/sensors (network, endpoint, cloud, mail, etc.) from a single vendor, and often require a rip and replace of the existing technologies. A controls-agnostic XDR enables security organizations to choose best-of-breed technologies while retaining improved detection and response.
  - Machine-based correlation and detection capabilities. Machines can comb through large data sets and see patterns faster and more accurately than humans. And it would be nearly impossible for humans to do correlation across EDR alerts, network events, account services, vulnerability scan data, etc., to “triangulate” amongst sensors and more accurately distinguish between true signal and the noise of false positives. If machines can more accurately and consistently find real and actionable incidents, it means less time for analysts doing tier one monitoring, i.e., staring at screens, and more time focusing on their customers and incident response, which should result in happier analysts and improved job satisfaction. Machine-based detection could also mean 24×7 coverage without the added staffing.
  - Pre-built data models. No one wants to write custom rules/content/code in their SIEM and SOAR platforms. It would be a huge advantage to have these complex models work out-of-the-box. This would mean reduced security engineering time and costs, or even better, freeing security engineers to work on more value-added projects. Integrating timely threat intelligence automatically is another important component for determining known bad and relevancy.
  - Integration with different SIEMs, SOARs and case management tools. XDR should play nicely with those investments. Key features would be built-in integrations, including automated case creation, scoping new and additional events into a case over time, and feedback being provided from the SOAR to the XDR for model improvement.

A technology-agnostic XDR gives security teams the best of both worlds: analytics that work across a broad range of security technologies and vendors—to provide the true outcome—finding incidents in real time without noisy false positives.
- The “Big Four”: Spotlight on Iran by Luke McNamara on February 24, 2021 at 4:00 pm
We’re back with the second episode of our “Big Four” series focused on North Korea, Iran, China, and Russia. We chose Iran for this one, and to help me explore their cyber capabilities I invited Sarah Hawley, Principal Analyst for Mandiant Threat Intelligence, and Lee Foster, Senior Manager of Information Operations Analysis. Sarah kicked off the episode by providing an overview of Iran’s past offensive cyber activity and how these capabilities have developed over the years. Lee shared how they have also grown their usage of, and willingness to use, information operations (IO) and how his team approaches attribution and analysis of this disinformation activity. We then touched on drivers of Iranian cyber threat activity and their apparent increasing willingness to target democratic processes. Sarah also discussed Iran’s destructive activity going after industrial targets in the oil and gas sectors through password spraying and spear phishing operations. As always, we closed out the episode with thoughts about what Sarah and Lee think we might see from Iran’s cyber operations in the coming years. Listen to hear their predictions and stay tuned for our upcoming episodes on China and Russia. Listen to the podcast now, check out the “Big Four” episode on North Korea if you haven’t already, and then head over to our Eye on Security page for even more episodes.
- Breaking Down Malicious Insider Threats by Luke McNamara on February 17, 2021 at 5:30 pm
“Legitimate access rules the threat landscape,” says Jon Ford, Managing Director at Mandiant. In addition to loss of intellectual property, malicious insiders are increasingly impacting organizational reputation, customer trust and investor confidence. There’s a lot more to insider cyber security threats than disgruntled employees, which is the first thing that comes to mind for most when they think of this threat. Jon Ford, Managing Director of Mandiant, and Johnny Collins, Director of Mandiant, joined me to break down what insider threats are and the trends Mandiant is seeing in recent investigations. Johnny began by defining insider threats—from unintended link clicking, all the way up to human-enabled technical operations (think meet-ups in parks while avoiding all electronic communications, as you see in movies). Both Johnny and Jon shared how organizations on the commercial and government sides are thinking about insider threats as part of their overall risk and security posture, and how clients are approaching insider threat security from a behavior-focused approach as opposed to targeting or profiling individuals. Then we got to the good part: stories from recent investigations they’ve worked on through Mandiant’s Insider Threat Security Services offerings. You might be surprised by the outcomes of a few of them. Johnny and Jon went on to highlight the various tiers of Mandiant’s Insider Threat Program Assessments and Mandiant’s Insider Threat Security as a Service offering with Mandiant Intelligence. Johnny and Jon close with shared thoughts on the growing insider threat trends we’ll see in the near future. Listen to the podcast right now.
- The Cyber Landscape in Latin America by Luke McNamara on January 25, 2021 at 5:30 pm
While many cyber threats and security issues are universal and experienced by organizations in any part of the world, some are more common to a particular region than others. I invited Ryan Goss, Vice President for Latin America & the Caribbean, and Juan Carlos Garcia Caparros, Director of Mandiant Consulting for Latin America and the Caribbean, to talk specifically about cyber security in Latin America. Juan Carlos shares what threats we’ve seen our customers face in Latin America. He also discusses the security culture in Latin America, comparing the maturity of organizations there to those in the United States or Europe. We also explore whether attitudes are shifting around cyber security in boardrooms. Ryan believes it’s moving in a good direction, but that many companies still treat cyber security as an afterthought, which leads to lower overall budgets and forces security teams to focus on solutions that are “good enough” or at least allow them to “check the compliance box”. This is why it is important for FireEye to lead with Mandiant Solutions and establish ourselves as trusted advisors and true partners for our customers. We wrap up the episode by touching on cyber training, security validation and unexpected activity from North Korea targeting financial institutions throughout Latin America.
- Joseph and the Amazing Primary Color CTI Function (Part Two) — Leveraging Primary Source Insight From the Front Lines by Jamie Collier on January 21, 2021 at 4:30 pm
The first blog post in this series provided an introduction to primary source intelligence and discussed some of its benefits. This highlighted how primary source insight can be a key driver in ramping up an organization’s security posture. Despite the clear benefits of primary source intelligence, it should never be seen as an end in itself. This is because it is only ever as effective as a security team’s broader maturity, ability to consume intelligence, and capacity to blend it with other data sources. This post picks up where we left off, by providing some practical steps on how to operationalize primary source intelligence within a cyber security function.

Establish the Foundations

Before we get too excited about some of those sweet primary source nuggets of insight, it is vital that a CTI team and cyber security function get the relevant foundations in place. Primary source intelligence is a means to an end and should serve a broader goal of providing decision advantage that is relevant to key business challenges. This means starting with understanding the purpose of intelligence within an organization. There are ultimately many ways that organizations can leverage CTI, ranging from patch prioritization and threat hunting to risk management and strategic decision making. Intelligence functions should therefore understand intelligence use cases, build relationships with relevant internal stakeholders, and help them better understand how intelligence reporting can aid the decision-making process. Once this clarity of mission has been achieved, an intelligence function should ask what kind of intelligence and sources best serve stakeholder requirements. A robust collection program that is mapped to stakeholder requirements is a key ingredient in producing high-quality and actionable intelligence. The chances are that primary source intelligence can make a significant contribution to solving business challenges, yet it is stakeholder requirements that should always be the driving force.

Integration

Any intelligence source will be more effective when it is fully integrated into a security function’s tools and technology. This could include, for example, directing CTI feeds into threat intelligence platforms (TIPs) and security information and event management (SIEM) systems. However insightful primary source intelligence may be, it has to be presented in a usable and accessible way. Ultimately, if CTI is able to complement and integrate with existing workflows, it is far more likely to be consumed. Primary source intelligence derived from CTI vendors will provide organizations with a broad understanding of the threats relevant to them, yet this should always be integrated with a deep knowledge of an organization’s own internal operating environment. By mapping CTI against the infrastructure and assets within an internal network, a security function is able to understand its own exposure. Here, organizations should also ensure that they integrate external intelligence with the primary source data sitting under their own nose (i.e. that gained from within their own network). A combination of sources becomes more powerful than the sum of its parts. At FireEye, for instance, indicators gleaned from an incident response engagement could then assist our endpoints in detecting additional malicious activity. This could, in turn, provide fresh insight to uncover additional adversary operations via Advanced Practices engagements. This would unearth new context around adversary TTPs, all of which is then fed into our threat intelligence offering. Different CTI sources therefore inform each other, creating powerful multiplier effects.

Adopt an Empirical Approach

The cyber threat landscape is highly complex and there is no shortage of attack vectors. Yet, not all attacker techniques pose a uniform threat to organizations. Most cyber security functions require insight to help them focus and prioritize on what really matters to them. Rather than providing an exhaustive list of all the attack techniques that might pose a threat, a CTI team will always deliver more value through intelligence that can sort through the noise and identify the handful of TTPs that pose the most significant and likely threat. Empirical and data-driven analysis sits at the bedrock of this approach. This can be enabled through primary source intelligence. COVID-19 provides one example of how the cyber threat landscape can become distorted through secondary reporting. In March 2020, the intense global interest in the pandemic meant there was understandable press interest around how the virus was being leveraged in social engineering campaigns. With so many of these reports published in a short time frame, it would be easy to assume that the vast majority of phishing emails contained COVID-19 lures. Yet, cyber security reporting intended for a mainstream audience will understandably report on what is new and topical. After all, who wants to read about yet another generic phishing email? Mandiant Threat Intelligence, by contrast, was able to leverage its malicious email detection data to ascertain that COVID-19 content was used in only two percent of malicious emails at the time. This highlights how a more data-driven approach to CTI can untangle tangible threats from broader hype and media headline bias. Ultimately, whilst both cyber security news reporting and intelligence play important functions, they are fundamentally different products developed for different purposes. The same principles can also be applied to vulnerability intelligence. Patching across an organization running multiple systems and applications can be a mammoth task. This makes prioritization crucial. Yet the mean and ugly vulnerabilities that make their way onto headline news are not necessarily the ones that pose a material threat. Rather than focusing on the most frightening vulnerabilities, organizations are better off adopting a context-driven approach. This prioritizes patching vulnerabilities that are both being actively exploited and affecting relevant geographic and industry verticals. This significantly increases the chances that an organization’s patching efforts go towards preventing targeted attacks. Again, such context requires expansive telemetry and rich data sets.

In Closing

One does not need to work in the cyber security industry for long before encountering oodles of distraction, hype, and questionable hot takes. Primary source intelligence might not be the cyber security silver bullet that every practitioner wishes existed, but there is little doubt that it can provide a healthy and much-needed dose of grounded perspective. This empowers organizations to focus on the threats that really matter.
- Joseph and the Amazing Primary Color CTI Function (Part One) — An Introduction to Primary Source Intelligence by Jamie Collier on January 12, 2021 at 5:00 pm
Cyber threat intelligence (CTI) can be a vital pillar of an organization’s cyber security function. Yet not all intelligence is created equal—it can range from stale and outdated indicators of compromise all the way to zesty adversary attack details (and with juicy mitigation advice baked in for good measure). When it comes to refining intelligence, quality typically trumps quantity. The majority of intelligence stakeholders are time constrained and have enough on their reading list already. The challenge, therefore, is to produce high leverage intelligence that equips stakeholders with decision advantage related to their most pressing challenges. There are various ways that CTI functions can improve the quality of their reporting. Yet, few will have as dramatic an improvement as utilizing primary source intelligence.

Primary Source Intelligence 101

Primary source intelligence refers to reporting that is based on immediate and first-hand accounts. Within cyber security, this typically means reporting based on a direct connection to the threat at hand. For example, much of Mandiant’s own primary source data is gained from front-line experience responding to some of the most significant network intrusions. Mandiant also benefits from rich telemetry by protecting millions of endpoints across multiple industries; an organic collection capability to monitor adversary infrastructure and behavior; multiple security operation centers located across the globe; and an Advanced Practices team that works to proactively discover and mitigate adversary behavior. Yet, primary source intelligence does not possess a monopoly on useful insight. It is typically compared to secondary source intelligence that, by definition, is based on second-hand observations of adversaries. Secondary source intelligence could therefore be based on media articles, academic papers, or third-party reporting. Many organizations, including FireEye, will therefore combine both primary and secondary sources in their reporting. This is because secondary sources can undoubtedly provide high-quality insight. Ultimately, no single entity has omniscient visibility into the threat landscape. Utilizing external sources can therefore help to gain a more expansive perspective and additional insight. Despite the clear contribution that secondary source intelligence can provide, we believe that a robust primary source-led approach provides a unique and highly effective perspective.

Benefits of Primary Source Intelligence

Build an Intimate Understanding of Adversary Behavior

Regular, first-hand observations of threat actors afford an opportunity to learn intimate details of an adversary’s modus operandi. Possessing an understanding at this granular level then provides the foundation for producing and disseminating intelligence in a variety of formats (whether that be relevant indicators, executive perspectives, MITRE ATT&CK playbooks, or even a technical annex for those determined to venture into the weeds). Building intelligence on attacks observed in the wild is a key focus at Mandiant. For instance, Mandiant Threat Intelligence was able to provide in-depth analysis on the “TRITON” malware family after responding to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. Intelligence based on front-line understanding also removes ambiguity by reducing the risk that reporting is misinterpreted. Secondary sources introduce additional nodes in the communication chain between any initial observed adversary activity and a final report. These additional links increase the risk that adversary details are obfuscated, redacted, or amended as a story goes through different reporting iterations. Detailed technical reports, for example, are often summarized into high-level media articles. Intelligence based on these media articles would then be unable to provide technical details that could be useful to relevant stakeholders. Primary source intelligence, by contrast, cuts out intermediaries.

Understand Adversary Activity From Multiple Angles

A variety of primary sources exist in cyber security and utilizing a breadth of sources will help organizations to better understand their threat landscape. This is because each source provides a different perspective. Ransomware is one example where a variety of primary sources enriches our understanding. Incident response engagements help us to understand how a ransomware variant operates once it has reached a target system—an increasingly important issue given the rising popularity of post-compromise ransomware operations. Here, tracking malware and adversary infrastructure provides additional insight into many of the tools used in conjunction within these campaigns. Endpoint telemetry, on the other hand, can provide a broader perspective on the most pressing threats to specific regions and industry verticals. Access to dark web criminal forums also affords an understanding of the new variants being advertised for sale. Regularly monitoring data leak sites linked to ransomware operations allows us to confirm any publicized victims and to ascertain any data exposure issues that could impact organizations. The point here is not that any one of these sources is superior, but that when combined, we are able to build up a much clearer picture of the threat landscape.

Speed

Timeliness is a key component of actionable intelligence. Whether it be relevant indicators or the use of a new MITRE technique, CTI functions should strive to shorten the window of time between adversary activity and the dissemination of relevant and actionable insight to defenders. Threat actors are constantly innovating, and front-line experience allows organizations to move at the speed of the threat. By being close to the action and leveraging sources with a direct connection to the threat at hand, an intelligence function is able to provide intelligence in as close to real time as is possible for finished and quality-assured intelligence products.

In Closing

A primary source-led intelligence capability offers unparalleled insight into adversary behavior. By developing a security strategy that builds on experience and expertise from the front lines, an organization can map its defensive posture against the operational realities in its sector and region. However, despite the clear added value of primary source insight, its benefits can only be leveraged if intelligence is appropriately integrated within an organization’s security function. It is therefore vital that organizations zoom out and identify the relevant processes and capability required to maximize the benefits of threat intelligence. Stay tuned for part two of this blog series, which will provide some practical steps on how to operationalize primary source intelligence, and learn more about Mandiant Advantage: Threat Intelligence.
- The “Big Four”: Spotlight on North Korea by Luke McNamara on January 11, 2021 at 8:30 pm
We’re kicking off Eye on Security in 2021 with a nation-state-themed miniseries that focuses on the big four, which we recognize as North Korea, Iran, China and Russia. In this episode, I invited Fred Plan, Senior Analyst for Mandiant Threat Intelligence, onto the podcast to talk about North Korea. Fred started our discussion by providing some background on the country, how it operates geopolitically, and why they’ve shifted their focus to a cyber capability. We also review their early cyber operations that primarily targeted South Korea and their expansion to the U.S. private sector with the Sony hack. Since then, North Korea continues to be active in both financially-motivated and espionage-related operations. There are a lot of behaviors that make North Korean cyber operations unique, due in part to the country being very closed off. Their cyber operations have demonstrated rapid shifts in targeting, which likely comes at the request of the regime. We most recently saw this with their targeting of COVID-19 research and vaccine distribution. North Korea hasn’t publicly reported on any COVID-19 cases, so their cyber behavior offers us a glimpse into what might actually be going on within the country. As always, we like to predict what we’ll see next in a region or from an actor. In this case, Fred says it’s quite difficult to know what North Korea is up to next. Find out why when you listen to the episode.
- Protecting Healthcare and Academia Against Cyber Threats by Luke McNamara on December 4, 2020 at 5:30 pm
As the COVID-19 pandemic continues, cyber threats have worsened for several industries across the globe. Universities with medical and research facilities are increasingly being targeted by threat actors because of the critical and valuable work they do surrounding the pandemic. I invited Monte Ratzlaff, Cyber Risk Program Director at the University of California Office of the President, to join me for this episode of Eye on Security so we could discuss the important research they secure. Monte and I reviewed the types of data UC protects, which includes protected health information, payment card data, student data and research data. Even with all that data, the threats UC faces are still quite similar to what many other organizations face: phishing, ransomware and nation-state attacks. We shifted our discussion to the challenges of securing COVID-19 research; especially at a time where ransomware is particularly rampant. Monte emphasized the critical need for organizations to know their environment and have plans in place in case attacks get through defenses. Listen to the episode to hear insights on securing medical devices and why Monte wouldn’t be surprised to see an uptick in insider threats as a result of a larger remote workforce.
- A Look Back and a Look Forward: Cyber Security in 2021 by Luke McNamara on November 20, 2020 at 4:45 pm
With 2020 coming to an end, we’ve released our 2021 cyber security predictions report, videos with our senior leaders and more. I asked Major General Earl Matthews, VP of Strategy for Mandiant Security Validation, to join me on Eye on Security to discuss what we can expect in cyberspace as we head into a new year. Ransomware isn’t going away any time soon, so I asked General Matthews how he’s seen executives react to this threat and if that has impacted how they think of security. We also explore the increasing risk ransomware poses to operational technology based on some of the ransomware campaigns we have seen this year. We also talk in depth about third-party risk—a risk that’s been around for a long time, but that we’ll see increasingly exploited by threat actors. General Matthews also shared some personal stories about his time as a CISO that you won’t want to miss. We finish our chat with an interesting look at which industries have adopted security validation and the benefits of this solution for proving security effectiveness. Check out the podcast today. If you’re looking for more perspectives on the future of cyber security, you can listen to this roundtable discussion from FireEye Cyber Summit 2020, or save your spot for our upcoming webinar on Dec. 7.
- A Global Reset: Cyber Security Predictions 2021 by Adam Greenberg on November 12, 2020 at 3:15 pm
For most of us, 2020 was one of the most challenging years in recent memory. We struggled to deal with big changes in our personal lives and were forced to overcome various obstacles in our professional lives. Now that the year is coming to a close, we looked back at the past 12 months and identified several new and evolving cyber security trends that will likely persist as we move into 2021. We discuss these trends in detail in our report, A Global Reset: Cyber Security Predictions 2021. Read it today to learn about:

  - Remote work and other impacts of COVID-19: The global pandemic has forced us all to change the way we work, and has introduced new threats as we race towards development and distribution of a vaccine.
  - The persistence and growth of ransomware: Ransomware attacks are more intricate and devastating than ever before, with ransom demands upwards of a million dollars—and it’s only going to get worse.
  - Espionage as an ongoing driver of nation-state activity: Major players such as China and Russia will continue to carry out operations primarily for espionage, but we expect to see activity from other nations as well.
  - Cloud security taking the limelight: Organizations that have made massive migrations to the cloud will need to focus on cloud security, and also understand the relationships with their cloud providers.
  - Security validation to keep defenses and budgets in check: With the rapid change in how we work, organizations will rely on security validation to optimize security and reduce spend.

This report would not be possible without some of the brightest minds here at FireEye and Mandiant, including Sandra Joyce, EVP of Mandiant Threat Intelligence; Major General Earl Matthews, VP of Strategy; Dave Baumgartner, CIO; Martin Holste, CTO for Cloud; and John Hultquist, Senior Director of Intelligence Analysis. Read the report, A Global Reset: Cyber Security Predictions 2021, right now, and also check out the latest episode of our quarterly show, FireEye Chat, where Sandra and John look back at some predictions from last year and discuss how they panned out. For even more, hear what’s top of mind for Sandra and General Matthews in 2021. For a more in-depth conversation, watch the discussion that Dave recently led with General Matthews, Martin and John. Finally, don’t miss our webinar on Dec. 7, where our experts will go deeper into topics from the report.
- Road to Security Predictions: A Look at 2021 With Sandra Joyce by Adam Greenberg on November 10, 2020 at 9:30 pm
The global pandemic has upended our lives, changing the way we interact with people and the way we conduct business. Many organizations had minimal infrastructure in place to support a remote workforce, and earlier this year they were left scrambling as the majority of employees began working from home. Rapid change often leads to oversights in security, and nobody knows that better than threat actors. Unfortunately, attackers don’t rest even in such troubling times, and in fact we are seeing increasing aggression especially when it comes to financial threats such as ransomware. A big part of having an effective security strategy means understanding the threats that matter most. To help us understand the threats we will be seeing in 2021 and what organizations will have to do to stay ahead of them, we turned to Sandra Joyce, EVP of Mandiant Threat Intelligence.
- Road to Predictions: A Discussion About 2021 With FireEye and Mandiant Experts by Adam Greenberg on November 5, 2020 at 6:30 pm
When planning Cyber Summit 2020, we thought it would be a great idea to include a session about what we expect to see next year. Deciding on a presenter was tricky, so we wrangled up four FireEye and Mandiant experts from various areas of the business to provide a complete overview of cyber security in 2021. Join us on Nov. 9 at 3 p.m. ET to see Dave Baumgartner, CIO, lead a discussion about 2021 with Martin Holste, CTO for Cloud, John Hultquist, Senior Director of Intelligence Analysis, and Major General Earl Matthews, VP of Strategy.
- Ransomware: The Threat We Can No Longer Afford to Ignore by Sandra Joyce on October 29, 2020 at 9:45 pm
Cybercrime is a billion-dollar industry that is consistently evolving. Innovation is at the heart of these criminal acts—hackers and fraudsters must continuously overcome advances in technology and forensics, in addition to staying ahead of law enforcement. When it comes to the problem of ransomware, the act of encrypting and ransoming the data of victims, things are spiraling out of control. The actors behind these attacks now seek out and take down the most critical targets and are successfully fielding new ways to exploit their victims. The ransomware challenge has become so prolific and dire that we should no longer view it as a mere nuisance or business risk—we should consider it a grave threat to global security.

In recent years, Mandiant has witnessed an increasing number of ransomware operators focus on deployment following the thorough breach of a network. Rather than indiscriminately targeting victims, operators are exploiting critical organizations with the means and motivation to pay enormous ransoms. Once networks are breached, operators skillfully move laterally through victim networks, deleting or encrypting backups if they can find them. Then they deploy their malware on sensitive systems. The result is highly effective and widespread ransomware deployments guided by human intelligence rather than the indiscriminate method that only affects a handful of machines. Gaining access to critical systems allows ransomware operators to demand higher ransom amounts and increases the sense of urgency to pay. And as the criminal seeks out more critical prey, the consequences become more dire, not just in terms of economics. Municipal networks, which run many critical civil services, have been particularly affected by this method, and many cities have been forced to pay exorbitant ransoms to bring themselves and their communities back online. Ransomware incidents have already impacted some election systems, possibly because the actors are already familiar with state and local systems.

Now our hospitals are under siege by ransomware attacks that are disrupting patient care. Several U.S. hospitals have been hit, and in Germany, one death may even be connected to an attack. Under present circumstances, physically dangerous incidents are inevitable. Though there has always been some question about the willingness of threat actors to cross this line, actors such as UNC1878 have proven to be cruel and unrestrained. In fact, the criticality of these systems may have only incentivized these criminals to target them. The COVID-19 pandemic has also underscored the danger of ransomware. The danger to hospitals and their patients will only be compounded by another rise in infections, which overburdens hospitals and leaves little room for error. Research laboratories working to develop vaccines and treatments have been targeted as well. Even when the availability of these systems is crucial to alleviate human suffering worldwide, some of the least scrupulous operators have shown no restraint. Cyber espionage operators from Russia, Iran and China have targeted these organizations too, but we doubt that even they would have the gall to disrupt them for ransom.

Cyber criminals are also now combining ransomware deployment with data theft and extortion, threatening to leak sensitive data from their targets via websites they control. In essence, this adds another point of leverage and increases the pressure on victims to comply with the demands of these groups. This brash method has caught on with several actors who recognize the opportunity for major paydays. Ransomware operators are increasingly abandoning restraint in favor of an aggressive and loud approach to their victims.

Another worrisome trend we have witnessed this year is an increased threat towards the operational technology (OT) networks that run the industrial processes in our most critical infrastructure. Mandiant Threat Intelligence observed at least seven ransomware families incorporate some ability to interrupt operational technology. This capability could allow threat actors to disrupt critical systems in ways that result in kinetic, real-world impacts—shutting down machines in a plant or destabilizing a device in a hospital. As ransomware operators penetrate industrial processes, the effects of their actions may become unpredictable. A group exemplifying both the trend of data leakage as an extortion tactic and the utilization of ransomware impacting OT assets is FIN11. Active since at least 2016, this group has historically been involved in various financially motivated crimes, including point-of-sale compromises. In 2019, however, this group switched their focus to ransomware operations, using the increasingly infamous CLOP ransomware family. Now, in 2020, they have joined many of their peers by employing the tactics of extortion and data theft to apply pressure to victims, resulting in successful demands of as much as $10 million USD.

Disruptive and destructive cyber attacks by state actors receive significant attention—and they should; Russia, Iran and North Korea have all demonstrated an interest in attacking critical infrastructure to disrupt our lives and livelihoods. But the reality is that the threat posed by those actors may never overshadow the threat posed by ransomware operators right now; a threat we believe will continue to grow and mutate until we take it seriously. Like those capabilities being developed by foreign adversaries, ransomware is a threat to the global community and deserves our full attention and resources.
For more intelligence on ransomware and other threats, please register for Mandiant Advantage Free, a no-cost version of our threat intelligence platform.
- Road to Security Predictions: A Look at 2021 With Major General Earl Matthews by Adam Greenberg on October 28, 2020 at 3:45 pm
2020 has been a year like no other in recent memory. The way we do business has changed dramatically, and organizations are continuing to struggle with how best to move forward in the near and long term. This is particularly true when it comes to cyber security. With the majority of employees working from home, using personal devices to access work-related materials and connecting to networks that may not be as secure as on-premises, organizations are more at risk than ever before. Now is the best time to stop and think about what’s to come in 2021 in the world of cyber security, and to help us figure that out, we turned to Major General Earl Matthews, VP of Strategy.
- A Different Perspective: Cyber Security Through the Eyes of a Journalist by Luke McNamara on October 26, 2020 at 7:15 pm
On this episode of Eye on Security we have something a little different. I’m excited that Sean Lyngaas (@Snlyngaas), Senior Reporter at CyberScoop, has joined me to share a different perspective on many of the cyber security stories and events that we work on in parallel here at FireEye. Sean and I kick off our conversation by discussing which stories he considers top priority. These days his mornings entail reviewing election security, and then he starts chasing the timely stories he finds most interesting. Sean also shared the difference between what is news and what is research when it comes to writing a story. With the election being so close, we of course turned to the topic of disinformation. Sean shared the difficulties of writing about information operations and his approach of attempting to report on it without amplifying fear or paranoia. We also explored the impact and intent of these operations. Listen to the episode to hear Sean’s thoughts on the future of media and news consumption, and the cyber security topics he thinks we will be reading about in the news in the coming year.
- Threats Targeting VoIP Networks as Usage Surges During Pandemic by Steven Savoldelli on October 21, 2020 at 1:00 pm
Internet service providers are seeing a spike in Voice over Internet Protocol (VoIP) usage driven by the increased adoption of working from home during the COVID-19 pandemic. This has been reported by many companies in the space including Comcast, which has said that VoIP and video conferencing usage is up 210-285 percent since the start of the pandemic. With this in mind, it’s important to remember that whether VoIP systems are maintained internally or outsourced to a third-party vendor, they remain an extension of organizations’ attack surface that can fall victim to attackers.
VoIP systems are vulnerable to many threats including denial-of-service, metadata theft, traffic interception, and premium number scams. Threat actors can also use an insecure VoIP system as an entry point to compromise more sensitive networks or to divert attention from malicious activity elsewhere. Despite these vulnerabilities, VoIP systems do not typically receive much attention from IT departments. These systems often retain default or shared credentials and they may be overlooked when searching for and fixing vulnerabilities. So even though VoIP infrastructure plays a key role in business operations, the issue for many enterprises remains whether they would notice VoIP malware at all.
Mandiant Threat Intelligence often finds adversaries attempting to gain access to VoIP administrator user accounts through stolen or brute-forced credentials. These credential collection tools are widely accessible, meaning actors without sophisticated development expertise can compromise VoIP infrastructure. Given the breadth of activity facilitated by VoIP compromise, network defenders should consider the following possible outcomes for attackers.
Metadata Targeting and Voicemail Theft
VoIP calling systems generate voice recordings and related metadata that are sought after by espionage- and financially motivated actors. In September 2020, ESET researchers discovered a new and rare piece of Linux malware dubbed “CDRThief” being used in attacks targeting VoIP telephony switches in campaigns designed to steal call metadata. In August 2019, Microsoft reported APT28 attempting to compromise VoIP-based phone systems as well as other Internet of Things devices. Mandiant Threat Intelligence observed threat activity we believe used FINSPY variants capable of capturing VoIP file recordings, and in a separate campaign, espionage actors sent a phishing email that included a legitimate voicemail message, possibly stolen from a corporate VoIP service.
Premium Number Fraud
‘Call pumping’ scams are one of the most common threats to companies from compromised VoIP systems. The Communications Fraud Control Association recently estimated the losses associated with premium number fraud, or International Revenue Share Fraud (IRSF), to be between $4 billion and $6.1 billion. The scheme involves making calls from compromised phone systems to phone numbers that bill callers. The actor registers a premium call number, often overseas to charge higher rates, where they receive a cut of the charges. They then have compromised phone systems call these premium numbers, running up charges on the victim’s account. These scams can cost affected companies millions of dollars in illegitimate premium number charges in a short period, making them attractive to cybercrime actors. The malicious actors will often choose premium number services that bill and pay out on a weekly schedule, while most phone companies bill monthly. This way the actor can run up significant charges before the fraud is discovered.
Telephony Denial-of-Service
VoIP phone systems are vulnerable to telephony denial-of-service (TDoS) attacks, where a large number of illegitimate calls prevents legitimate calls from going through. VoIP systems are also potentially vulnerable to denial-of-service conditions from additional vectors, including being flooded with “invite” requests, “goodbye,” or “unavailable” messages or similar flooding attacks. This technique is high-volume and hard to miss, which can be advantageous for attackers—these systems can be used as diversionary measures to burden network defenders while other fraud activity is taking place.
Call Manipulation
A successful man-in-the-middle (MitM) attack that enables call manipulation could be used to facilitate almost any phone-based social engineering activity, including vishing (voice-based phishing) or bypassing phone-based authentication methods. For example, if a malicious actor compromised a bank’s phone system, they could redirect incoming calls from customers to instead connect to attacker-controlled infrastructure and, under the guise of verifying the customer’s identity, compromise their account. A malicious actor could also redirect a call from a financial institution to a customer attempting to confirm a transaction and impersonate the customer to confirm the transaction.
Extortion: The Future of VoIP Abuse?
The compromise of VoIP infrastructure can provide actors with access to sensitive corporate information and empower them to drive denial-of-service conditions. Actors have historically used this to fuel extortion attacks, as seen with the adoption of public data disclosure websites for victims of ransomware. Even the theft of large volumes of call data may become more amenable to extortion, as automated transcription and processing of audio files could help actors identify sensitive business data more quickly.
Mitigation Considerations
The biggest step an enterprise can take to mitigate risks for VoIP is to seriously consider VoIP infrastructure as part of the attack surface, regardless of whether it is managed internally or by a third party. Simply put, VoIP infrastructure is an extension of IT infrastructure, and as such it demands monitoring, maintenance and auditing like any other area. Here are some tips on how to protect VoIP networks:
- Firmware for VoIP phones and infrastructure should be patched regularly, and passwords should be changed from the default.
- Multifactor authentication should be required to access VoIP accounts, especially those with administrative privileges.
- Calls to international or premium numbers can be restricted to defeat call pumping schemes, and elements such as duration, frequency and time placed should be monitored for outliers and patterns of abuse.
- Having VoIP phones run on a separate network can prevent a compromised phone from exposing data sent over the network or providing access to other machines on the network.
- Organizations should have a plan for communication methods in the event VoIP systems are unavailable—either through TDoS activity or other denial-of-service scenarios such as ransomware or destructive malware.
The pandemic has caused more employees to work from home than ever before. This scenario has driven VoIP usage upwards during the pandemic and provided a reminder of how reliant most of us are on global connectivity. Malicious actors can, and will, seize upon this dependency to damage business operations, distract from the incident response work of security teams, and profit from fraud. Organizations cannot afford to leave VoIP infrastructure out of their defensive operations.
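The call-record monitoring the tips above recommend (destination, duration, frequency and time placed) can be expressed as a few simple rules over call detail records. The following is an added illustration, not Mandiant's tooling: the CDR column layout, the "+1 only" destination allowlist, the thresholds and the sample records (the "+999…" destinations are constructed placeholders) are all assumptions.

```python
"""Toy call-detail-record (CDR) review for call-pumping indicators.

Added illustration, not Mandiant's code. Flags the outliers the post lists:
calls to destinations outside an allowlist, calls placed outside business
hours, unusually long calls, and bursts of such calls from one extension.
The CDR format, thresholds and allowlist are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: a business that only expects domestic (+1) calls; anything
# else is treated as international/premium for review purposes.
ALLOWED_PREFIXES = ("+1",)
BUSINESS_HOURS = (8, 18)          # before 08:00 or from 18:00 is off-hours
LONG_CALL_SECONDS = 30 * 60       # 30 minutes
BURST_WINDOW = timedelta(minutes=10)
BURST_COUNT = 5                   # >= 5 international calls in the window

# Constructed sample CDR: time,extension,destination,duration_seconds.
# Extension 1042 shows the pattern the post describes: a weekend, middle
# of the night run of long calls to an overseas destination block.
SAMPLE_CDR = """
# time,extension,destination,duration_seconds
2020-10-17T02:05:00,1042,+999700000001,1900
2020-10-17T02:07:00,1042,+999700000002,2100
2020-10-17T02:09:00,1042,+999700000003,1850
2020-10-17T02:11:00,1042,+999700000004,2400
2020-10-17T02:13:00,1042,+999700000005,1950
2020-10-16T10:30:00,1017,+12125550100,240
2020-10-16T14:12:00,1023,+14155550199,75
"""

def parse_cdr(lines):
    """Parse CDR rows, skipping blank and comment lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ext, dest, dur = line.split(",")
        records.append({"time": datetime.fromisoformat(ts), "ext": ext,
                        "dest": dest, "duration": int(dur)})
    return records

def is_international(dest):
    return not dest.startswith(ALLOWED_PREFIXES)

def is_off_hours(ts):
    start, end = BUSINESS_HOURS
    return ts.hour < start or ts.hour >= end or ts.weekday() >= 5

def find_indicators(records):
    """Return (extension, indicator, detail) tuples for suspicious calls."""
    findings = []
    intl_by_ext = defaultdict(list)
    for r in records:
        if not is_international(r["dest"]):
            continue
        findings.append((r["ext"], "international", r["dest"]))
        intl_by_ext[r["ext"]].append(r["time"])
        if is_off_hours(r["time"]):
            findings.append((r["ext"], "off_hours", r["time"].isoformat()))
        if r["duration"] >= LONG_CALL_SECONDS:
            findings.append((r["ext"], "long_call", str(r["duration"])))
    # Burst detection: sliding window over each extension's sorted call times.
    for ext, times in intl_by_ext.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > BURST_WINDOW:
                lo += 1
            if hi - lo + 1 >= BURST_COUNT:
                findings.append((ext, "burst",
                                 f"{hi - lo + 1} intl calls within {BURST_WINDOW}"))
                break
    return findings

def summarize(findings):
    """Collapse findings into {extension: set of indicator kinds}."""
    out = defaultdict(set)
    for ext, kind, _ in findings:
        out[ext].add(kind)
    return dict(out)

def review_sample():
    return summarize(find_indicators(parse_cdr(SAMPLE_CDR.splitlines())))

if __name__ == "__main__":
    for ext, kinds in review_sample().items():
        print(ext, sorted(kinds))
```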
- Ransomware Rising — Get Ahead of the Threat by Jon Ford on October 13, 2020 at 4:15 pm
Public-sector institutions are attractive targets for ransomware operators. In fact, our latest M-Trends report revealed that government, defense, healthcare and education are among the top targeted industries. This is because of the disruptive and destructive impact that these targeted ransomware incidents can have on critical operations. Attackers understand the value of the personally identifiable information and research-based intellectual property these organizations collect and store. Take for instance the upcoming local, state and national elections. Among the pressing concerns are:
- Citizen data relative to voting—e.g., residence, age, and in some cases photo ID—that is stored on critical infrastructure
- Actual votes, and how that data is captured, transmitted and stored
If this information were to be held ransom, it would put into question the integrity of critical infrastructure, as well as the voting results themselves. From big cities to small towns, no government is immune to ransomware. However, when organizations can detect and remediate the initial compromise quickly, it is possible to avoid the significant damage and cost of a ransomware infection. The following serves as a quick checklist guide of the proactive, protective measures organizations should think about when it comes to protecting against ransomware.
Email, Endpoint and Network Protection
According to our Mandiant data, 90% of ransomware cases involve the unintentional insider who clicks a link. This can be prevented with adequate email security solutions that are also complemented with an endpoint detection and response capability to catch any items that may not have been prevented by the email security solution. Of the 10% of remaining causes of ransomware cases, most were the result of an unpatched public-facing server that was exploited and had minimal detection. In these cases, a network security appliance combined with regular patching has proved excellent for prevention.
Security Tool Configuration: Invest in the Basics
Unfortunately, misconfiguration or reliance on default settings leads to problems. For example, Mandiant recently reported that a government security team discovered their network firewall only blocked 24% of executed attacks. The government agency optimized firewall controls and increased blocking capacity to 74%.
Multi-Factor Authentication is Table Stakes
We still see use of single-factor authentication to access critical systems, which enables actors to easily gain access using stolen credentials. Especially as the remote workforce expands, it’s important to use strong authentication tools with true multi-factor that include something you know (e.g., username and strong password) with something you have (e.g., token or PIV), and/or something you are (e.g., biometrics).
Visibility is Crucial
Most organizations today have complex networks that include a mixed infrastructure of on-premises and cloud resources. Security teams need visibility (e.g., asset management) across these environments with integrated threat intelligence and ongoing monitoring of devices and connections. Key for ransomware is visibility into, and real-time detection of, when a user accesses backups. For example, our research shows that median dwell time for organizations that self-detected incidents was 30 days. Although that’s an improvement from last year, a month is still significant time for bad actors to explore and gain footholds into networks undetected. Public-sector institutions should seek 24-hour security operations center coverage or use managed services to ensure the integrity and monitoring of systems.
Segment Critical Data
Our threat research tells us that hackers perform considerable reconnaissance to understand environments. To counter this, ensure a plan is in place to protect the “crown jewels,” the most sensitive information that could be leaked to the public during a ransomware event. This approach includes: establishing a principle of least privilege when provisioning accounts; ensuring differences between administrator and normal user account access roles; and distinguishing login permissions between administrators and controllers.
Have a Response Playbook
This is a mature, practiced plan that prepares all teams—IT, communications, executives, legal, human resources, etc.—for incident response. The goal is to avoid rushed decisions when a ransomware attack occurs. To that end, coach teams to slow down and ask questions such as:
- Do we know the infection vector and if an attacker is active?
- Do the attackers have real data?
- Does this attack have the potential to escalate? For example, do the infiltrators have data from the city’s legal department and can the attack spread throughout city offices?
- How quickly can we recover? Do we have an offline backup that we have tested?
- Is there any oversight into who accesses backups, when, and how?
- Do we have cyber risk insurance and if so, what does it cover?
The Bottom Line
Ransomware will continue to become more sophisticated. Government agencies, healthcare organizations and educational institutions are at heightened risk for these incidents given the nature of the valuable data they hold. There isn’t a one-and-done approach. Rather, there are multiple factors and questions to consider. We recommend starting by asking: Is my organization secure? If you don’t have a binary answer to that, it’s time to make changes.
For More Information
To learn more, check out our recent ransomware session with GovTech. Jon Ford and our principal analyst, Luke McNamara, joined Dan Lohrman, Senior Fellow, Center for Digital Government, and we covered many different aspects of ransomware and strategies to defend and respond. For even more guidance, read our report on ransomware protection and containment strategies. Also, head over to our website to learn more about Mandiant’s Ransomware Defense Assessment, which evaluates an organization’s ability to detect, contain and remediate ransomware within an environment—before it produces costly harm.
- Late Game and Lingering Threats to the Upcoming Elections by John Hultquist on October 12, 2020 at 5:30 pm
As the U.S. elections near an end, the nature of successful interference is likely to change. Any significant attempt to sway voters now will require a dramatic late game operation that receives significant attention—an operation such as a hack and leak campaign or the use of forged materials. Otherwise, adversaries are likely to focus on operations aimed at outlasting the actual elections and undermining faith in the institution. These operations could unfold at the eleventh hour and even following the final tally of votes.
Late Game Events to Sway Voters
The release of hacked and forged materials, laundered through personas and third parties, and amplified by media and social media is a tactic we have seen repeatedly used by adversaries within the context of elections as well as other events. The hack and leak has been used by Russian, North Korean and other unknown actors as a means to embarrass, misrepresent and successfully cow targeted organizations.
The timing of hack and leak operations varies. Long term preparations may give way to ad hoc necessity. When Guccifer 2.0 suddenly appeared in the wake of revelations about APT28 compromising the DNC, the persona was likely a departure from original plans to release materials through the ElectionLeaks and DCLeaks websites. Timing may also be dictated by the third parties used to launder leaks. Third parties may have designs on the most opportune timing for leaks or the leak may be at the mercy of their ability to act quickly. An editorial process, for instance, could hinder timing. Actors may also wait until the eleventh hour, as was the case with MacronLeaks.
Third parties and personas are an essential feature of these operations. Although they rarely hinder attribution of incidents, they provide a veneer of suitable obfuscation to maintain deniability. The fictitious personas frequently leveraged in these incidents include dubious hacktivist groups without any previous history and with a confused ideology meant to explain their actions. More and more, actors have leveraged the Anonymous moniker as a versatile persona to hide their actions. AnonymousPoland was used by GRU actors to carry out a protracted attack on Olympics related organizations. Other third parties leveraged in these events include the media, organizations focused on leaked materials, and fringe political figures. Though mainstream media has become more circumspect, less traditional outlets that enjoy strong social media infiltration are still a means to deliver this information to voters. In previous incidents, political figures with significant social media followings have worked diligently to spread documents they received from Russian military intelligence through social media.
Adversaries are already targeting organizations that could provide leakable materials. Targeting of democratic campaign affiliates and Ukrainian industry with ties to the candidates has been connected to the very same organizations that were involved in the 2016 incidents, as well as hack and leak incidents associated with the Olympics, and French elections, among others. While outstanding work has caught some of this activity, it is possible that intrusions have escaped notice.
Forged materials, such as fabricated documents, may be added to leaks or used alone. Leaked alongside authentic, stolen documents, forged material is difficult to detect. Forged materials have been at the core of operations such as Secondary Infektion and Operation Ghostwriter. In the latter operations, these materials were planted on real media sites in an attempt to encourage rapid propagation.
Undermining the Institution of Elections
Ultimately, almost all information operations undermine society, sowing distrust and attacking preexisting rifts, but operations designed to specifically focus on election legitimacy are well precedented and often misinterpreted. These operations may already be happening and may outlast the election itself. The opportunity and utility of attacking the 2020 election may not fade for some time, especially given this year’s unique circumstances.
The targeting of voting systems has been frequently assessed as attempts to make specific changes to results in an effort to directly change the outcome of the election. However, such a scenario would require an enormous effort across a multitude of systems. A more likely scenario is an incident that draws attention to itself, raising questions about the integrity or availability of systems. In 2014, APT28 gained access to a website belonging to Ukraine’s Central Election Commission and falsely reported a candidate had won. The intrusion did not change results, but it was hard to ignore. The targeting of systems such as these is in itself a means of interference as it will necessarily raise questions about unknown actions by the adversary. For instance, though there is no evidence that Sandworm, Unit 74455 of the GRU, did anything to change results when they targeted election systems in 2016, knowledge that these systems were targeted could suffice to undermine confidence.
Ransomware is a means of disruption that could be leveraged to interfere with limited election processes. Fake ransomware, ransomware that is not intended for financial gain, has been used on several occasions by the GRU. The NotPetya incident is one such example. This capability is particularly deniable, especially considering the many incidents state and municipal organizations have already encountered.
Coordinated inauthentic behavior could be leveraged to promote discord over election legitimacy. Before the results were even known in 2016, pro-Kremlin bloggers had prepared the campaign #DemocracyRIP. Any discrepancy or complexity associated with results could be used as a means to denigrate the process.
Outlook
The circumstances of this election will provide a unique opportunity for interference. Any operation would benefit from the environment of distrust and disagreement over what transpired in 2016. However, information operations no longer enjoy the obscurity they once did, and a clear recognition of their mechanics and their limitations may well inoculate us to their effects.
For More Information
I will be briefing these items and more to attendees of a special Mandiant Executive Intelligence Briefing on Oct. 13. Register for the briefing today, and also remember to visit the FireEye Election Security page for the latest on election security-focused news and analysis from Mandiant.
- Mandiant Executive Intelligence Briefing: Election Security Edition by John Hultquist on October 8, 2020 at 5:30 pm
With less than a month before the U.S. elections on Nov. 3, the race is on to protect the democratic process. Mandiant Threat Intelligence is tracking the threats that matter to this election, leveraging our global collection and deep experience analyzing this problem. The answers are as nuanced and complex as the issue itself, but the Mandiant Threat Intelligence team will share the context necessary to help make sense of this problem at our upcoming Mandiant Executive Intelligence Briefing: Election Security Edition. Our weekly briefings inform executives of recent developments by pairing information with analysis and insight from our frontline intelligence experts. The threat landscape changes by the hour, and the weekly Executive Intelligence Briefings are one of the unique ways we deliver deep insights to our customers on a regular basis.
Attend a Complimentary Election Intelligence Briefing
Election security is such an important topic that we’re opening up this election security briefing to everyone on Oct. 13. Here is a brief summary of what I plan to present during the complimentary briefing:
- Insight into the strategy of election threats with an eye towards late-game threats and activity with effects that outlast the election.
- A review of pertinent threat actors and operations such as Sandworm, APT28, and Operation Ghostwriter.
- Historic perspective based on the extensive experience of FireEye Mandiant.
Register for the briefing today, and also remember to visit FireEye’s Election Security page for the latest on election security-focused news and analysis from Mandiant. I hope you’ll join us on Oct. 13 for this important election security update, and if you are in the U.S. like I am, make sure your voice is heard by voting on or before Nov. 3.
- Back to School: The Cyber Workforce in 2020 by Luke McNamara on October 2, 2020 at 4:00 pm
The cyber skills shortage is a real problem. There just aren’t enough qualified people to adequately meet the cyber security needs of all organizations, and the problem is only expected to get worse. One of the ways we address this challenge at FireEye is through internal and external training courses. I invited two people involved in those efforts to join me for this episode of Eye on Security: Dawn Hagen, Senior Director of Learning and Development, and Dr. Brett Miller, Managing Director at Mandiant. The three of us spoke about the evolution and range of training that includes product and product-agnostic courses. Brett shared insights on how we adapted our courses to meet customer needs and market demands—efforts that include opening up our training to individuals as well as the general public. Dawn also noted that we have developed curricula alongside clients who have requested custom courses, and that we continue to teach some of these courses to this day. Of course things are changing. While most of our training was in-person for both internal and external courses, we have pivoted to virtual training in light of recent global events. Currently, about 60 percent of our courses are available online, and we expect many of these courses to remain online indefinitely—while still maintaining the same quality as in-person classes. Listen to the episode to dive into the development of our courses, hear about our lab to lecture ratio, and find out why we’ve shifted to ensuring students are able to perform tasks instead of just having the knowledge to do it. And for more information about individual training courses available to the public, check out our training schedule.
- In Pursuit of a Gestalt Visualization: Merging MITRE ATT&CK® for Enterprise and ICS to Communicate Adversary Behaviors by Daniel Kapellmann Zafra on September 29, 2020 at 12:00 pm
Update (Dec. 10): This post has been updated to reflect changes in MITRE ATT&CK Matrix for Enterprise, which now includes additional tactics.
Understanding the increasingly complex threats faced by industrial and critical infrastructure organizations is not a simple task. As high-skilled threat actors continue to learn about the unique nuances of operational technology (OT) and industrial control systems (ICS), we increasingly observe attackers exploring a diversity of methods to reach their goals. Defenders face the challenge of systematically analyzing information from these incidents, developing methods to compare results, and communicating the information in a common lexicon. To address this challenge, in January 2020, MITRE released the ATT&CK for ICS knowledge base, which categorizes the tactics, techniques, and procedures (TTPs) used by threat actors targeting ICS.
MITRE’s ATT&CK for ICS knowledge base has succeeded in portraying for the first time the unique sets of threat actor TTPs involved in attacks targeting ICS. It picks up from where the Enterprise knowledge base leaves off to explain the portions of an ICS attack that are out of scope of ATT&CK for Enterprise. However, as the knowledge base becomes more mature and broadly adopted, there are still challenges to address. As threat actors do not respect theoretical boundaries between IT or ICS when moving across OT networks, defenders must remember that ATT&CK for ICS and Enterprise are complementary. As explained by MITRE’s ATT&CK for ICS: Design & Philosophy paper, an understanding of both knowledge bases is necessary for tracking threat actor behaviors across OT incidents.
In this blog post, written jointly by Mandiant Threat Intelligence and MITRE, we evaluate the integration of a hybrid ATT&CK matrix visualization that accurately represents the complexity of events across the OT Targeted Attack Lifecycle. Our proposal takes components from the existing ATT&CK knowledge bases and integrates them into a single matrix visualization. It takes into consideration MITRE’s current work in progress aimed at creating a STIX representation of ATT&CK for ICS, incorporating ATT&CK for ICS into the ATT&CK Navigator tool, and representing the IT portions of ICS attacks in ATT&CK for Enterprise. As a result, this proposal focuses not only on data accuracy, but also on the tools and data formats available for users.
Figure 1: Hybrid ATT&CK matrix visualization—sub techniques are not displayed for simplicity (ZIP download of .XLSX file)
Joint Analysis of Enterprise and ICS TTPs to Portray the Full Range of Actor Behaviors
For years, Mandiant has leveraged the ATT&CK for Enterprise knowledge base to map, categorize, and visualize attacker TTPs across a variety of cyber security incidents. When ATT&CK for ICS was first released, Mandiant began to map our threat intelligence data of OT incidents to the new knowledge base to categorize detailed information on TTPs leveraged against ICS assets. While Mandiant found the knowledge base very useful for its unique selection of techniques related to ICS equipment, we noticed how helpful it could be to develop a standard way to group and visualize both Enterprise and ICS TTPs to understand and communicate the full range of actors’ actions in OT environments during most incidents we had observed. We reached out to MITRE to discuss the benefits of joint analysis of Enterprise and ICS ATT&CK techniques and exchanged some ideas on how to best integrate this task as they continued to work on the evolution of these knowledge bases.
Enterprise and ICS TTPs Are Necessary to Account for Activity in Intermediary Systems
One of the main challenges faced by ATT&CK for ICS is categorizing activity from a diverse set of assets present in OT networks. While the knowledge base contains TTPs that effectively explain threats to ICS—such as programmable logic controllers (PLCs) and other embedded systems—it by design does not include techniques related to OT assets that run on similar operating systems, protocols, and applications as enterprise IT assets. These OT systems, which Mandiant defines as intermediary systems, are often used by threat actors as stepping-stones to gain access to ICS. These workstations and servers are typically used for ICS functionalities such as running human machine interface (HMI) software or programming and exchanging data with PLCs.
At the system level, the scope of ATT&CK for ICS includes most of the ICS software and relevant system resources running on these intermediary Windows and Linux-based systems while omitting the underlying OS platform (Figure 2). While the majority of ATT&CK for Enterprise techniques are thus descoped, there remains some overlap in techniques between ATT&CK for ICS and ATT&CK for Enterprise as the system resources granted to ICS software are in-scope for both knowledge bases. However, this artificial divorce of the ICS software from the underlying OS can be inconsistent with an adversary’s possible overarching control of the compromised asset.
Figure 2: Differences and overlaps between the ATT&CK for Enterprise and ICS knowledge bases
As MITRE’s ATT&CK for ICS was designed to rely on ATT&CK for Enterprise to categorize adversary behaviors in these intermediary systems, there is an opportunity to develop a standard mechanism to analyze and communicate incidents using both knowledge bases simultaneously. As the two knowledge bases still maintain an undefined relationship, it may be difficult for ATT&CK users to understand and interpret incidents consistently. Furthermore, ICS owners and operators who unknowingly discard ATT&CK for Enterprise in favor of ATT&CK for ICS run the risk of missing valuable intelligence applicable to the bulk of their OT assets.
Enterprise and ICS TTPs Are Useful to Foresee Future Attack Scenarios
As MITRE notes in their ATT&CK for ICS: Design & Philosophy paper, the selection of techniques for ATT&CK for ICS is mainly based on available evidence of documented attack activity against ICS and the assumed capabilities of ICS assets. While the analysis of techniques based on previous observations and current capabilities presents a solid preamble to describe threats in retrospect, Mandiant has identified an opportunity for ATT&CK knowledge and tools to support OT security organizations to foresee novel and future scenarios. This is especially relevant in the evolving field of OT security, where asset capabilities are expanding, and we have only observed a small number of well-documented events that have each followed a different attack path based on the target.
MITRE’s intent is to limit the ATT&CK knowledge base to techniques that have been observed against in-scope assets. However, from Mandiant’s perspective as a security vendor, the analysis of exhaustive techniques–including both observed and feasible cases from Enterprise and ICS–is helpful to foresee future scenarios and protect organizations based upon robust and abundant data. Additionally, as new IT technologies such as virtualization or cloud services are adopted by OT organizations and implemented in products from original equipment manufacturers, the knowledge base will require flexibility to explain future threats. Adapting ATT&CK for ICS to the novelty of future ICS incidents enhances the knowledge base’s long-term viability across the industry. This can be accomplished by merging ATT&CK for Enterprise and ICS, as the Enterprise techniques are readily available as future, theoretical ICS technique categories.
A Hybrid ATT&CK Matrix Visualization for OT Security Incidents
To address these observations, Mandiant and MITRE have been exploring ways of visualizing the Enterprise and ICS ATT&CK knowledge bases together as a single matrix visualization. A mixed visualization offers a way for users to track and analyze the full range of tactics and techniques that are present during all stages of the OT Targeted Attack Lifecycle. Another benefit is that a hybrid ATT&CK matrix visualization will help defenders portray future OT incidents that employ tactics and techniques beyond what has currently been observed in the wild. Figure 3 shows our perception of this hybrid visualization that incorporates TTPs from both the Enterprise and ICS ATT&CK knowledge bases into a single matrix. (We note that the tactics presented in the matrix are not arranged in chronological order and do not reflect the temporality of an incident).
Figure 3: Proposed hybrid ATT&CK matrix visualization with highlighted technique origin—only overlapping sub techniques are displayed for simplicity
This visualization of the hybrid ATT&CK matrix shows in gray the novel tactics and techniques from ATT&CK for ICS, which were placed within the ATT&CK for Enterprise matrix. It shows in blue the overlapping techniques found in both the Enterprise and ICS matrices. The visualization addresses three concerns:
- It presents a holistic view of an incident involving both ICS and Enterprise tactics and techniques throughout the attack lifecycle.
- It eliminates tactic and technique overlaps between the two knowledge bases, for example by combining Defense Evasion techniques into a single tactic.
- It differentiates the abstraction level of techniques contained in the impact tactic categories of both the ATT&CK for Enterprise and ICS knowledge bases.
The separation of the Enterprise Impact and ICS Impact tactics responds to the need to communicate the different abstraction levels of both knowledge bases. While Enterprise Impact focuses on how adversaries impact the integrity or availability of systems and organizations via attacks on IT platforms (e.g. Windows, Linux, etc.), ICS Impact focuses specifically on how attackers impact ICS operations. When analyzing an incident from the scope of the hybrid ATT&CK matrix visualization, it is possible to observe how an attacker can cause ICS impacts directly through an Enterprise impact, such as how Data Encrypted for Impact (T1486) could cause Loss of View (T0829).
As threat actors do not respect theoretical boundaries between IT and ICS when moving across OT networks, the hybrid visualization is based on the concept of intermediary systems as a connector to visualize and communicate the full picture we observe during the OT Targeted Attack Lifecycle. This results in more structured and complete data pertaining to threat actor behaviors. The joint analysis of Enterprise and ICS TTPs following this structure can be especially useful for supporting a use case MITRE defines as Cyber Threat Intelligence Enrichment. The visualization also accounts for different types of scenarios where actors willingly or unwillingly impact ICS assets at any point during their intrusions. Additional benefits can spill across other ATT&CK use cases such as:
- Adversary Emulation: by outlining paths followed by sophisticated actors involved in long campaigns for IT and OT targeting.
- Red Teaming: by having access to comprehensive attack scenarios to test organizations’ security not only based on what has happened but what could happen in the future.
- Behavioral Analytics Development: by identifying risky behavioral patterns in the intersection between OT intermediary systems and ICS.
- Defensive Gap Assessment: by identifying the precise lack of defenses and visibility that threat actors can and have leveraged to interact with different types of systems.
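The merge rules described above (ICS-only techniques placed into the Enterprise layout, overlapping techniques marked as shared, ICS "Evasion" folded into "Defense Evasion", and Enterprise Impact kept separate from ICS Impact) can be captured as a small data-structure build. The following is an added illustration, not MITRE's or Mandiant's code: the handful of technique rows is a constructed sample (T1486 and T0829 are the ones the post cites; the others are well-known entries chosen to show an overlap), and matching overlaps by technique name is an assumption about how the blue cells in Figure 3 were chosen.

```python
"""Build a hybrid Enterprise + ICS ATT&CK matrix as a data structure.

Added illustration, not MITRE's or Mandiant's code. The technique rows are
a small constructed sample and the overlap rule (same technique name under
the same tactic) is an assumption mirroring the post's description.
"""

# Constructed sample rows: (technique id, name, tactics it appears under).
ENTERPRISE = [
    ("T1078", "Valid Accounts",
     ["Initial Access", "Persistence", "Privilege Escalation", "Defense Evasion"]),
    ("T1036", "Masquerading", ["Defense Evasion"]),
    ("T1486", "Data Encrypted for Impact", ["Impact"]),
]
ICS = [
    ("T0859", "Valid Accounts", ["Persistence", "Lateral Movement"]),
    ("T0849", "Masquerading", ["Evasion"]),
    ("T0836", "Modify Parameter", ["Impair Process Control"]),
    ("T0829", "Loss of View", ["Impact"]),
]

# Tactic renames implementing the post's two structural decisions: the ICS
# "Evasion" tactic folds into Enterprise "Defense Evasion", while the two
# Impact tactics stay apart because they sit at different abstraction levels.
TACTIC_MAP = {
    "enterprise": {"Impact": "Enterprise Impact"},
    "ics": {"Evasion": "Defense Evasion", "Impact": "ICS Impact"},
}

# The post's example of an Enterprise impact producing an ICS impact:
# Data Encrypted for Impact (T1486) on an intermediary system can cause
# Loss of View (T0829). Kept as an edge between cells of the hybrid matrix.
IMPACT_LINKS = [("T1486", "T0829")]

def hybrid_matrix(enterprise=ENTERPRISE, ics=ICS):
    """Return {tactic: {technique name: cell}}.

    A cell records the id contributed by each knowledge base and an
    'origin' of 'enterprise' (Enterprise only), 'ics' (the gray, ICS-only
    cells of the post's figure) or 'both' (the blue, overlapping cells).
    """
    matrix = {}
    for origin, rows in (("enterprise", enterprise), ("ics", ics)):
        for tid, name, tactics in rows:
            for tactic in tactics:
                tactic = TACTIC_MAP[origin].get(tactic, tactic)
                cell = matrix.setdefault(tactic, {}).setdefault(
                    name, {"enterprise": None, "ics": None})
                cell[origin] = tid
    for cells in matrix.values():
        for cell in cells.values():
            have = [k for k in ("enterprise", "ics") if cell[k]]
            cell["origin"] = "both" if len(have) == 2 else have[0]
    return matrix

def origin_of(matrix, tactic, name):
    return matrix[tactic][name]["origin"]

def find_cell(matrix, tid):
    """Locate a technique id in the hybrid matrix as (tactic, name)."""
    for tactic, cells in matrix.items():
        for name, cell in cells.items():
            if tid in (cell["enterprise"], cell["ics"]):
                return tactic, name
    return None

def render(matrix):
    """Plain-text rendering; [E]/[I]/[B] stand in for the figure's colors."""
    mark = {"enterprise": "[E]", "ics": "[I]", "both": "[B]"}
    lines = []
    for tactic in sorted(matrix):
        lines.append(tactic)
        for name, cell in sorted(matrix[tactic].items()):
            ids = "/".join(i for i in (cell["enterprise"], cell["ics"]) if i)
            lines.append(f"  {mark[cell['origin']]} {name} ({ids})")
    return "\n".join(lines)

if __name__ == "__main__":
    m = hybrid_matrix()
    print(render(m))
    for src, dst in IMPACT_LINKS:
        print(f"{find_cell(m, src)} -> {find_cell(m, dst)}")
```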
Refining the Hybrid ATT&CK Matrix Visualization for an OT Environment

The hybrid ATT&CK matrix visualization represents a simple solution for holistic analysis of incidents involving components from both knowledge bases. Its main benefits are that it can portray the full range of tactics and techniques an actor would use across the OT Targeted Attack Lifecycle, and that it also accounts for future incidents we may not have thought about. However, there is also value in considering other alternatives for addressing our concerns, for example expanding ATT&CK for ICS to reflect everything that could happen in an OT environment.

The main option Mandiant and MITRE evaluated was to identify which ATT&CK for Enterprise techniques could feasibly impact intermediary systems interacting with ICS, and to define alternatives for handling overlaps between the two knowledge bases. In particular, we analyzed the possibility of making this selection based on the type of assets (e.g. OS and software applications) likely to be present in an OT network. Although the idea sounds appealing, our initial analysis suggests that shortlisting ATT&CK for Enterprise techniques that apply to OT intermediary systems may be feasible but would yield limited benefits. The ATT&CK for Enterprise site separates the 184 current techniques across a few different platforms. Table 1 presents these platforms and their distribution.

Platform   Techniques   Percentage of Enterprise Techniques
Windows    176          96%
macOS      139          75%
Linux      137          74%
Cloud      41           22%

Table 1: Enterprise ATT&CK knowledge base divided by type of asset

Close to 96 percent of the techniques included in the Enterprise knowledge base are applicable to Windows devices, and close to half apply to Linux. Considering that most intermediary systems are based on these two operating systems, the feasible reduction of techniques applicable to OT is quite low.
Devices based on macOS are rare in OT environments; however, we note that most of the techniques for affecting these devices match others observed on Windows and Linux. Additionally, we cannot discard the possibility of at least a few asset owners using products based on macOS. Cloud products are also rare in industrial environments. However, it is still possible to find them in business applications such as manufacturing execution systems (MES), building management system (BMS) application backends, or other systems for data storage. Major vendors such as Microsoft and Amazon have recently started offering cloud products, for example, for organizations in energy and utilities. Another example is the Microsoft Office 365 suite, which, although not critical for production environments, is likely present on at least a few workstations. As a result, we cannot entirely discard cloud infrastructure as a target for future attacks on OT.

Vouching for a Hybrid Visualization to Holistically Approach OT Security

The hybrid ATT&CK matrix visualization can address the need to consider intermediary systems when analyzing and understanding OT security incidents. While it does not seek to reinvent the wheel by significantly modifying the structure of ATT&CK for Enterprise or ICS, it suggests a way to visualize both sets of tactics and techniques that reflects the full array of present and future threat actor behaviors across the OT Targeted Attack Lifecycle. The hybrid ATT&CK matrix visualization can reflect some of the most sophisticated OT attack scenarios, as well as fairly simple threat activity that would otherwise remain unobserved. As ATT&CK for ICS continues to mature and becomes more broadly adopted by the industry, Mandiant hopes that this joint analysis will support MITRE as they continue to build upon the ATT&CK knowledge bases in service of our common goal: defending OT networks.
Given that attackers do not respect any theoretical boundaries between enterprise and ICS assets, we are convinced that understanding adversary behaviors requires a comprehensive, holistic approach.

The hybrid ATT&CK matrix visualization .XLSX is available for download.

Otis Alexander is a Principal Cyber Security Engineer at The MITRE Corporation.