Lions and Tigers and a December Full of Adversary Activity – Oh My!

Introduction

Been quite the month in the world of cybersecurity, eh? As if 2020 couldn’t get any more bizarre, here we are with a December jam-packed full of adversary activity that’s not just stealing headlines. Learn how AttackIQ’s got your back when tough questions get asked, so you’re not stuttering like the scarecrow in the classic film that gives this blog its title.

What happened?

Lots of stuff. We have a likely nation-state actor (dubbed “UNC2452”) that created an incursion channel through widely used systems management software and then stole a reputable red team services provider’s toolkit. As if that wasn’t enough, the list of organizations affected by this actor’s persistence and behavior in their environments, gained the same way as described above, just keeps growing.

Wow, that’s kinda awful. I’ve already been asked questions about this. What should I do?

Yeah, we can agree that this situation is super not-awesome. Of course, it highlights many things that experts have been saying for years—namely that getting the basics right, and planning for an inevitable breach, are crucially important.

Testing those defenses to make sure that you’re always getting the basics right, and having the ability to emulate specific adversary tactics, techniques and procedures (TTPs), is the next step. Too often, untested defenses fail to aid the discovery of a persistent adversary, or to block their paths to move laterally inside your network.

It is with this in mind that AttackIQ placed Assessment Templates in our platform with all of the TTPs employed by this adversary, so our customers can evaluate the performance of their cybersecurity programs. These Assessment Templates allow users to commission test activity with just a couple of clicks, and have it execute on an ongoing basis so they become aware of any changes in posture.

Assessment Templates exist for all of December’s adversary activity in the news—the UNC2452/Sunburst compromise’s TTPs, the indicators of compromise associated with adversary persistence from that malware plant, as well as the stolen red team toolkit—so you’re not in the dark about defensive performance.

UNC2452/Sunburst Compromise’s TTPs

UNC2452/Sunburst Indicators of Compromise

Red Team Toolkit

AttackIQ provides coverage to validate whether control technologies would have detected or prevented the adversary’s actions inside the network, as well as coverage for the indicators of compromise that would reveal their persistence. Defensive technologies can provide meaningful capabilities to isolate the adversary from compromised systems while defenders and threat hunters inspect their networks, preventing further reconnaissance and lateral movement, but only if their effectiveness is tested and validated.

Additionally, all of the adversary behaviors in these Assessment Templates are mapped to the MITRE ATT&CK matrix, just like the other content in the AttackIQ Security Optimization Platform. This makes it easy to communicate with other defenders about the common adversary behaviors you should already be blocking, like the ones used to achieve persistence, and to make other required policy changes to protect your organization. The U.S. government and others have been using MITRE ATT&CK to describe the adversary’s behaviors. With AttackIQ’s help, you can deploy scenarios aligned to MITRE ATT&CK to emulate the adversary’s behavior, validating your cyber defense effectiveness.

Ready to learn more about how AttackIQ gives you evidence, instead of anxiety? Drop into a weekly demo or contact us for an assessment of your security landscape with one of our cyber experts.