We have just published a new free strategy document about how to employ a threat-informed defense and drive down the risk of ransomware for your organization, Countering Ransomware with MITRE ATT&CK®. It is probably the strategy document with which I’m most proud to have been involved since the 2015 cyberdefense strategy of the United States. Why? What makes this one special when compared to the others?
We have written a ton of great white papers and ebooks here at AttackIQ over the last two years – and I stand by all of them. Previously, when I was at Illumio, we authored a solid book called Secure Beyond Breach with my close colleague Matt Glenn and the Illumio team. Those were all good, so besides the fact that one should always hope to improve in one’s work as a team, three specific things in this document jump out to me.
- The objective is discrete. The aim is to help organizations improve their cybersecurity effectiveness against ransomware attacks, which have more than doubled since 2020. In strategic planning, you always want a discrete objective so you can measure change, and this one is certainly discrete.
- The steps are clear. The guide outlines a set of planning assumptions followed by specific, measurable steps to improve your team performance and cybersecurity readiness. A good strategy should always have measurable aims, a path for aligning resources, and a time horizon for achieving your objectives. You can take this guide and set your timelines, and you’ll be able to make measurable progress quickly.
- Above all, the strategy is user friendly. You can plug and play with this guide. It outlines how you can use the MITRE ATT&CK framework and the AttackIQ Security Optimization Platform to test your cybersecurity program and validate your cybersecurity controls continuously against ransomware. It helps that our brilliant design team made it look so cool.
The simplicity of a threat-informed defense
The logic of the story is also robust. Only by preparing for known threat behaviors can you have any hope of progress. Arm waves and prayers that your compliance-oriented security controls will perform against ransomware are exactly that: prayers. A prayer is a good thing but it’s not a strategy. The only way to get from point A to point B is to build a strategy, align resources against it, and execute.
Which is what a threat-informed cyberdefense strategy is all about. The premise is simple, and this guide lays it out clearly.
So, what makes this strategy so useful technically? At the center of it stands one of my favorite capabilities that the company has released over the last year, the Anatomic Engine, an adversary emulation capability that emulates adversary behaviors with specificity and realism in a multi-pronged pattern to test your security controls. The AttackIQ Security Optimization Platform runs the Anatomic Engine to form what we call “attack graphs” (or attack flows) that visually outline the adversary’s steps. Big thanks here, obviously, to the innovative work of our product team and our engineers, without whom none of this would exist.
What does it all look like, and how does it unfold?
To see the whole picture, you should download the guide (again it’s free), but here’s a snippet.
The Anatomic Engine, which is embedded in the AttackIQ Security Optimization Platform, enables the development of complex tests by combining multiple scenarios across an array of adversary TTPs into an attack graph. The TTPs execute sequentially, as they would in a real ransomware attack. Through this chain of simulations, the AttackIQ Security Optimization Platform emulates complex intrusions that have been seen in the real world.
Such automated simulations are the most effective way to test security controls that use artificial intelligence (AI) and machine learning (ML). They are also a way to test internal security controls, like micro-segmentation or next-generation firewalls, which we do in part through the AttackIQ Network Control Validation Module.
Attack Graphs and the Anatomic Engine
To dive a bit into the Anatomic Engine and the attack graph, let us look at the case of the WannaCry cryptoworm, which since its first appearance in 2017 continues to spread and infect unpatched systems all over the world. Its behavior also maps to a range of MITRE ATT&CK techniques. The relevant attack graph (what some call an “attack flow”) in the AttackIQ Security Optimization Platform validates whether network and endpoint security controls prevent and detect it. A high-level overview of the AttackIQ Security Optimization Platform’s emulation of this threat’s behavior is described below and shown in figures 1 and 2 (pp. 18-19 of the guide).
The WannaCry cryptoworm actively scans for systems (ATT&CK technique T1595 – Active Scanning) vulnerable to CVE-2017-0144, the flaw exploited by EternalBlue. Like the real threat, the AttackIQ scenario checks specified targets for an exposed SMBv1 service. It can be configured to either check for this vulnerability only or exploit it if the check passes (T1190 – Exploit Public-Facing Application), opening the door for the worm to deliver the WannaCry payload onto vulnerable targeted assets.
If the target asset is vulnerable, the WannaCry payload is saved to the file system, and, if not stopped by endpoint security controls, it executes peripheral device discovery and remote system discovery scripts. This emulates the worm’s behavior of enumerating additional local filesystems and files for encryption as well as additional targets for propagation. It then sets up an encrypted Tor channel for command and control (T1573), and finally the worm encrypts its first target (T1486), allowing the intruder to hold the data for ransom.
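As an added illustration (not AttackIQ’s code), the following models the WannaCry attack graph just described as an ordered chain of ATT&CK steps and scores a set of constructed control outcomes against it. The point it makes is the one a defender reads out of a sequential emulation: a step that is blocked early leaves every later step unvalidated by that run, so the encryption stage may still be untested even though the run “passed.” The discovery step carries a label rather than a technique ID because the guide names none for it.

```python
# Added example, not AttackIQ's code: the WannaCry attack graph above as an
# ordered chain of ATT&CK steps, scored against constructed control outcomes.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Steps in the order the page describes them. The discovery step has a
# label instead of an ID because the page gives none for it.
WANNACRY_GRAPH: List[Tuple[str, str]] = [
    ("T1595", "Active Scanning for exposed SMBv1 targets"),
    ("T1190", "Exploit Public-Facing Application (EternalBlue check)"),
    ("DISCOVERY", "Peripheral device and remote system discovery"),
    ("T1573", "Encrypted Channel (Tor command and control)"),
    ("T1486", "Data Encrypted for Impact"),
]

@dataclass(frozen=True)
class Outcome:
    """What the controls did when a step executed (constructed values)."""
    prevented: bool
    detected: bool

def run_graph(graph, outcomes: Dict[str, Outcome]) -> List[Tuple[str, Outcome]]:
    """Walk the chain in order, stopping at the first prevented step (later
    steps never execute once one is blocked); unrecorded steps count as missed."""
    executed = []
    for tid, _label in graph:
        out = outcomes.get(tid, Outcome(prevented=False, detected=False))
        executed.append((tid, out))
        if out.prevented:
            break
    return executed

def scorecard(graph, executed) -> Dict[str, List[str]]:
    """Read a run the way a defender does: steps prevented, steps only
    detected, steps that ran unseen (blind spots), and steps never reached,
    about which this run therefore says nothing."""
    reached = {tid for tid, _ in executed}
    return {
        "prevented": [t for t, o in executed if o.prevented],
        "detected_only": [t for t, o in executed if o.detected and not o.prevented],
        "blind_spots": [t for t, o in executed if not o.detected and not o.prevented],
        "unvalidated": [t for t, _ in graph if t not in reached],
    }

# Constructed results of one run: the exploit was seen but not blocked, Tor was blocked.
SAMPLE_RUN = {
    "T1190": Outcome(prevented=False, detected=True),
    "T1573": Outcome(prevented=True, detected=True),
}
```

With the constructed sample, the scan and the discovery scripts ran unseen, and T1486 was never reached, so the encryption controls still need their own test.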
The first image below shows the full appearance of the attack graph in the Security Optimization Platform, and the second zooms in to show more detail (so you can read it even if you have old and tired eyes like mine).
We describe the WannaCry-EternalBlue attack graph here given its historical importance and the continued impact it has on organizations all over the world. Aligned to the MITRE ATT&CK framework, the AttackIQ Security Optimization Platform emulates a range of ransomware families, stringing together adversary tactics, techniques, and procedures in an attack graph to emulate the adversary with specificity and realism and to test an organization’s security program continuously and automatically.
For a full demonstration of our ransomware adversary emulation capabilities, join us on January 27 with Jose Barajas, a malware researcher and Technical Director at AttackIQ and Ken Towne, an adversary research engineer at AttackIQ with over a decade of cyber intelligence and threat actor hunting experience, to walk you through the resources in our platform. Download the strategy in advance and give it a read. It scans quickly. And then come join them for the demo of the full suite of our ransomware capabilities.
The world is full of threats, obviously, and sometimes it feels like things are just getting nuttier and nuttier here on planet Earth. As ransomware proliferates, to a degree that may be true. But it feels even more stressful when you don’t have control over your operational terrain. You literally feel like you are driving in the dark, which is not the world’s best feeling when you’re trying to fix a problem or lead a team.
Today in matters of cybersecurity, there’s no sense letting threats spike your anxiety. There is a path out. The best way to drive down risk in a complex environment is to focus on the things you know you can control. A threat-informed defense strategy and the MITRE ATT&CK framework are ultimately all about that control. They focus you on:
- Naming the ransomware threats and TTPs that matter most to you;
- aligning your defenses against those threats; and
- running your defenses against the adversary to understand your program performance.
With real data about your team performance, you can dig deeper into your team to find out why and how they are performing the way that they are. This guide is designed to help you dig in on how to do that, particularly for the human performance of your team. Once you have a threat-informed defense strategy built and executed, you can exercise your defenses continuously so that when your leadership or auditors or Congress comes asking for proof, you can tell them how well you are performing with real data. That’s an effective way to get ahead.
You’ll be prepared for whatever comes your way. You’ll be ready. That’s what we mean when we say we’ve got your six.
Additional Resources:
- AttackIQ Vanguard, Our Managed Adversary Emulation Service
- The CISO’s Guide to Better Vulnerability Management Using MITRE ATT&CK®
- The Dummies Guide to MITRE ATT&CK