I know, “don’t kick someone when they are down“, but I have a history of working on a project that catalogs just such incidents. Yesterday, MITRE announced that they had been compromised by a nation-state actor, but didn’t provide much detail. Bleeping Computer reported that the compromise was due to zero-day vulnerabilities in an Ivanti VPN product (CVE-2023-46805 / CVE-2024-21887). Like MITRE CEO Jason Providakes says, “No organization is immune from this type of cyber attack, not even one that strives to maintain the highest cybersecurity possible“, and he is correct. Despite that, there is still some irony and amusement in my eyes.
At the end of the MITRE announcement it says:
As part of our cybersecurity research in the public interest, MITRE has a 50-plus-year history of developing standards and tools used by the broad cybersecurity community. With frameworks like ATT&CK®, Engage™, D3FEND™, and CALDERA™ and a host of other cybersecurity tools, MITRE arms the worldwide community of cyber defenders.
It’s that second line that stood out to me. Look at the four frameworks mentioned! So what do they do?
ATT&CK® “is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.“
Engage™ “is a framework for planning and discussing adversary engagement operations that empowers you to engage your adversaries and achieve your cybersecurity goals.“
D3FEND™ “is a knowledge base, but more specifically a knowledge graph, of cybersecurity countermeasure techniques. In the simplest sense, it is a catalog of defensive cybersecurity techniques and their relationships to offensive/adversary techniques. The primary goal of the initial D3FEND release is to help standardize the vocabulary used to describe defensive cybersecurity technology functionality.”
CALDERA™ “is a cybersecurity framework developed by MITRE that empowers cyber practitioners to save time, money, and energy through automated security assessments.“
So we have a framework to track adversary tactics, a framework for discussing adversary engagement operations, a framework to catalog defensive techniques related to adversary techniques, and a framework that helps automate security assessments. The last one is perhaps the most ironic, as many in our industry know that automated security assessments routinely fall short in many ways. If MITRE was relying on that as any part of their own defenses, we certainly hope it was a tiny piece in a bigger and more robust methodology. It’s also curious why three of the four projects aren’t listed on MITRE’s Cybersecurity Focus Area page.
What is also interesting is what isn’t listed; where is CVE and CWE? What are those projects?
CVE® has a mission “to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.“
CWE™ “is a community-developed list of common software and hardware weaknesses. A “weakness” is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities.“
When summed up, we have two defensive frameworks, two offensive mapping frameworks, and two projects to catalog the vulnerabilities and weaknesses used in attacks. This is where I wonder why Mr. Providakes did not include the vulnerabilities used to compromise MITRE in his statement, while talking about “commitment to operate in the public interest“. This type of knowledge better helps organizations understand which vulnerabilities are being exploited in the wild and often helps determine a timeline for when attacks started. That can be invaluable when performing forensics that require sifting through logs from days, weeks, or months ago.
Thinking about all of the frameworks and different initiatives to define security makes me move further and further into the camp of “did we forget the basics?” While a zero-day is an exception to the rule, timely patching is still a challenge for organizations. Slow and incomplete vulnerability intelligence along with bad patching practices causes more breaches than anything else. And a vast majority of those aren’t at the hands of so-called advanced persistent threats (APTs).
Consider CVE-2017-0199, a seven-year-old vulnerability in Microsoft Office that to this day is getting successfully exploited. It’s fascinating to know which adversary or group popped you, but if you are playing around with ATT&CK or a similar framework, it means you might not be patching those critical vulnerabilities. Some organizations seem to be more obsessed with the adversary rather than being obsessed with proper network defense and a stronger defense-in-depth model. Worse, these corporations keep using products with a history of fairly basic vulnerabilities that should have been caught during a proper security review during development. Not holding vendors accountable for these pedestrian vulnerabilities just invites them to keep prioritizing features over security.
Ultimately, this event and so many like it just further erode hope that the Internet has a hint of getting better in the realm of security. The bad guys have been winning since the start, and all of our money for blinky boxes and buzz words still isn’t doing the trick. Band-Aids on band-aids is the solution we’re predominantly seeing and it isn’t working.