<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[Raiders of the Lost ARP]]></title><description><![CDATA[Amateur Security Archaeologists, trying not to break things]]></description><link>https://www.raidersofthelostarp.tech</link><image><url>https://substackcdn.com/image/fetch/$s_!jlkm!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F32805939-c3d2-43b9-9a8c-32f85fe60fd1_1024x1024.png</url><title>Raiders of the Lost ARP</title><link>https://www.raidersofthelostarp.tech</link></image><generator>Substack</generator><lastBuildDate>Sat, 04 Apr 2026 03:37:06 GMT</lastBuildDate><atom:link href="https://www.raidersofthelostarp.tech/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Mike]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[RadiersOfTheLostARP@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[RadiersOfTheLostARP@substack.com]]></itunes:email><itunes:name><![CDATA[Mike McPhee]]></itunes:name></itunes:owner><itunes:author><![CDATA[Mike McPhee]]></itunes:author><googleplay:owner><![CDATA[RadiersOfTheLostARP@substack.com]]></googleplay:owner><googleplay:email><![CDATA[RadiersOfTheLostARP@substack.com]]></googleplay:email><googleplay:author><![CDATA[Mike McPhee]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[What's Causing Mike's Indigestion Now? 
— Special Artemis II Edition (3 April 2026)]]></title><description><![CDATA["Houston, we have a priorities problem."]]></description><link>https://www.raidersofthelostarp.tech/p/whats-causing-mikes-indigestion-now-df8</link><guid isPermaLink="false">https://www.raidersofthelostarp.tech/p/whats-causing-mikes-indigestion-now-df8</guid><dc:creator><![CDATA[Mike McPhee]]></dc:creator><pubDate>Fri, 03 Apr 2026 20:06:22 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Nwi5!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1257f327-7f8c-420e-ac5c-7d1e2e430106_360x342.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Nwi5!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1257f327-7f8c-420e-ac5c-7d1e2e430106_360x342.jpeg"><img src="https://substackcdn.com/image/fetch/$s_!Nwi5!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1257f327-7f8c-420e-ac5c-7d1e2e430106_360x342.jpeg" width="558" height="530.1" alt="Artist&#8217;s conceptual diagram showing all of the planets orbiting the Sun, but Earth is shown as being a flattened square-shaped box. Caption reads &quot;Well this is awkward&quot;." title="Artist&#8217;s conceptual diagram showing all of the planets orbiting the Sun, but Earth is shown as being a flattened square-shaped box. Caption reads &quot;Well this is awkward&quot;."></a></figure></div><p>Right now, as you&#8217;re reading this, four human beings are flying through deep space at roughly 25,000 miles per hour in a spacecraft named <em>Integrity</em>. And if that name doesn&#8217;t end up being the most ironic thing about this week, I&#8217;ll eat my hat.</p><p>US astronauts Reid Wiseman, Victor Glover, Christina Koch, and CSA astronaut Jeremy Hansen launched from Kennedy Space Center on April 1st and have now broken Earth orbit for the first time since Apollo 17 in 1972. (<a href="https://www.nasa.gov/news-release/nasas-artemis-ii-mission-leaves-earth-orbit-for-flight-around-moon/">NASA</a>) Let that sink in. Fifty-three years. The Artemis II crew is currently farther from home than any human has been since the Nixon administration, looking back at our little blue marble while making history in real time.</p><p>And back here on the ground? The administration just proposed cutting NASA&#8217;s science budget by nearly half.</p><p>Great timing, guys. Maybe they&#8217;re sore about a conspiracy they backed being debunked?</p><h2><strong>The Numbers, Because They Matter</strong></h2><p>The FY2027 White House budget request would cut NASA&#8217;s science mission budget by 47%, dropping it from $7.25 billion to $3.9 billion, with the overall agency taking a 23% hit. The <a href="https://www.planetary.org/press-releases/the-planetary-society-urges-congress-to-reject-historic-cuts-to-nasa-again">Planetary Society</a> points out that, adjusted for inflation, this would be the smallest NASA budget since 1961 - which, for reference, is before John Glenn had even orbited the Earth.</p><p>The official framing from the White House budget office is that it &#8220;terminates over 40 low-priority missions to transform the Science program into one that is more focused and fiscally responsible.&#8221; (<a href="https://spacenews.com/white-house-again-proposes-steep-nasa-budget-cuts/">SpaceNews</a>) Low priority. We&#8217;re talking about missions studying asteroids that could hit us, Earth&#8217;s climate systems, and decades of planetary science. But sure, low priority. Makes total sense.</p><p>This isn&#8217;t even a new idea. They tried this last year. Those proposed cuts were used to shrink research programs, draw up termination plans for 19 in-flight missions, and push more than 4,000 civil servants out the door. Congress said no - loudly, and with rare bipartisan agreement. 
So the White House just... submitted the same proposal again this year. &#8220;That&#8217;s a bold strategy, Cotton.&#8221;</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!OBy_!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe1843f4c-7a8d-44e7-9787-2cbd02dfe973_498x272.gif"><img src="https://substackcdn.com/image/fetch/$s_!OBy_!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe1843f4c-7a8d-44e7-9787-2cbd02dfe973_498x272.gif" width="498" height="272" alt="" loading="lazy"></a></figure></div><p>The impact goes well beyond cancelled missions. These cuts would gut space science research programs, cripple university departments and NASA centers, wipe out a generation of the STEM talent pipeline, and trigger widespread layoffs across a highly skilled workforce in both government and industry. (<a href="https://spaceflightnow.com/2025/05/03/proposed-24-percent-cut-to-nasa-budget-eliminates-key-artemis-architecture-climate-research/">Spaceflight Now</a>) California alone could lose nearly 14,000 jobs. JPL, the lab behind the Mars rovers and Voyager, would be looking at an existential crisis. NASA&#8217;s workforce could drop to its lowest level since the Apollo era. 
(<a href="https://www.astronomy.com/science/government-shutdown-threatens-nasas-future/">Astronomy.com</a>)</p><div><hr></div><h2><strong>Where Have We Seen This Movie Before?</strong></h2><p>Here&#8217;s the thing. This pattern is not unique to space policy. Anyone paying attention to the tech industry over the past few years will recognize the playbook immediately.</p><p>Record profits. Record layoffs. Record executive compensation packages. Rinse and repeat, and blame it on &#8220;restructuring.&#8221; I know plenty of folks personally impacted by this. Some never make it back into the field and switch tracks. Like anyone in tech, I am looking over my own shoulder.</p><p>Amazon posted $716.9 billion in revenue in 2025, a record, and still announced 16,000 layoffs, framed as a push to &#8220;flatten management layers.&#8221; Block&#8217;s CEO was at least honest about it: &#8220;This is not driven by financial difficulty, but by the growing capability of AI tools to perform a wider range of tasks.&#8221; (<a href="https://www.ibtimes.co.uk/ai-driven-layoffs-2026-tech-sector-1788111">International Business Times</a>) At least someone said the quiet part out loud.</p><p>And AI is the key word here, because the &#8220;AI will do it better and cheaper&#8221; logic that has been gutting tech workforces is absolutely leaking into government decision-making now. Why fund a generation of planetary scientists when some future model could theoretically analyze the data? Why maintain decades of institutional knowledge when you can just prompt your way to an answer?</p><p>The standard corporate line always includes some version of &#8220;restructuring for AI efficiency&#8221; or &#8220;rightsizing for current market conditions.&#8221; What that actually means is: we can do more with fewer people, and we&#8217;d rather boost margins than maintain headcount. The productivity gains are finally starting to peek through. 
But the benefits just flow straight to the top, not to the people who actually built &#8216;the thing&#8217;.</p><p>No offense to my boy Claude.ai, but I am not a substitute for a career NASA scientist. Neither is any other AI. They don&#8217;t land on asteroids. They don&#8217;t look out a capsule window and inspire the next generation of engineers. And they definitely don&#8217;t carry 53 years of hard-won institutional knowledge, instinct, or respect for heat shield erosion and orbital mechanics.</p><div><hr></div><h2><strong>What We&#8217;re Actually Losing</strong></h2><p>The modern playbook, in corporate America and apparently in Washington now too, optimizes for the next quarter, the next earnings call, the next news cycle. Long-horizon investments like space science are at a permanent disadvantage because the returns don&#8217;t show up fast enough to move a stock price or win a midterm.</p><p>NASA was specifically built to do the opposite. It exists for missions that take a decade to plan and another decade to fly, with payoffs that ripple out for generations. You can&#8217;t apply short-term efficiency logic to that without breaking it. GPS, memory foam, water filtration, scratch-resistant lenses: half the technology you used today has a lineage that traces back to someone at NASA who didn&#8217;t know exactly what they were building yet.</p><p>More than 100 members of Congress co-signed a bipartisan letter calling for a $1.75 billion increase to NASA Science. Congress will probably reject these cuts again. But every year this fight has to happen is another year of deferred missions, demoralized researchers, and talented people going somewhere else. And this subset of science has been luckier than many. 
Just ask the folks who&#8217;ve protected us as part of the CDC, WHO, NOAA, and countless other experts whose work has been deemed &#8220;inefficient&#8221; while we divert funds to prop up egos and unleash chaos on the world.</p><p>The Artemis II crew will fly around the Moon, come home around April 10th, and it will be genuinely awe-inspiring. It deserves every bit of attention it gets.</p><p>Then the awesome and irreplaceable people who made it happen will walk back into their offices and wonder if there&#8217;s still going to be a program next year. But hey, at least we can fund inflicting more pain!</p><p>That&#8217;s the part that should make all of us a little sick to our stomachs.</p>]]></content:encoded></item><item><title><![CDATA[What’s Causing Mike’s Indigestion Now? When the Cloud Goes Boom (March 12, 2026)]]></title><description><![CDATA[There&#8217;s something quietly therapeutic about watching Harrison Ford stumble through grief, bad decisions, and genuine human connection on Shrinking. It&#8217;s a show about people doing the hard work of not running from their problems, and in 2026 that feels both aspirational and instructional. 
Because looking at the news this week, I&#8217;m watching a lot of institutions that have been running from (or ignoring) their problems for a long time. The bill is coming due, and they are expecting us to float them some money.]]></description><link>https://www.raidersofthelostarp.tech/p/whats-causing-mikes-indigestion-now</link><guid isPermaLink="false">https://www.raidersofthelostarp.tech/p/whats-causing-mikes-indigestion-now</guid><dc:creator><![CDATA[Mike McPhee]]></dc:creator><pubDate>Thu, 12 Mar 2026 18:10:02 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!h7eY!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffadf5c72-9380-4143-802e-a01193a1cc09_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!h7eY!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffadf5c72-9380-4143-802e-a01193a1cc09_1024x1024.png"><img src="https://substackcdn.com/image/fetch/$s_!h7eY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffadf5c72-9380-4143-802e-a01193a1cc09_1024x1024.png" width="1024" height="1024" alt=""></a></figure></div><p>There&#8217;s something quietly therapeutic about watching Harrison Ford stumble through grief, bad decisions, and genuine 
human connection on <em><a href="https://tv.apple.com/us/show/shrinking/umc.cmc.apzybj6eqf6pzccd97kev7bs?ctx_agid=502c9996">Shrinking</a></em>. It&#8217;s a show about people doing the hard work of not running from their problems, and in 2026 that feels both aspirational and instructional. Because looking at the news this week, I&#8217;m watching a lot of institutions that have been running from (or ignoring) their problems for a long time. The bill is coming due, and they are expecting us to float them some money.</p><div><hr></div><h2>The Middle East Was Always a Cyber War. We Just Made It Louder.</h2><p>Here&#8217;s what I think most of us in security already sensed was coming, even if we didn&#8217;t know the specific shape of it: the slow-burn cyber conflict with Iran was always going to get louder when the kinetic fighting started. And it did.</p><p>On February 28, U.S. and Israeli forces launched coordinated strikes on Iranian targets. In the days that followed, drone strikes physically hit AWS data centers in the UAE, with a third facility in Bahrain damaged by debris from a nearby strike. 
The IRGC claimed responsibility, saying the attacks were aimed at identifying the role of those centers in supporting enemy military and intelligence activities. (<a href="https://www.euronews.com/next/2026/03/12/data-centres-are-the-new-target-in-modern-warfare-during-iran-war-experts-say">Euronews</a>) As of this writing, several Amazon services remain unavailable or disrupted for customers in the UAE and Bahrain. (<a href="https://www.euronews.com/next/2026/03/12/data-centres-are-the-new-target-in-modern-warfare-during-iran-war-experts-say">Euronews</a>)</p><p>I don&#8217;t think any of us had &#8220;cloud data centers as kinetic military targets&#8221; at the top of our 2026 bingo cards. But in hindsight, it shouldn&#8217;t be shocking. Data centers power AI capabilities, they support military logistics, and they&#8217;re physical buildings. They can burn.</p><p>The bigger question this raises for most of us isn&#8217;t &#8220;what happened in the Middle East&#8221; - it&#8217;s &#8220;what did I assume about cloud resilience that this just proved wrong?&#8221; Most business continuity plans were designed around power outages, natural disasters, maybe a ransomware incident. I don&#8217;t think many of them were stress-tested against the scenario where a meaningful chunk of a region&#8217;s cloud infrastructure goes dark because of military action. If a single weekend of conflict can physically destroy cloud infrastructure, trigger hundreds of cyberattacks, and sever an entire country from the internet, the assumptions underneath your organization&#8217;s data retention policies and business continuity plans deserve a hard look. (<a href="https://complexdiscovery.com/cybersecurity-implications-of-the-2026-middle-east-escalation-when-cloud-infrastructure-becomes-a-target/">ComplexDiscovery</a>) I would say I am shocked that the aggressors didn&#8217;t account for this, but I would be lying. 
Consequences and the impact on the US&#8217;s reputation, the global economy, energy prices, exacerbated humanitarian plights &amp; loss of life, or world order seem to be complete afterthoughts to the current decision makers.</p><h3>What about the cyber side?</h3><p>Here&#8217;s what the picture looks like right now, with the caveat that things are still moving fast and anyone who sounds totally certain is probably oversimplifying.</p><p>CrowdStrike has not observed large-scale state-sponsored cyber campaigns yet, but is seeing a surge in claimed activity from both pro-West and Iran-aligned hacktivist groups, including assertions of denial-of-service operations, defacements, and alleged interference across targets in the Middle East, the U.S., and parts of Asia. (<a href="https://www.securityweek.com/us-israel-and-iran-trade-cyberattacks-pro-west-hacks-cause-disruption-as-tehran-retaliates/">SecurityWeek</a>) A lot of that activity is loud and claim-driven. Take it with a bucket of salt. Iran has historically had mixed results with disruptive cyberattacks and frequently exaggerates their effects for psychological impact. (<a href="https://www.nextgov.com/cybersecurity/2026/03/intelligence-firms-watch-uptick-iran-cyber-activity-after-us-israel-strikes/411802/">Nextgov</a>)</p><p>That said, the degradation of Iranian internet connectivity to 1-4% has likely hindered state-aligned actors in the short term, but may also push tactical autonomy to cells operating outside of Iran. (<a href="https://blog.talosintelligence.com/talos-developing-situation-in-the-middle-east/">Cisco Talos</a>) That&#8217;s the thing I keep thinking about: when the central command structure gets disrupted, you get less coordination but potentially more unpredictability from independent operators. The first few weeks of a conflict like this tend to be loud and noisy. 
The moves that actually hurt usually come later.</p><h3>What can defenders actually do?</h3><ul><li><p><strong>Check your cloud geography.</strong> Pull the list of workloads you have pinned to Middle East regions and understand which ones could be migrated versus which ones are stuck due to data sovereignty rules. Don&#8217;t just know the answer in theory -- actually test the migration for something non-critical.</p></li><li><p><strong>Watch for what comes after the noise.</strong> The current DDoS and defacement wave is largely opportunistic. The more concerning pattern to watch for is credential harvesting, identity infrastructure targeting, or any probing of operational technology environments.</p></li><li><p><strong>MFA everywhere that matters.</strong> Iran-linked actors have a long history of leading with credential theft - password spraying, targeted phishing, supply chain access. If you haven&#8217;t enforced phishing-resistant MFA on remote access and privileged accounts, that&#8217;s the highest-return move available right now.</p></li><li><p><strong>Check on your people in affected regions.</strong> If you have employees, contractors, or managed service providers in the UAE, Bahrain, or Jordan, verify they can actually function. Your incident response plan may assume key people can reach their workplaces. 
That assumption deserves a check.</p></li></ul><p><strong>Learn more:</strong> <a href="https://www.sophos.com/en-us/blog/cyber-advisory-increased-cyber-risk-amid-u-s-israel-iran-escalation">Sophos Cyber Advisory on U.S.-Israel-Iran Escalation</a> | <a href="https://zerodayclock.com">ZeroDayClock (live exploit timeline tracker)</a> | <a href="https://blog.talosintelligence.com/talos-developing-situation-in-the-middle-east/">Cisco Talos advisory on the developing situation in the Middle East</a></p><div><hr></div><h2>Things I&#8217;m Keeping an Eye On</h2><ul><li><p><strong>The White House dropped a new Cyber Strategy last Friday, and offense is front and center.</strong> The seven-page document places offensive cyber operations at the center of U.S. policy, with a push to deregulate industry and use AI to accelerate defense - a significant shift from past approaches. <a href="https://nationaltoday.com/us/dc/washington/news/2026/03/07/white-house-unveils-new-cybersecurity-strategy-emphasizing-offense-and-ai/">National Today</a> I find myself genuinely uncertain how to read the deregulatory piece alongside the &#8220;go on offense&#8221; piece. Those two things can coexist, but they require real discipline to not let one undermine the other. <a href="https://www.darkreading.com/cybersecurity-operations/white-house-cyber-strategy-prioritizes-offense">Dark Reading</a></p></li><li><p><strong>APT36 is now vibe-coding their malware, and it&#8217;s both less scary and more interesting than it sounds.</strong> Bitdefender&#8217;s research on the Pakistan-based group Transparent Tribe shows them using AI to churn out disposable malware in niche languages like Nim and Zig. The code quality is often embarrassing -- one sample shipped with a placeholder where the C2 URL should have been, meaning it could never actually steal anything. But the point isn&#8217;t sophistication. 
The strategy is to overwhelm defenders through volume rather than bypass security through technical brilliance - a kind of distributed denial of detection. <a href="https://www.bitdefender.com/en-us/blog/businessinsights/apt36-nightmare-vibeware">bitdefender</a> As someone who&#8217;s been experimenting with vibe-coding myself to prototype ideas, I find this one personally thought-provoking. <a href="https://www.bitdefender.com/en-us/blog/businessinsights/apt36-nightmare-vibeware">Bitdefender</a></p></li><li><p><strong>Talos has a good read on agentic AI and the threat models that come with it.</strong> The piece walks through what it looks like when AI agents get deployed offensively -- and the scenario that stuck with me is a fully autonomous agent given a specific objective that uses local inference and only contacts the backend when the task is done, minimizing the network traffic defenders would normally use to detect it. <a href="https://blog.talosintelligence.com/agentic-ai-security-why-you-need-to-know-about-autonomous-agents-now/">Talos Intelligence</a> We&#8217;re early here, but it&#8217;s worth starting to think about. <a href="https://blog.talosintelligence.com/agentic-ai-security-why-you-need-to-know-about-autonomous-agents-now/">Talos Intel</a></p></li><li><p><strong>ZeroDayClock is worth a bookmark.</strong> It&#8217;s a live dashboard tracking how fast the window between a vulnerability being published and it being actively exploited is shrinking. The data has caveats they&#8217;re upfront about, but the direction of the trend is not reassuring. Worth keeping an eye on as a gut-check for your patching timelines. <a href="https://zerodayclock.com">zerodayclock.com</a></p></li></ul><div><hr></div><h2>What I&#8217;m Learning This Week</h2><p>Finishing up <a href="https://www.sans.org/cyber-security-courses/cyber-threat-intelligence">FOR578</a>, and I&#8217;ll just say: Robert Lee and Rebekah Brown built something that genuinely surprised me. 
I thought I knew CTI. Turns out I knew <em>about</em> CTI the way someone knows about surgery because they&#8217;ve watched a lot of medical dramas. The nuance in what it actually means to produce finished intelligence - with real confidence levels and analytic rigor -- is something I&#8217;m already reworking into how I approach everything. More on this soon.</p><div><hr></div><h2>Closing</h2><p><em>Shrinking</em> works because the characters eventually stop pretending the hard thing isn&#8217;t the hard thing. They sit with what&#8217;s actually in front of them. Looking at this week - missiles hitting cloud infrastructure, a conflict whose shape was visible for a long time, AI tools getting used offensively before we&#8217;ve figured out how to defend against them -- I think that&#8217;s the right posture for all of us right now. Not panic. Just honesty about what we&#8217;re looking at.</p><p>Stay vigilant, folks.</p>
]]></content:encoded></item><item><title><![CDATA[All I want for Christmas is Caldera 5.0]]></title><description><![CDATA[Well it has been some time since I have had an opportunity to log in and capture some thoughts - sorry about that!]]></description><link>https://www.raidersofthelostarp.tech/p/all-i-want-for-christmas-is-caldera-5-0</link><guid isPermaLink="false">https://www.raidersofthelostarp.tech/p/all-i-want-for-christmas-is-caldera-5-0</guid><dc:creator><![CDATA[Mike McPhee]]></dc:creator><pubDate>Fri, 13 Dec 2024 13:10:08 GMT</pubDate><enclosure url="https://images.raidersofthelostarp.tech/2024/12/running_from_volcano.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!kroo!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8d0b98b-af98-4a62-8c59-aba075619182_600x600.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!kroo!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8d0b98b-af98-4a62-8c59-aba075619182_600x600.png 424w, https://substackcdn.com/image/fetch/$s_!kroo!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8d0b98b-af98-4a62-8c59-aba075619182_600x600.png 848w, 
https://substackcdn.com/image/fetch/$s_!kroo!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8d0b98b-af98-4a62-8c59-aba075619182_600x600.png 1272w, https://substackcdn.com/image/fetch/$s_!kroo!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8d0b98b-af98-4a62-8c59-aba075619182_600x600.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!kroo!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8d0b98b-af98-4a62-8c59-aba075619182_600x600.png" width="600" height="600" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d8d0b98b-af98-4a62-8c59-aba075619182_600x600.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:600,&quot;width&quot;:600,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:882138,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.raidersofthelostarp.tech/i/190625011?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8d0b98b-af98-4a62-8c59-aba075619182_600x600.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!kroo!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8d0b98b-af98-4a62-8c59-aba075619182_600x600.png 424w, 
https://substackcdn.com/image/fetch/$s_!kroo!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8d0b98b-af98-4a62-8c59-aba075619182_600x600.png 848w, https://substackcdn.com/image/fetch/$s_!kroo!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8d0b98b-af98-4a62-8c59-aba075619182_600x600.png 1272w, https://substackcdn.com/image/fetch/$s_!kroo!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd8d0b98b-af98-4a62-8c59-aba075619182_600x600.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>Well it has been some time since I have had an opportunity to log in and capture some thoughts - sorry about that! The truth is, it has been a wild few months with work, kids, and the whole 'adulting' thing. I do hope I can start offering something of use more frequently. Something that took a lot of time - and shouldn't have - was getting a working installation of <a href="https://github.com/mitre/caldera">MITRE's Caldera</a>, the open-source attack simulation tool. I have used prior versions since 2020 - I think it was version 2.7? Well, the new release (Magma, or v5.0) is fantastic - if you can get it to install correctly.</p><h2>What seemed wrong?</h2><p>Keep in mind, I am an outage waiting to happen, so some of this is most certainly my own self-inflicted wounds or ignorance. Call me crazy, but I think the biggest barrier to open source satisfying the masses is just how finicky it can be to set up an application and maintain it. That would seem to be the case here! Let's start with the general complaints that could apply to any modern open-source solution:</p><h3>Dependencies and the OS</h3><p>Depending on your desired implementation, you may need to <a href="https://caldera.readthedocs.io/en/latest/Installing-Caldera.html">install</a> and troubleshoot a long list of software packages:</p><ul><li><p>python &amp; pip</p></li><li><p>virtual environments</p></li><li><p>vue.js/node.js and NPM</p></li><li><p>Docker</p></li><li><p>upx</p></li><li><p>Go</p></li><li><p>and numerous other dependencies of these packages</p></li></ul><p>Not to mention, you might be working around any new roadblocks your chosen OS throws at you. Ubuntu is continually re-working its complicated relationship with python, as I assume many other Linux distributions are. I get it. Python is essential to both applications and the OS, and either one can easily break it for the other. But yeah, what a PITA. 
The flow I will convey here isn't pretty, but it seems to work (thanks Mark for the help and finding the mistake!)</p><h3>Changes to the base platform</h3><p>Application developers have a tough job - how do they keep offering functions the customers need in ways that are appealing and keep pace with user experience trends? The Caldera team <a href="https://medium.com/@mitrecaldera/announcing-mitre-caldera-v5-06798b928adf">dramatically shifted gears</a> with Caldera Magma, moving to a vue.js-based UI that is quite amazing once you get to work with it. It has much more visually significant iconography, more useful tables, and a much tighter workflow for setting up and managing an operation. They also needed to bake in capabilities that allow Caldera to be extended for OT/ICS coverage and for the eventual inclusion of AI-driven adversary simulation.</p><p>These major changes and enhancements mean the inclusion of even more dependencies. Earlier versions of Caldera were largely Python-focused. Now a much broader set of capabilities is being brought to bear. All of these changes make installation a much more involved task for any script. And when the script fails, well, it becomes a lot of work for the poor end user.</p><h3>A seemingly broken script</h3><p>One of Caldera's awesome superpowers is its ability to install even more fun via <a href="https://caldera.readthedocs.io/en/latest/Plugin-library.html">plugins</a>. In effect, it installs itself even more superpowers! Ahh, but like any good superhero, there is always a constraint, limit, or price to be paid. In Caldera's case, these plugins are all developed in different ways, and some have fallen out of support, are no longer added by default (like <a href="https://github.com/mitre/mock">Mock</a>), are coded differently (<a href="https://github.com/mitre/human">Human</a>), or require additional dependencies (e.g. <a href="https://github.com/mitre/emu">Emu</a>). 
Some are an easy fix - like cloning Mock in after the main package but before the first build. In Emu's case, the included script fails to pull all required files and will thus hang the server's startup. This was resolved by cloning a fresh copy of the emulation plans from their upstream source (details below).</p><h2>Overcoming obstacles</h2><p>I am afraid to admit how much time the above took to work through, but I managed with some digging into errors, multiple tries with different flavors of Ubuntu and install types (Docker containers vs. directly on the VM) and a boatload of frustrating time on StackOverflow. As much as that site has bailed me out, it is useless to someone without a good clue as to how to outline their query. I even used my good buddy <a href="https://claude.ai/new">Claude.ai</a> to help me get past some really fundamental issues with a botched NPM config. It even found a way to tell me nicely that it was my fault.</p><h2>The working path</h2><p>So without further ado, here is the general idea for how I tackled this and finally got Caldera to cooperate!</p><h3>Prerequisites</h3><ul><li><p><a href="https://ubuntu.com/download/desktop">Ubuntu 22.04 or 24.04 VM</a> or host with sudo privileges</p></li><li><p>&gt;20GB of free space to allow for the node.js build, expanded libraries, and room for collected (looted) intel during ops</p></li><li><p>If you plan to use this on a real network, you might want to statically configure an IP, or reserve one in DHCP, for the intended network interface - agents call back to whatever server address you bake into the config, so it should not move under them</p></li></ul><h3>Installing dependencies</h3><pre><code>sudo apt update &amp;&amp; sudo apt upgrade -y
sudo apt install python3-dev git curl python3-venv npm

curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash

source ~/.bashrc
nvm install stable
sudo snap install go --classic &amp;&amp; sudo snap install upx</code></pre><h3>Clone the main Caldera repo</h3><pre><code>git clone https://github.com/mitre/caldera.git --recursive caldera5</code></pre><h3>Install the Mock plugin</h3><p>I use this no-longer-default plugin purely to help demonstrate how agents work when I am on the road and need to show a simulated environment without spinning up real targets.</p><pre><code>cd caldera5/plugins
git clone https://github.com/mitre/mock.git --recursive</code></pre><h3>Install Emu payloads</h3><p>This is where it gets fun. Emu's directory structure comes through using the top-level clone, but it is missing some stuff further down the tree. Install the payloads as best you can now and we'll clean it up shortly</p><pre><code>cd emu
./download_payloads.sh</code></pre><h3>Fix the emu plans directory</h3><p>Because the plans don't make it over completely, if you attempt to start the server the build will stall. To fix this, we'll remove the incomplete emulation plans directory and pull from <a href="https://github.com/center-for-threat-informed-defense/adversary_emulation_library">source</a> to ensure we have them all. When you re-run the <code>download_payloads.sh</code> script, you should see more payloads come down. Yippee!</p><pre><code>cd data/
rm -rf adversary-emulation-plans/
cd ../../..

git clone --depth 1 https://github.com/center-for-threat-informed-defense/adversary_emulation_library.git plugins/emu/data/adversary-emulation-plans

cd plugins/emu
./download_payloads.sh</code></pre><h3>Finish config!</h3><p>Here is where we finally get to do some customization. I know there are some sed/awk tricks that can make this easy, but I would rather spend 5 minutes making the changes than 2 hours learning how to script the change to save 5 minutes. I am not a role model for DevOps, that is for certain!</p><p>First, we're going to modify the <code>conf/default.yml</code> file so we can ensure our IP addresses are configured and the mock and emu plugins are loaded:</p><pre><code>cd ../..
nano conf/default.yml </code></pre><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!GJFH!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F56603a59-4286-41d6-9363-848d0d38abf4_1024x759.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!GJFH!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F56603a59-4286-41d6-9363-848d0d38abf4_1024x759.png 424w, https://substackcdn.com/image/fetch/$s_!GJFH!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F56603a59-4286-41d6-9363-848d0d38abf4_1024x759.png 848w, https://substackcdn.com/image/fetch/$s_!GJFH!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F56603a59-4286-41d6-9363-848d0d38abf4_1024x759.png 1272w, https://substackcdn.com/image/fetch/$s_!GJFH!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F56603a59-4286-41d6-9363-848d0d38abf4_1024x759.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!GJFH!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F56603a59-4286-41d6-9363-848d0d38abf4_1024x759.png" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/56603a59-4286-41d6-9363-848d0d38abf4_1024x759.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!GJFH!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F56603a59-4286-41d6-9363-848d0d38abf4_1024x759.png 424w, https://substackcdn.com/image/fetch/$s_!GJFH!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F56603a59-4286-41d6-9363-848d0d38abf4_1024x759.png 848w, https://substackcdn.com/image/fetch/$s_!GJFH!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F56603a59-4286-41d6-9363-848d0d38abf4_1024x759.png 1272w, https://substackcdn.com/image/fetch/$s_!GJFH!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F56603a59-4286-41d6-9363-848d0d38abf4_1024x759.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">Modify IP addresses (0.0.0.0 or localhost by default) and change usernames, passwords, and API keys as needed.</figcaption></figure></div><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" 
href="https://substackcdn.com/image/fetch/$s_!GrRl!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33e93894-68e9-48af-8dc9-65fac5d5b274_632x600.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!GrRl!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33e93894-68e9-48af-8dc9-65fac5d5b274_632x600.png 424w, https://substackcdn.com/image/fetch/$s_!GrRl!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33e93894-68e9-48af-8dc9-65fac5d5b274_632x600.png 848w, https://substackcdn.com/image/fetch/$s_!GrRl!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33e93894-68e9-48af-8dc9-65fac5d5b274_632x600.png 1272w, https://substackcdn.com/image/fetch/$s_!GrRl!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33e93894-68e9-48af-8dc9-65fac5d5b274_632x600.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!GrRl!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33e93894-68e9-48af-8dc9-65fac5d5b274_632x600.png" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/33e93894-68e9-48af-8dc9-65fac5d5b274_632x600.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!GrRl!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33e93894-68e9-48af-8dc9-65fac5d5b274_632x600.png 424w, https://substackcdn.com/image/fetch/$s_!GrRl!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33e93894-68e9-48af-8dc9-65fac5d5b274_632x600.png 848w, https://substackcdn.com/image/fetch/$s_!GrRl!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33e93894-68e9-48af-8dc9-65fac5d5b274_632x600.png 1272w, https://substackcdn.com/image/fetch/$s_!GrRl!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33e93894-68e9-48af-8dc9-65fac5d5b274_632x600.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">Add in mock and emu to ensure they are loaded, as well as any other plugins you desire (like <a href="https://github.com/mitre/caldera-ot">caldera-ot</a>!)</figcaption></figure></div><h3>Breaking the rules for science</h3><p>Now that we have that all knocked out, time to install your python packages. 
I know this can be done in a virtual environment - and it can also be run out of Docker. At the time I was putting this together, <code>venv</code> wasn't working well for me, so I ran this on a small Ubuntu VM dedicated to Caldera anyway and used the <code>--break-system-packages</code> switch to force the pip install. That switch tells pip to ignore the distribution's protection of its own Python packages (PEP 668), so only do it on a box you can afford to rebuild. Feel free to let me know if you have a more elegant path in the comments below!</p><pre><code>pip3 install -r requirements.txt --break-system-packages</code></pre><p>Now we can start the server. The first run requires more time as vue.js needs to fully inflate, build out the web application, and do its thing. Don't freak out if this takes a while! Also - I am using the <code>--insecure</code> switch for testing here. It runs the server on the stock credentials shipped in <code>default.yml</code>, which anyone with the documentation can look up, so an instance started that way should never face a real network. Whenever I plan to run it for more than a quick run, or unattended, I create a <code>local.yml</code> file that looks like <code>default.yml</code> but includes my salt value and encryption key, and then I drop that switch for subsequent startups.</p><pre><code># For testing
python3 server.py --insecure --build 

# For my more persistent lab box
python3 server.py --build</code></pre><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!zD7V!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7bc357fd-6a80-4a79-985e-728bd5985840_1024x402.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!zD7V!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7bc357fd-6a80-4a79-985e-728bd5985840_1024x402.png 424w, https://substackcdn.com/image/fetch/$s_!zD7V!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7bc357fd-6a80-4a79-985e-728bd5985840_1024x402.png 848w, https://substackcdn.com/image/fetch/$s_!zD7V!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7bc357fd-6a80-4a79-985e-728bd5985840_1024x402.png 1272w, https://substackcdn.com/image/fetch/$s_!zD7V!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7bc357fd-6a80-4a79-985e-728bd5985840_1024x402.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!zD7V!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7bc357fd-6a80-4a79-985e-728bd5985840_1024x402.png" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7bc357fd-6a80-4a79-985e-728bd5985840_1024x402.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!zD7V!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7bc357fd-6a80-4a79-985e-728bd5985840_1024x402.png 424w, https://substackcdn.com/image/fetch/$s_!zD7V!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7bc357fd-6a80-4a79-985e-728bd5985840_1024x402.png 848w, https://substackcdn.com/image/fetch/$s_!zD7V!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7bc357fd-6a80-4a79-985e-728bd5985840_1024x402.png 1272w, https://substackcdn.com/image/fetch/$s_!zD7V!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7bc357fd-6a80-4a79-985e-728bd5985840_1024x402.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">You may see some warnings, but "All systems ready." is what we're truly after ;)</figcaption></figure></div><p>You are likely to see errors related to payloads. Many of these are not allowed to be distributed to systems, and so you are left to search for them yourselves IF you have the permission and access from your organization to do so. 
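</p><p>One way to take care of the <code>local.yml</code> step from the startup section without hand-editing YAML: the script below is an added example, not code from this post or from the Caldera project. It copies <code>conf/default.yml</code> to <code>conf/local.yml</code>, swaps every stock credential (the red and blue API keys, <code>crypt_salt</code>, <code>encryption_key</code>, and the <code>admin</code> passwords in the <code>users</code> block) for random values, points <code>host</code> and <code>app.contact.http</code> at the server's real IP, and appends the <code>mock</code> and <code>emu</code> plugins, so the server can then be started without <code>--insecure</code>. The key names are those in Caldera's shipped <code>default.yml</code>; the small sample file the demo writes is constructed for illustration only, and 192.0.2.10 stands in for your server's address.</p>

```bash
#!/usr/bin/env bash
# Added example for this post, not code from the post or from the MITRE Caldera project.
# Builds conf/local.yml from conf/default.yml with fresh random secrets so the server
# can run without --insecure. Assumes the key names in Caldera's shipped default.yml:
# api_key_red, api_key_blue, crypt_salt, encryption_key, host, app.contact.http,
# plugins, and a users: block whose red/admin/blue accounts default to the password "admin".
set -eu

# rand_hex <bytes>: print that many random bytes as lowercase hex
rand_hex() {
  head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# make_local_conf <default.yml> <local.yml> <listen_ip> [plugin ...]
make_local_conf() {
  local src=$1 dst=$2 ip=$3; shift 3
  local red blue salt key redpw bluepw p
  red=$(rand_hex 24); blue=$(rand_hex 24); salt=$(rand_hex 16); key=$(rand_hex 32)
  redpw=$(rand_hex 12); bluepw=$(rand_hex 12)
  # Rewrite the scalar settings in one pass; lines that match nothing pass through unchanged.
  # '@' is the s/// delimiter because the values contain ':' and '/'.
  sed -E \
    -e "s@^api_key_red:.*@api_key_red: ${red}@" \
    -e "s@^api_key_blue:.*@api_key_blue: ${blue}@" \
    -e "s@^crypt_salt:.*@crypt_salt: ${salt}@" \
    -e "s@^encryption_key:.*@encryption_key: ${key}@" \
    -e "s@^host:.*@host: ${ip}@" \
    -e "s@^app\.contact\.http:.*@app.contact.http: http://${ip}:8888@" \
    -e "s@^( +)(red|admin): admin\$@\1\2: ${redpw}@" \
    -e "s@^( +)blue: admin\$@\1blue: ${bluepw}@" \
    "$src" > "$dst"
  # Add each requested plugin directly under the 'plugins:' key, skipping ones already listed.
  for p in "$@"; do
    grep -qxF -- "- ${p}" "$dst" && continue
    awk -v add="- ${p}" '{ print } /^plugins:$/ { print add }' "$dst" > "${dst}.tmp"
    mv "${dst}.tmp" "$dst"
  done
  chmod 600 "$dst"   # the file now holds live credentials
}

# verify_no_defaults <yml>: succeed only if no stock Caldera credential survived;
# any leftover lines are printed to stderr so you can see what was missed.
verify_no_defaults() {
  ! grep -nE '^(api_key_(red|blue)|encryption_key): (BLUE)?ADMIN123$|^crypt_salt: REPLACE_WITH_RANDOM_VALUE$|^ +[a-z]+: admin$' "$1" >&2
}

# demo: run the whole thing against a constructed default.yml (a trimmed stand-in for
# Caldera's real file) in a temp directory and print the hardened output's path.
demo() {
  local dir; dir=$(mktemp -d)
  cat > "$dir/default.yml" <<'EOF'
api_key_blue: BLUEADMIN123
api_key_red: ADMIN123
app.contact.http: http://0.0.0.0:8888
crypt_salt: REPLACE_WITH_RANDOM_VALUE
encryption_key: ADMIN123
host: 0.0.0.0
plugins:
- sandcat
- stockpile
port: 8888
users:
  blue:
    blue: admin
  red:
    admin: admin
    red: admin
EOF
  make_local_conf "$dir/default.yml" "$dir/local.yml" 192.0.2.10 mock emu
  verify_no_defaults "$dir/local.yml"
  echo "$dir/local.yml"
}

# With three or more arguments, act on real files; otherwise run the demo.
if [ "$#" -ge 3 ]; then
  make_local_conf "$@" && verify_no_defaults "$2"
else
  demo
fi
```

<p>Run it with no arguments to watch it work on the constructed sample, or save it as, say, <code>make_local_conf.sh</code> and run <code>./make_local_conf.sh conf/default.yml conf/local.yml 192.0.2.10 mock emu</code> from the <code>caldera5</code> directory, then start the server with <code>python3 server.py --build</code> (no <code>--insecure</code>) and log in with the generated passwords from <code>conf/local.yml</code>. The verification step fails loudly if any default credential survived, which is the check you want before the box ever faces a real network; the file is also left readable only by its owner, since it now holds the keys to your red team's C2.</p><p>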
Looking at some of those names, it makes sense that you would want to explicitly download those only if needed. Either way, your instance should build and work ok without those specific executables.</p><h3>Starting up later</h3><p>For subsequent start-ups, you can omit the build switch:</p><pre><code>python3 server.py</code></pre><p>And if all works well, you can log into your Caldera portal and get emulating! If you can get to the following portal but not log in, try a restart. More often than not that clears up any lingering issues :)</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!oBBs!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F874aa82c-6196-412b-894b-09f8c960d867_1024x598.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!oBBs!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F874aa82c-6196-412b-894b-09f8c960d867_1024x598.png 424w, https://substackcdn.com/image/fetch/$s_!oBBs!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F874aa82c-6196-412b-894b-09f8c960d867_1024x598.png 848w, https://substackcdn.com/image/fetch/$s_!oBBs!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F874aa82c-6196-412b-894b-09f8c960d867_1024x598.png 1272w, https://substackcdn.com/image/fetch/$s_!oBBs!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F874aa82c-6196-412b-894b-09f8c960d867_1024x598.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!oBBs!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F874aa82c-6196-412b-894b-09f8c960d867_1024x598.png" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/874aa82c-6196-412b-894b-09f8c960d867_1024x598.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!oBBs!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F874aa82c-6196-412b-894b-09f8c960d867_1024x598.png 424w, https://substackcdn.com/image/fetch/$s_!oBBs!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F874aa82c-6196-412b-894b-09f8c960d867_1024x598.png 848w, https://substackcdn.com/image/fetch/$s_!oBBs!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F874aa82c-6196-412b-894b-09f8c960d867_1024x598.png 1272w, https://substackcdn.com/image/fetch/$s_!oBBs!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F874aa82c-6196-412b-894b-09f8c960d867_1024x598.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">It doesn't take much to get me excited. 
This simple screen took way too long to get back to with 5.0</figcaption></figure></div><h2>Conclusion</h2><p>Once Caldera is up and running, be sure to try out the training paths - that is the single best way to learn the tool inside and out. As you do, you might notice that the newest version is much more polished and extensible. Don't try to do it all at once - take it slow and soak it in. This tool teaches you so much not only about Caldera itself, but about <a href="https://raidersofthelostarp.tech/2023/11/16/check-before-wreck-with-attack-emulation/">ATT&amp;CK</a>, adversaries, and offensive security in general. And with the Blue Team features, it can even help enable defenders.</p><p>Hopefully this run-through helps those of you looking for a path to playing with Caldera. I love this tool, and the effort of all involved is just amazing. Knowing what the alternatives cost, this is a fine way to get some familiarity with breach and attack simulation and learn what you value most. For those who don't mind the hands-on work, it can even be a great long-term platform. We can be certain that Caldera will only get better, and the new Magma platform is worth my personal growing pains. With any luck, you can avoid my errors and be emulating APTs in no time!</p>]]></content:encoded></item><item><title><![CDATA[Impact: When Attackers Just Want to Watch the World Burn]]></title><description><![CDATA[In our journey through the MITRE ATT&CK framework, we've explored how attackers gain access, establish persistence, and steal data. But what happens when adversaries decide to break things, or to show the defenders that they are in charge? 
This last post covers ATT&CK's Impact tactic - the cyber equivalent of leaving a calling card, often with devastating consequences.]]></description><link>https://www.raidersofthelostarp.tech/p/impact-when-attackers-just-want-to-watch-the-world-burn</link><guid isPermaLink="false">https://www.raidersofthelostarp.tech/p/impact-when-attackers-just-want-to-watch-the-world-burn</guid><dc:creator><![CDATA[Mike McPhee]]></dc:creator><pubDate>Mon, 08 Jul 2024 19:11:49 GMT</pubDate><enclosure url="https://images.raidersofthelostarp.tech/2024/07/mikey_mac_funny_cartoon_of_a_bearded_man_wearing_a_hawaiian_shi_17a32341-16b8-4eb9-8444-f98da18a944c.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!w8SR!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4101d159-dd1f-4672-8524-5965661df1e6_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!w8SR!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4101d159-dd1f-4672-8524-5965661df1e6_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!w8SR!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4101d159-dd1f-4672-8524-5965661df1e6_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!w8SR!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4101d159-dd1f-4672-8524-5965661df1e6_1024x1024.png 1272w, 
https://substackcdn.com/image/fetch/$s_!w8SR!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4101d159-dd1f-4672-8524-5965661df1e6_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!w8SR!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4101d159-dd1f-4672-8524-5965661df1e6_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/4101d159-dd1f-4672-8524-5965661df1e6_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1823552,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.raidersofthelostarp.tech/i/190625009?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4101d159-dd1f-4672-8524-5965661df1e6_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!w8SR!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4101d159-dd1f-4672-8524-5965661df1e6_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!w8SR!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4101d159-dd1f-4672-8524-5965661df1e6_1024x1024.png 848w, 
https://substackcdn.com/image/fetch/$s_!w8SR!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4101d159-dd1f-4672-8524-5965661df1e6_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!w8SR!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4101d159-dd1f-4672-8524-5965661df1e6_1024x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture><div></div></div></a></figure></div><p>In our journey through the <a href="https://raidersofthelostarp.tech/tag/attck/">MITRE ATT&amp;CK framework</a>, we've 
explored how attackers gain <a href="https://raidersofthelostarp.tech/2024/03/18/initial-access-its-go-time-for-an-adversary-attck/">access</a>, <a href="https://raidersofthelostarp.tech/2024/04/02/persistence-how-uninvited-attackers-avoid-being-bounced-from-the-party-attck/">establish persistence</a>, and <a href="https://raidersofthelostarp.tech/2024/07/01/exfiltration-the-attackers-great-escape-with-your-data/">steal data</a>. But what happens when adversaries decide to break things, or to show the defenders that they are in charge? This last post covers ATT&amp;CK's Impact tactic - the cyber equivalent of leaving a calling card, often with devastating consequences.</p><h2>The Importance of Impact</h2><p>Impact is oftentimes the point of an attack. Attacking leaders stake their reputations on whether a battle was worthwhile or not. How do we know? In the historical warfare realm, we assess whether it changed the outcome of the conflict. Did the battle further the attacker's goals, capture people or territory, or prevent later losses? Even though the answers to these might be 'yes,' we typically talk about the trade-offs. Was it worth it?</p><p>In cyberspace, Impact represents the point where attackers transform their access and privileges into tangible effects on the target organization. These effects can range from subtle data manipulation to bringing entire networks to their knees. The goals vary: some attackers aim for financial gain through ransomware, others seek to cause chaos or embarrassment, and some use Impact techniques to cover their tracks or set the stage for future operations. As we'll see, the way we assess impact differs in some cases, but as we march toward the present, that line blurs more and more.</p><h2>Impact on a geopolitical scale</h2><p>If you are familiar with earlier posts in this series, you know I look for historical analogs to the cyber techniques. As this is the last post in this series, I am finally bringing it together! 
(Eventually, I do get to the point!) So let's look at one of the most famous examples in cyber history: <a href="https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/">Stuxnet</a>. If you haven't read "<a href="https://www.barnesandnoble.com/w/countdown-to-zero-day-kim-zetter/1116864204">Countdown to Zero Day</a>" by Kim Zetter, you are missing out! Anyway, here we go.</p><p>Discovered in 2010, Stuxnet was a sophisticated computer worm some believe to have been developed by the United States and Israel to target Iran's nuclear program. The thinking was that a well-placed and articulated attack might disrupt Iran's ability to enrich Uranium needed to develop nuclear warheads. Without the fissile material, Iran wouldn't be able to muster enough inventory to make these weapons. What made Stuxnet remarkable was not just its complexity, but its physical impact on the real world.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!LImJ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9dbfa24f-ca77-4bf4-91d1-62e6209bc31e_1024x768.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!LImJ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9dbfa24f-ca77-4bf4-91d1-62e6209bc31e_1024x768.jpeg 424w, https://substackcdn.com/image/fetch/$s_!LImJ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9dbfa24f-ca77-4bf4-91d1-62e6209bc31e_1024x768.jpeg 848w, https://substackcdn.com/image/fetch/$s_!LImJ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9dbfa24f-ca77-4bf4-91d1-62e6209bc31e_1024x768.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!LImJ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9dbfa24f-ca77-4bf4-91d1-62e6209bc31e_1024x768.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!LImJ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9dbfa24f-ca77-4bf4-91d1-62e6209bc31e_1024x768.jpeg" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/9dbfa24f-ca77-4bf4-91d1-62e6209bc31e_1024x768.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!LImJ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9dbfa24f-ca77-4bf4-91d1-62e6209bc31e_1024x768.jpeg 424w, https://substackcdn.com/image/fetch/$s_!LImJ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9dbfa24f-ca77-4bf4-91d1-62e6209bc31e_1024x768.jpeg 848w, https://substackcdn.com/image/fetch/$s_!LImJ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9dbfa24f-ca77-4bf4-91d1-62e6209bc31e_1024x768.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!LImJ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9dbfa24f-ca77-4bf4-91d1-62e6209bc31e_1024x768.jpeg 1456w" sizes="100vw"></picture><div></div></div></a><figcaption class="image-caption">Iranian President Mahmoud Ahmadinejad looking over the new centrifuges installed at the Natanz facility in Iran. (from CBS News and sourced by Getty Images)</figcaption></figure></div><p>Stuxnet targeted specific Siemens industrial control systems, particularly those used in Iran's uranium enrichment facilities. The worm manipulated the operation of centrifuges, causing them to spin at incorrect speeds. This led to physical damage and disruption of the enrichment process, all while feeding false information to operators that everything was functioning normally. This effort achieved an assumed primary objective of disrupting the program, and likely added a few years to the timeline for Iran's program.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!7kwv!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94cc6f3a-9053-4996-a57b-9fbdce0d1888_800x450.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!7kwv!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94cc6f3a-9053-4996-a57b-9fbdce0d1888_800x450.jpeg 424w, https://substackcdn.com/image/fetch/$s_!7kwv!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94cc6f3a-9053-4996-a57b-9fbdce0d1888_800x450.jpeg 848w, 
https://substackcdn.com/image/fetch/$s_!7kwv!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94cc6f3a-9053-4996-a57b-9fbdce0d1888_800x450.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!7kwv!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94cc6f3a-9053-4996-a57b-9fbdce0d1888_800x450.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!7kwv!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94cc6f3a-9053-4996-a57b-9fbdce0d1888_800x450.jpeg" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/94cc6f3a-9053-4996-a57b-9fbdce0d1888_800x450.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!7kwv!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94cc6f3a-9053-4996-a57b-9fbdce0d1888_800x450.jpeg 424w, https://substackcdn.com/image/fetch/$s_!7kwv!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94cc6f3a-9053-4996-a57b-9fbdce0d1888_800x450.jpeg 848w, 
https://substackcdn.com/image/fetch/$s_!7kwv!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94cc6f3a-9053-4996-a57b-9fbdce0d1888_800x450.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!7kwv!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94cc6f3a-9053-4996-a57b-9fbdce0d1888_800x450.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">Stuxnet's ingenuity is instructive, but would have been for naught had it not also delivered the intended impact: a costly disruption of Iranian Uranium enrichment. Mission accomplished (from Wired article and IAEA reports)</figcaption></figure></div><h3>What we learned from Stuxnet</h3><p>This was remarkable for a LOT of reasons, but here are some of the biggest in my mind:</p><ol><li><p><strong>Precise Targeting</strong>: The attackers crafted Stuxnet to affect specific systems, minimizing collateral damage. Even crazier, they targeted both Windows IT devices and very particular Siemens OT controllers.</p></li><li><p><strong>Stealth</strong>: The worm operated for months without detection, slowly causing damage. It did this without a persistent Command &amp; Control link to the attackers themselves, and relied on HUMINT and ELINT to confirm impact was being made. That takes a combination of preparation, patience, and confidence not seen elsewhere.</p></li><li><p><strong>Physical Consequences</strong>: It bridged the gap between cyber and physical worlds. This is perhaps the most impactful to us all - we now see nation-state actors targeting critical infrastructure, fearlessly and pervasively.</p></li><li><p><strong>Persistence</strong>: The impact continued over an extended period - which is impressive given the lack of full-length C2. 
Again, the patience and craftsmanship were top-notch.</p></li><li><p><strong>Deception</strong>: False information was presented to mask the actual impact. Understanding how the victim's operators would see and respond was critical here, and it shows that Deception or Defense Evasion doesn't have to be just a gimmick to bypass a control, but may play into the defender's own playbooks.</p></li></ol><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!kT1c!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5b0c7942-dc46-4f96-b753-393c7d45f052_574x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!kT1c!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5b0c7942-dc46-4f96-b753-393c7d45f052_574x1024.png 424w, https://substackcdn.com/image/fetch/$s_!kT1c!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5b0c7942-dc46-4f96-b753-393c7d45f052_574x1024.png 848w, https://substackcdn.com/image/fetch/$s_!kT1c!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5b0c7942-dc46-4f96-b753-393c7d45f052_574x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!kT1c!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5b0c7942-dc46-4f96-b753-393c7d45f052_574x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!kT1c!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5b0c7942-dc46-4f96-b753-393c7d45f052_574x1024.png" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5b0c7942-dc46-4f96-b753-393c7d45f052_574x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!kT1c!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5b0c7942-dc46-4f96-b753-393c7d45f052_574x1024.png 424w, https://substackcdn.com/image/fetch/$s_!kT1c!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5b0c7942-dc46-4f96-b753-393c7d45f052_574x1024.png 848w, https://substackcdn.com/image/fetch/$s_!kT1c!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5b0c7942-dc46-4f96-b753-393c7d45f052_574x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!kT1c!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5b0c7942-dc46-4f96-b753-393c7d45f052_574x1024.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">It was a long path from crafting the Stuxnet attack to its making an impact, but the bottom bubble is where the first mark is made. It can be argued the impact was much bigger than that, however. 
(from ISS Source <a href="https://www.isssource.com/stuxnet-report-v-security-culture-needs-work/">reporting</a> by Eric Byres, Andrew Ginter and Joel Langill)</figcaption></figure></div><p>Consensus has it that Stuxnet also ushered in a whole new era of cyber warfare. Its use set a precedent that now sees cyber attacks accompany or even replace physical warfare, with much lower consequences to the threat actor. While the tactical impact was a great success, it is the long tail of geopolitical impact beyond ATT&amp;CK that continues to bring consequences to all of us every day.</p><h2>Impact in Modern Cyberspace</h2><p>As we transition to discussing modern cyber Impact techniques, it's clear that many of these principles and goals might be achieved by either means - physical or cyber. Today's attackers still aim for precision and stealth, and often seek to cause real-world consequences. However, the scale and speed at which Impact techniques can be deployed have increased dramatically. And the risks to the adversary have (so far) appeared to be much lower than those of a physical attack or action. For these reasons, cyber attacks are quickly becoming the preferred tool over committing forces to a traditional attack.</p><p>Some of this is due to the asymmetric aspects of cyber attacks. In today's global digital world, a single ransomware attack can cripple a multinational corporation in hours. Data manipulation can sway stock markets or elections. And as we become increasingly reliant on technology, the potential for physical impact grows - from disrupting power grids to interfering with medical devices. Time, distance, and resources don't pose the same restrictions in this realm.</p><p>Another aspect is the risk posed to the threat actor. Adversaries no longer need to fear numbers - they know that they are likely to evade defenses, avoid attribution, and get away with the attacks. 
And very rarely does the threat actor fear for their lives while carrying out these actions. While history on cyber attacks is much less extensive, precedent shows that - even when caught in the act - state-sponsored threat actors rarely see justice served. Cybercriminal organizations have gotten smart quickly and aligned themselves with friendly governments or hidden their locations to complicate prosecution. Worse still, disinformation campaigns may mislead the court of public opinion into taking opposing sides, doubting attribution, or mischaracterizing the threat.</p><h3>New rules going forward?</h3><p>This is new ground for all of us. We clearly don't have the entire picture and can assume that there are covert operations underway by victim organizations or nation states. But cyber events are testing the line of an 'act of war,' and it remains to be seen how defenders and their host countries will respond. And it seems we might all be wrestling with how to quantify the impact of something as transformational as Stuxnet:</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Xbs3!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feebf0a97-a386-4b72-84bf-47e14d077891_1024x791.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Xbs3!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feebf0a97-a386-4b72-84bf-47e14d077891_1024x791.png 424w, https://substackcdn.com/image/fetch/$s_!Xbs3!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feebf0a97-a386-4b72-84bf-47e14d077891_1024x791.png 848w, 
https://substackcdn.com/image/fetch/$s_!Xbs3!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feebf0a97-a386-4b72-84bf-47e14d077891_1024x791.png 1272w, https://substackcdn.com/image/fetch/$s_!Xbs3!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feebf0a97-a386-4b72-84bf-47e14d077891_1024x791.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Xbs3!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feebf0a97-a386-4b72-84bf-47e14d077891_1024x791.png" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/eebf0a97-a386-4b72-84bf-47e14d077891_1024x791.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!Xbs3!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feebf0a97-a386-4b72-84bf-47e14d077891_1024x791.png 424w, https://substackcdn.com/image/fetch/$s_!Xbs3!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feebf0a97-a386-4b72-84bf-47e14d077891_1024x791.png 848w, 
https://substackcdn.com/image/fetch/$s_!Xbs3!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feebf0a97-a386-4b72-84bf-47e14d077891_1024x791.png 1272w, https://substackcdn.com/image/fetch/$s_!Xbs3!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Feebf0a97-a386-4b72-84bf-47e14d077891_1024x791.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">It's quite the eye chart, but this view of Stuxnet (<a href="https://attack.mitre.org/software/S0603/">S0603</a>) shows that ATT&amp;CK isn't always the end-all, be-all of mapping things. Why was Impact empty here? Maybe because it's hard to express in one of the existing techniques. But as we've seen, Impact was the point. And it was made.</figcaption></figure></div><h2>Impact Techniques in action</h2><p>The MITRE ATT&amp;CK framework lists 14 techniques and 13 sub-techniques under the Impact (<a href="https://attack.mitre.org/tactics/TA0040/">TA0040</a>) tactic. What I find interesting is that these are very focused on system impacts, measurable and technical in nature. This seems to defer tagging Impact based on more nebulous political, societal, or unique attributes. I totally get that - some of those are hard to quantify even years after an attack, and I wouldn't put that burden on a SOC operator, incident responder, or even a CISO. 
Given what is left, let's break the techniques we do have down based on their primary focus:</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!96Px!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F93c113ed-7d04-4f48-8ddf-f4f676e51ecc_282x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!96Px!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F93c113ed-7d04-4f48-8ddf-f4f676e51ecc_282x1024.png 424w, https://substackcdn.com/image/fetch/$s_!96Px!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F93c113ed-7d04-4f48-8ddf-f4f676e51ecc_282x1024.png 848w, https://substackcdn.com/image/fetch/$s_!96Px!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F93c113ed-7d04-4f48-8ddf-f4f676e51ecc_282x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!96Px!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F93c113ed-7d04-4f48-8ddf-f4f676e51ecc_282x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!96Px!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F93c113ed-7d04-4f48-8ddf-f4f676e51ecc_282x1024.png" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/93c113ed-7d04-4f48-8ddf-f4f676e51ecc_282x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!96Px!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F93c113ed-7d04-4f48-8ddf-f4f676e51ecc_282x1024.png 424w, https://substackcdn.com/image/fetch/$s_!96Px!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F93c113ed-7d04-4f48-8ddf-f4f676e51ecc_282x1024.png 848w, https://substackcdn.com/image/fetch/$s_!96Px!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F93c113ed-7d04-4f48-8ddf-f4f676e51ecc_282x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!96Px!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F93c113ed-7d04-4f48-8ddf-f4f676e51ecc_282x1024.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><h3>Data Abuse</h3><p>Attackers often target the integrity and availability of data, causing chaos and potentially long-lasting damage. Adversaries use Data Manipulation (<a href="https://attack.mitre.org/techniques/T1565/">T1565</a>) to disrupt operations, spread misinformation, or cover their tracks. Looking for an example? 
In 2013, the Syrian Electronic Army <a href="https://www.washingtonpost.com/news/worldviews/wp/2013/04/23/syrian-hackers-claim-ap-hack-that-tipped-stock-market-by-136-billion-is-it-terrorism/">hacked the Associated Press Twitter</a> account to post a false tweet about explosions at the White House, briefly causing a $136 billion dip in the S&amp;P 500 index.</p><p>Sometimes Data Destruction (<a href="https://attack.mitre.org/techniques/T1485/">T1485</a>) is more the goal, though. The <a href="https://www.washingtonpost.com/news/the-switch/wp/2014/12/18/the-sony-pictures-hack-explained/">2014 attack on Sony Pictures Entertainment </a>saw terabytes of data wiped from the company's networks using RawDisk, causing massive disruption. Somehow The Interview still managed to get released. Kim Jong-Un's cyber goons (thought to be Lazarus) may have failed at preventing its release, but they managed to cause huge damage to Sony Pictures and - by extension - Hollywood's bottom line.</p><p>Ransomware still remains the most popular method of abusing data, and Data Encrypted for Impact (<a href="https://attack.mitre.org/techniques/T1486/">T1486</a>) is a hallmark of the WannaCry or NotPetya operations of yesterday and of BlackSuit/ALPHV, Volcano Demon, or DoNex today. In tales as old as (cyber) time, they encrypt the data and hold it for ransom, causing both financial and operational impacts. Or maybe depriving everyone of that data is more beneficial? Disk Wipe (<a href="https://attack.mitre.org/techniques/T1561">T1561</a>), as in NotPetya's case, is a common approach when the attacker's goal is simply to deprive everyone of that data.</p><p>The flip side of ransomware is extortion or otherwise profiting from selling the sensitive data. Even more base than that is just stealing the money outright. 
A lot of business email compromise (BEC) campaigns, spearphishing, and crypto scams facilitate Financial Theft (<a href="https://attack.mitre.org/techniques/T1657">T1657</a>).</p><h3>System Availability Impact</h3><p>These techniques aim to disrupt normal operations, often causing immediate and visible effects. Attackers might overwhelm specific systems with Endpoint Denial of Service (<a href="https://attack.mitre.org/techniques/T1499/">T1499</a>), targeting application servers, to disrupt services. The <a href="https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn/">2016 Mirai botnet attack on DynDNS servers</a>, which disrupted major websites across the US, is a prime example. By flooding environments with traffic and causing a Network Denial of Service (<a href="https://attack.mitre.org/techniques/T1498/">T1498</a>), attackers can bring down entire organizations. The 2007 cyber attacks on Estonia, which crippled government, media, and banking websites, demonstrate the potential scale of such attacks.</p><p>Stopping critical services - Service Stop (<a href="https://attack.mitre.org/techniques/T1489/">T1489</a>) - can halt operations. 2015's <a href="https://www.cisa.gov/news-events/ics-alerts/ir-alert-h-16-056-01">BlackEnergy campaign</a> by Russian APT Sandworm crippled Ukraine's electrical grid, and while ransomware was part of that, they also impeded detection systems, shut down response paths, and more. System Shutdown/Reboot (<a href="https://attack.mitre.org/techniques/T1529/">T1529</a>) and Inhibit System Recovery (<a href="https://attack.mitre.org/techniques/T1490">T1490</a>) are similarly used alternatives.</p><h3>System Hijacking</h3><p>Some Impact techniques set the stage for future attacks or create long-term vulnerabilities. With Firmware Corruption (<a href="https://attack.mitre.org/techniques/T1495/">T1495</a>), attackers can create persistent backdoors or render devices inoperable. 
The Equation Group's use of this technique, revealed by <a href="https://www.theatlantic.com/technology/archive/2017/05/shadow-brokers/527778/">The Shadow Brokers</a> release, showed how it can create nearly undetectable, long-term footholds.</p><p>While often seen as a calling card, Defacement (<a href="https://attack.mitre.org/techniques/T1491/">T1491</a>) can also be used to spread disinformation or damage brand reputation. The <a href="https://www.militarytimes.com/2016/03/23/syrians-charged-with-hacking-u-s-marine-corps-website/">2013 hack</a> of the US Marine Corps recruitment website by the Syrian Electronic Army is a notable example.</p><p>By removing access to accounts with Account Access Removal (<a href="https://attack.mitre.org/techniques/T1531/">T1531</a>), attackers can create chaos and even lock out security teams. The <a href="https://www.nytimes.com/2020/07/17/technology/twitter-hackers-interview.html">2020 Twitter hack</a>, where high-profile accounts were compromised, included locking out legitimate users as part of the attack. It is interesting to note how much now-owner Elon Musk's account was abused.</p><p>Resource Hijacking (<a href="https://attack.mitre.org/techniques/T1496/">T1496</a>) may appear last, but it is also typically the most covert. Attackers like to keep it that way, and this is the realm of cryptojacking outfits, who look to have others pay the bill for padding their crypto wallets.</p><h2>How Can We Mitigate Impact?</h2><p>Impact has some different goals. Assuming that your data or continued operation are important, your focus should be on quick recovery and reliable backup of your data. But that doesn't mean we need to cede territory! Plan on interrupting their actions earlier in the attack, and maybe we won't get to this point! Either way, we need to hold the fort, so to speak. 
As with many other tactics before it, preventing and detecting Impact techniques is more effective with a multi-layered approach:</p><ol><li><p><strong>Robust Backup Strategy</strong>: Regular, secure backups can mitigate the effects of data destruction or encryption attacks. Protecting that backup path and monitoring it as well is super important! Paying the ransom is not a viable alternative. Just ask <a href="https://raidersofthelostarp.tech/2024/06/13/whats-causing-mikes-indigestion-now-change-recall/">Change Healthcare</a>.</p></li><li><p><strong>Network Segmentation</strong>: Limit the spread of attacks by properly segmenting networks. The old adage of "don't put your eggs in one basket" seems to apply here.</p></li><li><p><strong>Endpoint Protection</strong>: Deploy and maintain up-to-date endpoint security solutions. After all, it is your endpoints and servers that house the good stuff!</p></li><li><p><strong>Monitoring and Alerting</strong>: Implement systems to detect unusual activities that might indicate an impending Impact attack. This one is hard - but essential. With valid credentials often used, detecting abuse and monitoring behavior becomes critical.</p></li><li><p><strong>Incident Response Planning</strong>: Develop and regularly test plans for responding to various Impact scenarios. Lots of IR plans are still based on comet impacts or Hurricane Sandy. Is cyber part of yours? And does everyone know their role?</p></li><li><p><strong>Access Control</strong>: Implement strict access controls and multi-factor authentication to prevent unauthorized system changes. This may seem like a broken record, but it pops up a lot because it is fundamental!</p></li><li><p><strong>Firmware Security</strong>: Regularly update firmware and use secure boot processes where possible. 
A lot of new access methods take advantage of this oft-forgotten part of any system.</p></li><li><p><strong>DDoS Protection</strong>: Employ DDoS mitigation services or appliances to protect against availability attacks. This is very important when uptime and availability are your lifeblood.</p></li></ol><h2>Conclusion</h2><p>Impact techniques are what we all fear happening most. Everything prior is really just a prelude to the damage the attacker plans to cause. By understanding these techniques, we can better prepare our defenses and minimize the damage when attacks occur. Remember, in the world of cybersecurity, it's not just about keeping attackers out - it's about limiting what they can do if they get in. In all of MITRE ATT&amp;CK's 14 tactics, this is the one that our non-technical folks tend to grasp and fear most. Help them see the linkage between mitigations implemented earlier reducing the risk of Impact later.</p><p>As we've seen throughout this series, effective defense benefits from a better understanding of attacker tactics and techniques. Not just how they do it, but why? <a href="https://raidersofthelostarp.tech/2023/11/05/worry-less-and-know-your-enemy-with-mitre-attck/">MITRE ATT&amp;CK</a> isn't going to solve all of your problems, but it can be a very handy tool for better understanding and communicating about threat behaviors amongst stakeholders. Use it, but understand its limits. You'll need other tools too, like those that help structure your organization, or bolster your processes, or deploy solid defensive technology. Throughout that journey, you can use tools like ATT&amp;CK to better characterize what you are up against. Make it your own.</p><p>Thank you for reading this entry in the <a href="https://raidersofthelostarp.tech/tag/attck/">ATT&amp;CK Tactic Series</a>. It's been a long journey, but I feel like I learned a lot putting these together and I hope sharing that journey was helpful to someone. 
I'll probably take a little breather while deciding what to tackle next, but feel free to share your thoughts and experiences in the comments below!</p>]]></content:encoded></item><item><title><![CDATA[Exfiltration: The Attacker's Great Escape with Your Data]]></title><description><![CDATA[In our Collection post, we examined how attackers collect valuable information within a compromised environment.]]></description><link>https://www.raidersofthelostarp.tech/p/exfiltration-the-attackers-great-escape-with-your-data</link><guid isPermaLink="false">https://www.raidersofthelostarp.tech/p/exfiltration-the-attackers-great-escape-with-your-data</guid><dc:creator><![CDATA[Mike McPhee]]></dc:creator><pubDate>Mon, 01 Jul 2024 09:37:13 GMT</pubDate><enclosure url="https://images.raidersofthelostarp.tech/2024/06/mikey_mac_funny_cartoon_of_a_man_wearing_a_hawaiian_shirt_and_h_3986d551-6caa-4455-a827-e99fe1b83199.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!IbwH!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1aab7c70-48c6-472b-b966-de600492e853_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!IbwH!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1aab7c70-48c6-472b-b966-de600492e853_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!IbwH!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1aab7c70-48c6-472b-b966-de600492e853_1024x1024.png 848w, 
https://substackcdn.com/image/fetch/$s_!IbwH!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1aab7c70-48c6-472b-b966-de600492e853_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!IbwH!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1aab7c70-48c6-472b-b966-de600492e853_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!IbwH!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1aab7c70-48c6-472b-b966-de600492e853_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1aab7c70-48c6-472b-b966-de600492e853_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1981112,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.raidersofthelostarp.tech/i/190625008?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1aab7c70-48c6-472b-b966-de600492e853_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!IbwH!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1aab7c70-48c6-472b-b966-de600492e853_1024x1024.png 424w, 
https://substackcdn.com/image/fetch/$s_!IbwH!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1aab7c70-48c6-472b-b966-de600492e853_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!IbwH!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1aab7c70-48c6-472b-b966-de600492e853_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!IbwH!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1aab7c70-48c6-472b-b966-de600492e853_1024x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture><div></div></div></a></figure></div><p>In our <a href="https://raidersofthelostarp.tech/2024/06/18/attck-collection-how-attackers-grab-the-loot-before-being-caught/">Collection</a> post, we examined how attackers collect valuable information within a compromised environment. Once adversaries have gathered their loot, the next crucial step is to smuggle it out. This brings us to the <a href="https://raidersofthelostarp.tech/2023/11/05/worry-less-and-know-your-enemy-with-mitre-attck/">MITRE ATT&amp;CK</a> tactic of Exfiltration. Let's explore how various threat actors, from cyber criminals to nation-state operatives, execute this critical phase of their operations.</p><h2>The Importance of Exfiltration</h2><p>Exfiltration is often the culmination of an attacker's efforts. It's the point where they transform their hard work into tangible gains, whether that's stealing intellectual property, obtaining sensitive personal information, or acquiring valuable intelligence. Maybe they decide to sell the data. The attackers may be interested in seeding their own future operations. They may even be using the stolen information to gain or nullify competitive advantages or exert pressure. No matter the motive, without successful exfiltration, many cyber operations would be fruitless.</p><h3>Exfiltration in Historical Context</h3><p>During World War II and the early Cold War era, one of the most significant exfiltration operations revolved around the United States' top-secret <a href="https://www.history.com/topics/world-war-ii/the-manhattan-project">Manhattan Project</a>. While the US dedicated unprecedented resources to beat Germany to producing atomic weapons, Communist sympathizers were furious that the developments were not being shared with the Soviet allies. Unbeknownst to the US, a high-placed researcher worked to even the field. 
This operation saw the transfer of critical nuclear weapons research to the Soviet Union, dramatically altering the balance of power in the post-war world.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!GmYc!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc19629da-16ec-4a1b-8430-28dbc08afdca_449x612.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!GmYc!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc19629da-16ec-4a1b-8430-28dbc08afdca_449x612.jpeg 424w, https://substackcdn.com/image/fetch/$s_!GmYc!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc19629da-16ec-4a1b-8430-28dbc08afdca_449x612.jpeg 848w, https://substackcdn.com/image/fetch/$s_!GmYc!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc19629da-16ec-4a1b-8430-28dbc08afdca_449x612.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!GmYc!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc19629da-16ec-4a1b-8430-28dbc08afdca_449x612.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!GmYc!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc19629da-16ec-4a1b-8430-28dbc08afdca_449x612.jpeg" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c19629da-16ec-4a1b-8430-28dbc08afdca_449x612.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!GmYc!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc19629da-16ec-4a1b-8430-28dbc08afdca_449x612.jpeg 424w, https://substackcdn.com/image/fetch/$s_!GmYc!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc19629da-16ec-4a1b-8430-28dbc08afdca_449x612.jpeg 848w, https://substackcdn.com/image/fetch/$s_!GmYc!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc19629da-16ec-4a1b-8430-28dbc08afdca_449x612.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!GmYc!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc19629da-16ec-4a1b-8430-28dbc08afdca_449x612.jpeg 1456w" sizes="100vw"></picture><div></div></div></a><figcaption class="image-caption">Dr Klaus Fuchs collected the sensitive information for later exfiltration. 
(Photo by Keystone/Getty Images)</figcaption></figure></div><p>At the heart of this operation were several key figures: <a href="https://en.wikipedia.org/wiki/Klaus_Fuchs">Klaus Fuchs</a>, a German-born British theoretical physicist, <a href="https://en.wikipedia.org/wiki/Ursula_Kuczynski">Ursula Kuczynski</a>, codenamed "Sonya," a German-born Soviet spy, and <a href="https://en.wikipedia.org/wiki/Harry_Gold">Harry Gold</a>, a Swiss-born American chemist. Their collaboration resulted in one of the most consequential information exfiltrations in history.</p><h4>Setting up the caper</h4><p>Klaus Fuchs, who worked on nuclear technologies for years prior to joining the Manhattan Project from 1944 to 1946, had access to crucial information about the design and functionality of the atomic bomb. Ursula Kuczynski, already an experienced Soviet intelligence operative, served as his handler and the critical link to Moscow. While in New Mexico, Fuchs also added Gold as another outlet to provide courier deliveries to the Soviets.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!1XuL!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F19e2996c-87ea-4cad-9572-69145991eb6e_640x400.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!1XuL!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F19e2996c-87ea-4cad-9572-69145991eb6e_640x400.jpeg 424w, https://substackcdn.com/image/fetch/$s_!1XuL!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F19e2996c-87ea-4cad-9572-69145991eb6e_640x400.jpeg 848w, 
https://substackcdn.com/image/fetch/$s_!1XuL!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F19e2996c-87ea-4cad-9572-69145991eb6e_640x400.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!1XuL!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F19e2996c-87ea-4cad-9572-69145991eb6e_640x400.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!1XuL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F19e2996c-87ea-4cad-9572-69145991eb6e_640x400.jpeg" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/19e2996c-87ea-4cad-9572-69145991eb6e_640x400.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!1XuL!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F19e2996c-87ea-4cad-9572-69145991eb6e_640x400.jpeg 424w, https://substackcdn.com/image/fetch/$s_!1XuL!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F19e2996c-87ea-4cad-9572-69145991eb6e_640x400.jpeg 848w, 
https://substackcdn.com/image/fetch/$s_!1XuL!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F19e2996c-87ea-4cad-9572-69145991eb6e_640x400.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!1XuL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F19e2996c-87ea-4cad-9572-69145991eb6e_640x400.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">The Trinity Test Site after the infamous test shows the sheer stakes of the atomic race and the reasons for Soviet interest in leveling the field. (AP Photo)</figcaption></figure></div><p>The exfiltration was carried out through a series of clandestine meetings. Fuchs would memorize or prepare notes on the latest developments, which he would then pass to Kuczynski or Gold, depending on the time and his location. Kuczynski would photograph the documents or transcribe the information, then transmit it to Moscow via radio or diplomatic pouch. Gold leveraged more 'batch' like payloads, carrying documents directly to his handlers.</p><h4>Essential aspects of any successful Exfiltration</h4><p>The exfiltration process showcased several key aspects that remain relevant in modern cyber operations:</p><ul><li><p><strong>Insider Access</strong>: Fuchs' position within the Manhattan Project provided him with legitimate access to highly classified information, bypassing many security measures.</p></li><li><p><strong>Stealth and Tradecraft</strong>: Kuczynski, Gold and Fuchs used sophisticated espionage techniques to avoid detection. 
They employed dead drops, coded messages, and limited face-to-face meetings to exchange information.</p></li><li><p><strong>Persistence</strong>: The operation spanned several years, demonstrating the long-term nature of high-value intelligence gathering and exfiltration.</p></li><li><p><strong>High-Value Targets</strong>: The focus on nuclear secrets represented a strategic prioritization of the most critical information.</p></li><li><p><strong>Diversified Communications Paths</strong>: The success of the operation hinged on multiple paths, methods, and assets.</p></li></ul><h4>The value and impact</h4><p>This operation had profound consequences. The information Fuchs provided significantly accelerated the Soviet nuclear weapons program, leading to their first successful atomic bomb test in 1949, years earlier than Western intelligence had anticipated. The eventual discovery of this breach in 1950 sent shock waves through Western intelligence communities. It highlighted critical vulnerabilities in personnel security and the challenges of safeguarding information in collaborative scientific environments. And it uncovered parallel, redundant Collection and Exfiltration networks like that run by Julius and Ethel Rosenberg.</p><p>This historical example underscores several key points about exfiltration that remain relevant in the digital age:</p><ol><li><p>The critical importance of insider threat mitigation.</p></li><li><p>The need for layered security measures that go beyond access controls.</p></li><li><p>The potential for seemingly small security breaches to have massive geopolitical consequences.</p></li><li><p>The enduring value of human intelligence in facilitating complex exfiltration operations.</p></li></ol><h3>Exfiltration in Modern Cyberspace</h3><p>As we transition to discussing modern cyber exfiltration techniques, it's worth noting how many of these principles remain the same. 
Today's attackers must find ways to access high-value information, extract it without detection, and transmit it securely to their handlers or command and control servers. While the technical methods have evolved dramatically, the fundamental challenges of exfiltration &#8211; and the high stakes involved &#8211; remain constant.</p><p>In today's digital landscape, exfiltration techniques have evolved to overcome sophisticated defense mechanisms. Attackers employ a variety of methods to sneak data past firewalls, intrusion detection systems, and data loss prevention tools. They might compress and encrypt data to avoid detection, use legitimate cloud services as exfiltration points, or leverage <a href="https://raidersofthelostarp.tech/2024/06/25/command-and-control-this-is-major-tom-to-ground-control/">command and control </a>channels to slowly trickle out information.</p><p>If there is a significant difference between the historical and cyber-based exfiltration, it must be the investment and life stakes. Threat actors may fret over losing a vital exfiltration path, but rarely do they invest the same time and trust in developing that path and rarely do they need to consider losing a human asset.</p><h2>Exfiltration Techniques</h2><p>The MITRE ATT&amp;CK framework lists 9 techniques and 9 sub-techniques under the Exfiltration tactic (<a href="https://attack.mitre.org/tactics/TA0010/">TA0010</a>). 
Keep in mind - these are wide-open techniques, and adversaries create a lot of opportunities for themselves within these bounds.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!gxyw!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb996de8-1754-4631-85da-b8adb14af5da_633x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!gxyw!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb996de8-1754-4631-85da-b8adb14af5da_633x1024.png 424w, https://substackcdn.com/image/fetch/$s_!gxyw!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb996de8-1754-4631-85da-b8adb14af5da_633x1024.png 848w, https://substackcdn.com/image/fetch/$s_!gxyw!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb996de8-1754-4631-85da-b8adb14af5da_633x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!gxyw!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb996de8-1754-4631-85da-b8adb14af5da_633x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!gxyw!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb996de8-1754-4631-85da-b8adb14af5da_633x1024.png" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/cb996de8-1754-4631-85da-b8adb14af5da_633x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!gxyw!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb996de8-1754-4631-85da-b8adb14af5da_633x1024.png 424w, https://substackcdn.com/image/fetch/$s_!gxyw!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb996de8-1754-4631-85da-b8adb14af5da_633x1024.png 848w, https://substackcdn.com/image/fetch/$s_!gxyw!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb996de8-1754-4631-85da-b8adb14af5da_633x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!gxyw!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcb996de8-1754-4631-85da-b8adb14af5da_633x1024.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">Exfiltration may look more compact than other tactics, but its consequences are often the greatest.</figcaption></figure></div><h3>Core techniques</h3><p>Let's break these down logically. 
The most straightforward path is one the adversary already has: Exfiltration Over C2 Channel (<a href="https://attack.mitre.org/techniques/T1041/">T1041</a>), or the closely related Exfiltration Over Web Service (<a href="https://attack.mitre.org/techniques/T1567/">T1567</a>), which rides on a legitimate external service rather than the attacker's own infrastructure. The main question is whether they are willing to burn that path and risk detection. Unlike historical exfiltration, threat actors in the cyber realm can justify a high turnover of paths if they have faith that those or other techniques can be reused successfully. Web services are a persistent issue: they are hard to do without (SaaS-delivered storage and tools) but ripe for abuse, because the exfiltration traffic blends in with legitimate use of the same service. Exfiltration Over Other Network Medium (<a href="https://attack.mitre.org/techniques/T1011/">T1011</a>) is another option, and relies on the fact that Bluetooth, Zigbee, cellular, and other alternative links are often forgotten parts of a SOC's responsibilities.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!ONIW!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffc28a0e8-f7e0-4752-a279-977e88773bd1_1024x334.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!ONIW!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffc28a0e8-f7e0-4752-a279-977e88773bd1_1024x334.png 424w, https://substackcdn.com/image/fetch/$s_!ONIW!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffc28a0e8-f7e0-4752-a279-977e88773bd1_1024x334.png 848w, 
https://substackcdn.com/image/fetch/$s_!ONIW!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffc28a0e8-f7e0-4752-a279-977e88773bd1_1024x334.png 1272w, https://substackcdn.com/image/fetch/$s_!ONIW!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffc28a0e8-f7e0-4752-a279-977e88773bd1_1024x334.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!ONIW!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffc28a0e8-f7e0-4752-a279-977e88773bd1_1024x334.png" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/fc28a0e8-f7e0-4752-a279-977e88773bd1_1024x334.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!ONIW!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffc28a0e8-f7e0-4752-a279-977e88773bd1_1024x334.png 424w, https://substackcdn.com/image/fetch/$s_!ONIW!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffc28a0e8-f7e0-4752-a279-977e88773bd1_1024x334.png 848w, 
https://substackcdn.com/image/fetch/$s_!ONIW!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffc28a0e8-f7e0-4752-a279-977e88773bd1_1024x334.png 1272w, https://substackcdn.com/image/fetch/$s_!ONIW!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffc28a0e8-f7e0-4752-a279-977e88773bd1_1024x334.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">TinyTurla-NG, a backdoor used by the Russian APT Turla, uses the existing C2 channel to post collected information to the compromised WordPress servers that serve as its C2, so that the attacker can retrieve it anonymously. (from our session <a href="https://www.ciscolive.com/on-demand/on-demand-library.html?zid=pp&amp;search=BRKSEC-3026#/session/1717269145389001tZex">BRKSEC-3026</a>)</figcaption></figure></div><p>Threat actors who value their C2 may opt to conduct Exfiltration Over Alternative Protocol (<a href="https://attack.mitre.org/techniques/T1048/">T1048</a>), which keeps the exfiltration stream separate from the C2 channel: if the transfer is spotted and blocked, they do not have to re-establish their lines of communication. At the other extreme, adversaries may have to resort to Exfiltration Over Physical Medium (<a href="https://attack.mitre.org/techniques/T1052/">T1052</a>), such as a USB stick or other removable drive. That requires a person on site and risks getting caught: depending on the stakes, it could mean disciplinary action and the exposure of the operation, and in extreme cases jail time, execution, or a diplomatic incident. Attackers use that one sparingly!</p><h3>Enhancement techniques</h3><p>The last category is a lot like the dead drops and tradecraft of old. Using Scheduled Transfer (<a href="https://attack.mitre.org/techniques/T1029/">T1029</a>), an adversary leverages a visibility gap in the defenses or a lapse in observation to move the data patiently without arousing suspicion. 
Data Transfer Size Limits (<a href="https://attack.mitre.org/techniques/T1030/">T1030</a>) improves the odds further: whatever the transfer mechanism, splitting the data into fixed-size chunks keeps each transfer below the volume thresholds that DLP and flow-based alerting key on, so the whole operation stays under the radar. In any case, hiding what the adversary thinks is of value from the defender is very useful. Data Obfuscation (<a href="https://attack.mitre.org/techniques/T1001/">T1001</a>) does exactly that, usually through encoding, encryption or some other means. (ATT&amp;CK actually files T1001 under Command and Control, but the same tricks are applied to the exfiltrated payload; the encrypted sub-techniques of T1048 cover the exfiltration-specific case.)</p><p>Automated Exfiltration (<a href="https://attack.mitre.org/techniques/T1020/">T1020</a>) occurs as part of a scripted or automated Collection technique. Data is found, parsed for value, and offloaded in one go. Interestingly, its lone sub-technique, Traffic Duplication (<a href="https://attack.mitre.org/techniques/T1020/001/">T1020.001</a>), sees adversaries use network taps, port mirroring, or traffic redirection to copy traffic to an adversary-controlled receiver. Most cloud service providers offer traffic mirroring as a legitimate feature, so an adversary with the right permissions can reconfigure it without the victim taking note.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!YPXZ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcd616c12-f5d2-4565-9039-13e86aa9f2f0_1024x104.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!YPXZ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcd616c12-f5d2-4565-9039-13e86aa9f2f0_1024x104.png 424w, https://substackcdn.com/image/fetch/$s_!YPXZ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcd616c12-f5d2-4565-9039-13e86aa9f2f0_1024x104.png 848w, 
https://substackcdn.com/image/fetch/$s_!YPXZ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcd616c12-f5d2-4565-9039-13e86aa9f2f0_1024x104.png 1272w, https://substackcdn.com/image/fetch/$s_!YPXZ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcd616c12-f5d2-4565-9039-13e86aa9f2f0_1024x104.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!YPXZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcd616c12-f5d2-4565-9039-13e86aa9f2f0_1024x104.png" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/cd616c12-f5d2-4565-9039-13e86aa9f2f0_1024x104.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!YPXZ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcd616c12-f5d2-4565-9039-13e86aa9f2f0_1024x104.png 424w, https://substackcdn.com/image/fetch/$s_!YPXZ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcd616c12-f5d2-4565-9039-13e86aa9f2f0_1024x104.png 848w, 
https://substackcdn.com/image/fetch/$s_!YPXZ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcd616c12-f5d2-4565-9039-13e86aa9f2f0_1024x104.png 1272w, https://substackcdn.com/image/fetch/$s_!YPXZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcd616c12-f5d2-4565-9039-13e86aa9f2f0_1024x104.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">IcedID uses rclone to schedule and manage exfiltration jobs, in effect using several techniques from this Tactic. (from The DFIR Report's <a href="https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#exfiltration">excellent article</a> on IcedID)</figcaption></figure></div><h2>How Can We Mitigate Exfiltration?</h2><p>Preventing and detecting exfiltration requires a multi-layered approach. 
Here are some key strategies:</p><ul><li><p><strong>Network Segmentation and Monitoring</strong>: Implement strict controls on outbound traffic and monitor for anomalous data flows.</p></li><li><p><strong>Data Loss Prevention (DLP)</strong>: Deploy DLP tools to identify and block unauthorized data transfers.</p></li><li><p><strong>Encryption</strong>: Ensure sensitive data is encrypted at rest and in transit, making it harder for attackers to exfiltrate meaningful information.</p></li><li><p><strong>User Behavior Analytics</strong>: Establish baselines for normal data movement and alert on unusual patterns.</p></li><li><p><strong>Egress Filtering</strong>: Implement strict egress filtering rules to limit the protocols and destinations that can be used for outbound connections.</p></li><li><p><strong>Regular Security Audits</strong>: Conduct frequent audits of your network architecture and data flows to identify potential exfiltration routes.</p></li><li><p><strong>Incident Response Planning</strong>: Develop and regularly test incident response plans that include procedures for detecting and responding to data exfiltration attempts.</p></li></ul><p>As with every other set of detections and mitigations, there is a lot of overlap here. That is good! Use it to your advantage and look for mitigation approaches or detection capabilities that offer the best bang-for-the-buck.</p><h2>Conclusion</h2><p>Exfiltration represents the home stretch for attackers, but it's also a critical point of vulnerability. By understanding the techniques adversaries use to extract data and implementing robust defenses, organizations can significantly reduce the risk of successful data theft. 
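The "monitor for anomalous data flows" and "user behavior analytics" items above are where Scheduled Transfer (T1029) and Data Transfer Size Limits (T1030) get caught, if they get caught at all. As an added example (not code from the original post), the following Python detector runs over a handful of constructed flow records (timestamp, source, destination, destination port, bytes out; the field layout is an assumption about a typical NetFlow or firewall export) and compares a naive per-transfer size threshold with a rule that looks for the chunked, evenly spaced pattern those two techniques produce:

```python
"""Detect chunked, scheduled exfiltration (ATT&CK T1029 + T1030) in flow logs.

Added example, not code from the original post. Flow records are constructed
for illustration; the field layout (timestamp, src, dst, dst port, bytes out)
is an assumption about a typical NetFlow or firewall export.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.1.2.15 trickles ~1 MiB chunks every ten minutes to one
# external host, mixed with ordinary bursty web traffic from 10.1.2.40.
SAMPLE_FLOWS = """\
2024-06-25T01:00:03 10.1.2.15 203.0.113.9 443 1048320
2024-06-25T01:10:02 10.1.2.15 203.0.113.9 443 1047900
2024-06-25T01:20:05 10.1.2.15 203.0.113.9 443 1048576
2024-06-25T01:30:01 10.1.2.15 203.0.113.9 443 1048100
2024-06-25T01:40:04 10.1.2.15 203.0.113.9 443 1048400
2024-06-25T01:50:02 10.1.2.15 203.0.113.9 443 1048000
2024-06-25T01:03:11 10.1.2.40 198.51.100.7 443 8200
2024-06-25T01:03:12 10.1.2.40 198.51.100.7 443 152000
2024-06-25T01:47:30 10.1.2.40 198.51.100.7 443 640
2024-06-25T01:48:09 10.1.2.40 198.51.100.7 443 2100000
"""


def parse_flows(text):
    """Return (timestamp, src, dst, port, bytes) tuples from the text export."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return flows


def per_transfer_alerts(flows, max_bytes=5 * 1024 * 1024):
    """The naive rule: alert on any single transfer above a size threshold.
    T1030 is designed to stay under exactly this kind of limit."""
    return [f for f in flows if f[4] > max_bytes]


def chunked_transfer_alerts(flows, min_count=5, max_size_cv=0.05,
                            max_gap_jitter=0.10, min_total=4 * 1024 * 1024):
    """Flag (src, dst) pairs whose transfers look like a scheduled, size-capped
    trickle: enough flows, near-constant size (low coefficient of variation),
    near-constant spacing, and a cumulative volume the per-transfer rule never
    sees because no single chunk crosses its threshold."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))

    alerts = []
    for (src, dst), recs in by_pair.items():
        if len(recs) < min_count:
            continue
        recs.sort()
        sizes = [n for _, n in recs]
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        if mean(sizes) == 0 or mean(gaps) == 0:
            continue  # empty flows, or everything in one burst: not a schedule
        size_cv = pstdev(sizes) / mean(sizes)
        gap_jitter = pstdev(gaps) / mean(gaps)
        total = sum(sizes)
        if size_cv <= max_size_cv and gap_jitter <= max_gap_jitter and total >= min_total:
            alerts.append({"src": src, "dst": dst, "count": len(recs),
                           "total_bytes": total, "mean_gap_s": round(mean(gaps)),
                           "size_cv": round(size_cv, 4)})
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("per-transfer threshold alerts:", len(per_transfer_alerts(flows)))
    for alert in chunked_transfer_alerts(flows):
        print("chunked transfer:", alert)
```

On the constructed sample the per-transfer threshold never fires, while the chunked-transfer rule flags the host sending roughly 1 MiB every ten minutes. Tune min_count, max_size_cv and min_total against your own baseline: backup agents and sync clients also produce regular, fixed-size transfers, so treat a hit as a triage signal to pair with destination reputation and asset context rather than an automatic block.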
Remember, it's not just about preventing initial compromise &#8211; it's about making sure that even if an attacker gets in, they can't get out with your crown jewels.</p><p>As we've seen throughout this series, the key to effective defense is a comprehensive understanding of attacker tactics and techniques. By aligning our security strategies with frameworks like MITRE ATT&amp;CK, we can build more resilient systems and better protect our valuable data assets. We have one last tactic to tackle, so let's wrap up this series next week!</p><p>Thank you for reading this entry in our ATT&amp;CK series. Feel free to share your thoughts and experiences in the comments below!</p>]]></content:encoded></item><item><title><![CDATA[What's Causing Mike's Indigestion Now? We're obsessed with the wrong snowflakes (28 June 2024)]]></title><description><![CDATA[Good day, folks!]]></description><link>https://www.raidersofthelostarp.tech/p/mikes-indigestion-now-were-obsessed-with-the-wrong-snowflake-identity</link><guid isPermaLink="false">https://www.raidersofthelostarp.tech/p/mikes-indigestion-now-were-obsessed-with-the-wrong-snowflake-identity</guid><dc:creator><![CDATA[Mike McPhee]]></dc:creator><pubDate>Thu, 27 Jun 2024 22:15:03 GMT</pubDate><enclosure url="https://images.raidersofthelostarp.tech/2024/06/mikey_mac_cartoon_of_a_bearded_indiana_jones_running_from_kids__197f5aaa-178a-4499-900d-fce162a67ba3.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!QZ-b!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6795350-2c55-4d98-9d65-687b9884cd19_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" 
srcset="https://substackcdn.com/image/fetch/$s_!QZ-b!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6795350-2c55-4d98-9d65-687b9884cd19_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!QZ-b!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6795350-2c55-4d98-9d65-687b9884cd19_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!QZ-b!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6795350-2c55-4d98-9d65-687b9884cd19_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!QZ-b!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6795350-2c55-4d98-9d65-687b9884cd19_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!QZ-b!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6795350-2c55-4d98-9d65-687b9884cd19_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/b6795350-2c55-4d98-9d65-687b9884cd19_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:2023501,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.raidersofthelostarp.tech/i/190625007?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6795350-2c55-4d98-9d65-687b9884cd19_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" 
class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!QZ-b!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6795350-2c55-4d98-9d65-687b9884cd19_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!QZ-b!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6795350-2c55-4d98-9d65-687b9884cd19_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!QZ-b!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6795350-2c55-4d98-9d65-687b9884cd19_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!QZ-b!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb6795350-2c55-4d98-9d65-687b9884cd19_1024x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture><div></div></div></a></figure></div><p>Good day, folks! Another week, another headline-grabbing security incident seems to be dominating the discussion. And I am not talking about Tim Weah's testy red card vs. Panama, or whatever comes out of the debate tonight. I am talking about a slow-boiling issue that impacts all of us. After the last month's buildup, Snowflake is in the spotlight, but don't be fooled - this isn't just about one company's identity problems, and it ripples through many. Let's dive into why Snowflake's woes are a wake-up call for all of us, and what else it might mean for how we tackle</p><h2>Snowflake's Slippery Slope</h2><p>Snowflake is a cloud data platform carrying over 20% of the business data out there, folks. It is massive - and the list of customers is equally impressive. Despite protecting most of their environment with multi-factor authentication (MFA), <a href="https://www.wired.com/story/snowflake-breach-advanced-auto-parts-lendingtree/">adversaries got their hands on stolen login credentials</a> and used them to infiltrate customer accounts and pilfer sensitive data. The kicker? The attackers found ecosystem users with access to demo accounts and used infostealer-harvested credentials to cause a bunch of breaches in rapid succession. But here's the thing - Snowflake isn't the real issue. It's just the canary in the coal mine for a much larger shift in the threat landscape.</p><p>We don't yet know the exact mode of compromise here - there is a lot of conflicting information. What we know is that a BreachForums account called Sp1d3r is trying to sell thousands of Snowflake account credentials. 
And we have Mandiant publishing some insights about a financially-motivated actor called <a href="https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion">UNC5537</a>. It turns out that the leak may have originated with service providers who assist customers with Snowflake but do not work directly for the company. I think we know that this is concerning, but let's take a look at why this is the focus.</p><h3>Identity might actually matter more than we want to admit</h3><p>Over the past few decades, we've seen the criminal threat landscape coalesce into two categories: ransomware/data extortion, and everything else. Everyone's trying to grab a piece of that billion-dollar pie. Why? The stakes are very lopsided. What begins as a lark and requires relatively little effort from the adversary cripples the victim and threatens its very existence. The adversaries go where the money is, and ransom &amp; extortion in cyberspace are easy money.</p><p>Cisco's Talos is reporting that their Incident Response engagements are showing a disturbing trend. While ransomware still dominates, the initial access methods are diversifying. It used to be broad phishing campaigns or watering hole attacks. Now compromised legitimate credentials are becoming the golden ticket for malicious activities. And where are these credentials coming from? Let's discuss that now.</p><h3>Infostealers take the lead</h3><p>Infostealers have grown into a crucial part of the dark web's economy. They're highly organized, and conduct widely distributed campaigns. Current infostealer groups hang out in Telegram chat rooms, selling credentials by the boatload. For a fee, actors can get timed access to a repository of credentials to search and use freely. It's a small price to pay when a single set of enterprise credentials could lead to a multi-million-dollar ransom.</p><p>How do they do it? 
Infostealer groups typically deploy malware that automates the collection and exfiltration of anything worthwhile: credential databases, sensitive information, crypto wallets, customer listings, and the like. Many - like <a href="https://thehackernews.com/2023/01/the-evolving-tactics-of-vidar-stealer.html">Vidar</a>, <a href="https://attack.mitre.org/software/S0038/">Duqu</a> or <a href="https://www.bleepingcomputer.com/news/security/raccoon-stealer-is-back-with-a-new-version-to-steal-your-passwords/">Raccoon Stealer</a> - still use <a href="https://attack.mitre.org/techniques/T1056/001/">keyloggers</a>. The goal is to collect anything potentially useful, and then decide later whether it is worthwhile. Or let the market decide.</p><h3>Initial Access Brokers take that next step</h3><p>Initial Access Brokers like <a href="https://cloud.google.com/blog/topics/threat-intelligence/kegtap-and-singlemalt-with-a-ransomware-chaser/">UNC1878</a> and <a href="https://attack.mitre.org/groups/G1011/">Exotic Lily</a> are also a part of this trend, offering that next step - assured access. IABs might use infostealers of their own or credentials sold on the market to gain access. Either way, they typically take it that next step: they are actively running <a href="https://raidersofthelostarp.tech/2024/06/25/command-and-control-this-is-major-tom-to-ground-control/">Command &amp; Control</a> and have established <a href="https://raidersofthelostarp.tech/2024/04/02/persistence-how-uninvited-attackers-avoid-being-bounced-from-the-party-attck/">Persistence</a>. Eager threat actors don't have to go far to get these head starts. They just need some cryptocurrency and a dream.</p><h2>Back to Snowflake's case</h2><p>Many enterprises have deployed MFA, but the application isn't consistent. The focus has largely been on the enterprise domain itself. 
Snowflake apparently had solid MFA to protect identity almost everywhere, but like many organizations, its power to enforce strong policies on third-party ecosystem vendors and contractors is limited.</p><p>With the rise of Software as a Service (SaaS), sensitive data is spread across multiple vendors around the globe. This creates many points of entry for attackers who, in 2024, might be more focused on data exfiltration than unauthorized encryption. We need to come up with more secure ways to allow collaboration on data. Snowflake isn't unique here, and may be taking arrows for something that could have happened to any SaaS solution provider. We need to learn from this - so what can defenders do while we rethink our industry's way of handling these cases?</p><ol><li><p>Protect critical data with MFA, wherever it's housed.</p></li><li><p>Conduct audits of all external data houses and ensure MFA is configured.</p></li><li><p>Act on infostealer infections with urgency. Assume every credential on an infected system has been compromised, and rotate it.</p></li><li><p>Provide users with a vetted and trusted way to store passwords.</p></li><li><p>For instances where MFA can't be deployed, limit account access and increase scrutiny.</p></li></ol><p>I hope this has been a helpful take on the Snowflake situation. Feel for those folks - by all accounts there was no neglect and no vulnerability here. But it illustrates the inter-dependencies across our economy and the information age.</p><h2>Things I'm Keeping an Eye On</h2><ul><li><p>Sometimes cyberattacks are just not enough - we should always remember state-sponsored adversaries will still resort to traditional, kinetic attacks. <a href="https://www.wsj.com/world/europe/russian-saboteurs-behind-arson-attackat-german-factory-c13b4ece">Count on Vlad</a> to remind us.</p></li><li><p>Apparently folks are still using MOVEit for file transfer? 
Yikes - <a href="https://thecyberexpress.com/vulnerability-progress-moveit-transfer/">another set of critical vulnerabilities</a> recently hit this tool and sparked fresh fears.</p></li><li><p>We've seen TeamViewer used for years by adversaries as an alternative to RDP or VNC - not due to the company's malfeasance, but the ease with which anyone can deploy it. What happens when the company that makes it is <a href="https://therecord.media/teamviewer-investigating-intrusion-it">compromised</a>?</p></li><li><p>In a bid to re-enter the market with a splash, the RaaS group that began life as Conti and later operated as Royal is rebranding itself as <a href="https://www.bleepingcomputer.com/news/security/blacksuit-ransomware-gang-claims-attack-on-kadokawa-corporation/">BlackSuit</a>, and has begun hitting victims with a vengeance.</p></li><li><p>A new threat actor, Unfurling Hemlock, is dropping the <a href="https://www.bleepingcomputer.com/news/security/new-unfurling-hemlock-threat-actor-floods-systems-with-malware/">kitchen sink equivalent of malware on victims</a>. In what is called a 'malware cluster bomb', a nested doll of badness is certainly offering options. While most threat actors have multiple paths and persistence plans in place, this takes it to an extreme.</p></li></ul><h2>Conclusion</h2><p>The Snowflake predicament and identity exposures are a stark reminder that in 2024, protecting your data means more than just securing your own systems. As attackers continue to shift focus to data theft, it's time for organizations to take an honest look at where their data is housed and what protections are in place. Otherwise, you might find your stolen data being sold to the highest bidder - even if that bidder is you. We as a security and systems industry need to come up with a new way of doing things, because this isn't working.</p><p>Stay vigilant, folks, and remember: we're all in this together. 
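For items 2 and 5 of the checklist above, here is what the audit looks like in practice. This is an added example, not code from the original post: it parses a constructed CSV export shaped like Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (the column names are the view's; the rows, the export itself and the known-egress range are assumptions) and separates accounts that simply need MFA enrolled from logins that need an incident response ticket now:

```python
"""Audit SaaS login history for password-only access.

Added example, not code from the original post. The rows below are a
constructed CSV in the shape of Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
view: the column names are the view's, the users, timestamps and addresses are not real.
"""
import csv
import io
import ipaddress
from collections import defaultdict

SAMPLE_LOGIN_HISTORY = """\
EVENT_TIMESTAMP,USER_NAME,CLIENT_IP,REPORTED_CLIENT_TYPE,FIRST_AUTHENTICATION_FACTOR,SECOND_AUTHENTICATION_FACTOR,IS_SUCCESS
2024-06-20 09:01:12,ALICE,198.51.100.20,SNOWFLAKE_UI,PASSWORD,DUO_PUSH,YES
2024-06-20 09:15:40,BOB,198.51.100.21,SNOWFLAKE_UI,PASSWORD,,YES
2024-06-21 02:44:03,BOB,203.0.113.77,OTHER,PASSWORD,,YES
2024-06-21 02:45:19,BOB,203.0.113.77,OTHER,PASSWORD,,YES
2024-06-21 11:02:55,SVC_ETL,198.51.100.30,JDBC_DRIVER,RSA_KEYPAIR,,YES
2024-06-22 08:10:00,CAROL,203.0.113.80,SNOWFLAKE_UI,PASSWORD,,NO
"""

# Corporate egress ranges users are expected to log in from (assumption).
KNOWN_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]


def load_logins(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def from_known_network(ip):
    """True when the client address falls inside an expected egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_EGRESS)


def single_factor_logins(rows):
    """Successful password logins with no second factor: the pattern a stolen
    infostealer credential produces. Key-pair logins are excluded, since there
    is no password to lift from a browser vault."""
    return [r for r in rows
            if r["IS_SUCCESS"] == "YES"
            and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
            and not r["SECOND_AUTHENTICATION_FACTOR"]]


def triage(rows):
    """Per user: count password-only logins from expected networks (enrol the
    user in MFA) and list those from unknown sources (investigate now as a
    possible use of stolen credentials)."""
    report = defaultdict(lambda: {"needs_mfa": 0, "investigate": []})
    for r in single_factor_logins(rows):
        entry = report[r["USER_NAME"]]
        if from_known_network(r["CLIENT_IP"]):
            entry["needs_mfa"] += 1
        else:
            entry["investigate"].append(
                (r["EVENT_TIMESTAMP"], r["CLIENT_IP"], r["REPORTED_CLIENT_TYPE"]))
    return dict(report)


if __name__ == "__main__":
    for user, finding in triage(load_logins(SAMPLE_LOGIN_HISTORY)).items():
        print(user, finding)
```

On the constructed rows, ALICE is clean (Duo push), CAROL's attempt failed, and BOB shows up twice: one password-only login from the office range (enrol him in MFA) and two from an unknown address with a non-standard client (open a ticket and rotate the credential). The SVC_ETL key-pair login is not flagged because the rule is about password-only access; service accounts like that still belong under item 5, with network policy and tightly scoped roles. The same filter expressed as a query against the view is the standard first hunt after an infostealer exposure.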
Have a great week, and be sure to comment below on the new focused approach!</p>]]></content:encoded></item><item><title><![CDATA[Command and Control: This is Major Tom to Ground Control]]></title><description><![CDATA[In our last post, we explored how attackers gather valuable information through the Collection tactic. Once adversaries have a foothold and have collected data, they need a way to maintain control over compromised systems and coordinate their activities. In military operations, you'll see a mix of overt and covert forms of communications. But we know they are happening. Without them, the various units involved would be uncoordinated and the attack would fail before major objectives could be accomplished. Cyber adversaries need this sustained control as well. Payloads are unable to act autonomously for long. And exfiltrating data without it is futile. This is where the next]]></description><link>https://www.raidersofthelostarp.tech/p/command-and-control-this-is-major-tom-to-ground-control</link><guid isPermaLink="false">https://www.raidersofthelostarp.tech/p/command-and-control-this-is-major-tom-to-ground-control</guid><dc:creator><![CDATA[Mike McPhee]]></dc:creator><pubDate>Tue, 25 Jun 2024 08:16:49 GMT</pubDate><enclosure url="https://images.raidersofthelostarp.tech/2024/06/mikey_mac_funny_cartoon_of_a_hacker_in_a_Hawaiian_shirt_making__f78c600d-938f-4312-a5c3-955512ff5d1e.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!7vv7!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae46cad4-7385-44c0-a007-6d01d9aaf9a6_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" 
srcset="https://substackcdn.com/image/fetch/$s_!7vv7!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae46cad4-7385-44c0-a007-6d01d9aaf9a6_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!7vv7!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae46cad4-7385-44c0-a007-6d01d9aaf9a6_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!7vv7!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae46cad4-7385-44c0-a007-6d01d9aaf9a6_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!7vv7!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae46cad4-7385-44c0-a007-6d01d9aaf9a6_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!7vv7!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae46cad4-7385-44c0-a007-6d01d9aaf9a6_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ae46cad4-7385-44c0-a007-6d01d9aaf9a6_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1644556,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.raidersofthelostarp.tech/i/190625006?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae46cad4-7385-44c0-a007-6d01d9aaf9a6_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" 
class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!7vv7!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae46cad4-7385-44c0-a007-6d01d9aaf9a6_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!7vv7!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae46cad4-7385-44c0-a007-6d01d9aaf9a6_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!7vv7!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae46cad4-7385-44c0-a007-6d01d9aaf9a6_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!7vv7!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae46cad4-7385-44c0-a007-6d01d9aaf9a6_1024x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture><div></div></div></a></figure></div><p>In our last post, we explored how attackers gather valuable information through the <a href="https://raidersofthelostarp.tech/2024/06/18/attck-collection-how-attackers-grab-the-loot-before-being-caught/">Collection tactic</a>. Once adversaries have a foothold and have collected data, they need a way to maintain control over compromised systems and coordinate their activities. In military operations, you'll see a mix of overt and covert forms of communications. But we know they are happening. Without them, the various units involved would be uncoordinated and the attack would fail before major objectives could be accomplished. Cyber adversaries need this sustained control as well. Payloads are unable to act autonomously for long. And exfiltrating data without it is futile. This is where the next <a href="https://raidersofthelostarp.tech/2023/11/05/worry-less-and-know-your-enemy-with-mitre-attck/">MITRE ATT&amp;CK</a> Tactic comes into play: Command and Control (C2). Let's dive into how attackers use C2 to orchestrate their operations and why it's a critical component of almost every sophisticated cyber attack.</p><h2>The Importance of Command and Control</h2><p>Command and Control is the term for communication and coordination in an attack. Whether orchestrated from an attacker's Kali box or a military command post, C2 allows attackers to issue orders, receive information, and manage their operations from afar. Without effective C2, attackers have to build more into their deployed assets. 
This isn't impossible - some recent military and cyber attacks have used this strategy, but the preparation is insane, and the possible outcomes are limited. Prior to the ubiquity of the internet and satellite communications, covert operators would spend months or years to prepare for a mission. Threat actors may also forego C2 as a last resort, most often limited to fire-and-forget malware or simple scripts. These conditions are dangerous, but lack the adaptability and persistence that characterize today's most threatening adversaries.</p><p>C2 infrastructure serves several crucial purposes for attackers:</p><ul><li><p>Persistence: It allows malware to maintain a connection with the attacker's systems, ensuring long-term access to the compromised network.</p></li><li><p>Updates: Attackers can push new instructions or malware variants to evade detection.</p></li><li><p>Data Exfiltration: C2 channels are often used to steal sensitive information from the target network.</p></li><li><p>Lateral Movement: Coordinating the spread of an attack across multiple systems often relies on C2.</p></li></ul><h3>Historical Context: The Telegraph of War</h3><p>To understand the significance of C2 in cyber operations, it's helpful to look at its roots in military history. During the American Civil War, both Union and Confederate forces recognized the game-changing potential of the telegraph for military communications. General Ulysses S. Grant, in particular, used telegraph networks extensively to coordinate troop movements and relay intelligence. 
Leaning into these communications helped him maneuver three armies across great distances while keeping supply chains synchronized.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!lQaY!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3191d554-b507-4bb1-8b7b-e9cf625670f0_779x600.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!lQaY!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3191d554-b507-4bb1-8b7b-e9cf625670f0_779x600.jpeg 424w, https://substackcdn.com/image/fetch/$s_!lQaY!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3191d554-b507-4bb1-8b7b-e9cf625670f0_779x600.jpeg 848w, https://substackcdn.com/image/fetch/$s_!lQaY!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3191d554-b507-4bb1-8b7b-e9cf625670f0_779x600.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!lQaY!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3191d554-b507-4bb1-8b7b-e9cf625670f0_779x600.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!lQaY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3191d554-b507-4bb1-8b7b-e9cf625670f0_779x600.jpeg" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3191d554-b507-4bb1-8b7b-e9cf625670f0_779x600.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!lQaY!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3191d554-b507-4bb1-8b7b-e9cf625670f0_779x600.jpeg 424w, https://substackcdn.com/image/fetch/$s_!lQaY!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3191d554-b507-4bb1-8b7b-e9cf625670f0_779x600.jpeg 848w, https://substackcdn.com/image/fetch/$s_!lQaY!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3191d554-b507-4bb1-8b7b-e9cf625670f0_779x600.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!lQaY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3191d554-b507-4bb1-8b7b-e9cf625670f0_779x600.jpeg 1456w" sizes="100vw"></picture><div></div></div></a><figcaption class="image-caption">In an era before the Internet and radio communications, coordinating actions across such a wide area was near impossible. Grant's use of the telegraph as a C2 workhorse changed warfare forever.</figcaption></figure></div><p>However, this new form of rapid long-distance communication also introduced vulnerabilities. 
Confederate cavalry raids often targeted Union telegraph lines, disrupting communications and gathering intelligence. In one famous incident, Confederate General John Hunt Morgan's raiders tapped into Union telegraph lines, intercepting messages and sending false orders to confuse enemy forces. If only Grant's operators had cryptography! It should also be noted that horse messengers, ships, semaphore flags, and even messaging via the printed press were used to link up other assets like scouts, spies, and more mobile forces.</p><p>The Union's use of telegraph to provide C2 mirrors modern cyber C2 in several ways:</p><ul><li><p>Rapid communication allows for coordinated, large-scale operations</p></li><li><p>The communication channel itself becomes a critical asset and potential vulnerability</p></li><li><p>Intercepting or disrupting the enemy's communications provides significant tactical advantages</p></li><li><p>The main mode was far from the only mode used - backup communications and redundancy are evergreen needs</p></li></ul><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!EyNY!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F783ef796-c690-40ee-997a-34a4b50d54e6_903x657.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!EyNY!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F783ef796-c690-40ee-997a-34a4b50d54e6_903x657.jpeg 424w, https://substackcdn.com/image/fetch/$s_!EyNY!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F783ef796-c690-40ee-997a-34a4b50d54e6_903x657.jpeg 848w, 
https://substackcdn.com/image/fetch/$s_!EyNY!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F783ef796-c690-40ee-997a-34a4b50d54e6_903x657.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!EyNY!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F783ef796-c690-40ee-997a-34a4b50d54e6_903x657.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!EyNY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F783ef796-c690-40ee-997a-34a4b50d54e6_903x657.jpeg" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/783ef796-c690-40ee-997a-34a4b50d54e6_903x657.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!EyNY!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F783ef796-c690-40ee-997a-34a4b50d54e6_903x657.jpeg 424w, https://substackcdn.com/image/fetch/$s_!EyNY!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F783ef796-c690-40ee-997a-34a4b50d54e6_903x657.jpeg 848w, 
https://substackcdn.com/image/fetch/$s_!EyNY!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F783ef796-c690-40ee-997a-34a4b50d54e6_903x657.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!EyNY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F783ef796-c690-40ee-997a-34a4b50d54e6_903x657.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">Having a C2 of choice is one thing, but what made Union forces so effective with the telegraph was their well-rehearsed use of it and their pragmatic use of backup means to maintain persistent contact.</figcaption></figure></div><h3>Command and Control in Modern Cyberspace</h3><p>In the digital realm, C2 infrastructure has evolved into a sophisticated ecosystem of tools and techniques. Modern attackers use a variety of methods to establish and maintain control over compromised systems, often employing multiple redundant channels to ensure persistence. These channels are not just to hand down orders, but are also used to provide updated <a href="https://raidersofthelostarp.tech/2024/03/04/target-recon-phase-dont-make-it-too-easy/">Recon</a> and <a href="https://raidersofthelostarp.tech/2024/05/16/attcks-discovery-now-what-do-we-have-here/">Discovery</a>, Exfiltrate data, and inform <a href="https://raidersofthelostarp.tech/2024/06/11/lateral-movement-a-ruthless-pivot-from-invasion-to-infection/">Lateral Movement</a>.</p><p>Popular C2 frameworks like <a href="https://www.cobaltstrike.com/">Cobalt Strike</a>, Empire, and <a href="https://www.metasploit.com/">Metasploit</a> provide attackers with powerful, flexible tools for managing their operations. <a href="https://howto.thec2matrix.com/">The C2 Matrix project</a> does a great job getting you familiar with a lot of them. 
These frameworks offer features like:</p><ul><li><p>Multiple communication protocols and encryption methods</p></li><li><p>Modular payloads for different tasks</p></li><li><p>User-friendly interfaces for managing compromised hosts</p></li><li><p>Evasion techniques to avoid detection</p></li></ul><p>However, the principles remain the same as in General Grant's day: establish reliable communications, coordinate actions across multiple assets, and protect your own command infrastructure while seeking to disrupt the enemy's.</p><h2>C2: the attacker's puppet strings</h2><p>The MITRE ATT&amp;CK framework identifies 16 techniques and 27 sub-techniques under the Command and Control (<a href="https://attack.mitre.org/tactics/TA0011">TA0011</a>) tactic. This diversity reflects the many ways attackers can implement C2, adapting their methods to evade detection and maintain persistence.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!8TMx!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fee857c9e-2742-404b-be0b-761918ec26d0_220x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!8TMx!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fee857c9e-2742-404b-be0b-761918ec26d0_220x1024.png 424w, https://substackcdn.com/image/fetch/$s_!8TMx!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fee857c9e-2742-404b-be0b-761918ec26d0_220x1024.png 848w, https://substackcdn.com/image/fetch/$s_!8TMx!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fee857c9e-2742-404b-be0b-761918ec26d0_220x1024.png 1272w, 
https://substackcdn.com/image/fetch/$s_!8TMx!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fee857c9e-2742-404b-be0b-761918ec26d0_220x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!8TMx!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fee857c9e-2742-404b-be0b-761918ec26d0_220x1024.png" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ee857c9e-2742-404b-be0b-761918ec26d0_220x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!8TMx!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fee857c9e-2742-404b-be0b-761918ec26d0_220x1024.png 424w, https://substackcdn.com/image/fetch/$s_!8TMx!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fee857c9e-2742-404b-be0b-761918ec26d0_220x1024.png 848w, https://substackcdn.com/image/fetch/$s_!8TMx!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fee857c9e-2742-404b-be0b-761918ec26d0_220x1024.png 1272w, 
https://substackcdn.com/image/fetch/$s_!8TMx!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fee857c9e-2742-404b-be0b-761918ec26d0_220x1024.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">There are a lot of techniques to chew on. Let's try another view...</figcaption></figure></div><p>Here's an attempt at categorizing those same techniques based on a general focus area:</p><p>As you can see above, there are a ton of ways adversaries may combine techniques to provide unfettered access to an environment. Even worse, they may use multiple combinations in concert to ensure they have redundant access.</p><h3>Examples of Techniques in action</h3><p>Want to see some of the more common C2 scenarios out there?</p><ul><li><p>Application Layer Protocol (<a href="https://attack.mitre.org/techniques/T1071/">T1071</a>) Attackers often use common application layer protocols like HTTP, HTTPS, or DNS to blend their C2 traffic with normal network activity.</p><ul><li><p>Example: The <a href="https://attack.mitre.org/software/S0093/">Havex malware</a>, used in industrial espionage, uses HTTP POST requests to exfiltrate data and receive commands, making it difficult to distinguish from legitimate web traffic.</p></li></ul></li><li><p>Data Encoding (<a href="https://attack.mitre.org/techniques/T1132/">T1132</a>) To further obfuscate their communications, attackers may encode or encrypt their C2 traffic. 
This can range from simple base64 encoding to sophisticated custom encryption schemes.</p><ul><li><p>Example: The <a href="https://attack.mitre.org/software/S0386/">Ursnif banking trojan</a> uses a custom encryption algorithm over HTTPS to protect its C2 communications, making it challenging for defenders to analyze the traffic.</p></li></ul></li><li><p>Non-Standard Port (<a href="https://attack.mitre.org/techniques/T1571/">T1571</a>) While using common protocols helps hide C2 traffic, using non-standard ports can help evade port-based filtering and monitoring.</p><ul><li><p>Example: The <a href="https://attack.mitre.org/software/S0030/">Carbanak malware</a>, infamous for targeting financial institutions, has been observed using port 443 (typically reserved for HTTPS) for its C2 communications, but with a custom binary protocol instead of actual HTTPS.</p></li></ul></li><li><p>Protocol Tunneling (<a href="https://attack.mitre.org/techniques/T1572/">T1572</a>) Attackers may tunnel their C2 traffic through other protocols, essentially hiding one protocol inside another. This technique can bypass firewalls and other security controls that aren't inspecting traffic deeply enough.</p><ul><li><p>Example: <a href="https://attack.mitre.org/software/S0687">Cyclops Blink</a> has been known to abuse DNS over HTTPS (DoH) in order to evade firewall and other DNS security measures and reach C2 nodes.</p></li></ul></li></ul><h3>How Attackers Establish and Maintain C2</h3><p>Setting up effective C2 infrastructure is a crucial step for attackers. 
Here's a typical process:</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!pDaj!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1610c74e-cae6-4aa8-adf5-13801db18211_1024x577.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!pDaj!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1610c74e-cae6-4aa8-adf5-13801db18211_1024x577.png 424w, https://substackcdn.com/image/fetch/$s_!pDaj!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1610c74e-cae6-4aa8-adf5-13801db18211_1024x577.png 848w, https://substackcdn.com/image/fetch/$s_!pDaj!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1610c74e-cae6-4aa8-adf5-13801db18211_1024x577.png 1272w, https://substackcdn.com/image/fetch/$s_!pDaj!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1610c74e-cae6-4aa8-adf5-13801db18211_1024x577.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!pDaj!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1610c74e-cae6-4aa8-adf5-13801db18211_1024x577.png" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1610c74e-cae6-4aa8-adf5-13801db18211_1024x577.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!pDaj!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1610c74e-cae6-4aa8-adf5-13801db18211_1024x577.png 424w, https://substackcdn.com/image/fetch/$s_!pDaj!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1610c74e-cae6-4aa8-adf5-13801db18211_1024x577.png 848w, https://substackcdn.com/image/fetch/$s_!pDaj!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1610c74e-cae6-4aa8-adf5-13801db18211_1024x577.png 1272w, https://substackcdn.com/image/fetch/$s_!pDaj!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1610c74e-cae6-4aa8-adf5-13801db18211_1024x577.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">TinyTurlaNG had great success against some government targets in the Winter of 2024, and did so by leveraging multiple C2 paths to help facilitate their theft of sensitive materials and credentials. 
(from our CLUS2024 session <a href="https://www.ciscolive.com/on-demand/on-demand-library.html?search=BRKSEC-3026#/">BRKSEC-3026</a>)</figcaption></figure></div><ol><li><p><strong>Infrastructure Setup</strong>: Attackers often use compromised servers, cloud services, or anonymizing networks like Tor to host their C2 servers. They may employ domain generation algorithms (DGAs) to create a constantly changing list of domain names for their C2 servers.</p></li><li><p><strong>Initial Compromise</strong>: Once a system is compromised, the attacker's malware establishes an initial connection to the C2 server, often using hardcoded addresses or DGA-generated domains.</p></li><li><p><strong>Beacon and Registration</strong>: The compromised system sends a beacon to the C2 server, providing information about the system and potentially receiving initial instructions.</p></li><li><p><strong>Ongoing Communication</strong>: The malware maintains periodic communication with the C2 server, checking for new commands and potentially exfiltrating collected data.</p></li><li><p><strong>Adapting and Evading</strong>: Sophisticated attackers continuously modify their C2 techniques to avoid detection, using tactics like traffic mimicry, domain fronting, or piggybacking on legitimate services.</p></li></ol><p>TinyTurlaNG is a great case study. They not only conduct the steps above, but they do it for two disparate C2 mechanisms (TTNG and Chisel) in addition to a whole host of parallel back doors that they are implementing. Below is just one of those (TTNG), which uses a compromised WordPress server to act as the C2 head end and builds in a custom HTTP parser to coordinate actions. 
Below is a look at some of the logic in that C2, as covered by a <a href="https://blog.talosintelligence.com/tinyturla-ng-tooling-and-c2/">wonderful Cisco Talos post</a>:</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!F2-r!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6b2c0577-10a5-40eb-9750-f58c4fe9e796_1024x911.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!F2-r!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6b2c0577-10a5-40eb-9750-f58c4fe9e796_1024x911.png 424w, https://substackcdn.com/image/fetch/$s_!F2-r!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6b2c0577-10a5-40eb-9750-f58c4fe9e796_1024x911.png 848w, https://substackcdn.com/image/fetch/$s_!F2-r!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6b2c0577-10a5-40eb-9750-f58c4fe9e796_1024x911.png 1272w, https://substackcdn.com/image/fetch/$s_!F2-r!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6b2c0577-10a5-40eb-9750-f58c4fe9e796_1024x911.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!F2-r!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6b2c0577-10a5-40eb-9750-f58c4fe9e796_1024x911.png" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/6b2c0577-10a5-40eb-9750-f58c4fe9e796_1024x911.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!F2-r!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6b2c0577-10a5-40eb-9750-f58c4fe9e796_1024x911.png 424w, https://substackcdn.com/image/fetch/$s_!F2-r!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6b2c0577-10a5-40eb-9750-f58c4fe9e796_1024x911.png 848w, https://substackcdn.com/image/fetch/$s_!F2-r!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6b2c0577-10a5-40eb-9750-f58c4fe9e796_1024x911.png 1272w, https://substackcdn.com/image/fetch/$s_!F2-r!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6b2c0577-10a5-40eb-9750-f58c4fe9e796_1024x911.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">If you look closely, you can see the sorts of commands Turla is using to conduct their operations via the TTNG C2. 
(H/T to <a href="https://blog.talosintelligence.com/tinyturla-ng-tooling-and-c2/">Cisco Talos</a>)</figcaption></figure></div><h2>How can we Mitigate Command and Control?</h2><p>Defending against C2 activities requires a multi-layered approach, and if it seems they rhyme well with previous tactics we've covered, you are spot on! The good news? You get a lot of bang for the buck when you do the 'simple' things well. The bad news? Doing the 'simple' things can be hard culturally:</p><ul><li><p><strong>Network Segmentation</strong>: Limit the ability of compromised systems to communicate across the network. This single thing can ensure C2's tentacles are limited in reach and save your bacon!</p></li><li><p><strong>Firewall Rules and Application Whitelisting</strong>: Strictly control what can communicate externally and which applications can run. If you don't know, enlist a network behavior and/or application dependency mapping tool to help!</p></li><li><p><strong>Traffic Analysis and Anomaly Detection</strong>: Use tools to identify unusual patterns in network traffic that could indicate C2 activity. Beacons and long-lived sessions are weird. We need to find the strange and scrutinize it.</p></li><li><p><strong>Regular System Updates and Patch Management</strong>: Keep systems updated to prevent exploitation of known vulnerabilities. A lot of C2 takes advantage of flaws, vulns, and misconfiguration.</p></li><li><p><strong>DNS Monitoring</strong>: Watch for unusual DNS queries that could indicate use of DGAs or DNS tunneling. Firewalls and Secure Web Gateways are particularly helpful here. Also - enforce strict ACLs for what resolvers are trusted!</p></li><li><p><strong>SSL/TLS Inspection</strong>: For environments where it's feasible, inspect encrypted traffic for signs of C2 communications. 
It is costly and compute intensive, so maybe use it in higher-risk areas?</p></li><li><p><strong>User Education</strong>: Train users to recognize and report suspicious system behavior that could indicate a compromise.</p></li></ul><h2>Conclusion</h2><p>Command and Control is a critical tactic for adversaries, serving as the nervous system of their operations. By understanding C2 techniques and implementing robust defenses, organizations can disrupt attackers' ability to maintain their grip on compromised assets.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!-JNi!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa5c4c056-adc1-453c-b0eb-860a86be4a73_819x1024.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!-JNi!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa5c4c056-adc1-453c-b0eb-860a86be4a73_819x1024.jpeg 424w, https://substackcdn.com/image/fetch/$s_!-JNi!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa5c4c056-adc1-453c-b0eb-860a86be4a73_819x1024.jpeg 848w, https://substackcdn.com/image/fetch/$s_!-JNi!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa5c4c056-adc1-453c-b0eb-860a86be4a73_819x1024.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!-JNi!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa5c4c056-adc1-453c-b0eb-860a86be4a73_819x1024.jpeg 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!-JNi!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa5c4c056-adc1-453c-b0eb-860a86be4a73_819x1024.jpeg" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a5c4c056-adc1-453c-b0eb-860a86be4a73_819x1024.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!-JNi!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa5c4c056-adc1-453c-b0eb-860a86be4a73_819x1024.jpeg 424w, https://substackcdn.com/image/fetch/$s_!-JNi!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa5c4c056-adc1-453c-b0eb-860a86be4a73_819x1024.jpeg 848w, https://substackcdn.com/image/fetch/$s_!-JNi!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa5c4c056-adc1-453c-b0eb-860a86be4a73_819x1024.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!-JNi!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa5c4c056-adc1-453c-b0eb-860a86be4a73_819x1024.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">Ulysses S. Grant: Soldier. General. President. 
And C2 revolutionary.</figcaption></figure></div><p>Just as General Grant's use of the telegraph revolutionized military communications, modern cyber attackers leverage robust C2 infrastructures to coordinate their campaigns. However, unlike Civil War-era telegraph lines, today's C2 channels are often hidden in plain sight, masquerading as normal network traffic. And rather than diversifying with flags, riders on horseback, and smoke, cyber adversaries just add additional channels using different TTP recipes. Can you tell the difference?</p><p>As defenders, our challenge is to spot these disguised communications, sever the attacker's control, and fortify our systems against future intrusions. By focusing on a good mix of C2 detection and prevention, we significantly increase the cost and complexity for attackers and force them to make mistakes. Which is super helpful to our detection efforts!</p><p>I hope this ATT&amp;CK Command and Control entry in the series has been helpful. Whatever you decide to do, think about all the ways you need communications to happen and aim to allow only those to happen. Thank you for reading and feel free to comment below!</p>]]></content:encoded></item><item><title><![CDATA[What’s causing Mike’s Indigestion now? 
Someone's entered the "find out" stage (20 June 2024)]]></title><description><![CDATA[Good day, folks!]]></description><link>https://www.raidersofthelostarp.tech/p/whats-causing-mikes-indigestion-now-someones-entered-find-out-20-june-2024-scattered-alphv-mfa</link><guid isPermaLink="false">https://www.raidersofthelostarp.tech/p/whats-causing-mikes-indigestion-now-someones-entered-find-out-20-june-2024-scattered-alphv-mfa</guid><dc:creator><![CDATA[Mike McPhee]]></dc:creator><pubDate>Thu, 20 Jun 2024 11:31:57 GMT</pubDate><enclosure url="https://images.raidersofthelostarp.tech/2024/06/mikey_mac_cartoon_of_a_bearded_Indiana_Jones_stepping_on_a_big__53aa68ef-1ccd-4255-b7f9-49a4edf38902.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!A20j!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe53071eb-1c79-4bf5-a28f-ab7a09c0519d_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!A20j!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe53071eb-1c79-4bf5-a28f-ab7a09c0519d_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!A20j!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe53071eb-1c79-4bf5-a28f-ab7a09c0519d_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!A20j!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe53071eb-1c79-4bf5-a28f-ab7a09c0519d_1024x1024.png 1272w, 
https://substackcdn.com/image/fetch/$s_!A20j!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe53071eb-1c79-4bf5-a28f-ab7a09c0519d_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!A20j!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe53071eb-1c79-4bf5-a28f-ab7a09c0519d_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e53071eb-1c79-4bf5-a28f-ab7a09c0519d_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:2025873,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.raidersofthelostarp.tech/i/190625005?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe53071eb-1c79-4bf5-a28f-ab7a09c0519d_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!A20j!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe53071eb-1c79-4bf5-a28f-ab7a09c0519d_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!A20j!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe53071eb-1c79-4bf5-a28f-ab7a09c0519d_1024x1024.png 848w, 
https://substackcdn.com/image/fetch/$s_!A20j!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe53071eb-1c79-4bf5-a28f-ab7a09c0519d_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!A20j!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe53071eb-1c79-4bf5-a28f-ab7a09c0519d_1024x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>Good day, folks! It's been more of the same for security practitioners around the world. 
Rates of ransoms, leaks, and vulnerability announcements continue to climb. That said, interesting news hit this week, with mixed results for cyber crime outfits. Let's talk about ALPHV and Scattered Spider and look at some good guidance on MFA. We'll also take a look at the other fun developments.</p><h2>Ransomware dynamics continually in flux</h2><p>Cyber crime giveth, cyber crime taketh away! Spanish police arrested Tyler Buchanan, a Scottish SIM-swapper. As one of the alleged ringleaders of Scattered Spider, he's a popular guy. Scattered Spider has been in the news a ton lately, taking ransoms from over 130 organizations in the past couple of years, notably MGM and Caesars casinos, LastPass, DoorDash, and many more.</p><p>Scattered Spider's background in SIM-swapping is particularly troublesome, as it prepares them well to tackle enterprises. <a href="https://www.microsoft.com/en-us/microsoft-365-life-hacks/privacy-and-safety/what-is-sim-swapping">SIM-swapping</a> involves fooling the phone company into moving your number to a hacker-controlled SIM card. Cell companies need more than the request - they want personal information to help verify you are the rightful owner. SIM swappers are adept at digging that information up, through stolen information from other breaches certainly, but more commonly we do it to ourselves - they simply check our over-shared details on social media.</p><p>Scattered Spider applies these same techniques to social-engineering-focused attacks like those on MGM and Caesars. They do their homework, find weak spots in the process, and confidently pose as someone who belongs in the environment. While law enforcement has arrested Tyler and other collaborators, more are on the loose. 
And it appears as though this is a very competitive underground, with rivals competing for breaches and even ordering <a href="https://krebsonsecurity.com/2022/09/violence-as-a-service-brickings-firebombings-shootings-for-hire/">Violence-as-a-Service</a> against each other. Nice people!</p><h3>The "how'd they do that?" piece</h3><p>Meanwhile, <a href="https://raidersofthelostarp.tech/2024/04/25/whats-causing-mikes-indigestion-now-double-trouble-healthcare-ransom/">ALPHV</a> Group's more recent TTPs get a <a href="https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/">very thorough write-up</a> in The DFIR Report's latest on their IcedID campaign. In one of the most elaborate (by ATT&amp;CK plotting standards) operations, The DFIR Report folks conducted a master-class in understanding how ALPHV conducted this op, which also offers a lot of insights as to how we can stop them. Keep in mind, ALPHV supposedly exited the business after orchestrating both the breach of <a href="https://raidersofthelostarp.tech/2024/06/13/whats-causing-mikes-indigestion-now-change-recall/">Change Healthcare</a> and their 'exit scam' that saw them hosing their accomplices, but we can learn a lot from this operation and certainly expect ALPHV to resurface after reinventing themselves.</p><h2>MFA-related help</h2><p>I think we're all learning that not all MFA is created (or configured) equal. Even Duo, an advanced and capable MFA offering, requires proper configuration to ensure it is delivering phish-resistant and resilient multi-factor authentication. Scattered Spider and many other firms are leveraging phishing in all of its variations (voice, email, text, etc.) to bypass improperly configured or overly lax MFA processes. 
Cisco's Talos released a <a href="https://blog.talosintelligence.com/how-are-attackers-trying-to-bypass-mfa/">very informative piece</a> that goes a long way toward helping us understand where all of these bypasses come from. Most importantly, they offer guidance on how and where to implement MFA for best results, in a vendor-agnostic way.</p><h2>This week in AI</h2><p>As we race to both harness and counter AI in so many aspects of technology, AI's propensity to hallucinate and susceptibility to poisoning are getting a lot of attention. One thing I hadn't counted on, but find both funny and frightening, is that some may be full of it. Wired's report "<a href="https://www.wired.com/story/perplexity-is-a-bullshit-machine/">Perplexity is a Bullshit Machine</a>" makes a good case for not just putting guardrails on the tech, but also calling for ethics in the companies and developers who unleash them on us.</p><p>I think this is a good cautionary tale for security vendors and practitioners. Pay attention to how your security ecosystem protects its AI from malicious influence. Take note of how vendors mitigate hallucinations. And ensure they are ethical. You'd hate to have an AI engine ignore important aspects of your environment or make recommendations purely based on bullshit.</p><h2>Things I am keeping an eye on</h2><ul><li><p>T-Mobile is <a href="https://www.bleepingcomputer.com/news/security/t-mobile-denies-it-was-hacked-links-leaked-data-to-vendor-breach/">denying claims</a> that they were breached recently, despite IntelBroker claiming they have source code to post. There may be a service provider T-Mobile uses who was hacked, and it could explain the <a href="https://www.bleepingcomputer.com/news/security/europol-confirms-web-portal-breach-says-no-operational-data-stolen/">big uptick in breaches</a> by IntelBroker in recent weeks (Europol, AMD, Apple, and more). There may be some links to Confluence products, but that is not yet confirmed. 
Odds are, however, that IntelBroker focuses on service providers to their victims, not the victim environments themselves.</p></li><li><p>Another week, another cryptocurrency exchange hitting major bumps. Kraken is <a href="https://thehackernews.com/2024/06/kraken-crypto-exchange-hit-by-3-million.html">blaming a security researcher for the loss of $3M</a> in digital assets, claiming that the researcher is refusing to return them after exploiting an "extremely critical" 0-day flaw while participating in a bug bounty. It seems the researcher shared the flaw with two other folks, who used it to make off with the loot.</p></li><li><p>The NSO Group - an Israeli firm that for years denied abuse of its Pegasus spyware - finally <a href="https://www.csoonline.com/article/2154092/pegasus-can-target-government-and-military-officials.html">caved in legal proceedings</a> brought by WhatsApp. It turns out Citizen Lab and others were spot on - Pegasus is used all over, and targets include government and military officials. Even worse, NSO seems to let almost anyone willing to pay enough use this stuff.</p></li><li><p>CISA has released some great new guidance in concert with several partner organizations to help us <a href="https://www.cisa.gov/sites/default/files/2024-06/Modern%20Approaches%20to%20Network%20Access%20Security-508c.pdf">improve network access security</a>. With the glut of VPN-related hacks and CVEs, this is very welcome and informative.</p></li><li><p>The French government appears to be <a href="https://www.darkreading.com/cyber-risk/france-national-interests-bid-atos-cybersec">serious about purchasing Atos' cybersecurity division</a> in an effort to improve their national security posture and to salvage the financially-struggling company's most vital division. This seems weird at first, but I think it is bold and may offer some good lessons learned for the rest of the Western World. 
Russia and China are certainly not new to this sort of arrangement.</p></li></ul><h2>Good Reads</h2><p>I'm going to cheat here. I am still reading my <a href="https://www.barnesandnoble.com/w/children-of-ash-and-elm-neil-price/1133331876">Children of Ash and Elm</a> history about the Vikings, and it is really insightful - I had no idea that the "Viking Age" was most likely precipitated by a series of massive volcano eruptions in El Salvador and elsewhere (~536-546 AD) that triggered a 3-year winter and obscured the stars for decades.</p><p>I am also revisiting one of the best podcasts out there, <a href="https://www.dancarlin.com/hardcore-history-series/">Hardcore History by Dan Carlin</a>. The episodes come out about once every few months, but there is no better storyteller out there. His most recent episode on Alexander the Great is phenomenal, especially the background on Philip II (his father) and Olympias (his mother). That would have been an 'interesting' family dynamic for sure.</p><h2>Conclusion</h2><p>I hope this was a helpful update. Next week I plan to focus more on a recent threat actor rather than on a massive spread of news, so we'll see how that goes. Have a great week, folks!</p>]]></content:encoded></item><item><title><![CDATA[Collection: How Attackers Gather the Loot Before Being Caught]]></title><description><![CDATA[In last week's post, we took a look at how attackers move laterally. They do this to get to their goals and to better entrench themselves. Whether the adversary is an APT or a special forces unit, gathering information is critical to the success of any mission. If there are exceptions, they're probably limited to bombardments (in physical warfare) or Denial of Service (DoS) attacks (in cyber). It's tough to have long-lasting effects without going further than those brute-force attacks. The information may be the end goal, or it may be essential to achieving it. 
The next]]></description><link>https://www.raidersofthelostarp.tech/p/attck-collection-how-attackers-grab-the-loot-before-being-caught</link><guid isPermaLink="false">https://www.raidersofthelostarp.tech/p/attck-collection-how-attackers-grab-the-loot-before-being-caught</guid><dc:creator><![CDATA[Mike McPhee]]></dc:creator><pubDate>Tue, 18 Jun 2024 22:07:50 GMT</pubDate><enclosure url="https://images.raidersofthelostarp.tech/2024/06/mikey_mac_hacker_in_hawaiian_shirt_working_on_his_workstation_w_a582d3f8-608b-4aef-a3ff-36e999b1cb76.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Dqnt!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd1416440-3c1f-47a1-b466-3481aaa0d034_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Dqnt!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd1416440-3c1f-47a1-b466-3481aaa0d034_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!Dqnt!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd1416440-3c1f-47a1-b466-3481aaa0d034_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!Dqnt!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd1416440-3c1f-47a1-b466-3481aaa0d034_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!Dqnt!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd1416440-3c1f-47a1-b466-3481aaa0d034_1024x1024.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!Dqnt!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd1416440-3c1f-47a1-b466-3481aaa0d034_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d1416440-3c1f-47a1-b466-3481aaa0d034_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:2066059,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.raidersofthelostarp.tech/i/190625004?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd1416440-3c1f-47a1-b466-3481aaa0d034_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Dqnt!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd1416440-3c1f-47a1-b466-3481aaa0d034_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!Dqnt!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd1416440-3c1f-47a1-b466-3481aaa0d034_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!Dqnt!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd1416440-3c1f-47a1-b466-3481aaa0d034_1024x1024.png 1272w, 
https://substackcdn.com/image/fetch/$s_!Dqnt!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd1416440-3c1f-47a1-b466-3481aaa0d034_1024x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>In last week's post, we took a look at how attackers move <a href="https://raidersofthelostarp.tech/2024/06/11/lateral-movement-a-ruthless-pivot-from-invasion-to-infection/">laterally</a>. They do this to get to their goals and to better entrench themselves. 
Whether the adversary is an APT or a special forces unit, gathering information is critical to the success of any mission. If there are exceptions, they're probably limited to bombardments (in physical warfare) or Denial of Service (DoS) attacks (in cyber). It's tough to have long-lasting effects without going further than those brute-force attacks. The information may be the end goal, or it may be essential to achieving it. The next <a href="https://attack.mitre.org">MITRE ATT&amp;CK</a> tactic is Collection. Let's look at how almost every adversary on the very diverse spectrum of threats needs it.</p><h2>The Importance of Collection</h2><p>Merriam-Webster's Dictionary primarily defines a <a href="https://www.merriam-webster.com/dictionary/system">system</a> as "a regularly interacting or interdependent group of items forming a unified whole." Further down the page is a definition that digs deeper: "an organized set of doctrines, ideas, or principles usually intended to explain the arrangement or working of a <a href="https://www.merriam-webster.com/dictionary/systematic">systematic</a> whole." Information is essential to any system. You name a system, and I will bet that information defines or runs that system. Alliances or nation-states, terrorist organizations or cults, companies or organizations - all are systems, and all leave indelible marks - information that characterizes them, defines them, or keeps them running.</p><p>As we shift to thinking about potential targets in the modern era, it goes beyond even that. In the "Information Age," a vast majority of "shareholder value" is delivered by collecting and processing data. Healthcare or services organizations rely on information to function. Manufacturers use information to guide production and manage logistics. Military organizations leverage information to guide all decisions. Information is the lifeblood of any system. 
MITRE designed the ATT&amp;CK Collection tactic to focus on this key area of any attack chain.</p><h3>Collection at war</h3><p>During conflict, forces continually collect things of value. Sometimes intelligence informs decisions during the operation: intelligence gathering reveals the locations of strengths or weaknesses, prisoners, caches of weapons, or the like. Sometimes, the collection is the point of the entire operation. While information makes up a good part of that, it may also be property that is the focus. In traditional warfare, both sides take whatever they can get.</p><h4>Fighting an Enigma</h4><p>Nazi Germany's early domination in World War II was due in no small part to their mastery of electromechanical cryptography. With a highly centralized command structure, they depended on high-speed communications protected by algorithms provided by devices like the famous Enigma machine. Radio transmissions of the time were easy to intercept, so this layer was essential to keeping the Allies in the dark.</p><p>The Allies managed, however, to accumulate enough cryptographic material (cipher sets and plugboard settings), design documentation, and even Polish counterfeit machines. Some of these were turned over by resistance forces; others were captured during the Allied invasion of North Africa. 
Informed by insights provided by Polish mathematicians, the Allies were able to break Enigma's codes, listen in on German traffic, and make decisions that no doubt altered the course of history.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Eo9T!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbd62b83a-cec2-4199-a82a-cf48c24ff29f_1024x731.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Eo9T!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbd62b83a-cec2-4199-a82a-cf48c24ff29f_1024x731.jpeg 424w, https://substackcdn.com/image/fetch/$s_!Eo9T!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbd62b83a-cec2-4199-a82a-cf48c24ff29f_1024x731.jpeg 848w, https://substackcdn.com/image/fetch/$s_!Eo9T!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbd62b83a-cec2-4199-a82a-cf48c24ff29f_1024x731.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!Eo9T!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbd62b83a-cec2-4199-a82a-cf48c24ff29f_1024x731.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Eo9T!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbd62b83a-cec2-4199-a82a-cf48c24ff29f_1024x731.jpeg" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/bd62b83a-cec2-4199-a82a-cf48c24ff29f_1024x731.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Picture of German soldiers using a radio and an Enigma Machine&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Picture of German soldiers using a radio and an Enigma Machine" title="Picture of German soldiers using a radio and an Enigma Machine" srcset="https://substackcdn.com/image/fetch/$s_!Eo9T!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbd62b83a-cec2-4199-a82a-cf48c24ff29f_1024x731.jpeg 424w, https://substackcdn.com/image/fetch/$s_!Eo9T!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbd62b83a-cec2-4199-a82a-cf48c24ff29f_1024x731.jpeg 848w, https://substackcdn.com/image/fetch/$s_!Eo9T!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbd62b83a-cec2-4199-a82a-cf48c24ff29f_1024x731.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!Eo9T!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbd62b83a-cec2-4199-a82a-cf48c24ff29f_1024x731.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">German forces depended on Enigma machines to encode and decode secret messages transmitted over the radio during World War II. 
The Enigma machine is on the left. (Photo courtesy of Helge Fykse, Norway)</figcaption></figure></div><p>Throughout their collection of German cryptographic material, the Allies issued requests to friendly forces seeking these materials. When sympathetic citizens in occupied areas happened upon these valuable assets, or when forces captured them, every effort was made to protect the loot and prevent its capture from becoming known to German forces. The value of collecting these cryptographic treasures was at risk the moment their loss became known. If the Germans realized their precious machines were compromised, the value to the Allies would be nullified. Had they found out, they would have switched schemes, obscured their communications, and rendered Allied efforts pointless.</p><h3>Collection in modern cyberspace</h3><p>These same exact principles apply in the cyber realm. Attackers will collect information for many purposes. For the sake of our future dialog, we'll assume a couple of things. If it happens outside of and before the active operation, it is <a href="https://raidersofthelostarp.tech/2024/03/04/target-recon-phase-dont-make-it-too-easy/">Reconnaissance</a>. If it is collected while actively inside victim systems and used to further the attacker's operation, it is <a href="https://raidersofthelostarp.tech/2024/05/16/attcks-discovery-now-what-do-we-have-here/">Discovery</a>. Either of those may provide information that can inform <a href="https://raidersofthelostarp.tech/2024/05/06/credential-access-why-make-logging-in-so-easy/">Credential Access</a>. When we talk about the ATT&amp;CK definition of Collection, it is the process of gathering any information during the active phases of an operation that either furthers the op (Discovery &amp; Credential Access) or has intrinsic value to the victim, the market, or both. 
We've covered how the operationally significant data impacts victims, but what about the rest?</p><p>That information could be financial (banking information, credit card data, balances). This data is useful in either embarrassing the victim or allowing a malicious actor to abuse them. Healthcare data, intellectual property, diplomatic or legal information - all of these are ripe for harvest and bring value on the dark web's markets. Some data may be useful in both the operation and on the market. Databases storing credentials or PII can help inform following techniques and be sold or marketed by initial access brokers. When targeting individuals for blackmail, attackers gather audio or video recordings or photos of that target in compromising situations.</p><p>The current trend in breaches is the double extortion game. Early ransomware aimed to encrypt files to render them useless. Recent reports point toward attackers depriving the rightful owners of access while simultaneously holding that data over the victim's head, threatening to release or sell that information should ransom demands not be met.</p><h2>Collection: the art of quietly accumulating anything of value</h2><p>The MITRE ATT&amp;CK entry for Collection (<a href="https://attack.mitre.org/tactics/TA0009/">TA0009</a>) lists 17 techniques and 20 sub-techniques. These cover a lot of methods for gleaning information. 
These many techniques vary most by the types of information they hope to collect.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!8hrk!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7fa06734-c86c-49ec-b2d2-71f13ab9c2df_210x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!8hrk!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7fa06734-c86c-49ec-b2d2-71f13ab9c2df_210x1024.png 424w, https://substackcdn.com/image/fetch/$s_!8hrk!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7fa06734-c86c-49ec-b2d2-71f13ab9c2df_210x1024.png 848w, https://substackcdn.com/image/fetch/$s_!8hrk!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7fa06734-c86c-49ec-b2d2-71f13ab9c2df_210x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!8hrk!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7fa06734-c86c-49ec-b2d2-71f13ab9c2df_210x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!8hrk!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7fa06734-c86c-49ec-b2d2-71f13ab9c2df_210x1024.png" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7fa06734-c86c-49ec-b2d2-71f13ab9c2df_210x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!8hrk!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7fa06734-c86c-49ec-b2d2-71f13ab9c2df_210x1024.png 424w, https://substackcdn.com/image/fetch/$s_!8hrk!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7fa06734-c86c-49ec-b2d2-71f13ab9c2df_210x1024.png 848w, https://substackcdn.com/image/fetch/$s_!8hrk!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7fa06734-c86c-49ec-b2d2-71f13ab9c2df_210x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!8hrk!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7fa06734-c86c-49ec-b2d2-71f13ab9c2df_210x1024.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><h3>It's not personal, or maybe it is?</h3><p>These ATT&amp;CK collection techniques lean more toward gaining information that could be used post-breach to embarrass, compromise, or otherwise disadvantage the victim. 
Due to the very personal nature of these techniques, they tend to be used against individuals and are combined with social engineering to play on fear, stress, and desperation. Extortion or blackmail information may be gathered through many of these methods, but Audio Capture (<a href="https://attack.mitre.org/techniques/T1123/">T1123</a>) and Video Capture (<a href="https://attack.mitre.org/techniques/T1125/">T1125</a>) are primarily focused on this use case.</p><h3>Useful in both furthering objectives and ransom scenarios</h3><p>Screen Capture (<a href="https://attack.mitre.org/techniques/T1113/">T1113</a>) can also be useful in ransom/extortion scenarios, but it also offers a means by which to steal credentials, sensitive business data, or other information with more corporate uses. Input Capture (<a href="https://attack.mitre.org/techniques/T1056/">T1056</a>) and Email Collection (<a href="https://attack.mitre.org/techniques/T1114/">T1114</a>) are likewise multi-use techniques, feeding future operations and generating ransom fodder. Clipboard Data (<a href="https://attack.mitre.org/techniques/T1115">T1115</a>) takes advantage of user habits, where typical behavior sees a lot of cutting and pasting of credentials and PII.</p><p>Further from the user's own actions, Data from Cloud Storage (<a href="https://attack.mitre.org/techniques/T1530">T1530</a>), Removable Media (<a href="https://attack.mitre.org/techniques/T1025">T1025</a>), Local System (<a href="https://attack.mitre.org/techniques/T1005">T1005</a>), and Network Shared Drive (<a href="https://attack.mitre.org/techniques/T1039">T1039</a>) are all potential treasure troves that could offer both operationally significant data and embarrassing or sensitive information. 
Data from Information Repositories (<a href="https://attack.mitre.org/techniques/T1213">T1213</a>) or Configuration Repositories (<a href="https://attack.mitre.org/techniques/T1602">T1602</a>) tend to be more focused on corporate information, but that data may assist in pushing deeper into the target environment while boosting the value on dark web clearing houses.</p><p>Data in motion is also up for grabs. Adversary-in-the-Middle (<a href="https://attack.mitre.org/techniques/T1557">T1557</a>) sees attackers intercepting data to pull it "off the wire", with hopes that the victim is none the wiser. Browser Session Hijacking (<a href="https://attack.mitre.org/techniques/T1185">T1185</a>) goes right to the client and allows not just interception, but potential poisoning of data or extended access to applications while posing as the legitimate user.</p><h3>Getting organized</h3><p>A number of the techniques in the ATT&amp;CK Collection tactic are focused not on capturing the information, but on processing or moving it for later use. Archive Collected Data (<a href="https://attack.mitre.org/techniques/T1560">T1560</a>) prepares the data for efficient exfiltration, and may involve compression, archival, or encryption as part of performing it. This may happen in concert with staging that information at collection points, as described by the Data Staged (<a href="https://attack.mitre.org/techniques/T1074">T1074</a>) technique. 
Some tools use Automated Collection (<a href="https://attack.mitre.org/techniques/T1119">T1119</a>) - key loggers and CLI parsers can pattern match to pull useful data for adversaries to look into later.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!NPJ2!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F999e2d70-6250-43c3-83a9-1d671e2116a4_1024x639.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!NPJ2!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F999e2d70-6250-43c3-83a9-1d671e2116a4_1024x639.png 424w, https://substackcdn.com/image/fetch/$s_!NPJ2!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F999e2d70-6250-43c3-83a9-1d671e2116a4_1024x639.png 848w, https://substackcdn.com/image/fetch/$s_!NPJ2!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F999e2d70-6250-43c3-83a9-1d671e2116a4_1024x639.png 1272w, https://substackcdn.com/image/fetch/$s_!NPJ2!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F999e2d70-6250-43c3-83a9-1d671e2116a4_1024x639.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!NPJ2!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F999e2d70-6250-43c3-83a9-1d671e2116a4_1024x639.png" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/999e2d70-6250-43c3-83a9-1d671e2116a4_1024x639.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!NPJ2!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F999e2d70-6250-43c3-83a9-1d671e2116a4_1024x639.png 424w, https://substackcdn.com/image/fetch/$s_!NPJ2!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F999e2d70-6250-43c3-83a9-1d671e2116a4_1024x639.png 848w, https://substackcdn.com/image/fetch/$s_!NPJ2!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F999e2d70-6250-43c3-83a9-1d671e2116a4_1024x639.png 1272w, https://substackcdn.com/image/fetch/$s_!NPJ2!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F999e2d70-6250-43c3-83a9-1d671e2116a4_1024x639.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">IcedID uses a robust attack chain, including very methodical Collection techniques to harvest information. 
Here they are searching paths and looking for useful data to collect for future exfiltration (from The DFIR Report's <a href="https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#collection">awesome reporting</a>)</figcaption></figure></div><h2>How can we mitigate Collection?</h2><p>The ATT&amp;CK Collection techniques often come in groups. Pulling the information in the first place is only part of the tactic. The adversary must also get it somewhere they can exfiltrate it from or access it to assess its value. It may be impossible to prevent some of these techniques due to the use of system LOLBins, but detection will depend on a mix of behavioral analytics and a firm understanding of what 'normal' is for your environments.</p><h3>Suggestions</h3><p>Here are some things to focus on:</p><ul><li><p><strong>User Training and Awareness</strong> - as with many of the prior tactics, your users are the first line of defense. They are very capable detectors - train them to recognize strange behaviors and use common sense while operating.</p></li><li><p><strong>Segmentation</strong> of all types guards against putting all eggs in one basket. Breaches happen - ensure they do not include all data in one fell swoop. Create friction, and that will improve detectability as adversaries will make more noise.</p></li><li><p><strong>Harden Systems</strong> and turn off unused or lower-security protocols. Many sniffing and AiTM techniques take advantage of services that have no place in a modern environment. Shut them down!</p></li><li><p><strong>Access Control and Privilege Management</strong> - by ensuring need to know and evaluating posture before allowing access, you reduce the risk of all-out compromise tremendously.</p></li><li><p><strong>Encryption</strong> isn't infallible, but done right it renders the stealing of information useless for now. 
Even better, look for ways to implement quantum-resistant methods so as to avoid exposure later, when adversaries can apply quantum computing to your locked secrets.</p></li><li><p><strong>Behavioral analytics</strong> - establishing a baseline and monitoring for strange behaviors addresses future attacks, even when signatures don't yet exist. Data hoarding alerts, collection events, and strange interactions between usually unrelated entities will tip you off.</p></li><li><p><strong>Log and audit</strong> - access to any sensitive data, files, or systems should be readily auditable. It isn't exciting, but it is immensely helpful.</p></li></ul><h2>Conclusion</h2><p>Adversaries know that collection only really helps if they can get away with it. Prevention sure would be nice for a defender, but detection can allow disruption and corrective action before the adversary can take advantage of their newfound loot. The Allies' efforts to break Enigma only worked because they were able to collect and exfiltrate the needed information without detection. More importantly, Alan Turing was able to lead a team to build a first-of-its-kind computer to break it, feed that information to British and American Intelligence, and impact the war. 
If Germans had good auditing, segmentation, and access control or PAM, the Allies would have had a different outcome, and we may have been subjected to The Man in the High Castle as an alternate outcome.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!xE6J!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1f2bf25-938e-4e64-943c-efeec9203f84_1024x768.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!xE6J!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1f2bf25-938e-4e64-943c-efeec9203f84_1024x768.jpeg 424w, https://substackcdn.com/image/fetch/$s_!xE6J!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1f2bf25-938e-4e64-943c-efeec9203f84_1024x768.jpeg 848w, https://substackcdn.com/image/fetch/$s_!xE6J!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1f2bf25-938e-4e64-943c-efeec9203f84_1024x768.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!xE6J!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1f2bf25-938e-4e64-943c-efeec9203f84_1024x768.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!xE6J!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1f2bf25-938e-4e64-943c-efeec9203f84_1024x768.jpeg" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a1f2bf25-938e-4e64-943c-efeec9203f84_1024x768.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!xE6J!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1f2bf25-938e-4e64-943c-efeec9203f84_1024x768.jpeg 424w, https://substackcdn.com/image/fetch/$s_!xE6J!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1f2bf25-938e-4e64-943c-efeec9203f84_1024x768.jpeg 848w, https://substackcdn.com/image/fetch/$s_!xE6J!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1f2bf25-938e-4e64-943c-efeec9203f84_1024x768.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!xE6J!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1f2bf25-938e-4e64-943c-efeec9203f84_1024x768.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">Don't let your adversary have so much time with your data that they can get away with reverse engineering your entire mission critical applications, folks. Alan Turing did exactly that, and it changed everything!</figcaption></figure></div><p>We should strive to detect more, and to do so earlier. 
That affords us more options and less urgency, and if we buy additional time by encrypting our information, we stand a chance of avoiding real impact.</p><p>I hope this ATT&amp;CK Collection entry in the series has been helpful - thank you for reading and feel free to comment below!</p>]]></content:encoded></item><item><title><![CDATA[What’s causing Mike’s Indigestion now? Do you recall, Central Park in Fall? (13 June 2024)]]></title><description><![CDATA[Good evening, folks!]]></description><link>https://www.raidersofthelostarp.tech/p/whats-causing-mikes-indigestion-now-change-recall</link><guid isPermaLink="false">https://www.raidersofthelostarp.tech/p/whats-causing-mikes-indigestion-now-change-recall</guid><dc:creator><![CDATA[Mike McPhee]]></dc:creator><pubDate>Thu, 13 Jun 2024 22:17:16 GMT</pubDate><enclosure url="https://images.raidersofthelostarp.tech/2024/06/mikey_mac_cartoon_of_middle-aged_indiana_jones_with_a_beard_wat_2f2669d9-60dd-476b-85e8-8acd8268479b.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!OlZG!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20b04791-9d72-4e59-8e33-5d7812924c31_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!OlZG!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20b04791-9d72-4e59-8e33-5d7812924c31_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!OlZG!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20b04791-9d72-4e59-8e33-5d7812924c31_1024x1024.png 848w, 
https://substackcdn.com/image/fetch/$s_!OlZG!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20b04791-9d72-4e59-8e33-5d7812924c31_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!OlZG!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20b04791-9d72-4e59-8e33-5d7812924c31_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!OlZG!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20b04791-9d72-4e59-8e33-5d7812924c31_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/20b04791-9d72-4e59-8e33-5d7812924c31_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1206524,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.raidersofthelostarp.tech/i/190625003?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20b04791-9d72-4e59-8e33-5d7812924c31_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!OlZG!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20b04791-9d72-4e59-8e33-5d7812924c31_1024x1024.png 424w, 
https://substackcdn.com/image/fetch/$s_!OlZG!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20b04791-9d72-4e59-8e33-5d7812924c31_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!OlZG!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20b04791-9d72-4e59-8e33-5d7812924c31_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!OlZG!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F20b04791-9d72-4e59-8e33-5d7812924c31_1024x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>Good evening, folks! It has been a while since my last news update. You probably recall that these have gotten a lot longer over time, so in an effort to respect our time, I will change my approach and aim for shorter. Lots to unpack lately, but one of the headline grabbers is all about setting bad precedents in ransomware response. Microsoft made one of the most confusing decisions for 'security' that anyone has seen, and we're also going to have a lot more AI-related news, so let's buckle up!</p><h2>Be the Change you want to see...</h2><p>As you probably recall, Change Healthcare (subsidiary of UnitedHealthcare) had a dumpster fire of a response to a major breach. The ransomware event whose saga we covered over the last few months continues to damage everyone. First, it appears that in the time since they paid their $22M ransom, Ransomware-as-a-Service groups have stepped up the pace and <a href="https://www.wired.com/story/change-healthcare-22-million-payment-ransomware-spike/">44 more healthcare-related firms</a> were hit in just the month following the payout. Recorded Future, who was quoted by Wired with that stat, said it was the second-biggest single-month jump in ransom events they have ever seen.</p><p>Senator Ron Wyden (D-OR) has taken a <a href="https://www.finance.senate.gov/chairmans-news/wyden-urges-biden-administration-to-investigate-unitedhealth-group-negligent-cybersecurity">pretty clear position</a> in calling for the FTC and SEC to investigate Change UHC's governance and leadership team. He's not wrong - he pointedly called out that it was their decision to hire someone lacking the proper experience as CISO, and their decision not to support him appropriately. Congress rarely grasps how tech-related issues should work, but Senator Wyden is spot on. 
Let's hope this becomes a template - until larger firms are held accountable for lapses that would sink smaller ones, they will continue to prioritize profits over us.</p><p>I say 'us' because 1/3rd of Americans had their data breached in the Change incident and because over 1 million patients were impacted by stalled prescriptions and care for upwards of 2 months, no doubt costing some lives. Add in the impact to clinics, providers, and pharmacies that were unable to pay their bills thanks to Change's costly negligence, and the impact to the economy is still tangible.</p><p>Go get them, Senator.</p><h2>Totally Reluctant Recall</h2><p>If you have been keeping score at home, the past couple of years have been even worse for Microsoft than UHC. After showing huge improvements in core product security efficacy from roughly 2016-2021, someone decided they needed to drive margins with security sales. Talk about a conflict of interest! In the 2 years since, a steady deluge of breaches and missteps resulted in a lot of rightful scrutiny by partners, customers, and even US government investigators and lawmakers. But their market share in the EDR and SIEM space continues to grow - congrats (I guess?)!!! The Cyber Safety Review Board <a href="https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf">lit them up</a>. This culminated with their <a href="https://www.microsoft.com/en-us/security/blog/2024/05/03/security-above-all-else-expanding-microsofts-secure-future-initiative/">Secure Future Initiative</a> in early May - a promise to make security an essential part of what they do. Nice, right?</p><p>Someone should have told the product management folks and marketing team. 
But change is temporary, and in late May Microsoft introduced a new AI-driven feature called <a href="https://support.microsoft.com/en-us/windows/retrace-your-steps-with-recall-aa03f8a0-a78b-4b3e-b0a1-2eb8ac48701c">Recall</a>, which would provide a full 3-year look-back over everything done on the machine. Despite <a href="https://doublepulsar.com/how-the-new-microsoft-recall-feature-fundamentally-undermines-windows-security-aa072829f218">early objections</a> to the sheer stupidity of collecting EVERYTHING (credentials, personal information, forms, searches, web history) and applying AI to it, they stuck to their guns and claimed all was well because it would be stored locally. Luckily no one ever managed to compromise a Windows endpoint before and get local privileges. (No sarcasm font to switch to in this template.)</p><p>Well, they finally recanted and <a href="https://www.wired.com/story/microsoft-recall-off-default-security-concerns/">decided not to enable it by default</a>. But Congress hauled the CEO in for <a href="https://thecyberexpress.com/microsoft-security-hearing/">another round</a>, and more promises were made. Should we celebrate? (Font limitation again.) What is confounding is that this comes hot on the heels of their SFI pledge and huge pressure &amp; congressional testimony. That it never occurred to them that this was a super bad idea is insane.</p><h2>This week in AI...</h2><p>There is going to be a duality of AI use forever. Both sides will need it to get an edge up, and much like the invention of gunpowder, guidance systems, and aircraft, you don't want to be the side without it. While legitimately bad people are <a href="https://thecyberexpress.com/ai-threats-cybersecurity-uses-gartner/">using it to automate and improve their adversarial tactics</a> (like many APTs), it is with some trepidation that one of our frequently featured companies makes headlines in this space. 
Well, it seems <a href="https://arstechnica.com/information-technology/2024/05/microsoft-launches-ai-chatbot-for-spies/">Microsoft has released a chat bot for spies</a> based on ChatGPT. It is supposed to be hosted on a separate air-gapped tenant, but given the issues they have protecting their own senior leadership email accounts and Azure tenants, there is room for skepticism.</p><p>AI-as-a-Service options are also hitting the market, and a <a href="https://www.darkreading.com/cloud-security/critical-flaw-in-replicate-ai-platform-exposes-customer-models-proprietary-data">recent study</a> by Wiz discovered that the market still has a long way to go to address gaps and leakage issues. I would just be happy if we evaluated AI uses in a more holistic sense. This <a href="https://www.linkedin.com/feed/update/urn:li:activity:7203387778707918848/">LinkedIn post</a> really captures and distills it down very well!</p><h2>Things I am keeping an eye on</h2><ul><li><p><a href="https://raidersofthelostarp.tech/2023/11/17/weekly-threat-update-scattered-spider/">Scattered Spider</a>, a threat we've mentioned in the past, is <a href="https://thecyberexpress.com/unc3944-shifts-focus-to-data-theft-from-saas/">shifting its focus</a> to SaaS platforms. Gotta respect always wanting to get better!</p></li><li><p>Sophos threat researchers uncovered a <a href="https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive/">very intricate campaign</a> that involves DLL side-loading and targets virtualized workloads in a VMWare environment. Lots of LOLBins in use there, and it speaks to the fluency of these threat actors!</p></li><li><p>CISA has been doing some amazing work in helping raise awareness and secure everyone. 
I guess it was only a matter of time before scammers tried to <a href="https://thecyberexpress.com/cisa-warns-of-phone-scammers-impersonating/">impersonate CISA employees</a> and fool victims.</p></li><li><p>Veeam (a popular enterprise backup solution) has a <a href="https://www.bleepingcomputer.com/news/security/exploit-for-veeam-recovery-orchestrator-auth-bypass-available-patch-now/">critical RCE</a> that needs to be addressed pronto. We are already seeing adversaries go after backup solutions, as they are often relied upon but seldom protected adequately by their users.</p></li><li><p>Ivanti continues to smolder, with yet another <a href="https://www.darkreading.com/application-security/poc-exploit-critical-rce-bug-ivanti-endpoint-manager">high-profile flaw</a> in another security solution. I feel for these poor folks, but there isn't an E for effort in this space :(</p></li></ul><h2>Conclusion</h2><p>Well folks, I haven't read much, but I plan on it now that Cisco Live and a bunch of other high-importance stuff is behind me. I will look for some new ways to change how I deliver this. Thank you for reading, and as always - please engage in the comments below! 
Have a great weekend!</p>]]></content:encoded></item><item><title><![CDATA[Lateral Movement:  a ruthless pivot from invasion to infection!]]></title><description><![CDATA[It has been almost a month since my last MITRE ATT&CK Tactic-focused entry, and I apologize!]]></description><link>https://www.raidersofthelostarp.tech/p/lateral-movement-a-ruthless-pivot-from-invasion-to-infection</link><guid isPermaLink="false">https://www.raidersofthelostarp.tech/p/lateral-movement-a-ruthless-pivot-from-invasion-to-infection</guid><dc:creator><![CDATA[Mike McPhee]]></dc:creator><pubDate>Tue, 11 Jun 2024 08:39:37 GMT</pubDate><enclosure url="https://images.raidersofthelostarp.tech/2024/06/mikey_mac_soldiers_moving_quickly_behind_a_hedgerow_to_flank_th_8c3e29cb-dd57-4ae5-ba7e-bd466e77c408.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!ITCE!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd9950151-599f-4b18-95bf-51ba298f3c9f_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!ITCE!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd9950151-599f-4b18-95bf-51ba298f3c9f_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!ITCE!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd9950151-599f-4b18-95bf-51ba298f3c9f_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!ITCE!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd9950151-599f-4b18-95bf-51ba298f3c9f_1024x1024.png 1272w, 
https://substackcdn.com/image/fetch/$s_!ITCE!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd9950151-599f-4b18-95bf-51ba298f3c9f_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!ITCE!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd9950151-599f-4b18-95bf-51ba298f3c9f_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d9950151-599f-4b18-95bf-51ba298f3c9f_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1683601,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.raidersofthelostarp.tech/i/190625002?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd9950151-599f-4b18-95bf-51ba298f3c9f_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!ITCE!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd9950151-599f-4b18-95bf-51ba298f3c9f_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!ITCE!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd9950151-599f-4b18-95bf-51ba298f3c9f_1024x1024.png 848w, 
https://substackcdn.com/image/fetch/$s_!ITCE!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd9950151-599f-4b18-95bf-51ba298f3c9f_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!ITCE!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd9950151-599f-4b18-95bf-51ba298f3c9f_1024x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>It has been almost a month since my last <a 
href="https://raidersofthelostarp.tech/2023/11/05/worry-less-and-know-your-enemy-with-mitre-attck/">MITRE ATT&amp;CK</a> Tactic-focused entry, and I apologize! When we discussed <a href="https://raidersofthelostarp.tech/2024/05/16/attcks-discovery-now-what-do-we-have-here/">Discovery</a>, we saw many ways adversaries explore the target environment after <a href="https://raidersofthelostarp.tech/2024/03/18/initial-access-its-go-time-for-an-adversary-attck/">Initial Access</a>. Depending on the threat, that information might be used for any number of malicious goals. Threat actors locate files and credentials of interest and uncover details of defenses and configurations. They could learn compromising information about a victim. Many aim to gain illicit access to victims' financial or intellectual property. Almost every threat actor plans on expanding their reach and pivoting throughout an environment. This "lateral movement" allows the attacker to spread activities out, impact more systems, and achieve even greater levels of persistence. Whether a cyber adversary or an invading army, lateral movement is essential to many other goals or tactics. So let's take a look at how the ATT&amp;CK tactic of Lateral Movement works!</p><h2>The Importance of Lateral Movement</h2><p>Defenders lack resources, yet they must react to many adversary behaviors. When an attacker expands their front, it imparts stress and uncertainty to that defender. Some activity may be overt, and that alone may cause strain. With the sophistication of attackers increasing, however, they haunt defenders with the very real possibility that they are missing some activity. What is going on that they don't know about? Where else does evil lurk? 
While defenders focus on the known areas of compromise, what does that do to weaken as-yet uninvolved areas of the environment?</p><p><a href="https://attack.mitre.org/tactics/TA0008/">Lateral Movement (TA0008)</a> is a group of techniques that an adversary deploys to gain access to and control of additional systems in the target environment. Attackers without Lateral Movement cannot hope to impact their victims. In traditional warfare, defenders would more often quickly encircle and repel invaders who could not maneuver. For cyber warfare it is no different. Adversaries without it must compromise each target remotely, one at a time. This is noisy, cumbersome, and in many cases impossible.</p><h3>"We&#8217;re paratroopers, lieutenant - we're supposed to be surrounded"</h3><p>As I began writing this on the anniversary of D-Day (6 June 1944), I think it is probably fitting to look at how lateral movement was critical to the Allies' invasion. As we mentioned in the Discovery piece, the landing of infantry and insertion of airborne troops were far from perfect. Strong currents took Higgins Boats far from their intended landing zones. Excessive flak (anti-aircraft fire) and winds forced frightened pilots to drop paratroopers far from assigned landing zones and at excessive speeds. Despite this, Allied forces managed to think on their feet and take what circumstances handed them. Captain Richard Winters (of 101st Airborne and HBO's "Band of Brothers" fame) delivered the quote in the heading above. Lateral movement is assumed. 
It was always part of the plan.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!6iBP!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fca4d4220-a22f-45a2-9bc5-72d4bc7a82c7_1024x524.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!6iBP!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fca4d4220-a22f-45a2-9bc5-72d4bc7a82c7_1024x524.jpeg 424w, https://substackcdn.com/image/fetch/$s_!6iBP!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fca4d4220-a22f-45a2-9bc5-72d4bc7a82c7_1024x524.jpeg 848w, https://substackcdn.com/image/fetch/$s_!6iBP!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fca4d4220-a22f-45a2-9bc5-72d4bc7a82c7_1024x524.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!6iBP!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fca4d4220-a22f-45a2-9bc5-72d4bc7a82c7_1024x524.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!6iBP!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fca4d4220-a22f-45a2-9bc5-72d4bc7a82c7_1024x524.jpeg" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ca4d4220-a22f-45a2-9bc5-72d4bc7a82c7_1024x524.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!6iBP!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fca4d4220-a22f-45a2-9bc5-72d4bc7a82c7_1024x524.jpeg 424w, https://substackcdn.com/image/fetch/$s_!6iBP!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fca4d4220-a22f-45a2-9bc5-72d4bc7a82c7_1024x524.jpeg 848w, https://substackcdn.com/image/fetch/$s_!6iBP!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fca4d4220-a22f-45a2-9bc5-72d4bc7a82c7_1024x524.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!6iBP!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fca4d4220-a22f-45a2-9bc5-72d4bc7a82c7_1024x524.jpeg 1456w" sizes="100vw"></picture><div></div></div></a><figcaption class="image-caption">Lateral Movement takes time, but it sure helps the attacker become extremely difficult to unseat.</figcaption></figure></div><p>Even had they been on-target, defeating the German defenses depended on the Allies' ability to rapidly pivot and expand the number of control points that they held before defenders could rally. 
The success of any attack hinges greatly on the momentum and positions carried by either side. As much chaos as the Allies were coping with, the German forces were now beset by the same confusion and ill-prepared to match the dynamic, on-the-fly nature of the Allied forces.</p><h3>Improvisation is key in lateral movement</h3><blockquote><p>"<em>We&#8217;ll start the war from right here.</em>"</p><p>Brigadier General Theodore Roosevelt Jr., upon landing at the wrong location on Utah Beach</p></blockquote><p>Each force in the invasion had multiple objectives laid out before them, both ranked by importance but also offering options to ensure room for improvisation. While the landing forces were largely in disarray, the decentralized command structure empowered junior officers and non-commissioned officers (NCOs - a.k.a. corporals, sergeants, and the like) to act on whichever objectives were attainable, rather than following an overly prescriptive plan. In doing so, the attackers/invaders were able to make inroads and pivot to secure many objectives deemed vital to holding their beachhead. Because all leaders in the invading force were aware of the major objectives and their relative importance, they were able to piece together forces to take important gun positions, capture strategic crossroads, and eliminate fortifications that threatened the Allied positions.</p><h3>Cyberattack Lateral Movement is no different</h3><p>Much as Allied forces relied on lateral movement to achieve their objectives, so must any threat actor. As many a coach or military leader might say, "you have to take what the opponent will give you." In cyber attacks, this usually means that initial access rarely lands on the system the attacker desires, but rather that some work and ingenuity is required to pivot and 'earn' their way into those systems. Even less-protected environments rarely see domain controllers or databases directly accessible to the Internet. 
Without Lateral Movement, ransomware operators like Conti or espionage outfits like Turla would be ineffective and their threat to defenses limited.</p><p>Threat actors seek high ground within the environment much like their traditional forebears. Domain controllers, database servers, web applications, or infrastructure devices all offer control points of interest. Many of these systems provide privileged access that is golden to sustained attacks - much like the capture and use of supply lines in a traditional conflict! Others are the end objective themselves - capturing or compromising them means victory. That may mean different things to different attackers. Stolen information, disrupted services, tainted data, or frustrated users are all end goals for different groups.</p><h2>Lateral Movement: taking what they give you</h2><p>MITRE ATT&amp;CK assigns a relatively succinct list of 9 techniques to Lateral Movement. While direct (and detectable) paths might be tempting, attackers use many techniques to gain that access. 
Some of these are more covert than others, and it is rare to see a single technique used exclusively.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Fi5s!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0536c59-e4af-4a4c-8e7d-0c40a5df482d_408x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Fi5s!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0536c59-e4af-4a4c-8e7d-0c40a5df482d_408x1024.png 424w, https://substackcdn.com/image/fetch/$s_!Fi5s!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0536c59-e4af-4a4c-8e7d-0c40a5df482d_408x1024.png 848w, https://substackcdn.com/image/fetch/$s_!Fi5s!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0536c59-e4af-4a4c-8e7d-0c40a5df482d_408x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!Fi5s!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0536c59-e4af-4a4c-8e7d-0c40a5df482d_408x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Fi5s!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0536c59-e4af-4a4c-8e7d-0c40a5df482d_408x1024.png" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e0536c59-e4af-4a4c-8e7d-0c40a5df482d_408x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!Fi5s!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0536c59-e4af-4a4c-8e7d-0c40a5df482d_408x1024.png 424w, https://substackcdn.com/image/fetch/$s_!Fi5s!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0536c59-e4af-4a4c-8e7d-0c40a5df482d_408x1024.png 848w, https://substackcdn.com/image/fetch/$s_!Fi5s!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0536c59-e4af-4a4c-8e7d-0c40a5df482d_408x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!Fi5s!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe0536c59-e4af-4a4c-8e7d-0c40a5df482d_408x1024.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">Lateral Movement may seem limited in Techniques, but there is a lot of room for innovation in each.</figcaption></figure></div><p>Several of these techniques are similar to <a href="https://raidersofthelostarp.tech/2024/03/18/initial-access-its-go-time-for-an-adversary-attck/">Initial Access</a> methods. 
Looking at you, Remote Service Session Hijacking (<a href="https://attack.mitre.org/techniques/T1563">T1563</a>), Remote Services (<a href="https://attack.mitre.org/techniques/T1021">T1021</a>), and Exploitation of Remote Services (<a href="https://attack.mitre.org/techniques/T1210">T1210</a>)! Why are they here again? Well, hopefully defenders closed those ports and protocols to outsiders, blocking them outright with a firewall or limiting their exposure using an ACL. But those same services often still have utility inside the environment itself! Once another Initial Access method is successful, the adversary looks just like a legitimate inside user on a trusted system.</p><p>Use Alternate Authentication Material (<a href="https://attack.mitre.org/techniques/T1550">T1550</a>) is hijacking on another level. In this case the adversary is taking advantage of the authentication mechanisms in place to use any domain tools or LAN-level privileges normally limited to authenticated users, administrators, etc. Exploiting remote services is bad, but those are (hopefully) rarely enabled everywhere. The same cannot be said for admin-level PowerShell, WMI, net, and SMB use.</p><p>Any of the above techniques can be fed or enhanced by Internal Spearphishing (<a href="https://attack.mitre.org/techniques/T1534">T1534</a>). This technique can be used either to steal credentials outright or to hijack session cookies and tokens.</p><p>Sometimes attackers are happy with just pivoting using LOLBins, but in some cases they bring payloads with them. 
Lateral Tool Transfer (<a href="https://attack.mitre.org/techniques/T1570">T1570</a>), Software Deployment Tools (<a href="https://attack.mitre.org/techniques/T1072">T1072</a>), Tainting Shared Content (<a href="https://attack.mitre.org/techniques/T1080">T1080</a>) and Replication through Removable Media (<a href="https://attack.mitre.org/techniques/T1091/">T1091</a>) are all ways to deliver that payload on the inside.</p><h2>How can we stymie Lateral Movement?</h2><p>Lateral Movement can be tricky to stop, so the key is to blend strong policy and hardening of systems with a well-monitored detection approach. Some of the most universal mitigations are common sense, but they can be painful without well-bounded scopes and buy-in from stakeholders:</p><ul><li><p><strong>Endpoint behavioral and execution prevention</strong> are vital to most effective defenses. These engines detect and prevent the running of scripts with abnormal strings or switches in use.</p></li><li><p><strong>System hardening</strong> nips malicious protocol or service abuse in the bud. Turning off unneeded services and limiting those that remain to very narrow use cases is the single most important measure. While you are at it, consider turning off autoruns and restricting the introduction of new hardware (USB devices, NICs) to close those holes as well.</p></li><li><p><strong>Strong authentication and account privilege management</strong> are critical. Add phish-resistant MFA, clamp down on privileges (both by user and location) and continually monitor both user and service accounts.</p></li><li><p><strong>Verify everything</strong> before allowing it to come into your environment. Sandboxing, using threat feeds, scanning for vulnerabilities, and ensuring patches are applied will cut down on the opportunities for an exploit to land on a vulnerable system.</p></li><li><p><strong>Segment the environment</strong>! 
Consider not just L2/L3 network segmentation, but division of responsibilities, segmentation of access, the use of bastion hosts, and the prohibition of mixing work &amp; play on a single browser or system.</p></li></ul><p>Balance these with detection capabilities. Network Detection &amp; Response (NDR) tools, system logs processed in an XDR or SIEM, and adjacent detections of low-prevalence executables, odd transfers, and the like will be canaries in the coal mine.</p><h2>Conclusion</h2><p>Where many of the preceding tactics offered a lot of variance, Lateral Movement tends to be more narrowly focused on using whatever is available to hop to another system. This usually means the propagation of a payload or the repeated use of favored LOLBins or remote services. While these may be tough to prevent, we have lots of behavioral means by which to detect them. This may seem easy, but two questions arise: 1) do you have the knowledge necessary to understand that a behavior is bad? and 2) once lateral movement is identified, what do you do to remediate it effectively?</p><p>The German High Command struggled with both of those questions in the time following D-Day. The German Army had innovated greatly in the first years of the war, but now found itself out-hustled and outmaneuvered by a more agile and dynamic Allied invasion. Their forces were crippled by the loss of important roads and railway exchanges. Even if they did have an accurate picture, they lacked any plan to respond. 
Their air power was outmatched and their field commands hampered by a reliance on Hitler's direct commands to alter plans.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!zBpu!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0929eccb-151e-4648-af12-b3d7452f609f_1024x576.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!zBpu!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0929eccb-151e-4648-af12-b3d7452f609f_1024x576.png 424w, https://substackcdn.com/image/fetch/$s_!zBpu!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0929eccb-151e-4648-af12-b3d7452f609f_1024x576.png 848w, https://substackcdn.com/image/fetch/$s_!zBpu!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0929eccb-151e-4648-af12-b3d7452f609f_1024x576.png 1272w, https://substackcdn.com/image/fetch/$s_!zBpu!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0929eccb-151e-4648-af12-b3d7452f609f_1024x576.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!zBpu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0929eccb-151e-4648-af12-b3d7452f609f_1024x576.png" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/0929eccb-151e-4648-af12-b3d7452f609f_1024x576.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;Screenshot showing TinyTurla NG's typical operation flow in early 2024.&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="Screenshot showing TinyTurla NG's typical operation flow in early 2024." title="Screenshot showing TinyTurla NG's typical operation flow in early 2024." srcset="https://substackcdn.com/image/fetch/$s_!zBpu!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0929eccb-151e-4648-af12-b3d7452f609f_1024x576.png 424w, https://substackcdn.com/image/fetch/$s_!zBpu!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0929eccb-151e-4648-af12-b3d7452f609f_1024x576.png 848w, https://substackcdn.com/image/fetch/$s_!zBpu!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0929eccb-151e-4648-af12-b3d7452f609f_1024x576.png 1272w, https://substackcdn.com/image/fetch/$s_!zBpu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0929eccb-151e-4648-af12-b3d7452f609f_1024x576.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">TinyTurlaNG, a lateral movement heavy operation run by a Russian APT, is full of LOLBins and detectable TTPs. 
We only need to listen!</figcaption></figure></div><p>Cyber defenders don't have to fall victim to this. Look at TinyTurla NG's operational flow above. We're not moving troops or gaining &amp; losing real estate here, we're defending digital environments where the line between success and failure comes down to using what you have. 43 mitigations exist in MITRE's ATT&amp;CK database, and well over half of those are present in your environment's own systems (OS, infrastructure, etc.). Are they dormant? And of the detection or data sources, are you listening to them? Most of what even a major APT is using against us is detectable or preventable (or both). Disrupt them!</p><p>I hope this long-awaited blog post is useful to you - please let me know what you think and feel free to weigh in in the comments! Have a great week!</p>]]></content:encoded></item><item><title><![CDATA[Discovery: Now what do we have here?]]></title><description><![CDATA[The 9th tactic in the MITRE ATT&CK Enterprise Matrix is a fun one.]]></description><link>https://www.raidersofthelostarp.tech/p/attcks-discovery-now-what-do-we-have-here</link><guid isPermaLink="false">https://www.raidersofthelostarp.tech/p/attcks-discovery-now-what-do-we-have-here</guid><dc:creator><![CDATA[Mike McPhee]]></dc:creator><pubDate>Thu, 16 May 2024 08:16:34 GMT</pubDate><enclosure url="https://images.raidersofthelostarp.tech/2024/05/mikey_mac_world_war_II_paratrooper_landing_in_a_data_center_a08ddf70-dc02-4536-ba75-2d495c13d64b.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!T22o!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5add704b-b8b4-45ff-adbe-dd52cd347bf6_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" 
srcset="https://substackcdn.com/image/fetch/$s_!T22o!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5add704b-b8b4-45ff-adbe-dd52cd347bf6_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!T22o!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5add704b-b8b4-45ff-adbe-dd52cd347bf6_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!T22o!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5add704b-b8b4-45ff-adbe-dd52cd347bf6_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!T22o!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5add704b-b8b4-45ff-adbe-dd52cd347bf6_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!T22o!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5add704b-b8b4-45ff-adbe-dd52cd347bf6_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5add704b-b8b4-45ff-adbe-dd52cd347bf6_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1781189,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.raidersofthelostarp.tech/i/190625001?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5add704b-b8b4-45ff-adbe-dd52cd347bf6_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" 
class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!T22o!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5add704b-b8b4-45ff-adbe-dd52cd347bf6_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!T22o!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5add704b-b8b4-45ff-adbe-dd52cd347bf6_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!T22o!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5add704b-b8b4-45ff-adbe-dd52cd347bf6_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!T22o!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5add704b-b8b4-45ff-adbe-dd52cd347bf6_1024x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" 
stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>The 9th tactic in the <a href="https://attack.mitre.org/matrices/enterprise/">MITRE ATT&amp;CK Enterprise Matrix</a> is a fun one. ATT&amp;CK's <a href="https://attack.mitre.org/tactics/TA0007/">Discovery</a> is essential in any operation. No matter how solid the prior recon efforts are, circumstances change. All of the preparation in the world can't replace updated intelligence. To be effective and achieve the end goals, adversaries need to dig deeper and gain knowledge of the environment. Both physical adversaries and cyber adversaries practice this behavior, but with slightly different stakes. In both cases, the discovery efforts not only help refocus the operation and steer towards objectives, but they also offer intel that can help the adversary cover their tracks. Let's take a look at how discovery happens and what it can bring!</p><h2>The importance of Discovery</h2><p><a href="https://raidersofthelostarp.tech/2024/03/04/target-recon-phase-dont-make-it-too-easy/">Reconnaissance (TA0043)</a> equips adversaries with an idea of what they will encounter. This step's value is unquestionable. Much of the operation's early stages are influenced by those findings. Traditional invaders might have insight on garrison levels, weapon locations, relative morale, and command structure. 
Cyber adversaries similarly will use recon to determine the <a href="https://raidersofthelostarp.tech/2024/03/18/initial-access-its-go-time-for-an-adversary-attck/">initial access</a> method, some <a href="https://raidersofthelostarp.tech/2024/05/06/credential-access-why-make-logging-in-so-easy/">starter identities</a>, and systems and defenses they'll likely face. But recon alone has its limits. There is no substitute for being there - for seeing the lay of the land and adjusting accordingly. Recon prior to an incursion can't reveal all conditions, and it will not be able to predict movements and adjustments made by the defenders. Similarly, cyber recon is unable to reveal more technical details, such as paths, locations, registry entries and the like. Once inside an environment, adversaries must gain these insights to inform their next steps.</p><p>Discovery techniques help adversaries uncover lots of useful nuggets. What sorts of defensive tools, policies, and configurations are in place? Where have the defenders hidden their secrets or sensitive information? What tools do the target systems offer that may be of use? With this information, adversaries adjust their plans to more quietly and reliably obtain their end goals.</p><pre><code>meterpreter &gt; powershell_execute 'Get-Process | Where-Object -Property Name -EQ "lsass"'
[+] Command execution completed:

Handles  NPM(K) PM(K)  WS(K)     CPU(s)     Id  SI ProcessName
-------  ------ -----  -----     ------     --  -- -----------
   1213      25  5643  18200       1.17    231   0 lsass</code></pre><p>Tracking down hashes for credential access is a super popular goal in ATT&amp;CK's Discovery techniques. Here the adversary is using a meterpreter session but abusing PowerShell to glean the information.</p><h3>Discovery's role in correcting assumptions: June 6th, 1944</h3><p>For almost two years of World War II, several of the Allies (US, UK, Canada, the Free French Forces, and units from Poland, Belgium, Netherlands, and Norway) planned the invasion at Normandy. Veterans of the campaign recall the extensive use of sand tables and the selection of English countryside environments that best mimicked the eventual access paths through Omaha, Utah, Juno, Gold, and Sword Beaches. The paratroopers and glider infantry were similarly drilled. The planners chose these locations and tactics based on the best reconnaissance available over that time. They selected these initial access vectors for the invasion based on an assessment of the German "Atlantic Wall" fortifications and perceived troop strengths.</p><blockquote><p>"Do not try to make circumstances fit your plans. Make plans that fit the circumstances."</p><p>General George S. Patton (who was not at D-Day and instead used as the commander of a Deception plan, Operation Bodyguard)</p></blockquote><p>This recon and intelligence was perishable and incomplete. Weather, tides, and misinterpreted aerial photographs saw most beach landings and airborne drops miss their marks, encounter unforeseen obstacles, or meet heavier German resistance. By the end of the first day, not a single Allied objective had been accomplished. Had the Allies placed too much importance on their recon, the invasion would have failed. Luckily, Eisenhower and his staff understood the importance of improvisation. 
Soldiers landing in Normandy quickly assessed their surroundings, discovered the resources and paths available to them, and coordinated attacks and movements no amount of pre-invasion planning could have anticipated.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!v8IU!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F398a704f-67d3-441a-b309-36fa5d14b884_1024x865.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!v8IU!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F398a704f-67d3-441a-b309-36fa5d14b884_1024x865.jpeg 424w, https://substackcdn.com/image/fetch/$s_!v8IU!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F398a704f-67d3-441a-b309-36fa5d14b884_1024x865.jpeg 848w, https://substackcdn.com/image/fetch/$s_!v8IU!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F398a704f-67d3-441a-b309-36fa5d14b884_1024x865.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!v8IU!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F398a704f-67d3-441a-b309-36fa5d14b884_1024x865.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!v8IU!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F398a704f-67d3-441a-b309-36fa5d14b884_1024x865.jpeg" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/398a704f-67d3-441a-b309-36fa5d14b884_1024x865.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!v8IU!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F398a704f-67d3-441a-b309-36fa5d14b884_1024x865.jpeg 424w, https://substackcdn.com/image/fetch/$s_!v8IU!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F398a704f-67d3-441a-b309-36fa5d14b884_1024x865.jpeg 848w, https://substackcdn.com/image/fetch/$s_!v8IU!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F398a704f-67d3-441a-b309-36fa5d14b884_1024x865.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!v8IU!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F398a704f-67d3-441a-b309-36fa5d14b884_1024x865.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">Needless to say, everyone from Eisenhower on down hoped for better news after their initial access, but they did not let their less-than-graceful start hold them up for long. 
(from the Montgomery account "Normandy to the Baltic" as shown <a href="https://alondoninheritance.com/out-of-london/the-6th-june-1944-d-day-in-maps/">here</a>.)</figcaption></figure></div><h3>Adversarial Agility: Discovery's role in cyber attacks</h3><p>Any Red Teams or adversaries worth their salt use discovery as an essential element of their operations. Unless the target environment was freshly breached or already accessed by the adversary or their friends, it will be impossible to account for all of the detailed on-system information that they'll need. Information hogs the spotlight, but in recent years savvy attackers also look for tools in target systems that they can abuse - the so-called Living-off-the-Land binaries (LOLBins). The new orientation with respect to objectives and an assessment of available tools dramatically influence the plans of a sophisticated threat actor. Some threat actors, like <a href="https://attack.mitre.org/groups/G0018/">Admin@338</a>, focus a great deal of their time exploring after their initial access, as seen below.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!4njF!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc55820b1-7ba1-4ef8-8a97-9aecb0367847_896x978.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!4njF!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc55820b1-7ba1-4ef8-8a97-9aecb0367847_896x978.png 424w, https://substackcdn.com/image/fetch/$s_!4njF!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc55820b1-7ba1-4ef8-8a97-9aecb0367847_896x978.png 848w, 
https://substackcdn.com/image/fetch/$s_!4njF!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc55820b1-7ba1-4ef8-8a97-9aecb0367847_896x978.png 1272w, https://substackcdn.com/image/fetch/$s_!4njF!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc55820b1-7ba1-4ef8-8a97-9aecb0367847_896x978.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!4njF!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc55820b1-7ba1-4ef8-8a97-9aecb0367847_896x978.png" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c55820b1-7ba1-4ef8-8a97-9aecb0367847_896x978.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!4njF!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc55820b1-7ba1-4ef8-8a97-9aecb0367847_896x978.png 424w, https://substackcdn.com/image/fetch/$s_!4njF!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc55820b1-7ba1-4ef8-8a97-9aecb0367847_896x978.png 848w, 
https://substackcdn.com/image/fetch/$s_!4njF!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc55820b1-7ba1-4ef8-8a97-9aecb0367847_896x978.png 1272w, https://substackcdn.com/image/fetch/$s_!4njF!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc55820b1-7ba1-4ef8-8a97-9aecb0367847_896x978.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">ADMIN@338 seems to have no qualms about sneaking a peek once inside the target environment, using 'advanced' Windows tools like dir, netstat, ipconfig, and systeminfo (from <a href="https://ma-insights.vercel.app/adversaries">https://ma-insights.vercel.app/adversaries</a>)</figcaption></figure></div><p>Looking at some more notable campaigns in cybersecurity lore, <a href="https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/">STUXNET</a> stands out here. In the 2007-2010 time frame, a state-sponsored adversary delivered multiple surgically tailored malware payloads to an air-gapped environment with the objective of disrupting the Iranian regime's ability to enrich Uranium for weapons. Iran's antagonists went so far as to uncover specific model numbers and versions of firmware running on Iranian centrifuges. They also spent considerable time after initial access making small tweaks to their actions and measuring the impact. The cryptic messaging and reactions of the Iranian scientists were in effect feedback from discovery activities, and allowed the attackers to adjust their work for greater impact. 
For what it is worth, Kim Zetter's book "<a href="https://www.barnesandnoble.com/w/countdown-to-zero-day-kim-zetter/1116864204">Countdown to Zero Day</a>" is a fantastic look at this modern caper, and shows what extremes an APT may take ATT&amp;CK's Discovery to!</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!r6bh!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff287df08-82b6-4ed3-bb0a-b32d4be18241_800x450.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!r6bh!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff287df08-82b6-4ed3-bb0a-b32d4be18241_800x450.jpeg 424w, https://substackcdn.com/image/fetch/$s_!r6bh!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff287df08-82b6-4ed3-bb0a-b32d4be18241_800x450.jpeg 848w, https://substackcdn.com/image/fetch/$s_!r6bh!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff287df08-82b6-4ed3-bb0a-b32d4be18241_800x450.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!r6bh!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff287df08-82b6-4ed3-bb0a-b32d4be18241_800x450.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!r6bh!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff287df08-82b6-4ed3-bb0a-b32d4be18241_800x450.jpeg" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f287df08-82b6-4ed3-bb0a-b32d4be18241_800x450.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!r6bh!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff287df08-82b6-4ed3-bb0a-b32d4be18241_800x450.jpeg 424w, https://substackcdn.com/image/fetch/$s_!r6bh!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff287df08-82b6-4ed3-bb0a-b32d4be18241_800x450.jpeg 848w, https://substackcdn.com/image/fetch/$s_!r6bh!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff287df08-82b6-4ed3-bb0a-b32d4be18241_800x450.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!r6bh!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff287df08-82b6-4ed3-bb0a-b32d4be18241_800x450.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">Stuxnet's more detailed attack chains are a lesson in patience and surgical precision, but even in this FT rendering, Stage 3 shows the importance of the malware-driven discovery to proceed.</figcaption></figure></div><h2>Discovery: if you're not cheating, you're not trying (apparently)</h2><p>ATT&amp;CK's <a 
href="https://attack.mitre.org/tactics/TA0007/">Discovery (TA0007)</a> Tactic offers a ton of variety in the 32 techniques it covers. Some of the techniques have a very distinct focus, and I have tried to sort them based on the primary use case. While Local System discovery used to be all the rage, cloud discovery has become a discipline all its own. Likewise, adversaries who run custom tools but fear capture spend considerable effort in evading detection techniques like sandboxes or honeypots. Network discovery is a classic with tons of variety for acquiring useful intel.</p><p>What should stand out is that there are some overlapping techniques, some of which deliver similar outcomes. I am curious to hear from folks who work in both on-premises environments and Azure just how much discovery in the two leverages similar strategies, especially around accounts and services. Adversaries have a lot of choices in how they implement their procedures, and ATT&amp;CK's Discovery pages provide a lot of insight into how adversaries carry out their ops. As an ATT&amp;CK hobbyist, these style points look like an area for significant differentiation from APT to APT.</p><h2>How do we avoid the glare of Adversary Discovery?</h2><p>Some amount of discovery activity is inevitable. And a few of the techniques should never see legitimate use, but what do we do about the rest? Most organizations should look to detect abnormal use of these techniques. The patterns of odd users in strange places reveal a lot and can even point to other behaviors that spawned them. Sometimes forgotten is that while we may not want to disable the tools used in discovery, we may be able to restrict what they have access to. The less a particular procedure discloses, the more difficult the attacker's job, and the less enticing the target environment is. 
After all, if we give up just because a direct mitigation isn't available, what fun is that?</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Shw9!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F72e50c14-4287-4a33-b2ab-6fc4bb1ccfbc_1024x110.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Shw9!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F72e50c14-4287-4a33-b2ab-6fc4bb1ccfbc_1024x110.png 424w, https://substackcdn.com/image/fetch/$s_!Shw9!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F72e50c14-4287-4a33-b2ab-6fc4bb1ccfbc_1024x110.png 848w, https://substackcdn.com/image/fetch/$s_!Shw9!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F72e50c14-4287-4a33-b2ab-6fc4bb1ccfbc_1024x110.png 1272w, https://substackcdn.com/image/fetch/$s_!Shw9!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F72e50c14-4287-4a33-b2ab-6fc4bb1ccfbc_1024x110.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Shw9!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F72e50c14-4287-4a33-b2ab-6fc4bb1ccfbc_1024x110.png" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/72e50c14-4287-4a33-b2ab-6fc4bb1ccfbc_1024x110.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!Shw9!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F72e50c14-4287-4a33-b2ab-6fc4bb1ccfbc_1024x110.png 424w, https://substackcdn.com/image/fetch/$s_!Shw9!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F72e50c14-4287-4a33-b2ab-6fc4bb1ccfbc_1024x110.png 848w, https://substackcdn.com/image/fetch/$s_!Shw9!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F72e50c14-4287-4a33-b2ab-6fc4bb1ccfbc_1024x110.png 1272w, https://substackcdn.com/image/fetch/$s_!Shw9!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F72e50c14-4287-4a33-b2ab-6fc4bb1ccfbc_1024x110.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">Don't give up, folks! 
You can still detect and take a higher level action!</figcaption></figure></div><p>So what are those potential mitigations?</p><ul><li><p><strong>Harden the environment:</strong> operating system and infrastructure device configurations should include restrictions on who can enumerate information.</p></li><li><p><strong>User Account Management: </strong>strict permissions and privileged account management are essential to reducing the danger posed by an incursion. Add MFA in there too while you are at it!</p></li><li><p><strong>Log Collection &amp; Monitoring: </strong>the abuse of LOLBins in an environment is most easily seen in logs, whether from the OS itself or from an EDR agent protecting it. Looking for command execution, process creation, or API calls (which may call for other API-focused detection solutions) is invaluable.</p></li><li><p><strong>Access Restrictions &amp; Segmentation:</strong> along with User Account Management, this bucket of mitigations ensures that the span of what an adversary can see is severely restricted. Think of this as obfuscation - like a smoke screen or the use of hedgerows in your environment.</p></li><li><p><strong>Audit:</strong> in domains, trust relationships tie closely with roles and services. Make sure those are configured properly and track any changes.</p></li><li><p><strong>Encryption:</strong> at rest or in motion, it is harder for adversaries to harvest sensitive information if you make it unreadable. Not perfect, but it can reduce the impact of a leak!</p></li></ul><h2>Conclusion</h2><p>Discovery is where a lot of adversaries end up developing habits, and those habits become behaviors we can detect. As you explore MITRE ATT&amp;CK's database, it is amazing how many of the techniques in ATT&amp;CK's Discovery tactic lack a reasonable mitigation. Every one of these techniques, however, has a data source listed (previously known as detections). 
These are key to reacting in time to the inevitable discovery activities of your adversary.</p><p>The German High Command missed some of those opportunities, or downplayed them altogether. It may be that they were still convinced that a larger landing may hit Calais, or that they were thrown off by the same chaos the Allies were when so many paratroopers and glider infantry were dropped way off course. One side improvised heavily, supported by the trust and preparation offered them by their command structure. The other was highly centralized, and inflexible. One shudders to think what would have happened if Hitler had not kept 3 Panzer divisions in reserve by his orders alone. Or if he had instilled more autonomy into his field generals to improvise and respond.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!xOsJ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd59fe79a-2574-4e11-9b1d-34d6a9993374_1024x524.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!xOsJ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd59fe79a-2574-4e11-9b1d-34d6a9993374_1024x524.jpeg 424w, https://substackcdn.com/image/fetch/$s_!xOsJ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd59fe79a-2574-4e11-9b1d-34d6a9993374_1024x524.jpeg 848w, https://substackcdn.com/image/fetch/$s_!xOsJ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd59fe79a-2574-4e11-9b1d-34d6a9993374_1024x524.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!xOsJ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd59fe79a-2574-4e11-9b1d-34d6a9993374_1024x524.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!xOsJ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd59fe79a-2574-4e11-9b1d-34d6a9993374_1024x524.jpeg" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d59fe79a-2574-4e11-9b1d-34d6a9993374_1024x524.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!xOsJ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd59fe79a-2574-4e11-9b1d-34d6a9993374_1024x524.jpeg 424w, https://substackcdn.com/image/fetch/$s_!xOsJ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd59fe79a-2574-4e11-9b1d-34d6a9993374_1024x524.jpeg 848w, https://substackcdn.com/image/fetch/$s_!xOsJ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd59fe79a-2574-4e11-9b1d-34d6a9993374_1024x524.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!xOsJ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd59fe79a-2574-4e11-9b1d-34d6a9993374_1024x524.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">Discovery and improvisation allowed the Allies to reevaluate and make progress in the days that followed. Recon alone would have been disastrous. (from the Montgomery account "Normandy to the Baltic" as shown <a href="https://alondoninheritance.com/out-of-london/the-6th-june-1944-d-day-in-maps/">here</a>.)</figcaption></figure></div><p>In our discussion of the stakes in last <a href="https://raidersofthelostarp.tech/2024/05/06/credential-access-why-make-logging-in-so-easy/">week's post</a>, we saw that the relative insulation of operating digitally offered cover and reduced tangible risk to the aggressors. They could stand to burn credential sets in their efforts, and had plenty to spare. The same can be said of ATT&amp;CK's Discovery tactic. With the exception of highly sensitive intelligence operations, or nation-state positioning inside of critical infrastructure, there is almost always room to make some mistakes or try new things. This says as much about the versatility and boldness of attackers as it does about our inability to stand in the way, or to even see it happening. So get your detection house in order, folks!</p><p>I hope this post on the MITRE ATT&amp;CK Discovery tactic has been worth the wait, and that you find it helpful! 
Please reach out if you would like to continue the conversation!</p>]]></content:encoded></item><item><title><![CDATA[Credential Access: Why make logging in so easy?]]></title><description><![CDATA[When we look at the sheer number of vectors an adversary uses to compromise or breach their target, credential compromise is right up there with phishing as the two leading sources of compromise.]]></description><link>https://www.raidersofthelostarp.tech/p/credential-access-why-make-logging-in-so-easy</link><guid isPermaLink="false">https://www.raidersofthelostarp.tech/p/credential-access-why-make-logging-in-so-easy</guid><dc:creator><![CDATA[Mike McPhee]]></dc:creator><pubDate>Mon, 06 May 2024 07:45:00 GMT</pubDate><enclosure url="https://images.raidersofthelostarp.tech/2024/05/mikey_mac_2_russian_spies_changing_their_disguises_while_escapi_4b94bf4c-8101-4296-b3d4-f81e096fc351.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!vDpQ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffdea542e-1777-47d0-ab8c-9520e75cc415_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!vDpQ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffdea542e-1777-47d0-ab8c-9520e75cc415_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!vDpQ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffdea542e-1777-47d0-ab8c-9520e75cc415_1024x1024.png 848w, 
https://substackcdn.com/image/fetch/$s_!vDpQ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffdea542e-1777-47d0-ab8c-9520e75cc415_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!vDpQ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffdea542e-1777-47d0-ab8c-9520e75cc415_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!vDpQ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffdea542e-1777-47d0-ab8c-9520e75cc415_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/fdea542e-1777-47d0-ab8c-9520e75cc415_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1884863,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.raidersofthelostarp.tech/i/190624998?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffdea542e-1777-47d0-ab8c-9520e75cc415_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!vDpQ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffdea542e-1777-47d0-ab8c-9520e75cc415_1024x1024.png 424w, 
https://substackcdn.com/image/fetch/$s_!vDpQ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffdea542e-1777-47d0-ab8c-9520e75cc415_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!vDpQ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffdea542e-1777-47d0-ab8c-9520e75cc415_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!vDpQ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffdea542e-1777-47d0-ab8c-9520e75cc415_1024x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture><div></div></div></a></figure></div><p>When we look at the sheer number of vectors an adversary uses to compromise or breach their target, credential compromise is right up there with phishing as one of the two leading sources of compromise. In fact, phishing's primary objective is to obtain credentials. Threat actors get a lot of press for creating new exploits, but isn't it easier to just log in? Stats show that detecting a breach that leveraged stolen credentials takes ~50% longer than detecting one that used other primary methods (exploits, misconfiguration, etc.). Why is that? And what can we do to make it harder? Let's talk about <a href="https://raidersofthelostarp.tech/2023/11/05/worry-less-and-know-your-enemy-with-mitre-attck/">MITRE ATT&amp;CK</a>'s 8th tactic, Credential Access!</p><h2>The importance of Credential Access</h2><p>Credential access is simply obtaining (stealing) usernames and passwords to use in other steps of an operation. While other TTPs might help an adversary create their own or bypass these creds, stolen credentials are the Holy Grail. Governments spend significant funds, time, and resources securing their own communications and safeguarding access. Sure, they spend resources protecting them from other attacks too. They'll prepare for nuclear, biological, chemical (NBC) attacks, bomb/blast resistance, and more. The White House is rumored to have anti-aircraft missiles and a huge underground bunker! All of the kinetic protection in the world cannot keep someone holding legitimate credentials from walking through a critical asset's front door. Information system resources are no different - no firewall, IDS/IPS, proxy, or other protective measure expects to block legitimate credentials.</p><h3>Ghost Stories - real world credential access!</h3><p>In 2010, the FBI uncovered a network of Russian sleeper agents operating in the United States, known as the "Illegals Program." 
These agents assumed false identities and lived for years as ordinary American citizens while secretly working for the Russian government. If you haven't seen the FX television series "<a href="https://abc.com/show/ef360ec7-6874-4989-a830-66b34ea9b212">The Americans</a>", you are missing out. There are lots of similarities there!</p><p>One of the most notorious figures in the real Illegals Program network was Anna Chapman, whose real name is Anna Kushchenko. Chapman and her fellow operatives had stolen the identities of deceased individuals to obtain forged passports and other documents, allowing them to blend seamlessly into American society. This access enabled them to gather intelligence on American political figures and policymakers. They also moved laterally to cultivate contacts with influential individuals who could provide valuable information to the Russian government. It is no wonder why this made for good TV!</p><h3>Ghosts in the wires: how stakes change the game</h3><p>The truth is, stealing and abusing identities is much easier and more common in information systems. The concepts might seem similar, but the circumstances lead in very different directions:</p><ul><li><p>Reduced workload: threat actors don't need artists, forgers, disguise experts, or the time to use them.</p></li><li><p>Simpler on-mission logistics: cyber adversaries don't need a physical logistics chain of handlers, safe houses, or dead drop locations.</p></li><li><p>Abundant and Easily Accessible identities: threat actors have the luxury of continually mining or acquiring new credentials without draining resources.</p></li><li><p>Much lower stakes: While more traditional agents find themselves in continual danger, threat actors act with relative impunity.</p></li></ul><p>This completely different spectrum of concerns and worries makes credential access both lower risk and more critical to a threat actor's operation. 
Traditional espionage efforts were used sparingly and with great care. The dark web's bountiful repositories of leaked information and accounts, together with the work of initial access brokers, equip adversaries with thousands of identities across their chosen target. And if one is caught by the defenders, the adversary feels no remorse - there are plenty of other identities at hand that can be applied in no time.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!x-45!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66879cf1-14cd-4998-9e80-1bdda8c03dea_1024x932.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!x-45!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66879cf1-14cd-4998-9e80-1bdda8c03dea_1024x932.png 424w, https://substackcdn.com/image/fetch/$s_!x-45!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66879cf1-14cd-4998-9e80-1bdda8c03dea_1024x932.png 848w, https://substackcdn.com/image/fetch/$s_!x-45!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66879cf1-14cd-4998-9e80-1bdda8c03dea_1024x932.png 1272w, https://substackcdn.com/image/fetch/$s_!x-45!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66879cf1-14cd-4998-9e80-1bdda8c03dea_1024x932.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!x-45!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66879cf1-14cd-4998-9e80-1bdda8c03dea_1024x932.png" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/66879cf1-14cd-4998-9e80-1bdda8c03dea_1024x932.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!x-45!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66879cf1-14cd-4998-9e80-1bdda8c03dea_1024x932.png 424w, https://substackcdn.com/image/fetch/$s_!x-45!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66879cf1-14cd-4998-9e80-1bdda8c03dea_1024x932.png 848w, https://substackcdn.com/image/fetch/$s_!x-45!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66879cf1-14cd-4998-9e80-1bdda8c03dea_1024x932.png 1272w, https://substackcdn.com/image/fetch/$s_!x-45!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F66879cf1-14cd-4998-9e80-1bdda8c03dea_1024x932.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">Carbanak bucks the trend of bigger APTs farming out their Credential Access, and puts a huge focus on it. Must be the focus on financials? 
(from <a href="https://ma-insights.vercel.app/adversaries">https://ma-insights.vercel.app/adversaries</a>)</figcaption></figure></div><h2>Credential Access: gaming the system &amp; abusing its rules</h2><p>After last week's post on Defense Evasion (43 techniques and 155 sub-techniques!) this should seem more manageable. Credential Access (TA0006) comes in with a fairly modest 17 techniques and 49 sub-techniques. If we take a cue from last week and attempt to categorize them, it would seem that we could group them into 4 categories: theft, intercept, forgery, or bypass.</p><p>This categorization was again up to me and my Sunday state-of-mind, but you get the gist! <a href="https://raidersofthelostarp.tech/2024/03/25/execution-ruthless-attackers-run-malicious-code-on-your-systems/">Execution</a>, <a href="https://raidersofthelostarp.tech/2024/04/29/defense-evasion-popping-flares-spraying-chaff-and-launching-decoys/">Defense Evasion</a>, <a href="https://raidersofthelostarp.tech/2024/04/21/privilege-escalation-pretending-to-be-something-better/">Privilege Escalation</a>, and <a href="https://raidersofthelostarp.tech/2024/03/18/initial-access-its-go-time-for-an-adversary-attck/">Initial Access</a> are often combined in a single operational step. Credential Access techniques are likely separate. Heck, for most identities, odds are they don't even get acquired in the same operation! Why is that?</p><h3>Credential Access as a Service? Or at least as a side-hustle</h3><p>The harvesting of identities for malicious activity can be detected by an attentive defender. Linking that activity to the operational end-goals is certain to spook the defender. Even the most notorious of state-sponsored threat actors subcontracts out the gathering of credentials whenever possible. There are a lot of good reasons for that. Many of the techniques may involve password cracking, which is a time- and resource-intensive effort, so it is best to take that offline. 
Some of the credentials used tomorrow came from yesterday's breaches - indeed it is often a primary objective of a breach to reveal caches of identities for future use!</p><p>This doesn't mean that an in-progress adversarial operation ignores these techniques altogether. Some of the techniques in this tactic aren't that easy. <a href="https://attack.mitre.org/techniques/T1528/">Stealing Application Access Tokens (T1528)</a>, <a href="https://attack.mitre.org/techniques/T1539/">Stealing Web Session Cookies (T1539)</a>, and those techniques and sub-techniques manipulating MFA will necessarily occur as-needed. They are very time-sensitive and required for lateral movement and escalation. Credentials obtained prior to an operation may also be limited to a subset of user groups. Most adversaries will augment their haul during the operation when they need a service account or an administrator's access.</p><h2>How can we protect these identities?</h2><p>If you are reading this and saying "don't we have a LOT of solutions that claim to protect these identities and the credential access?" then you are spot on. The mitigations offered by ATT&amp;CK should sound very familiar:</p><ul><li><p><strong>Least Privilege Access:</strong> limit access to only those who 1) need it and 2) demonstrate they can be trusted.</p></li><li><p><strong>Segmentation:</strong> network segmentation gets all of the love, but consider segmenting at every layer of the OSI model, and in other places. Files and folders, application services, and even the separation of work and private use should be on the table. Even Privileged Access Management fits in here!</p></li><li><p><strong>Restrict access:</strong> don't let folks do the same things from afar as they can in the DC or on the campus.</p></li><li><p><strong>Harden and patch systems:</strong> OSes are configured by default to do certain things for compatibility. Turn those off (NTLMv1, LANMAN, LLMNR, etc.). 
And follow <a href="https://www.cisecurity.org/cis-benchmarks">CIS hardening guides</a> as much as practical.</p></li><li><p><strong>Use hardened MFA:</strong> don't make it optional, and take measures to ensure only strong methods are used. Don't allow weaker SMS or 1-click options, but rather use <a href="https://www.nist.gov/blogs/cybersecurity-insights/phishing-resistance-protecting-keys-your-kingdom">phish-resistant methods</a>, non-default configurations, and throttling to harden.</p></li><li><p><strong>Log and Audit:</strong> watch login events, monitor for password spraying and brute-force attacks, and even leverage canary accounts. This goes a long way towards catching abuse before harm is done.</p></li><li><p><strong>Account Policies:</strong> combine whatever is available to make it harder on imposters. Got geolocation? Use it! Cert-based auth an option? YES PLEASE! No matter what, make it hard for folks to guess, spoof, or hijack an identity.</p></li><li><p><strong>User Training:</strong> MFA and restrictions can be seen as friction. Help users understand the why and turn them into proactive sensors for you!</p></li></ul><p>At the risk of sounding like a broken record, the above measures are critical! These steps seem simple but can be a bear - pick a couple and see them through before trying to tackle more!</p><h2>Conclusion</h2><p>We unfortunately don't see Credential Access being abused in real time very often. Inadequately trained and supported defenders lacking context and deprived of logs fail to detect legitimate credentials being abused by adversaries. Organizations all start out thinking they have a handle on it, but something happens along the way, and they end up completely missing their own credentials either being stolen or being misused. 
This applies both to traditional espionage and to cybersecurity.</p><p>Well-trained operators with sufficient telemetry and time can provide counter-espionage or blue team coverage and radically reduce this threat. The main characters in The Americans hung in there for almost 17 years! In the real world, the FBI's investigation into the Illegals Program, code-named <a href="https://en.wikipedia.org/wiki/Illegals_Program">Operation Ghost Stories</a>, eventually led to the 2010 arrest and deportation of ten Russian agents, including Chapman. This happened within a year of Chapman landing in the US, and before significant national security damage could occur.</p><p>We only hear of the failures in the cyber realm, but you can bet that success is attainable and has happened. Success here doesn't mean deportation or any diplomatic leverage, but does it need to? Show the hackers the door, and get ready for the next wave. Because it is coming.</p><p>I hope this post was informative! Please send any feedback my way :)</p>]]></content:encoded></item><item><title><![CDATA[What’s causing Mike’s Indigestion now? 
Drop it like it's hot (2 May 2024)]]></title><description><![CDATA[Good morning, folks!]]></description><link>https://www.raidersofthelostarp.tech/p/whats-causing-mikes-indigestion-now-drop-it-like-its-hot-2-may-2024</link><guid isPermaLink="false">https://www.raidersofthelostarp.tech/p/whats-causing-mikes-indigestion-now-drop-it-like-its-hot-2-may-2024</guid><dc:creator><![CDATA[Mike McPhee]]></dc:creator><pubDate>Fri, 03 May 2024 07:30:00 GMT</pubDate><enclosure url="https://images.raidersofthelostarp.tech/2024/05/mikey_mac_snoop_dog_hacking_a_computer_6b504ddf-5d47-4c2c-a1e0-c465d18e178d.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!9jZ-!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4308a9b6-7a7b-4448-a94e-f57dfa26845a_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!9jZ-!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4308a9b6-7a7b-4448-a94e-f57dfa26845a_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!9jZ-!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4308a9b6-7a7b-4448-a94e-f57dfa26845a_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!9jZ-!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4308a9b6-7a7b-4448-a94e-f57dfa26845a_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!9jZ-!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4308a9b6-7a7b-4448-a94e-f57dfa26845a_1024x1024.png 
1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!9jZ-!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4308a9b6-7a7b-4448-a94e-f57dfa26845a_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/4308a9b6-7a7b-4448-a94e-f57dfa26845a_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1537394,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.raidersofthelostarp.tech/i/190624997?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4308a9b6-7a7b-4448-a94e-f57dfa26845a_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!9jZ-!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4308a9b6-7a7b-4448-a94e-f57dfa26845a_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!9jZ-!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4308a9b6-7a7b-4448-a94e-f57dfa26845a_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!9jZ-!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4308a9b6-7a7b-4448-a94e-f57dfa26845a_1024x1024.png 1272w, 
https://substackcdn.com/image/fetch/$s_!9jZ-!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4308a9b6-7a7b-4448-a94e-f57dfa26845a_1024x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture><div></div></div></a></figure></div><p>Good morning, folks! Another week, another threat surface gets its turn in the press! While I have been working hard to prepare for the upcoming <a href="https://www.ciscolive.com/global/learn/session-catalog.html?search=%22Mike%20McPhee%22#/">Cisco Live</a> (2-6 June in Las Vegas!), news seems to be picking up before RSA Conference next week. 
This week we saw a lot of continued fallout from breaches past, variations of perimeter defense vulns, and more. We even saw yet another tool essential to many get hacked - is nothing sacred? Let's get into it!</p><h2>Playing the hits: Mobile gets some 'love'</h2><p>Please don't misunderstand this section - the <a href="https://raidersofthelostarp.tech/2024/04/25/whats-causing-mikes-indigestion-now-double-trouble-healthcare-ransom/">perimeter and infrastructure device</a> focus is still a massive concern and soaking up a lot of oxygen (Cisco, PAN, Ivanti, etc.). But it has been some time since we've seen such a rash of endpoint and mobile-related vulnerability news. That pent-up demand burst this week.</p><p>First up was macOS. Apple just <a href="https://www.sentinelone.com/labs/massive-new-adload-campaign-goes-entirely-undetected-by-apples-xprotect/">released a massive update</a> to its built-in malware protection engine, <a href="https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/web">XProtect</a>, to counter the explosion in Adload malware's use across its user base. XProtect uses <a href="https://yara.readthedocs.io/en/stable/index.html">Yara</a> rules, which makes it very transparent. The recent updates on April 30th show that Apple went to considerable lengths to shut down Adload's code base.</p><p>Next up was the Android ecosystem, within which Microsoft researchers found a <a href="https://www.bleepingcomputer.com/news/security/microsoft-warns-of-dirty-stream-attack-impacting-android-apps/">new "Dirty Stream" attack path</a> that allows a malicious app to overwrite files in another app's home directory by abusing content sharing meant to help apps work together. <a href="https://www.microsoft.com/en-us/security/blog/2024/05/01/dirty-stream-attack-discovering-and-mitigating-a-common-vulnerability-pattern-in-android-apps/">Their report</a> is in-depth and very informative. 
I haven't been able to locate any mitigation or protection steps, but things move fast!</p><p>In both cases, we're seeing novel paths to allow user devices to fall victim. These devices may not be as critical or desirable as a perimeter firewall, but they can often provide credentials or a toehold that adversaries can pivot from. Keep your stuff up-to-date, only download apps from trusted vendors, scrutinize any permissions you grant, and think about separating work and personal use on different devices, or at least with some isolation.</p><h2>Another popular SaaS family hit!</h2><p>It is pretty tough to find a company or household that doesn't use Dropbox to some degree. Dropbox Sign, from their HelloSign acquisition, is similar to DocuSign and allows official documentation to be passed for legal signatures and delivery. On April 24th, Dropbox discovered an intrusion into those systems that compromised names and email addresses. They have since added authentication information to the list of at-risk data. No word yet on who the threat actor is, but it is early, and as more <a href="https://raidersofthelostarp.tech/2023/11/08/mitre-attck-for-threat-intelligence/">TTPs</a> become known we'll certainly learn more.</p><p>Some of the company's new acquisitions are not as widely known or used. Given most software companies are in a continual state of integration, a breach of one tool often raises questions about the integrity of others. That is certainly the case here, and we'll have to see how this plays out in the investigation.</p><ul><li><p>Want to read more? This article provides background on the service and some <a href="https://www.securityweek.com/dropbox-data-breach-impacts-customer-information/">initial messaging</a>.</p></li><li><p>Want to get nerdy? The <a href="https://www.sec.gov/Archives/edgar/data/1467623/000146762324000024/dbx-20240429.htm">SEC filings</a> are something we all need to get familiar with. 
Reporting requirements and the scrutiny help clear away the spin and BS. This is where the additional PII stuff was revealed.</p></li></ul><h2>Where are they now? Change Healthcare keeps getting worse news</h2><p>UnitedHealthcare (parent company of Change Healthcare, the recently breached pharmaceutical claims processing arm) <a href="https://www.darkreading.com/cyberattacks-data-breaches/unitedhealth-congressional-testimony-rampant-security-fails">sent their CEO in front of Congress</a>, and it did not go well for him. Root causes have been slow to be shared, but now we know a stolen set of non-MFA-protected Citrix credentials played a big part. Oh, and a third of Americans were likely impacted. But knowing for sure would require that Change actually had good processes, tools, and a clue. That was not the case :(</p><p>Stay tuned on this one, folks. We'll see how the US medical quagmire handles all of this. One of the first things I encourage customers to think about is reducing complexity. Simpler systems offer less to protect and fewer quirks to secure. Eventually, it may occur to us all that shirking healthcare reform and eliminating the <a href="https://www.health.harvard.edu/blog/is-our-healthcare-system-broken-202107132542">massive profit-driven complexity</a> is starting to cost all of us way more than a tax bump. It is impacting patient outcomes, fair access, and staffing. Lives and our personal sovereignty are at stake.</p><h2>This week in AI</h2><p>We've briefly discussed the dual-use nature of <a href="https://raidersofthelostarp.tech/2023/12/08/whats-causing-mikes-indigestion-now-election-ai-cyber-threat/">AI in past entries</a>. The US Department of State and Department of Commerce use that classification for things like export control. Maybe a material or component is useful in making fine wristwatches? If that same component is also vital to the manufacture of weapons, they call it "dual use" and control who can buy it outside of the US. 
I think software should get more scrutiny than it does - certainly breach automation frameworks like Cobalt Strike would fit the bill.</p><p>I also happen to think that a similar consideration is needed for AI. Heck, ATT&amp;CK version 15 even <a href="https://attack.mitre.org/techniques/T1588/007/">gave it its own Technique and sub-techniques</a>! I know the regulation cat is out of the bag, but the same tech can offer both good and bad outcomes. Take, for instance, the <a href="https://openai.com/index/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors">threat actor use of OpenAI</a> accounts for malicious ends. A <a href="https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/">joint effort by Microsoft</a> and their close pals OpenAI focused on a who's who of state-sponsored APTs:</p><ul><li><p>Chinese threat actors Salmon Typhoon (SODIUM/APT4/Maverick Panda - purveyors of <a href="https://attack.mitre.org/software/S0018/">Sykipot Malware</a>) and Charcoal Typhoon (<a href="https://attack.mitre.org/groups/G0143/">CHROMIUM/RedHotel/Aquatic Panda</a>)</p></li><li><p>Iranian APT Crimson Sandstorm (<a href="https://attack.mitre.org/groups/G1012/">CURIUM/Imperial Kitten</a>)</p></li><li><p>North Korean actor Emerald Sleet (<a href="https://attack.mitre.org/groups/G0094/">THALLIUM/Kimsuky/Velvet Chollima</a>)</p></li><li><p>Russian APT Forest Blizzard (<a href="https://attack.mitre.org/groups/G0007/">STRONTIUM/APT28/Fancy Bear</a>)</p></li></ul><p>When you read Microsoft and OpenAI's posts, you get a sobering lesson in creative AI LLM use. Each had their own unique ways of leveraging and abusing OpenAI prior to their accounts being <a href="https://openai.com/index/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors">terminated</a>. Some focused on open-source intelligence gathering and recon, others on researching scripts, payloads and vulns. 
The <a href="https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/">Microsoft appendix</a> in particular gives you both inspiration and fear.</p><p>My point? It is probably too late, but government's and society's inability to wrangle the dual-use character of these tools will make watch components and metal alloys seem trivial by comparison.</p><h2>Things I am keeping an eye on</h2><ul><li><p>MITRE's ATT&amp;CK team <a href="https://medium.com/mitre-attack/attack-v15-26685f300acc">released a new version of ATT&amp;CK (version 15)</a>, and it includes a lot of cool stuff! AI gets its own sub-technique (Obtain Capabilities: Artificial Intelligence, T1588.007), and they expanded Cloud and Infrastructure as Code (IaC) coverage too. CTI, mobile devices, ICS, TAXII updates, and even a Splunk-friendly revision to <a href="https://car.mitre.org/">CAR</a> round it all out!</p></li><li><p>Verizon released their popular and informative <a href="https://www.verizon.com/business/resources/T674/reports/2024-dbir-data-breach-investigations-report.pdf">Data Breach Investigations Report</a> (DBIR) this week. Vuln exploitation as an initial access vector surged, and it still takes organizations around 55 days to remediate half of their critical vulnerabilities once patches are available. It's no wonder 14% of breaches now start with a vuln being exploited. Prefer the <a href="https://www.securityweek.com/verizon-dbir-2024-shows-surge-in-vulnerability-exploitation-confirmed-data-breaches/">Cliff's Notes</a>?</p></li><li><p>The <a href="https://www.ncsc.gov.uk/news/ncsc-us-partners-promote-understanding-mitigation-russian-state-sponsored-cyber-threats">UK's NCSC joined the chorus</a> (again) <a href="https://cybersecuritynews.com/ncsc-warns-russian-hackers/">warning of Russian APTs attacking critical infrastructure</a>.</p></li><li><p>Hacktivists "Anonymous Arabia" <a href="https://thecyberexpress.com/cyberattack-on-columbia-university/">claimed credit for an attack on Columbia University</a> in retaliation for police crackdowns on the pro-Palestinian protestors. 
A couple of notes - no one seems to think it happened, and aren't some Anon efforts just influence campaigns sloppily waged by other threat actors? Hmmmm.</p></li><li><p>A vulnerability-mitigation consultant was <a href="https://www.bleepingcomputer.com/news/legal/cybersecurity-consultant-arrested-after-allegedly-extorting-it-firm/">arrested for trying to extort $1.5M</a> from his former client when they let him go for being a putz.</p></li></ul><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!CR2a!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5fc20ba3-c430-43e4-b6fa-804a3c564485_400x170.gif" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!CR2a!,w_424,c_limit,f_webp,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5fc20ba3-c430-43e4-b6fa-804a3c564485_400x170.gif 424w, https://substackcdn.com/image/fetch/$s_!CR2a!,w_848,c_limit,f_webp,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5fc20ba3-c430-43e4-b6fa-804a3c564485_400x170.gif 848w, https://substackcdn.com/image/fetch/$s_!CR2a!,w_1272,c_limit,f_webp,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5fc20ba3-c430-43e4-b6fa-804a3c564485_400x170.gif 1272w, https://substackcdn.com/image/fetch/$s_!CR2a!,w_1456,c_limit,f_webp,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5fc20ba3-c430-43e4-b6fa-804a3c564485_400x170.gif 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!CR2a!,w_1456,c_limit,f_auto,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5fc20ba3-c430-43e4-b6fa-804a3c564485_400x170.gif" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5fc20ba3-c430-43e4-b6fa-804a3c564485_400x170.gif&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!CR2a!,w_424,c_limit,f_auto,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5fc20ba3-c430-43e4-b6fa-804a3c564485_400x170.gif 424w, https://substackcdn.com/image/fetch/$s_!CR2a!,w_848,c_limit,f_auto,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5fc20ba3-c430-43e4-b6fa-804a3c564485_400x170.gif 848w, https://substackcdn.com/image/fetch/$s_!CR2a!,w_1272,c_limit,f_auto,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5fc20ba3-c430-43e4-b6fa-804a3c564485_400x170.gif 1272w, https://substackcdn.com/image/fetch/$s_!CR2a!,w_1456,c_limit,f_auto,q_auto:good,fl_lossy/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5fc20ba3-c430-43e4-b6fa-804a3c564485_400x170.gif 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><h2>Good Reads</h2><ul><li><p>I am reading a lot of good threat reports in preparation for a new session of content for this Cisco Live, but I don't want to spoil the surprise. That being said, I continue to enjoy the works of my colleagues at Talos, who do a bang-up job of protecting us and <a href="https://blog.talosintelligence.com/">informing us</a>. 
They are unable to share a lot of the details on current stuff, but once in a while a good story gets out. Joe Marshall is as good as they come, and <a href="https://blog.talosintelligence.com/how-joe-marshall-helps-defend-everything-from-electrical-grids-to-grain/">this blog post</a> about his efforts to help the Ukrainian power grid defend itself is just inspiring. Check it out!</p></li></ul><p>I hope you all have a great weekend, and I look forward to engaging with you all here or in person. Hit me up if you want to chat about any of the above!</p>]]></content:encoded></item><item><title><![CDATA[Defense Evasion: Popping flares, spraying chaff, and launching decoys]]></title><description><![CDATA[This, friends, is the Big Kahuna of tactics we're talking about now!]]></description><link>https://www.raidersofthelostarp.tech/p/defense-evasion-popping-flares-spraying-chaff-and-launching-decoys</link><guid isPermaLink="false">https://www.raidersofthelostarp.tech/p/defense-evasion-popping-flares-spraying-chaff-and-launching-decoys</guid><dc:creator><![CDATA[Mike McPhee]]></dc:creator><pubDate>Mon, 29 Apr 2024 15:41:23 GMT</pubDate><enclosure url="https://images.raidersofthelostarp.tech/2024/04/mikey_mac_bearded_indiana_jones_flying_in_a_biplane_and_shootin_fcd7accf-c253-460b-8cca-bed3139b9c76.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!soEt!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb8c293ae-9bc0-4e81-8470-a39509bc6c69_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" 
srcset="https://substackcdn.com/image/fetch/$s_!soEt!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb8c293ae-9bc0-4e81-8470-a39509bc6c69_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!soEt!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb8c293ae-9bc0-4e81-8470-a39509bc6c69_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!soEt!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb8c293ae-9bc0-4e81-8470-a39509bc6c69_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!soEt!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb8c293ae-9bc0-4e81-8470-a39509bc6c69_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!soEt!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb8c293ae-9bc0-4e81-8470-a39509bc6c69_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/b8c293ae-9bc0-4e81-8470-a39509bc6c69_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:2044182,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.raidersofthelostarp.tech/i/190624996?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb8c293ae-9bc0-4e81-8470-a39509bc6c69_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" 
class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!soEt!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb8c293ae-9bc0-4e81-8470-a39509bc6c69_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!soEt!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb8c293ae-9bc0-4e81-8470-a39509bc6c69_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!soEt!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb8c293ae-9bc0-4e81-8470-a39509bc6c69_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!soEt!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb8c293ae-9bc0-4e81-8470-a39509bc6c69_1024x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" 
stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>This, friends, is the Big Kahuna of tactics we're talking about now! When I started writing this series of posts to discuss tactics, I feared the 7th tactic from the left. Why? Because we're talking about the diverse and expansive <a href="https://raidersofthelostarp.tech/2023/11/05/worry-less-and-know-your-enemy-with-mitre-attck/">ATT&amp;CK</a> Tactic of Defense Evasion. This brute contains a whopping 43 techniques and 155 sub-techniques. It is almost as if our adversaries really want to avoid detection or prevention and need options! Well, as this is so massive, we're going to take a more holistic approach to this entry.</p><h2>The importance of Defense Evasion</h2><p>Defense evasion in any context is a group of techniques that allow one to hide, mask, or escape detection, capture, or confrontation. It can also include deception techniques. Both traditional warfare and cyberspace have their equivalents, and the goal is the same: live to fight another day. In cyberspace, these techniques are almost always associated with the attacker alone, but in traditional warfare all sides may need to enlist these TTPs to avoid becoming a casualty.</p><h3>Run silent, run deep</h3><p>If you haven't seen the classic movie "<a href="https://www.imdb.com/title/tt0052151/">Run Silent, Run Deep</a>" you are missing out! Clark Gable and Burt Lancaster were solid, but the secret weapon was Don Rickles ;). While the era was different from the one I served in, the TTPs were pretty similar. When I was stationed on submarines, we always wanted options to evade. 
Our best course of action was to avoid detection in the first place. For a submariner, evading detection came down to being quiet and hiding "under the noise floor", outside the range and threshold of sonar arrays and buoys. We used a lot of different methods to stay quiet:</p><ul><li><p>Propellers were specially designed to avoid making noises that might give the boat away.</p></li><li><p>Our hulls were designed for minimal turbulence.</p></li><li><p>We had special sound-isolating mounts for everything.</p></li><li><p>Some submarines used special sound-absorbing hull tiles.</p></li><li><p>Submariners wear sneakers underway, and take precautions to avoid slamming doors or dropping tools.</p></li><li><p>We used the quietest propulsion around (for us, nuclear, although new non-nuke boats have made huge leaps here!).</p></li></ul><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!TsoM!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe07790a2-c3ee-445f-8508-320b4cd0c8b5_1024x576.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!TsoM!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe07790a2-c3ee-445f-8508-320b4cd0c8b5_1024x576.jpeg 424w, https://substackcdn.com/image/fetch/$s_!TsoM!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe07790a2-c3ee-445f-8508-320b4cd0c8b5_1024x576.jpeg 848w, https://substackcdn.com/image/fetch/$s_!TsoM!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe07790a2-c3ee-445f-8508-320b4cd0c8b5_1024x576.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!TsoM!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe07790a2-c3ee-445f-8508-320b4cd0c8b5_1024x576.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!TsoM!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe07790a2-c3ee-445f-8508-320b4cd0c8b5_1024x576.jpeg" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e07790a2-c3ee-445f-8508-320b4cd0c8b5_1024x576.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!TsoM!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe07790a2-c3ee-445f-8508-320b4cd0c8b5_1024x576.jpeg 424w, https://substackcdn.com/image/fetch/$s_!TsoM!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe07790a2-c3ee-445f-8508-320b4cd0c8b5_1024x576.jpeg 848w, https://substackcdn.com/image/fetch/$s_!TsoM!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe07790a2-c3ee-445f-8508-320b4cd0c8b5_1024x576.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!TsoM!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe07790a2-c3ee-445f-8508-320b4cd0c8b5_1024x576.jpeg 1456w" sizes="100vw"></picture><div></div></div></a><figcaption class="image-caption">"Hey guys, did anyone figure out how to turn on Windows Event Logging? I could just ask the adversary to turn it on while they are in there..."</figcaption></figure></div><p>Now if we failed at that and were detected, our only options were to either hide better, quickly, or run like hell. And if they launched a torpedo, we had two options: launch a noisemaker, and/or go to all-ahead flank, cavitating, making turns and depth changes in an effort to outrun our doom. Needless to say, we didn't like the words "torpedo evasion" a whole lot.</p><p>While I was a member of the "senior stealth service", I believe combat aircraft take similar approaches. A lot of effort and resources go into reducing the detectability of a particular aircraft. Radar cross-section is a huge focus, but minimizing heat signatures, reducing emissions, and allowing these aircraft to operate either above or below defenses is critical. Once detected, these aircraft have the ability to maneuver and attempt to outrun their opponents. They also have jamming capabilities, flares, and chaff to distract or blind the sensors.</p><h3>Threat Actors have their own flares, decoys, and chaff</h3><p>Threat actors need to evade detection to ensure their attacks survive beyond initial access. The impact of an attack or breach is only realized when the adversary has time to reach the critical data, services, or devices and affect operations. Some of the techniques hide the activity altogether; others mask or disguise it. Obviously the gold standard is to lie low. But sometimes visibility is too pervasive to overcome. 
Threat actors pretend to be legitimate users and pose their payloads, scripts, or other tools as benign. Sort of like locking onto a star destroyer and pretending to be trash prior to their jump to hyperspace.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!41fZ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff65624b-c9fa-4c2c-b66c-6bb73105bf9d_1024x930.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!41fZ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff65624b-c9fa-4c2c-b66c-6bb73105bf9d_1024x930.png 424w, https://substackcdn.com/image/fetch/$s_!41fZ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff65624b-c9fa-4c2c-b66c-6bb73105bf9d_1024x930.png 848w, https://substackcdn.com/image/fetch/$s_!41fZ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff65624b-c9fa-4c2c-b66c-6bb73105bf9d_1024x930.png 1272w, https://substackcdn.com/image/fetch/$s_!41fZ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff65624b-c9fa-4c2c-b66c-6bb73105bf9d_1024x930.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!41fZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff65624b-c9fa-4c2c-b66c-6bb73105bf9d_1024x930.png" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ff65624b-c9fa-4c2c-b66c-6bb73105bf9d_1024x930.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!41fZ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff65624b-c9fa-4c2c-b66c-6bb73105bf9d_1024x930.png 424w, https://substackcdn.com/image/fetch/$s_!41fZ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff65624b-c9fa-4c2c-b66c-6bb73105bf9d_1024x930.png 848w, https://substackcdn.com/image/fetch/$s_!41fZ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff65624b-c9fa-4c2c-b66c-6bb73105bf9d_1024x930.png 1272w, https://substackcdn.com/image/fetch/$s_!41fZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fff65624b-c9fa-4c2c-b66c-6bb73105bf9d_1024x930.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">APT28, like many venerable state-sponsored APTs spends a lot of time on Defense Evasion. It must be worthwhile! 
(from <a href="https://ma-insights.vercel.app/adversaries">https://ma-insights.vercel.app/adversaries</a>)</figcaption></figure></div><p>At the extreme, these same adversaries launch their attacks knowing full well that they will be seen. A subset of the TTPs in Defense Evasion allow them to neutralize the protective action altogether. In a harrowing scene in The Hunt for Red October, the Red October turns into the torpedo launched by the Soviet submarine Konovalov. Knowing that the Konovalov fired with its safeties set, so the torpedo could not arm inside the minimum range meant to protect the launching boat, Ramius closes the distance and the torpedo breaks up harmlessly on impact. Cyber adversaries exploit the configuration of security tools, startup scripts, or registry settings in similar fashion, or even turn those tools against other processes, taking advantage of exclusions, which act as a form of safety. Increasingly we see threat actors disable the detection and prevention tools altogether.</p><h2>Defense Evasion: throwing the defenders off the scent</h2><p>The 43 techniques and 155 sub-techniques in <a href="https://attack.mitre.org/tactics/TA0005/">Defense Evasion (TA0005)</a> are focused on three main areas: impairing security tools, obfuscating actions, and hijacking or piggybacking on legitimate processes. I took a crack at sorting them into those three categories here.</p><p>This categorization is somewhat subjective, and the techniques can overlap categories depending on their specific use case. In any case, look for these to be blended with other Tactics, as they go hand in hand. You don't rob a bank and then disguise yourself separately; you disguise yourself while robbing the bank. So I am told. 
Below is an example of Carbanak using UAC bypass to evade detection and execute mimikatz.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!8hGl!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F559411c0-1042-43d5-a74e-80ad9d1bbe2a_1024x554.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!8hGl!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F559411c0-1042-43d5-a74e-80ad9d1bbe2a_1024x554.png 424w, https://substackcdn.com/image/fetch/$s_!8hGl!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F559411c0-1042-43d5-a74e-80ad9d1bbe2a_1024x554.png 848w, https://substackcdn.com/image/fetch/$s_!8hGl!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F559411c0-1042-43d5-a74e-80ad9d1bbe2a_1024x554.png 1272w, https://substackcdn.com/image/fetch/$s_!8hGl!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F559411c0-1042-43d5-a74e-80ad9d1bbe2a_1024x554.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!8hGl!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F559411c0-1042-43d5-a74e-80ad9d1bbe2a_1024x554.png" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/559411c0-1042-43d5-a74e-80ad9d1bbe2a_1024x554.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!8hGl!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F559411c0-1042-43d5-a74e-80ad9d1bbe2a_1024x554.png 424w, https://substackcdn.com/image/fetch/$s_!8hGl!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F559411c0-1042-43d5-a74e-80ad9d1bbe2a_1024x554.png 848w, https://substackcdn.com/image/fetch/$s_!8hGl!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F559411c0-1042-43d5-a74e-80ad9d1bbe2a_1024x554.png 1272w, https://substackcdn.com/image/fetch/$s_!8hGl!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F559411c0-1042-43d5-a74e-80ad9d1bbe2a_1024x554.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">Think of Defense Evasion as a super important add-on to almost any step an adversary takes inside a target environment. 
Carbanak uses UAC bypass in multiple steps to ensure the action is taken.</figcaption></figure></div><h2>How do defenders avoid being duped?</h2><p>The sheer number of techniques and procedures in the Defense Evasion tactic makes a short discussion of <a href="https://attack.mitre.org/datasources/">detection</a> (a.k.a. Data Sources) and <a href="https://attack.mitre.org/mitigations/enterprise/">mitigations</a> impossible. But that doesn't mean we cannot try! Here are some of the top recurring mitigation themes in ATT&amp;CK for these TTPs:</p><ol><li><p><strong>Privileged Account Management</strong>: Least Privilege is super helpful here, folks!</p></li><li><p><strong>Execution Prevention</strong>: Allowlisting or exploit-prevention (ExPrev) engines are a must - any EDR/EPP needs to have those enabled.</p></li><li><p><strong>Software Restriction Policies</strong>: Code signing, approved packages, file integrity, and user/executable policy mapping prevent a wide variety of the obfuscation and hijacking TTPs.</p></li><li><p><strong>User Account Control</strong>: UAC gets a bad rap, but the frustration is a small hassle compared to the reduced risk.</p></li><li><p><strong>Log and Audit</strong>: Collect and monitor logs, folks! The OS is talking - are you listening?</p></li><li><p><strong>Behavior Prevention on Endpoint</strong>: Much like ExPrev above, but with more fuzzy math to anticipate new things.</p></li><li><p><strong>Restrict File and Directory Permissions</strong>: It gets much harder on the bad guys when we keep them hemmed into tight spots.</p></li><li><p><strong>Multi-factor Authentication</strong>: Most of the TTPs in this realm can be interrupted or curtailed with MFA in the mix. 
Balance is key, but it is worth some friction in the experience to ensure only legitimate users are involved.</p></li><li><p><strong>Update Software</strong>: Keep all software up to date, including operating systems and applications, to mitigate the exploitation of known vulnerabilities.</p></li></ol><p>Once you build a threat picture, it is worth looking at the resulting recommendations from your tailored analysis. Most folks will find the above gives them a really good start!</p><h2>Conclusion</h2><p>Defense Evasion is dirty pool, as my old bartending colleagues used to call it. It doesn't just rely on gaming the system, but on breaking it. During postmortems, defense evasion is often the tactic that causes the most embarrassment. When military units pull it off, historians write about the sheer skill of the adversary and the gullible nature of the duped, but the truth is that there are a lot of factors in play. Defense Evasion, much like Persistence and Execution, happens together with other things. It is the smokescreen under which the adversary moves through the system, disrupts a service, or exfiltrates critical data.</p><p>While evasion occurs on both the defensive and offensive sides of a traditional engagement, in cyberspace it is the adversary who more often uses these techniques. In either case, mitigating that risk depends on vigilant use of multiple detection methods. Bringing multiple sensors to bear on the same vector makes it much harder for an adversary to hide, evade, or dupe us. The parallels are uncanny: a submarine fears a single adversary, but having an entire carrier battle group chase you down is downright mortifying. The spread and complementary diversity of sensors make it so much harder to hide.</p><p>Hopefully this post has been helpful, and I look forward to any feedback or conversation this might spark!</p>]]></content:encoded></item><item><title><![CDATA[What’s causing Mike’s Indigestion now? 
Double Trouble (26 April 2024)]]></title><description><![CDATA[Hello folks!]]></description><link>https://www.raidersofthelostarp.tech/p/whats-causing-mikes-indigestion-now-double-trouble-healthcare-ransom</link><guid isPermaLink="false">https://www.raidersofthelostarp.tech/p/whats-causing-mikes-indigestion-now-double-trouble-healthcare-ransom</guid><dc:creator><![CDATA[Mike McPhee]]></dc:creator><pubDate>Thu, 25 Apr 2024 22:11:15 GMT</pubDate><enclosure url="https://images.raidersofthelostarp.tech/2024/04/mikey_mac_double_trouble_ransom_threat_83e3444b-a39a-4a7c-a9cf-da04742cb917.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!0DMp!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78b374da-6811-47d7-bb30-6d4589a3826c_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!0DMp!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78b374da-6811-47d7-bb30-6d4589a3826c_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!0DMp!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78b374da-6811-47d7-bb30-6d4589a3826c_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!0DMp!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78b374da-6811-47d7-bb30-6d4589a3826c_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!0DMp!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78b374da-6811-47d7-bb30-6d4589a3826c_1024x1024.png 1456w" 
sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!0DMp!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78b374da-6811-47d7-bb30-6d4589a3826c_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/78b374da-6811-47d7-bb30-6d4589a3826c_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:2155156,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.raidersofthelostarp.tech/i/190624993?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78b374da-6811-47d7-bb30-6d4589a3826c_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!0DMp!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78b374da-6811-47d7-bb30-6d4589a3826c_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!0DMp!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78b374da-6811-47d7-bb30-6d4589a3826c_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!0DMp!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78b374da-6811-47d7-bb30-6d4589a3826c_1024x1024.png 1272w, 
https://substackcdn.com/image/fetch/$s_!0DMp!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F78b374da-6811-47d7-bb30-6d4589a3826c_1024x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>Hello folks! It seems that there is never a dull week. To make that point abundantly clear, we have a large number of newly announced firewall vulns, some more ransomware hitting critical targets, and more state-sponsored mayhem. 
So let's get started and see what is going on!</p><h2>Healthcare under perpetual attack</h2><p>We tend to think of critical infrastructure in terms of energy, water, sewer, communications, etc. It should be noted that healthcare and financial sector folks are part of that too. Healthcare in particular is seeing a massive uptick in ransomware attacks, and this might be for a few reasons:</p><ul><li><p>Nothing creates more urgency than patient lives being impacted</p></li><li><p>Healthcare is extremely visible to the community</p></li><li><p>Hospital systems are either doing well financially or backed by governments to ensure continued operation</p></li><li><p>IT and security teams are understaffed, overworked, and overwhelmed</p></li></ul><p>This potent combination makes them an easy sector to rob, as there is a strong likelihood that the cyber-criminal will be paid and not caught. These threat actors can also take credit for exposing just how fragile the entire ecosystem is. They have targeted adjacent industries, like Change Healthcare's pharmaceutical processing arm.</p><h3>Catching up with Change Healthcare's ordeal</h3><p>After a couple of months of pretending that they had not paid a ransom, Change recently disclosed that they did indeed <a href="https://www.theregister.com/2024/04/16/change_healthcares_ransomware_attack_has/">spend $22M to recover their data</a>. Wired's Andy Greenberg was <a href="https://www.wired.com/story/change-healthcare-admits-it-paid-ransomware-hackers/">all over it</a>. The overall cost of this event is clicking in at over $1B, which should show that cutting corners on security (people, process, and technology) is yet again a poor move. The worst part? 
The ALPHV/BlackCat folks pulled an <a href="https://www.theregister.com/2024/04/08/change_healthcare_ransomware/">exit scam</a> that would make Bernie Madoff proud, and due to infighting between the RaaS vendor (<a href="https://www.securityweek.com/second-ransomware-group-extorting-change-healthcare/">RansomHub</a>) and their customer (ALPHV), Change is being extorted by RansomHub for the SAME INFORMATION because ALPHV stiffed RansomHub.</p><p>Paying the ransom is a very serious choice that each company must make, but more and more data shows that it does not save the victims. The only thing it reduces is the available budget for other things, like effective recovery and preventing re-infection. Just this week, several other healthcare and adjacent businesses were hit, like <a href="https://www.theregister.com/2024/04/18/ransomware_octapharma_plasma/">Octapharma Plasma</a> (by the BlackSuit group, HHS notice <a href="https://www.hhs.gov/sites/default/files/blacksuit-ransomware-analyst-note-tlpclear.pdf">here</a>), and LA County Health Services <a href="https://www.bleepingcomputer.com/news/security/la-county-health-services-patients-data-exposed-in-phishing-attack/">via a phishing attack</a>.</p><p>Meanwhile, a substantial number of Americans' <a href="https://www.securityweek.com/unitedhealth-says-patient-data-exposed-in-change-healthcare-cyberattack/">personal information was likely part of this breach</a>, and no amount of ransom paid can negate the danger that presents.</p><ul><li><p>Want to know more? Read about Change Healthcare's view <a href="https://www.unitedhealthgroup.com/newsroom/2024/2024-04-22-uhg-updates-on-change-healthcare-cyberattack.html">here</a>.</p></li><li><p>Want to get nerdy? The FBI's flash report on ALPHV/BlackCat is <a href="https://www.ic3.gov/Media/News/2022/220420.pdf">here</a>. 
It will be interesting to see if this was truly their big payoff before going away.</p></li></ul><h2>Nation-state threat actors pulling out all of the stops</h2><p>This week Cisco Talos disclosed the actions of a <a href="https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/">new threat actor UAT4356</a> against Cisco ASA devices, and it seems that this is a state-sponsored threat. Much of the press on state-sponsored activity centers on endpoints. Perimeter devices have seen a glut of new attention, however. <a href="https://www.darkreading.com/vulnerabilities-threats/ivanti-releases-fixes-for-more-than-2-dozen-vulnerabilities">Ivanti's VPN solution</a>, <a href="https://www.securityweek.com/palo-alto-networks-shares-remediation-advice-for-hacked-firewalls/">Palo Alto firewalls</a>, and now Cisco ASAs sit in critical parts of every network. For reasons obvious to most readers, I will not comment much further on this latest news.</p><p>State-sponsored actors have a knack for finding new ways to attack critical parts of any environment, and they love to hit places they know are bottlenecks: assets that cannot be removed. If the environment depends on them, all the better!</p><p>As with any vulnerability, immediate actions as advised by the vendor (including patching) are critical. But adversaries also know that it is hard to incur downtime in these mission-critical environments, especially in a perimeter firewall. But we must. As an industry, we need to allow for time to recover. Either we choose a small window for planned maintenance and updates, or we let attackers choose a much larger and more disruptive window for us. I can guarantee that window will cost more, disrupt more, and potentially put us out of work.</p><h2>This week in AI</h2><p>It's going to be a long wait for the US Congress and other legislative bodies worldwide to become smart enough to wrestle with AI policies. 
Meanwhile, agencies like the NSA are starting to <a href="https://www.infosecurity-magazine.com/news/nsa-launches-guidance-secure-ai/">put forward guidance</a> that can help. In this case, they <a href="https://media.defense.gov/2024/Apr/15/2003439257/-1/-1/0/CSI-DEPLOYING-AI-SYSTEMS-SECURELY.PDF">recommend 3 phases of best practices</a>, and this should be very helpful in crafting your own private AI deployment's security strategy. Regardless of whether you trust the messenger or not, the advice is pretty solid and a good start.</p><h2>Things I am keeping an eye on</h2><ul><li><p>Threat actors are <a href="https://www.darkreading.com/threat-intelligence/biggest-threat-2024-elections-kitchen-sink-attack-chains">getting ready for their</a> Christmas. We call it Election Season. Kitchen sink attack chains don't sound like a good thing.</p></li><li><p>Researchers had to <a href="https://www.bleepingcomputer.com/news/security/researchers-sinkhole-plugx-malware-server-with-25-million-unique-ips/">sinkhole over 2.5 million IP addresses</a> to neuter C2 in the PlugX malware's botnet. Holy moly.</p></li><li><p>Google Ads seem to have an issue screening their clients. A MadMxShell campaign is <a href="https://cybersecuritynews.com/google-ads-to-spread-ip-scanner/">embedding a malicious scanner</a> into the Google Ad service and tricking users into downloading the backdoor.</p></li><li><p>Software keyboards are all the rage, but 8 of 9 <a href="https://www.darkreading.com/endpoint-security/most-chinese-keyboard-apps-vulnerable-to-eavesdropping">Chinese app versions act as keyloggers</a>. Mass surveillance is a feature!</p></li><li><p>US DoJ teamed with Iceland to take <a href="https://www.infosecurity-magazine.com/news/us-takes-down-crypto-samourai/">down a crypto-mixing operation</a> called Samourai Wallet. This removes yet another player in the market for hiding illicit activities. 
Cryptocurrency is proving to be anything but safe for criminals to hide behind.</p></li><li><p>Some nation-state threat actors are advancing quickly to rival China and Russia in their efficacy. <a href="https://www.darkreading.com/cyberattacks-data-breaches/iran-dupes-military-contractors-govt-agencies-cybercampaign">Iran's IRGC apparently conducted a multi-year campaign</a> impacting hundreds of thousands of accounts across USG and US company employees.</p></li></ul><h2>Good Reads</h2><p>This week has been all about slides for CLUS for me, but these <a href="https://csrc.nist.gov/Projects/crypto-reading-club">NIST-curated talks</a> look like something I should start digging into! Tons of interesting technical content, and it might make a cool complement to the steady diet of YouTube conference recordings I tend to favor.</p><p>I hope this update finds you well and that you have a good weekend. Please feel free to reach out and continue the discussion!</p>]]></content:encoded></item><item><title><![CDATA[Privilege Escalation: Pretending to be something better!]]></title><description><![CDATA[It has been a little bit since we dove into the MITRE ATT&CK Tactics.]]></description><link>https://www.raidersofthelostarp.tech/p/privilege-escalation-pretending-to-be-something-better</link><guid isPermaLink="false">https://www.raidersofthelostarp.tech/p/privilege-escalation-pretending-to-be-something-better</guid><dc:creator><![CDATA[Mike McPhee]]></dc:creator><pubDate>Sun, 21 Apr 2024 19:54:40 GMT</pubDate><enclosure url="https://images.raidersofthelostarp.tech/2024/04/DALL·E-2024-04-21-16.23.04-A-cartoon-depicting-Benedict-Arnold-dressed-in-18th-century-American-military-attire-handing-over-a-modern-laptop-to-British-soldiers-in-period-unif.webp" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" 
href="https://substackcdn.com/image/fetch/$s_!ZJzm!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94fb455f-421d-4153-9490-1128d8fb188a_1024x1024.webp" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!ZJzm!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94fb455f-421d-4153-9490-1128d8fb188a_1024x1024.webp 424w, https://substackcdn.com/image/fetch/$s_!ZJzm!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94fb455f-421d-4153-9490-1128d8fb188a_1024x1024.webp 848w, https://substackcdn.com/image/fetch/$s_!ZJzm!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94fb455f-421d-4153-9490-1128d8fb188a_1024x1024.webp 1272w, https://substackcdn.com/image/fetch/$s_!ZJzm!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94fb455f-421d-4153-9490-1128d8fb188a_1024x1024.webp 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!ZJzm!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94fb455f-421d-4153-9490-1128d8fb188a_1024x1024.webp" width="1024" height="1024" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/94fb455f-421d-4153-9490-1128d8fb188a_1024x1024.webp&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:277652,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/webp&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.raidersofthelostarp.tech/i/190624991?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94fb455f-421d-4153-9490-1128d8fb188a_1024x1024.webp&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!ZJzm!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94fb455f-421d-4153-9490-1128d8fb188a_1024x1024.webp 424w, https://substackcdn.com/image/fetch/$s_!ZJzm!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94fb455f-421d-4153-9490-1128d8fb188a_1024x1024.webp 848w, https://substackcdn.com/image/fetch/$s_!ZJzm!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94fb455f-421d-4153-9490-1128d8fb188a_1024x1024.webp 1272w, https://substackcdn.com/image/fetch/$s_!ZJzm!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F94fb455f-421d-4153-9490-1128d8fb188a_1024x1024.webp 1456w" sizes="100vw" fetchpriority="high"></picture>
</div></a></figure></div><p>It has been a little bit since we dove into the <a href="https://raidersofthelostarp.tech/2023/11/05/worry-less-and-know-your-enemy-with-mitre-attck/">MITRE ATT&amp;CK</a> Tactics. When we left off with <a href="https://raidersofthelostarp.tech/2024/04/02/persistence-how-uninvited-attackers-avoid-being-bounced-from-the-party-attck/">Persistence</a>, we talked about how attackers maintain their leverage by opening as many ways in as possible. All use multiple vectors to cover their bases, but it is really hard to stay a step ahead and have impact if they don't get heightened permissions. History shows that attackers who can either disrupt, discredit, or even hijack the command structure can cause a whole new level of pain. 
The pinnacle of many adversaries' tactics is to be able to issue commands as if they were a highly placed commander within their target organization. It not only grants an amplifying effect, but can also hide their activity as they exploit trust. So let's take a look at ATT&amp;CK's Privilege Escalation tactic and what it means to the attacker &amp; defender.</p><h2>The importance of ATT&amp;CK's Privilege Escalation</h2><p>Defenders have it rough! They face adversaries who have nothing to lose, copious resources, and plenty of time. Their targets, however, are on exactly the opposite side of that spectrum. The folks in the trenches are desperately and valiantly defending something they value greatly. In traditional warfare, they fight to preserve their lands, avoid persecution, protect their families, or uphold their honor. More often than not, they are suffering from a lack of resources - either through attrition, embargo or blockade, or sabotage. Most importantly, defensive forces rarely choose timing - attackers tend to initiate their invasions when it best suits them, and conversely hurts the targeted forces.</p><h3>A modern study in asymmetry</h3><p>The current war in Ukraine, for instance, shows the impact of this asymmetric equation. Despite poorly trained forces, antique equipment, and crushing international pressure, Russian forces have dictated terms. The initial invasion was timed to best suit their plans. They have brought a near inexhaustible pipeline of new soldiers to bear, drawing from a mandatory draft pool that far exceeds that of Ukraine. And they have mitigated their inventory issues despite sanctions through arms deals with Syria, China, and other sympathizers. Almost as important - they are led by a regime with a disregard for humanitarian or diplomatic norms.</p><p>The result to this point? Ukrainian forces have been vastly outnumbered and forced to react, valiantly standing to prevent their own collapse. 
Their military - while well trained and respected - has had to rely on a very sporadic flow of foreign aid to stand a chance. Because they are on the defensive and dependent on so many forces outside of their control, they have been much more sensitive to the norms their attackers disregard. These circumstances cause a significant asymmetry.</p><p>Ukraine has outperformed any expectations or predictions, and that is in large part due to the impressive strength of their people and the integrity of the command structure. Imagine if they couldn't count on that?</p><h3>Traitors in the midst</h3><p>The American Revolution saw a similar asymmetry play out between British and Continental Army forces. In fact, without the injection of proficient leadership from abroad and the diplomatic efforts of several founding fathers, it could have gone another way altogether. General Washington's army absolutely needed the infusion of discipline and rigor that Prussian general Baron von Steuben brought in 1777. And with a lack of experienced leadership in the field, the addition of personalities like the Marquis de Lafayette and later General Rochambeau, Admiral de Grasse and Admiral/General d'Estaing were critical. In hindsight, it is amazing that these outside personalities were so entrusted.</p><p>A change of heart could have been disastrous, as it proved with one of America's own. We can look back at the betrayal by General Benedict Arnold with great contempt now. 
But as it was happening, it seemed unfathomable that a man so critical in earlier battles and so heroically known could be swayed to serve his enemy.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!moEB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fba1ac379-4b46-441b-acd5-6becd234ab82_835x1024.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!moEB!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fba1ac379-4b46-441b-acd5-6becd234ab82_835x1024.jpeg 424w, https://substackcdn.com/image/fetch/$s_!moEB!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fba1ac379-4b46-441b-acd5-6becd234ab82_835x1024.jpeg 848w, https://substackcdn.com/image/fetch/$s_!moEB!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fba1ac379-4b46-441b-acd5-6becd234ab82_835x1024.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!moEB!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fba1ac379-4b46-441b-acd5-6becd234ab82_835x1024.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!moEB!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fba1ac379-4b46-441b-acd5-6becd234ab82_835x1024.jpeg" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ba1ac379-4b46-441b-acd5-6becd234ab82_835x1024.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!moEB!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fba1ac379-4b46-441b-acd5-6becd234ab82_835x1024.jpeg 424w, https://substackcdn.com/image/fetch/$s_!moEB!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fba1ac379-4b46-441b-acd5-6becd234ab82_835x1024.jpeg 848w, https://substackcdn.com/image/fetch/$s_!moEB!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fba1ac379-4b46-441b-acd5-6becd234ab82_835x1024.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!moEB!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fba1ac379-4b46-441b-acd5-6becd234ab82_835x1024.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">Benedict Arnold never quite got what he wanted after betraying the Revolutionary cause.</figcaption></figure></div><p>Here is a quick recap: Arnold was a critical leader in the taking of Fort Ticonderoga, the bottling up of British forces on Lake Champlain, and most famously in turning the tide at the Battle of Saratoga. 
But the adversary (British intelligence) worked a long time to turn him to their side, leveraging his key vulnerabilities (his British loyalist wife Peggy, indebtedness, and his vanity) and eventually gaining use of his station. Were it not for the timely capture of his British handler, Arnold would have surrendered the garrison at West Point, which would have been disastrous to the Americans. They almost succeeded in leveraging their escalated privileges to take over a major control point and cause harm to the cause.</p><h3>Do we see traitors in cybersecurity too?</h3><p>I think that we have all heard of insider threats, and it is tempting to draw the equivalence. But unlike traditional warfare, cyberspace has a much greater separation of the user from their identity. It is a double-edged sword. Pros: it means we aren't too bogged down by such vulnerable ties. Cons: it is trivial for a well-equipped adversary to leverage an identity or even create one of their own to serve their purposes. Imagine if the British could just pretend to be Arnold and order the troops to vacate? Imagine if Russians could credibly convince Ukrainian forces to abandon their posts by impersonating President Zelensky or one of their generals? They don't even have to assume the identity; they can merely intercept communications or forge an order. Those have direct parallels in an IT environment.</p><p>A big difference here is that in IT environments, systems allow new identities to be created quite easily. Additionally, those same systems need ways to allow those identities to gain elevated access or execute more sensitive commands from time to time. To top it off, people aren't the only identities of consequence - services, assets, and more can have an identity and associated privileges. All of these things are much more prevalent in IT than on a traditional battlefield, and these areas are ripe for abuse. 
So let's take a look at how adversaries may do so!</p><h2>Privilege Escalation: dirty deeds done dirt cheap</h2><p>The MITRE ATT&amp;CK <a href="https://attack.mitre.org/tactics/TA0004/">Privilege Escalation (TA0004)</a> tactic comprises 14 techniques and 97 sub-techniques. Almost as expansive as <a href="https://raidersofthelostarp.tech/2024/04/02/persistence-how-uninvited-attackers-avoid-being-bounced-from-the-party-attck/">Persistence</a>! All of them seek to gain higher-level permissions. So we're going to group them logically based on the area each focuses on.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!hctd!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F897f2a79-dd0e-4d3e-9d86-b438b88c4f98_166x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!hctd!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F897f2a79-dd0e-4d3e-9d86-b438b88c4f98_166x1024.png 424w, https://substackcdn.com/image/fetch/$s_!hctd!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F897f2a79-dd0e-4d3e-9d86-b438b88c4f98_166x1024.png 848w, https://substackcdn.com/image/fetch/$s_!hctd!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F897f2a79-dd0e-4d3e-9d86-b438b88c4f98_166x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!hctd!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F897f2a79-dd0e-4d3e-9d86-b438b88c4f98_166x1024.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!hctd!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F897f2a79-dd0e-4d3e-9d86-b438b88c4f98_166x1024.png" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/897f2a79-dd0e-4d3e-9d86-b438b88c4f98_166x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!hctd!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F897f2a79-dd0e-4d3e-9d86-b438b88c4f98_166x1024.png 424w, https://substackcdn.com/image/fetch/$s_!hctd!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F897f2a79-dd0e-4d3e-9d86-b438b88c4f98_166x1024.png 848w, https://substackcdn.com/image/fetch/$s_!hctd!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F897f2a79-dd0e-4d3e-9d86-b438b88c4f98_166x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!hctd!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F897f2a79-dd0e-4d3e-9d86-b438b88c4f98_166x1024.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">Lots of ways to fake it till you make it!</figcaption></figure></div><p>If some of them are looking eerily 
familiar, good! It goes to show that some techniques can be used in multiple places to achieve different goals (Tactics). It also hints at the fact that sometimes multiple Tactics can be achieved in a single stroke. We'll see how that works below :)</p><h3>Privilege Escalation via Impersonation</h3><p>We've seen how advantageous having an insider can be. Whether they are willing accomplices or not almost doesn't matter. The sheer amount of dumps available on the dark web is a testament to the power of <a href="https://attack.mitre.org/techniques/T1078">Valid Accounts (T1078)</a>. Using these is doubly concerning - the user or service is real and has a need to operate, which means they are really hard to detect and hard to lock down if detected. Another path to looking legitimate isn't to hijack the identity but the communications from that identity - and this is where <a href="https://attack.mitre.org/techniques/T1134/">Access Token Manipulation (T1134)</a> comes into play. By stealing tokens associated with a legitimate process, they can pass off their malicious activities as benign, as if a real admin user had launched them.</p><p>Adversaries may have some valid accounts, but what if those identities didn't have the access they needed to do the job? Through <a href="https://attack.mitre.org/techniques/T1098">Account Manipulation (T1098)</a> they elevate privileges or alter permissions and assigned roles. They can even attempt <a href="https://attack.mitre.org/techniques/T1484/">Domain Policy Modification (T1484)</a> to entitle their accounts with more access. These are both tricky with proper logging in place. But who does proper logging?</p><h3>Privilege Escalation via OS process trickery</h3><p>As we have mentioned before, operating systems are complex beasts! In that complexity are many opportunities to exploit gaps or issues. 
An attacker may want to wedge themselves into a legitimate OS process for executing a program and <a href="https://attack.mitre.org/techniques/T1574">Hijack Execution Flow (T1574)</a> to escalate privileges, like ShimRAT does to bypass Windows User Account Control (UAC). With 13 sub-techniques, this Technique covers a lot of interesting ground!</p><p>Somewhat related, an attacker may decide it is easier to just take their aggression out via <a href="https://attack.mitre.org/techniques/T1055/">Process Injection (T1055)</a>. The legitimate code was going to run anyway, so they inject their malicious libraries into a process already working at a higher privilege level and let their payloads tag along! Here the OS is still intact; the adversary is simply embedding their code into something normally okay.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!klZd!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8559b9c-330b-4be6-80eb-8fab8d8be7ae_1024x796.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!klZd!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8559b9c-330b-4be6-80eb-8fab8d8be7ae_1024x796.png 424w, https://substackcdn.com/image/fetch/$s_!klZd!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8559b9c-330b-4be6-80eb-8fab8d8be7ae_1024x796.png 848w, https://substackcdn.com/image/fetch/$s_!klZd!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8559b9c-330b-4be6-80eb-8fab8d8be7ae_1024x796.png 1272w, 
https://substackcdn.com/image/fetch/$s_!klZd!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8559b9c-330b-4be6-80eb-8fab8d8be7ae_1024x796.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!klZd!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8559b9c-330b-4be6-80eb-8fab8d8be7ae_1024x796.png" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e8559b9c-330b-4be6-80eb-8fab8d8be7ae_1024x796.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!klZd!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8559b9c-330b-4be6-80eb-8fab8d8be7ae_1024x796.png 424w, https://substackcdn.com/image/fetch/$s_!klZd!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8559b9c-330b-4be6-80eb-8fab8d8be7ae_1024x796.png 848w, https://substackcdn.com/image/fetch/$s_!klZd!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8559b9c-330b-4be6-80eb-8fab8d8be7ae_1024x796.png 1272w, 
https://substackcdn.com/image/fetch/$s_!klZd!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe8559b9c-330b-4be6-80eb-8fab8d8be7ae_1024x796.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">Really cool example of APT Blind Eagle's obfuscated PowerShell script that bypassed UAC (H/T Threatmon.io)</figcaption></figure></div><p>Maybe the adversary prefers to <a href="https://attack.mitre.org/techniques/T1548/">Abuse Elevation Control Mechanisms (T1548)</a> that allow escalation on a case-by-case basis? In Linux or macOS, this is where the setuid and setgid bits come in super handy - the adversary can set these flags using chmod so that their malicious executable runs with the privileges of the file's owner or owning group. In Windows, UAC is again a popular spot to target. The Linux/macOS sudo command, APIs, and cloud role manipulation are also important vectors to be on the lookout for.</p><h3>Privilege Escalation via Boot and Schedule (revisited)</h3><p>Lastly, bad actors love to <a href="https://attack.mitre.org/techniques/T1543/">Create or Modify System Process (T1543)</a>, leverage <a href="https://attack.mitre.org/techniques/T1547">Boot or Logon Autostart Execution (T1547)</a> or modify <a href="https://attack.mitre.org/techniques/T1037">Boot or Logon Initialization Scripts (T1037)</a> to make sure that their malicious code executes at high privilege but also persists through reboots or faults. Some of these TTPs happen before protection is in place, while others take advantage of system-level privileges to avoid detection. These same principles explain the use of a <a href="https://attack.mitre.org/techniques/T1053">Scheduled Task/Job (T1053)</a>, which sometimes achieves the same results. Adversaries need to weigh detection risk vs. 
effort here, and will often combine 2 or more techniques to ensure long-term access.</p><h3>Privilege Escalation via other means</h3><p>While establishing persistence, a threat actor often escalates privileges. <a href="https://attack.mitre.org/techniques/T1546/">Event Triggered Execution (T1546)</a> is a handy way to gain long-term access, and if done properly can ensure that access is at admin or system-level privileges.</p><p>With most workloads and applications now running in some sort of abstraction, a new attack surface arises! Both container and virtual machine environments must consider the possibility of <a href="https://attack.mitre.org/techniques/T1611/">Escape to Host (T1611)</a> as a vector. Adversaries may create images that map to host resources and allow unforeseen access. They may even abuse hypervisor, Kubernetes or Docker processes and APIs to cause damage to the underlying layers. This relates closely to <a href="https://attack.mitre.org/techniques/T1068/">Exploitation for Privilege Escalation (T1068)</a>, which covers <strong>any</strong> vulnerability in software (host, app, and everything in between) that lets an attacker execute code they control. 
Many Metasploit scripts, for instance, achieve privilege escalation by finding known vulns and capitalizing on them.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!5T21!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1cd26fe9-0440-4300-af60-943dec62a4dd_658x312.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!5T21!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1cd26fe9-0440-4300-af60-943dec62a4dd_658x312.png 424w, https://substackcdn.com/image/fetch/$s_!5T21!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1cd26fe9-0440-4300-af60-943dec62a4dd_658x312.png 848w, https://substackcdn.com/image/fetch/$s_!5T21!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1cd26fe9-0440-4300-af60-943dec62a4dd_658x312.png 1272w, https://substackcdn.com/image/fetch/$s_!5T21!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1cd26fe9-0440-4300-af60-943dec62a4dd_658x312.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!5T21!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1cd26fe9-0440-4300-af60-943dec62a4dd_658x312.png" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1cd26fe9-0440-4300-af60-943dec62a4dd_658x312.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!5T21!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1cd26fe9-0440-4300-af60-943dec62a4dd_658x312.png 424w, https://substackcdn.com/image/fetch/$s_!5T21!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1cd26fe9-0440-4300-af60-943dec62a4dd_658x312.png 848w, https://substackcdn.com/image/fetch/$s_!5T21!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1cd26fe9-0440-4300-af60-943dec62a4dd_658x312.png 1272w, https://substackcdn.com/image/fetch/$s_!5T21!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1cd26fe9-0440-4300-af60-943dec62a4dd_658x312.png 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">Metasploit and other frameworks make identifying and exploiting vulnerable software easy!</figcaption></figure></div><h2>How can we mitigate or prevent Privilege Escalation?</h2><p>As attackers gain access to higher authorization and privileges, they are empowered to do more. 
Not only do they have more access and deeper impact, but they also have access to commands that can obfuscate their presence, or cover their tracks! Had Benedict Arnold not been implicated in correspondence carried by his British handler, he likely would have doomed the Revolution. One can surmise that the Ukrainian government is continually monitoring for similar activity, and protecting the integrity of their command &amp; control networks to avoid this same outcome.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!C3aV!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51993add-8c67-4269-b263-7f4f6dbd4983_720x1000.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!C3aV!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51993add-8c67-4269-b263-7f4f6dbd4983_720x1000.jpeg 424w, https://substackcdn.com/image/fetch/$s_!C3aV!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51993add-8c67-4269-b263-7f4f6dbd4983_720x1000.jpeg 848w, https://substackcdn.com/image/fetch/$s_!C3aV!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51993add-8c67-4269-b263-7f4f6dbd4983_720x1000.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!C3aV!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51993add-8c67-4269-b263-7f4f6dbd4983_720x1000.jpeg 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!C3aV!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51993add-8c67-4269-b263-7f4f6dbd4983_720x1000.jpeg" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/51993add-8c67-4269-b263-7f4f6dbd4983_720x1000.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!C3aV!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51993add-8c67-4269-b263-7f4f6dbd4983_720x1000.jpeg 424w, https://substackcdn.com/image/fetch/$s_!C3aV!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51993add-8c67-4269-b263-7f4f6dbd4983_720x1000.jpeg 848w, https://substackcdn.com/image/fetch/$s_!C3aV!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51993add-8c67-4269-b263-7f4f6dbd4983_720x1000.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!C3aV!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F51993add-8c67-4269-b263-7f4f6dbd4983_720x1000.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">West Point (now the US Military Academy) controlled the Hudson River - its fall would have allowed British 
forces to divide the colonies in two.</figcaption></figure></div><h3>So what now?</h3><p>So how can defenders on the cyber battlefield mitigate or eliminate this threat?</p><ul><li><p>Log and audit, folks! We all can do a better job monitoring the OS logs for our devices and infrastructure. Yes, they are chatty. Take advantage of things like Microsoft's <a href="https://learn.microsoft.com/en-us/sysinternals/">Sysinternals</a> and <a href="https://github.com/SwiftOnSecurity/sysmon-config">SwiftOnSecurity's Sysmon template</a>, or <a href="https://github.com/trimstray/the-practical-linux-hardening-guide/wiki/Auditd">Auditd</a> if you're using Linux. This step will allow you to see when something fishy is going on.</p></li><li><p>Ensure that the OS mechanisms discussed above are disabled or properly hardened. The Center for Internet Security's <a href="https://www.cisecurity.org/cis-benchmarks">benchmarks &amp; hardening guides</a> spend a lot of time ensuring that any work-around is harder to take advantage of.</p></li><li><p>Use privileged account management features and privileged access management (PAM) tools. Sounds simple, but that additional process overhead can prevent a lot of pain.</p></li><li><p>Monitor and restrict file and registry access. Many of the TTPs we discussed above take advantage of injecting into scripts, libraries, or executables, or accessing them for cover. Use signed code whenever possible! Limit software installs and downloads as much as possible and retrain users to understand why.</p></li><li><p>Ratchet down on user, group and local admin privileges. The lower the adversary must start, the harder it will be for them to climb the ladder. Don't forget service accounts too! And local accounts are the bane of any security program's existence.</p></li><li><p>Sandbox and isolate properly, especially for containers and VMs. 
Some supply chain security is a huge help here - validate upstream repositories and vendors are clean before going to production.</p></li><li><p>Patch your code!</p></li></ul><h2>Conclusion</h2><p>Privilege Escalation is nasty stuff, folks! And the more we prevent it, the more we interrupt adversary plans for causing damage, moving laterally, stealing information, or operating long term in our environments. The Continental Army learned the game of espionage quickly, but their efforts in counter-espionage were what saved their revolution from a disastrous end. The Ukrainians have also learned that quickly, and in a few years we may see it was vital to their survival. That same vigilance is necessary in cyberspace. Success can mean the entire game - for both sides. Don't make it easy on the adversary to win! Make their loss embarrassing!</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!00mo!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F668827d5-16f8-4227-8985-a68be90cf21c_1024x802.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!00mo!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F668827d5-16f8-4227-8985-a68be90cf21c_1024x802.jpeg 424w, https://substackcdn.com/image/fetch/$s_!00mo!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F668827d5-16f8-4227-8985-a68be90cf21c_1024x802.jpeg 848w, https://substackcdn.com/image/fetch/$s_!00mo!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F668827d5-16f8-4227-8985-a68be90cf21c_1024x802.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!00mo!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F668827d5-16f8-4227-8985-a68be90cf21c_1024x802.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!00mo!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F668827d5-16f8-4227-8985-a68be90cf21c_1024x802.jpeg" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/668827d5-16f8-4227-8985-a68be90cf21c_1024x802.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!00mo!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F668827d5-16f8-4227-8985-a68be90cf21c_1024x802.jpeg 424w, https://substackcdn.com/image/fetch/$s_!00mo!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F668827d5-16f8-4227-8985-a68be90cf21c_1024x802.jpeg 848w, https://substackcdn.com/image/fetch/$s_!00mo!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F668827d5-16f8-4227-8985-a68be90cf21c_1024x802.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!00mo!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F668827d5-16f8-4227-8985-a68be90cf21c_1024x802.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div></div></div></a><figcaption class="image-caption">The British never made Benedict and Peggy rich, but at least he got a plaque for his treachery.</figcaption></figure></div><p>I hope that this post was helpful in understanding the role privileges play in cyberspace. Much of what an attacker wants to accomplish hinges on the Privilege Escalation tactic being successful. In subsequent posts, we'll take a look at the possibilities that unlocking privileges can grant. As always, let me know if this is helpful, and have a great week folks!</p>]]></content:encoded></item><item><title><![CDATA[What’s causing Mike’s Indigestion now? Everybody Hurts (19 April 2024)]]></title><description><![CDATA[I was on the road until yesterday, but I wanted to get back on the blog and update horse.]]></description><link>https://www.raidersofthelostarp.tech/p/whats-causing-mikes-indigestion-now-everybody-hurts-ransomware-mitre-ai</link><guid isPermaLink="false">https://www.raidersofthelostarp.tech/p/whats-causing-mikes-indigestion-now-everybody-hurts-ransomware-mitre-ai</guid><dc:creator><![CDATA[Mike McPhee]]></dc:creator><pubDate>Sat, 20 Apr 2024 16:09:58 GMT</pubDate><enclosure url="https://images.raidersofthelostarp.tech/2024/04/mikey_mac_cartoon_of_a_bearded_indiana_jones_bruised_and_batter_5e8220db-599b-497d-8682-eada7c02a066.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!QJtK!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9fc0579-539b-4749-92ab-b24b8c0d058e_1024x1024.png" 
data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!QJtK!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9fc0579-539b-4749-92ab-b24b8c0d058e_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!QJtK!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9fc0579-539b-4749-92ab-b24b8c0d058e_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!QJtK!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9fc0579-539b-4749-92ab-b24b8c0d058e_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!QJtK!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9fc0579-539b-4749-92ab-b24b8c0d058e_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!QJtK!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9fc0579-539b-4749-92ab-b24b8c0d058e_1024x1024.png" width="1024" height="1024" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a9fc0579-539b-4749-92ab-b24b8c0d058e_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1788651,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.raidersofthelostarp.tech/i/190624990?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9fc0579-539b-4749-92ab-b24b8c0d058e_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!QJtK!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9fc0579-539b-4749-92ab-b24b8c0d058e_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!QJtK!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9fc0579-539b-4749-92ab-b24b8c0d058e_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!QJtK!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9fc0579-539b-4749-92ab-b24b8c0d058e_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!QJtK!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa9fc0579-539b-4749-92ab-b24b8c0d058e_1024x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture><div></div></div></a></figure></div><p>I was on the road until yesterday, but I wanted to get back on the blog and update horse. So here we are! After learning about and supporting the launch of a new solution, I got sucked into some saved news articles and blogs on the trip home that convinced me we need to rethink a lot of things to get caught up with adversaries. Ransomware operators are constantly evolving; we should too! And no one has it figured out, as we'll see in a couple of paragraphs. So let's think outside of the magic quadrants and waves about new ways to solve our problems.</p><h2>Ransomware re-spins show resilience where we don't need it</h2><p>The sheer number of ransomware operations is growing exponentially. Ransomware-as-a-Service (RaaS) certainly drives this, but the options attackers can use are also growing. 
While Lockbit and Emotet garner a lot of law enforcement attention, other ransomware operators are evolving to fill the void and capture market share. Yep, RaaS is a market all its own - stand by for an evil version of Gartner to pop up and start ranking them!</p><p>It seems that HelloKitty - the folks who attempted to <a href="https://blog.talosintelligence.com/recent-cyber-attack/">ransom/extort Cisco in 2022</a> - have <a href="https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-rebrands-releases-cd-projekt-and-cisco-data/">relaunched as HelloGookie</a>. As part of this "news release" they released source code from previous hacks of CD Projekt (a game developer) and information they claim was related to that Cisco breach. Tracked since 2020 and covering hypervisors like ESXi, both Windows and Linux OSes, and using other tactics, it seems they are looking to branch out.</p><p>And then there is Akira, who is <a href="https://thehackernews.com/2024/04/akira-ransomware-gang-extorts-42.html">now extorting Linux</a> and racked up $42M in total proceeds as of January.</p><p>One of the O.G. criminal actors, FIN7, has even <a href="https://thehackernews.com/2024/04/fin7-cybercrime-group-targeting-us-auto.html">revived Carbanak</a> to offer a backdoor to auto industry players through a new "free IP scanner" ruse. Stay vigilant, and for goodness sake don't use free tools you don't understand!</p><h2>Even thought leaders have bad days</h2><p>MITRE, the non-profit organization that brings us awesome projects like the Common Vulnerabilities and Exposures (CVE) Database, or the Adversarial Tactics, Techniques, and Common Knowledge (<a href="https://raidersofthelostarp.tech/2023/11/05/worry-less-and-know-your-enemy-with-mitre-attck/">ATT&amp;CK</a>) Database, was recently hit by a <a href="https://cybersecuritynews.com/mitre-hacked/">supply chain attack</a>. 
Lest we think they only operate in these tools, keep in mind that they do a ton of research and policy development for the US Government. Lots of sensitive stuff! So when we find out that the <a href="https://www.mitre.org/news-insights/news-release/mitre-response-cyber-attack-one-its-rd-networks">notorious Ivanti VPN issues impacted them</a> as well, it raises some alarms.</p><p>So far, they have only announced this breach impacting the Networked Experimentation, Research, and Virtualization Environment (NERVE), which is a shared R&amp;D network. This is good - MITRE also contributes heavily to energy, transportation, telecommunications, and other critical areas.</p><ul><li><p>Want to read more? MITRE's <a href="https://www.mitre.org/news-insights/news-release/mitre-response-cyber-attack-one-its-rd-networks">official release</a> of the breach notification is here. It openly affirms that they plan to disclose more as time goes on. Openness is key, folks!</p></li><li><p>Want to get nerdy? MITRE CTID's <a href="https://medium.com/mitre-engenuity/advanced-cyber-threats-impact-even-the-most-prepared-56444e980dc8">own post</a> sharing the process is fascinating and well-written, and is firmly in the "well done" category of honest disclosure! And it is very instructive to see CTID using their own creation (ATT&amp;CK) to detail the entire picture, including the under-utilized Data Sources and Mitigations categories, as well as related efforts like <a href="https://engage.mitre.org">Engage</a>. Not to be too self-possessed, they also point to great resources from <a href="https://www.cisa.gov/">CISA</a>, the US Executive Branch, and multiple 3rd party intelligence sources. Nicely done folks!</p></li></ul><h2>This week in AI</h2><p>AI continues to advance at a rapid clip, and it feels like we're well past controlling its evolution. A couple of interesting, fascinating, and deeply concerning articles hit me this week while I was on the road. 
Meta <a href="https://arstechnica.com/information-technology/2024/04/meta-releases-chatgpt-like-ai-site-and-open-weights-llama-3-model/">announced the newest version</a> (3) of its Llama LLM this week. Almost buried in the story? The LLM continued to learn even after Meta stopped training it. I am no AI guru, but it would seem we need fail-safes in LLMs to ensure that they abide by boundaries. Especially when <a href="https://www.darkreading.com/threat-intelligence/gpt-4-can-exploit-most-vulns-just-by-reading-threat-advisories">a sobering report by the folks at UIUC</a> shows that adversaries are quickly weaponizing LLMs like GPT-4. Armed with only threat advisories, threat actors enlisted GPT-4 to automatically carry out exploits against the posted vulnerabilities.</p><p>And if you're worried about influence campaigns leveraging AI, it is <a href="https://arstechnica.com/information-technology/2024/04/microsofts-vasa-1-can-deepfake-a-person-with-one-photo-and-one-audio-track/">only getting easier</a>. China's APTs are scary enough, but their <a href="https://therecord.media/china-ai-influence-operations">branching into AI </a>scares the crap out of me. And this just complements <a href="https://www.darkreading.com/ics-ot-security/fbi-director-wray-issues-dire-warning-on-chinas-cybersecurity-threat">their adjacent activity</a> in compromising critical infrastructure.</p><p>Thank goodness we have regulations and laws coming to help contain the risk, right? Think of all the gaps we discuss around cybersecurity. Open positions, pay vs. responsibility, lack of entry level, poor budgets, insufficient or non-existent processes. One we need to address pronto? The knowledge gap in government policy makers. Governments of all sizes and levels are <a href="https://www.securityweek.com/first-major-attempts-to-regulate-ai-face-headwinds-from-all-sides/">proving woefully inadequate</a> in addressing these critical questions. 
I fear they're too far behind to ever have a meaningful impact. The toothpaste is already out of the tube.</p><h2>Things I am keeping an eye on</h2><ul><li><p>Cisco announced <a href="https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221806-password-spray-attacks-impacting-custome.html">best practices for preventing password spraying</a> attacks on VPNs. This was immediately followed by a <a href="https://www.darkreading.com/remote-workforce/cisco-warns-of-massive-surge-in-password-spraying-attacks-on-vpns">massive uptick</a> in those attacks.</p></li><li><p>CISA has been stepping up its proactive alerts on ICS and critical infrastructure. This week, they <a href="https://www.darkreading.com/ics-ot-security/ics-network-controllers-open-to-remote-exploit-no-patches-available">warned of swaths of ICS controllers being vulnerable</a> and without patches available. Step up your compensating controls, folks!</p></li><li><p>LastPass continues to suffer a lot of setbacks, including <a href="https://www.darkreading.com/cyberattacks-data-breaches/lastpass-users-lose-master-passwords-ultra-convincing-scam">this report of users being scammed</a> out of their master passwords.</p></li><li><p>Jim Clausing from SANS ISC released a pretty slick tool that helps to pull down an SBOM from a Linux image. There are a lot of paid tools that do this, but this <a href="https://isc.sans.edu/diary/New%20tool%3A%20linux-pkgs.sh/30774">freebie</a> is a really cool idea.</p></li><li><p>We get myopically focused on the endpoint as the predominant entry objective for an adversary. <a href="https://thehackernews.com/2024/04/showcasing-networkless-identity-attacks.html">This article</a> makes a great case for how new identity-driven attacks on SaaS apps make it easy to do damage without ever touching endpoints.</p></li><li><p>BlackHat Asia really started up the conference season with a bang. 
One of the very concerning reports was of adversaries using PAN's Cortex XDR agent (an EDR agent with more SaaS-supported features) as an <a href="https://www.blackhat.com/asia-24/briefings/schedule/index.html#the-dark-side-of-edr-repurpose-edr-as-an-offensive-tool-37846">Evil XDR offensive tool</a>.</p></li><li><p>I plan to stand up MISP again soon - it's been a few years. <a href="https://www.youtube.com/watch?v=4870zcDL9Ek">This tutorial</a> is looking promising for helping me out with that!</p></li><li><p>This <a href="https://www.cyberseek.org/certifications.html">certification graph tool</a> seems interesting - going to see what it says and what I think about it.</p></li></ul><h2>Good Reads</h2><ul><li><p>Folks know by now I love talking about MITRE ATT&amp;CK and its associated projects. I learn so much more when the story of an adversary is broken down into consumable steps. The new <a href="https://kubenomicon.com/">Kubenomicon Threat Matrix</a> takes the concept into a really cool direction. It not only shows how adversaries might hit a container-based application, but reinforces the learning I am doing on that front from a cloud and container fundamentals perspective. This is awesome!</p></li><li><p>In trying to continue on this CTI learning path, I came across a <a href="https://pylos.co/2024/04/17/the-cti-mindset-the-cti-function/">great post by Joe Slowik</a>. Here he is covering CTI as a mindset and function. It is an eye-opening look at where CTI fits and why we're (mostly) doing it wrong. Take a look, it'll make you reevaluate how we treat the need!</p></li></ul><p>I hope this entry - late as it was - was helpful and engaging. If you have any inputs, recommendations, or criticism, please send them my way! Have a great rest of the weekend!</p>]]></content:encoded></item><item><title><![CDATA[What’s causing Mike’s Indigestion now? 
Stormy Nights (12 April 2024)]]></title><description><![CDATA[Hey folks!]]></description><link>https://www.raidersofthelostarp.tech/p/whats-causing-mikes-indigestion-volt-typhoon-microsoft-midnight-blizzard</link><guid isPermaLink="false">https://www.raidersofthelostarp.tech/p/whats-causing-mikes-indigestion-volt-typhoon-microsoft-midnight-blizzard</guid><dc:creator><![CDATA[Mike McPhee]]></dc:creator><pubDate>Thu, 11 Apr 2024 21:18:42 GMT</pubDate><enclosure url="https://images.raidersofthelostarp.tech/2024/04/mikey_mac_cartoon_of_cartoon_of_a_middle-aged__bearded_indiana__bd76eb4a-7640-428c-bddc-a627838e84d0.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Hey folks! After a busy week, I am finally sitting down to see what is new in the world of threat actors and trends. 
We're barrelling into Friday with a lot of attention on probably THE key software vendor in the world (Microsoft), and more attention on Volt Typhoon. Yet even hardware vulnerabilities are a thing, and it just goes to show how our supply chain is riddled with dependencies. And those dependencies open doors to vulnerabilities. So let's check in and see some of the more interesting threads!</p><h2>Microsoft Email breach becomes more concerning by the day</h2><p>As we've discussed in multiple prior updates, Microsoft has had a very difficult time with a breach of its ubiquitous Exchange Online email service by multiple threat actors, most notably Midnight Blizzard and Storm-0558. Well, it seems that the former's efforts <a href="https://msrc.microsoft.com/blog/2024/03/update-on-microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/">detected in January</a> have been riling CISA and the US Government. <a href="https://www.cisa.gov/news-events/directives/ed-24-02-mitigating-significant-risk-nation-state-compromise-microsoft-corporate-email-system">CISA's Emergency Directive</a> is a pretty bad sign that this impacted serious government business.</p><p>It seems that emails between Microsoft and their customer (the Federal Civilian Executive Branch) were snooped on, and included authentication details. Whoops! ED 24-02 directs all agencies to take action, review emails, reset credentials, and more.</p><ul><li><p>Want to read more? <a href="https://www.darkreading.com/threat-intelligence/midnight-blizzard-breached-hpe-email-before-microsoft-hack">HPE looks like they were hit</a> before MS, which goes to show how prolific this APT is.</p></li><li><p>Want to get nerdy? 
Wiz.io has a very interesting <a href="https://www.wiz.io/blog/midnight-blizzard-microsoft-breach-analysis-and-best-practices">write-up</a> on the "how" of the breach, based on publicly available information.</p></li></ul><h2>Chinese persistence in Critical Infrastructure</h2><p>CISA created a <a href="https://www.cisa.gov/audiences/high-risk-communities">High Risk Communities</a> center on their website, and it is full of awesome guidance and resources. Maybe you're tempted to ignore that - maybe that is out of scope? Adversaries certainly aren't passing up opportunities to cross-train and reuse techniques, and neither should you!</p><p>Chinese threat actors in particular have been honing their skills on western infrastructure for some time. In that spirit, CISA has <a href="https://www.cisa.gov/resources-tools/resources/prc-state-sponsored-cyber-activity-actions-critical-infrastructure-leaders">released a fact sheet</a> to help decision makers prepare for PRC-backed threats like Volt Typhoon. What is inside? Advice we should all heed: patch your stuff, harden OSes, monitor for LOLBins, train continuously, and update/rehearse IR and DR plans. This is all good advice we keep getting, but maybe your organization needs a name for the fear - well here you go! Volt Typhoon it is!</p><p>Diversity of skills and operations is a Chinese hallmark. Look at recent research by folks like Trend Micro, who have done a lot of work on malware families they call <a href="https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html">Earth Lusca</a> and Earth Krahang, leveraged by an APT known as <a href="https://attack.mitre.org/groups/G1006/">TAG-22</a>. These threat actors are perfecting their skills in leveraging cross-organizational trust to pivot between victim organizations. Right now, the research is focused on operations in Southeast Asia. 
It is probably an objective to start replicating this in western governments and infrastructure soon, if they are not already.</p><h2>This week in AI</h2><p>I think we're seeing so much AI painted on pretty much everything these days that it can desensitize us to a great use case. Toothbrushes with AI? Seriously? But I think we can all see some positive uses in helping get through more tedious tasks. One of the things that slows a lot of organizations down in cybersecurity is the collection and processing of intel. This <a href="https://blog.securitybreak.io/applying-llms-to-threat-intelligence-f3b8ba4463a4">write-up</a> by Thomas Roccia offers a slick look at how LLMs might really help. And another wonderful person to follow, Roberto Rodriguez from Microsoft has done some <a href="https://github.com/OTRF/GenAI-Security-Adventures/tree/main">awesome open experimentation</a> with GenAI and Jupyter Notebooks. I think it is worth following along and potentially trying myself!</p><h2>Things I am keeping an eye on</h2><ul><li><p>Software supply chains are rightfully a big focus, but don't sleep on the hardware! Binarly <a href="https://arstechnica.com/security/2024/04/supply-chain-snafu-causes-intel-and-others-to-ship-hackable-hardware-for-5-years/">released a research paper</a> showing how server firmware for Intel, Lenovo, and Supermicro included vulns that bypass security controls. Patch it, you say? The Intel and Lenovo hardware in question is no longer supported - so it is eternally vulnerable.</p></li><li><p>DPRK threat actors have been <a href="https://www.darkreading.com/vulnerabilities-threats/dprk-exploits-mitre-sub-techniques-phantom-dll-hijacking-tcc-abuse">actively using two new sub-techniques</a> from the upcoming MITRE ATT&amp;CK matrix. I think we all love innovation, but not by the bad guys.</p></li><li><p>Even security companies get hit once in a while. 
LastPass admitted an employee <a href="https://www.bleepingcomputer.com/news/security/lastpass-hackers-targeted-employee-in-failed-deepfake-ceo-call/">fell victim to a voice phishing attack</a> that used a deepfake of their CEO.</p></li><li><p>Apple <a href="https://www.darkreading.com/vulnerabilities-threats/apple-warns-users-targeted-by-mercenary-spyware">warned a LOT of people</a> from over 150 countries that mercenary spyware from folks like NSO Group is targeting them. If you are an NSO Group customer, we are not friends.</p></li><li><p>This <a href="https://cispa.de/en/loop-dos">research on alternate app-level protocols</a> for carrying out DDoS attacks has my head spinning. Very insightful, and very concerning!</p></li><li><p>A bipartisan effort in Congress sees a serious attempt at <a href="https://www.wired.com/story/apra-congress-online-privacy-proposal/">tackling online privacy</a>! This is a huge effort - the current state is rife with fractures, inconsistencies, and a lack of cohesion. Who knew Congress had it in them???</p></li></ul><h2>Good Reads</h2><ul><li><p>The folks at Active Countermeasures (who also count Black Hills Information Security and Antisyphon as sister companies) run an awesome blog chock-full of info, and <a href="https://www.activecountermeasures.com/malware-of-the-day-tunneled-c2-beaconing/">this blog on tunneling C2 beacons</a> by Fann Rossouw is very informative. They also have a slick place to see their upcoming training <a href="https://events.zoom.us/eo/AqZceUFfoY13HGSXujLymbABWGRslgy_uYu4TrJHbsmiQm-uPw9R~AggLXsr32QYFjq8BlYLZ5I06Dg">here</a>.</p></li><li><p>Last week we touched a lot on the XZ supply chain open source attack, and <a href="https://research.swtch.com/xz-timeline">this timeline</a> looks like the outline for a multi-part mini-series. I think that Nick Offerman might make a good protagonist. Maybe vs. Amy Poehler? Parxz &amp; Wreck folks! 
(it is late).</p></li></ul><p>I hope that this week's summary of things I found interesting is helpful. As always, please have a good and safe weekend and feel free to reach out and chat!</p>]]></content:encoded></item><item><title><![CDATA[What’s causing Mike’s Indigestion now? Supply Chain Heist (5 April 2024)]]></title><description><![CDATA[Happy weekend, folks!]]></description><link>https://www.raidersofthelostarp.tech/p/whats-causing-mikes-indigestion-xz-supply-chain</link><guid isPermaLink="false">https://www.raidersofthelostarp.tech/p/whats-causing-mikes-indigestion-xz-supply-chain</guid><dc:creator><![CDATA[Mike McPhee]]></dc:creator><pubDate>Thu, 04 Apr 2024 14:30:54 GMT</pubDate><enclosure url="https://images.raidersofthelostarp.tech/2024/04/mikey_mac_cartoon_showing_a_software_supply_chain_being_stretch_fe0d7474-3e26-4654-bb5f-bd82f9de1269.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Happy weekend, folks! Loads of cool stuff going on in the day job, but lots of chatter focused on 2 areas on opposite sides of the software ecosystem. The resourcefulness of adversaries never ceases to amaze me. Both stories offer a lot of intricate technical details, but the big takeaway is that we're in serious trouble unless we tackle best-practices, hygiene, and find support for the massive base of open source projects. So let's get going!</p><h2>Open Source projects need our help</h2><p>Since the beginning of the Internet Age, applications and operating systems have been dependent on open source. Despite the riches raked in by for-profit companies for their software, all of them stand on the shoulders of open source software libraries and packages. I think we all get it - using open source accelerates innovation. Why reinvent the wheel, right? But it is high time that we all consider how we support those open source projects. The maintainers of those efforts are usually coding these as a passion project or hobby. And they are all overwhelmed and outmatched. Need proof? Heartbleed, Log4j, Java and NPM vulnerabilities, Shellshock, and multiple Apache Struts CVEs can jog your memory.</p><p>Last week, attentive Microsoft engineer Andres Freund <a href="https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/">luckily stumbled on a performance issue</a>, and <a href="https://www.openwall.com/lists/oss-security/2024/03/29/4">traced it back to a hijacked open source compression library</a> used in most modern Linux flavors known as XZ Utils. An <a href="https://www.wired.com/story/jia-tan-xz-backdoor/">adversary</a> made a 2+ year effort to gain trust as a contributor and eventually gain commit-level privileges. 
They then disabled testing of their contributions and slowly nudged the code base to support their efforts to embed a <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-3094">malicious backdoor flaw</a> into the package. This interferes with authentication in SSH and injects code to open up a backdoor. Holy cow!</p><p>Lucky for us, Andres caught it - before the code could be promoted to released versions of Linux. But we have a big problem. Expecting these projects to operate with no funding, one to a few contributors, and zero support in testing and validation is supply chain suicide. It is time for the many prosperous companies that benefit from these heroic efforts to give back and assist in securing these projects for the greater good.</p><ul><li><p>Want to learn more? Kevin Beaumont does a <a href="https://doublepulsar.com/inside-the-failed-attempt-to-backdoor-ssh-globally-that-got-caught-by-chance-bbfe628fafdd">great job</a> talking about this entire caper holistically.</p></li><li><p>Want to get nerdy? The SANS ISC does a splendid job of <a href="https://isc.sans.edu/diary/30802">explaining the technical</a> how of this backdoor here.</p></li></ul><h2>Microsoft struggles to use their own tools securely</h2><p>Lest we think that Open Source cannot be relied on and that professionals and closed source are the safest bet, Microsoft shows that no one is infallible. If you recall, APT Storm-0558 compromised Microsoft's Exchange Online email service through information from a developer's laptop and a stolen Azure signing key. Despite happening 10 months ago, Microsoft still cannot publicly say how it happened, and <a href="https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf">CISA and the US Department of Homeland Security</a> called them out for their handling of the matter. 
Don't confuse this with the breach of their own senior leadership team's email accounts, which it appears they are still struggling with months later - talk about <a href="https://raidersofthelostarp.tech/2024/04/02/persistence-how-uninvited-attackers-avoid-being-bounced-from-the-party-attck/">persistence</a>!</p><ul><li><p>Want to learn more? Bleeping Computer's <a href="https://www.bleepingcomputer.com/news/security/microsoft-still-unsure-how-hackers-stole-msa-key-in-2023-exchange-attack/">synopsis</a> boils it down for us. Ars Technica goes into <a href="https://arstechnica.com/information-technology/2024/04/microsoft-blamed-for-a-cascade-of-security-failures-in-exchange-breach-report/">more details</a> about how the breach was made.</p></li><li><p>Want to get nerdy? You can read Microsoft's own analysis of the situation <a href="https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/">here</a>.</p></li></ul><h2>This week in AI</h2><p>Seeing the confluence of massive AI adoption and the emergence of so many open-ended concerns, what is obvious is that we've already lost control of AI's propagation. Talking to my good friend Mark Stephens, he clued me in on a book by Nick Bostrom called "<a href="https://www.barnesandnoble.com/w/superintelligence-nick-bostrom/1117941299">Superintelligence: Paths, Dangers, Strategies</a>". Amongst other things, he discusses how AI - given a simple goal of making the best paper clip - would make decisions that eventually threaten human life. 
Needless to say, that book is on order!</p><h2>Things I am keeping an eye on</h2><ul><li><p>Ivanti has finally <a href="https://www.bleepingcomputer.com/news/security/ivanti-fixes-vpn-gateway-vulnerability-allowing-rce-dos-attacks/">released a version</a> of their VPN head-end software that addresses currently known CVEs.</p></li><li><p>VMware vulnerabilities led to the <a href="https://www.bleepingcomputer.com/news/security/hosting-firms-vmware-esxi-servers-hit-by-new-sexi-ransomware/">compromise of a hosting firm's compute</a> resources. Adversaries must be bummed that folks are looking elsewhere - APTs invested heavily in VMware-related exploits.</p></li><li><p>A contractor for the US DoD was <a href="https://www.hackread.com/intelbroker-us-national-security-data-contractor-acuity/">breached by IntelBroker</a>, driving home that we also need to find a way to secure our partners.</p></li><li><p>Sophos is warning of a <a href="https://www.hackread.com/sophos-ransomware-attacks-target-backups/">trend toward compromising backups</a> - don't forget to protect those fallback plans, folks!</p></li><li><p>Omni Hotels are the latest multi-national to <a href="https://www.bleepingcomputer.com/news/security/omni-hotels-confirms-cyberattack-behind-ongoing-it-outage/">fall victim to an attack</a>. Hoping they can return to full operations soon!</p></li><li><p>The inspirational and awesome Rachel Tobac has <a href="https://darknetdiaries.com/episode/144/">her own episode</a> on DarkNet Diaries! 
Be sure to check it out - she is a leading voice on the perils of social engineering.</p></li><li><p>It seems LockBit's <a href="https://www.darkreading.com/threat-intelligence/lockbit-ransomware-takedown-strikes-brand-viability">reputation continues to struggle</a> after recent take-downs.</p></li></ul><h2>Good Reads</h2><ul><li><p>Nothing too new - I am about 1/4th of the way into <a href="https://www.barnesandnoble.com/w/children-of-ash-and-elm-neil-price/1133331876">Children of Ash and Elm</a> (the Viking history book). It's amazing how misunderstood they are. The many languages and transitions of knowledge between groups and regions contributed to that confusion. Seems like history certainly rhymes!</p></li><li><p>I am also reading the latest <a href="https://www.splunk.com/en_us/resources/sans-2024-threat-hunting-survey.html">SANS Threat Hunting Survey</a> results, and as explained in David Bianco's <a href="https://www.linkedin.com/posts/davidjbianco_threathunting-activity-7181277643965636609-idDZ?utm_source=share&amp;utm_medium=member_desktop">video highlights</a>, it is concerning that more than a third of customers threat hunt without a formal process, and the same percentage find that it impairs security, rather than improves it!</p></li></ul><p>I hope that this update unravels a little of the many mysteries we are all being impacted by in cyberspace. If you have any feedback please send it along!</p>]]></content:encoded></item></channel></rss>