Tag Archives: MITRE ATT&CK

Are your Security Self-Services Secure?

27 January 2021

In the Fox-IT blog post “Abusing cloud services to fly under the radar” [1], Wouter Jansen reports on a threat actor who gained illegal access to the networks of high-tech and aviation companies and stayed undetected for more than 3 years. The post also gives a great introduction to the MITRE ATT&CK framework and is well worth reading.

In section Initial access we read: “From this portal it was possible to launch the web-based VPN. The VPN was protected by two-factor authentication (2FA) by sending an SMS with a one-time password (OTP) to the user account’s primary or alternate phone number. It was possible to configure an alternate phone number for the logged in user account at the company portal” (my emphasis).

This describes a well-known issue with self-services: once a user has successfully authenticated against the company network, a second factor can often be changed without enhanced authentication. Self-services are designed with the best user experience and responsiveness in mind; IT security often plays a subordinate role.

From my point of view, replacing the second factor should always be approved by a line manager or their proxy. This may take a while, but it makes life much harder for an attacker. In addition, the likelihood of detection goes up.
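One way to model this approval rule, as an added example that is not from the original post or from Fox-IT: a requested number stays pending and receives no OTPs until the line manager or a proxy approves it, and every step produces an audit event. The class names, event names and phone numbers are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    user: str
    manager: str                                    # line manager who approves changes
    proxies: set = field(default_factory=set)       # the manager's delegates
    otp_numbers: set = field(default_factory=set)   # numbers OTPs may be sent to
    pending: dict = field(default_factory=dict)     # request id -> requested number

class SecondFactorService:
    """Hypothetical self-service backend: changes stay pending until approved."""

    def __init__(self):
        self.accounts = {}
        self.audit = []        # (event, user, actor) tuples, e.g. forwarded to a SIEM
        self._next_id = 1

    def add_account(self, account):
        self.accounts[account.user] = account

    def request_number_change(self, user, new_number):
        # An authenticated session may only *request* a change, never apply it.
        acct = self.accounts[user]
        req_id, self._next_id = self._next_id, self._next_id + 1
        acct.pending[req_id] = new_number
        self.audit.append(("2fa_change_requested", user, user))
        return req_id

    def approve(self, user, req_id, approver):
        acct = self.accounts[user]
        allowed = {acct.manager} | acct.proxies
        # Deny self-approval, unknown approvers and unknown or reused request ids.
        if approver == user or approver not in allowed or req_id not in acct.pending:
            self.audit.append(("2fa_change_denied", user, approver))
            return False
        acct.otp_numbers.add(acct.pending.pop(req_id))
        self.audit.append(("2fa_change_approved", user, approver))
        return True

    def otp_targets(self, user):
        # Only approved numbers are eligible for OTP delivery.
        return set(self.accounts[user].otp_numbers)

if __name__ == "__main__":
    svc = SecondFactorService()
    svc.add_account(Account("alice", "bob", otp_numbers={"+10000000001"}))
    rid = svc.request_number_change("alice", "+10000000002")  # constructed numbers
    print(svc.otp_targets("alice"), svc.approve("alice", rid, "alice"), svc.audit)
```

The denied events are the detection signal: a session that requests a new number and then tries to approve it itself stands out in the audit trail.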

Here is some food for thought: Are your security self-services designed with security in mind?

Have a great week!


  1. Jansen W. Abusing cloud services to fly under the radar [Internet]. Fox-IT International blog. 2021 [cited 26 January 2021]. Available from: https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/

How to get the best ROI for investments in cyber security?

28 September 2019

During a workshop this week we had a discussion on risk management and investment in cyber security. Risk is the product of likelihood of occurrence (LoO) and severity of impact (SoI). So, to reduce the risk we can either try to reduce the SoI, or the LoO, or both.

We do risk management because we have limited resources. The big question is always: Where shall I spend my resources? Or, where can I gain the best ROI? Shall I reduce the likelihood of occurrence or the severity of the impact? Or both?

The Cyber Kill Chain is a great model to study this.

Cyber Kill Chain – Risk Management – Cost

We can reduce the likelihood of occurrence from the delivery phase up to the command & control phase. Once the attacker crosses the red line, the LoO is 100%.

The severity of impact can be reduced starting from the middle or end of the exploitation phase. WannaCry, for example, started the encryption immediately during installation of the malware and, in parallel, contacted its command & control server. Once the attacker crosses the red line, the impact and thus the costs for recovery are high.

The big problem with reducing the likelihood of occurrence is that, in the best case, we have only seconds to minutes until the attacker crosses the red line. To use this time efficiently, we need to invest in preventive or proactive means.

Cyber security awareness training, for example, is a very efficient preventive measure to reduce the LoO during the delivery and exploitation phases, because the exploitation of about 35% (data: NIST NVD, CVSS v3, UI:R) of vulnerabilities published in 2018 requires user interaction. Priority patching is another preventive measure which can stop an attacker early.

Backup and emergency recovery are great means to reduce the severity of impact. But the latest attack on Norsk Hydro makes clear that, even with the best crisis management, the recovery of several thousand systems from scratch takes some time.

When used in context with the existing security controls, the Cyber Kill Chain provides support in setting priorities in cyber security investment. The MITRE ATT&CK framework, which is based on the Cyber Kill Chain, brings the required methodology into the planning process. Give it a try.

Have a great weekend.