MITRE Frameworks in Action

Nicholas DeQuattro
Nov 13, 2022 · 7 min read


MITRE Frameworks

MITRE is a not-for-profit research organization that uses its resources to improve how we understand and defend against cyber attacks and the groups that carry them out. It is best known for three frameworks: ATT&CK, D3FEND, and Engage (which replaced the earlier Shield). Each one serves a distinct role in MITRE's research and in the ongoing defense against cybercrime.

ATT&CK

The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework “is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s attack lifecycle and the platforms they are known to target.” (Trellix, n.d.) By using the framework, defenders can take the tactics and techniques observed from threat actors and use them to better predict, detect, and protect against those actors' next moves. The matrix MITRE provides on its website lets security professionals all over the world build threat models that visualize these attacks and, because every technique carries a stable identifier (for example T1189 for Drive-by Compromise), share them in a common vocabulary.

D3FEND

The MITRE Detection, Denial, and Disruption Framework Empowering Network Defense (D3FEND) works alongside the ATT&CK framework rather than standing on its own. It “maps relationships between ATT&CK’s adversary TTP and defensive countermeasures for developing defensive strategy that corresponds directly to known attacker behavior.” (BlackBerry, n.d.) Where ATT&CK is the first step, visualizing and understanding how an attack unfolds, D3FEND is the logical second step: the techniques identified in the ATT&CK matrix are mapped to catalogued countermeasures, and those countermeasures become the plan for protecting against future attacks that use a specific technique or come from a specific threat actor.

Shield/Engage

The last of the three frameworks takes a more active approach to defending against cyber attacks. MITRE Engage, formerly known as Shield, “provides active defense information based on ten years of adversary engagement experience.” (Exabeam, n.d.) Unlike conventional defense, active defense as Exabeam describes it has the entity under attack use “limited offensive counterattacks and action for the purpose of preventing enemies from intruding into a contested area or position.” (Exabeam, n.d.) In Engage's own terms this means denial, deception, and adversary engagement inside the defender's own environment (decoy credentials, lures, instrumented systems the attacker is steered into), not hacking back. The framework is still a work in progress at MITRE, but it is a powerful way for organizations to take the initiative back from their attackers and reduce damage and losses, as opposed to the purely passive security most of us are used to.

Threat actors targeting Dayton G&E

Dayton G&E is a fictitious gas and electric company created for the purposes of this post and any future posts that need a relevant scenario. It is based in the United States and is a critical energy provider. This post focuses on threat actors that may want to target it based on its location and/or its products (gas and electricity).

ALLANITE

“ALLANITE is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom.” (MITRE, n.d.) ALLANITE is a very interesting group. Unlike other groups that target electric facilities, its primary goal is not to harm or disrupt the grid but to learn how the facilities operate and to stay on the network for as long as possible. That puts it more in line with a typical espionage group: it would rather the facilities and networks keep running normally so it can keep gathering information. It is not in the business of chaos; it is in it for the information.

For most of its intrusions ALLANITE used Drive-by Compromise (ATT&CK T1189) to gain access. In this technique the attacker compromises a website its targets are likely to visit (a watering hole) and, when a victim's browser loads the page, malicious content served by the site compromises the victim's machine. Drive-by compromise is normally just an initial-access step on the way to some other objective; for ALLANITE, getting that foothold was the main event. Once on the network the group would simply observe and collect data in the background.

Using the D3FEND framework we can see that drive-by compromise can be defended against in many different ways. The one that catches my eye is URL Analysis (D3-UA). By using context “such as where it is embedded (ex. emails, files, network protocols), header, path, location, and origin information, as well as information about the content returned from the URL request,” (MITRE, n.d.) we can block or alert on malicious sites before a browser inside the network renders their content. In practice that means feeding the URLs seen in proxy, DNS, and email logs through structural and reputation checks and stopping the request, not just logging it, when a check fails.
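The following is an added example written for this post; it is not code from the original article, from MITRE, or from any D3FEND tooling. It runs a handful of structural URL Analysis checks of the kind D3-UA describes over constructed proxy log lines: IP-literal hosts, punycode hostnames, non-standard ports, executable downloads, credentials embedded in the URL, and lookalikes of the company's own domains. The domains daytonge.example and vendor-portal.example, the log format, and the thresholds are assumptions for the example.

```python
"""URL Analysis (D3FEND D3-UA) over constructed proxy log lines.
Added example for this post; not MITRE's or the author's code. The allowlisted
domains, log format and thresholds are assumptions."""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed: the registrable domains the fictitious Dayton G&E legitimately uses.
# Every other domain is compared against these for lookalikes.
TRUSTED_DOMAINS = {"daytonge.example", "vendor-portal.example"}

# Extensions that are a poor fit for ordinary browsing and common drive-by carriers.
RISKY_EXTENSIONS = (".exe", ".scr", ".hta", ".jar", ".msi", ".vbs", ".js")

# Constructed proxy log: "<timestamp> <client> <method> <url>".
SAMPLE_PROXY_LOG = """\
2022-11-13T09:01:02Z 10.20.1.15 GET https://daytonge.example/outage-map
2022-11-13T09:01:09Z 10.20.1.15 GET https://www.dayt0nge.example/login
2022-11-13T09:02:41Z 10.20.1.33 GET http://203.0.113.42:8080/update/flashplayer.exe
2022-11-13T09:03:10Z 10.20.1.33 GET https://xn--dytonge-8wa.example/portal
2022-11-13T09:04:55Z 10.20.1.40 GET https://vendor-portal.example/docs/manual.pdf
"""


def _levenshtein(a, b):
    """Edit distance, used to spot typo-squats of the trusted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _registrable(host):
    """Crude eTLD+1 (last two labels); a real deployment should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_url(url):
    """Return the suspicious structural properties of one URL (empty list = nothing seen)."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.username or parts.password:
        findings.append("credentials embedded in URL")
    try:
        ipaddress.ip_address(host)
        findings.append("IP-literal host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN) host")
    if host.count(".") >= 4:
        findings.append("deeply nested subdomain")
    if parts.port not in (None, 80, 443):
        findings.append(f"non-standard port {parts.port}")
    if parts.path.lower().endswith(RISKY_EXTENSIONS):
        findings.append("executable/script download")
    if len(parts.query) > 200 and re.fullmatch(r"[A-Za-z0-9+/=%._-]+", parts.query):
        findings.append("long opaque query string")
    reg = _registrable(host)
    if reg not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if _levenshtein(reg, trusted) <= 2:
                findings.append(f"lookalike of {trusted}")
    return findings


def scan_proxy_log(log_text):
    """Map each flagged URL in the log to its findings; clean URLs are omitted."""
    flagged = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        findings = analyze_url(fields[3])
        if findings:
            flagged[fields[3]] = findings
    return flagged


if __name__ == "__main__":
    for url, why in scan_proxy_log(SAMPLE_PROXY_LOG).items():
        print(url, "->", ", ".join(why))
```

These checks look only at URL structure. A real watering-hole site often has a perfectly ordinary-looking URL, which is why D3-UA also calls for analyzing the content returned by the request and the context the URL was embedded in; structural checks are the cheap first filter, not the whole control.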

Fox Kitten

Fox Kitten is a threat group linked to Iran. It is suspected of being “active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America.” (MITRE, n.d.) It has targeted multiple industries, including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering. For this post I will focus on how it could target the oil and gas industry.

The Fox Kitten campaign has been linked to APT39 because of the tools and methodology used in the attacks. “The most apparent overlap in methods includes the use of stolen VPN credentials, lateral movement through RDP, and exfiltration based on file compression in ZIP or RAR formats.” (ClearSky, 2020) There are also ties to APT33 and APT34 through the use of the ZeroCleare and Dustman wiper malware. Because of this, the campaign is suspected of being run either in collaboration with those two groups or by a subgroup of one of them.

For the D3FEND mapping I chose the ATT&CK technique Exploit Public-Facing Application (T1190). This is how Fox Kitten gained access to networks, after which it installed backdoors so it could easily re-enter the organization's systems. The framework shows that Protocol Metadata Anomaly Detection (D3-PMAD) is a good fit: Dayton G&E would analyze the metadata of requests to its internet-facing applications in near real time and alert on statistical outliers. An injection attempt such as SQL injection tends to stand out in that metadata even without payload inspection, for example as a request with an abnormally long or oddly encoded query string, or as a burst of requests to one endpoint from one source, so it can be stopped before access is gained. That in turn prevents an actor such as Fox Kitten from leveraging the public-facing application to plant a back door for later.

Temp.Veles

TEMP.Veles, also known as XENOTIME, is “a Russia-based threat group that has targeted critical infrastructure.” (MITRE, n.d.) I think this is the most threatening group to Dayton G&E because of its destructive intent. It targets companies' safety instrumented systems (SIS), the equipment whose entire job is to shut a process down safely before it hurts people or destroys plant, and tampering with those systems is a way to damage another country's energy sector. The group is best known for its use of the TRITON malware framework, “an attack framework built to interact with Triconex Safety Instrumented System (SIS)” controllers. (Johnson, Caban, Krotofil, Scali, Brubaker, & Glyer, 2017)

The group was first identified in 2017 after it compromised critical infrastructure in the Middle East. That year TEMP.Veles “targeted Saudi Arabian oil refinery Petro Rabigh and an SIS product line known as Triconex made by Schneider Electric.” (Goodin, 2019) Interfering with a safety system is dangerous in two directions: a tampered SIS might fail to detect a genuinely hazardous condition and leave the plant running toward an explosion or release, or it might trip on a false positive and shut equipment down. Either outcome hurts the target, the first through physical damage and the second by halting production and slowing the restart while the safety controllers are checked and recovered. At Petro Rabigh the malware produced the second outcome, an unplanned shutdown, which is how the intrusion came to light.

The group has also been linked to network scans of the United States electrical grid, though no breach or compromise has been reported. One indicator of compromise (IOC) that gets associated with XENOTIME is the path /+CSCOE+/logon.html. A caveat: that path is simply the login page of the Cisco ASA clientless SSL VPN (WebVPN), so seeing it in a log is only meaningful in context, for example as the target of external scanning or in combination with the weakness described in the 2014 Vigilance advisory, a cross-site scripting flaw in which parameters on that login page were not filtered “before inserting them in generated HTML documents.” (Vigilance, 2014)

The reason XENOTIME is considered such a large threat is its demonstrated destructiveness. “XENOTIME has successfully compromised several oil and gas environments which demonstrates its ability to do so in other verticals. Specifically, XENOTIME remains one of only four threats (along with ELECTRUM, Sandworm, and the entities responsible for Stuxnet) to execute a deliberate disruptive or destructive attack.” (Dragos, 2019)

Using the D3FEND framework to map the group's technique Remote Services: SSH (ATT&CK T1021.004) gives us many options for preventing its next attack. MITRE notes that TEMP.Veles uses SSH-based tunnels to transfer tools, such as the TRITON framework, into the victim's network. By applying Protocol Metadata Anomaly Detection, as we did against the previous threat actor, Dayton G&E would receive an alert whenever something out of the ordinary is transferred to its systems: an SSH session to a host that normally has no SSH peers, a session from a source never seen before, or one that moves far more data than the baseline. That would catch a case where a malicious tool is being pushed to equipment such as an SIS engineering workstation that is supposed to do nothing but monitor operations in the facility. Because SSH is encrypted, the detection has to rest on metadata (who talks to whom, when, and how much) rather than content, which is exactly why D3-PMAD fits.
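Below is an added example, not code from the original post or from MITRE, of the Protocol Metadata Anomaly Detection approach proposed for both Fox Kitten's exploitation of a public-facing application and TEMP.Veles' SSH tunnels. It learns a per-service baseline from constructed, known-good connection records and then flags statistical outliers in the metadata alone: a new peer for a service that normally has a small, fixed set of clients, byte counts far above the norm, and, for HTTP, request-URI lengths far above the norm. Hosts, addresses, byte counts, thresholds and the record format are all assumptions for the example; no payload is inspected, so an injection attempt shows up only as an oversized request, never as recognized SQL.

```python
"""Protocol Metadata Anomaly Detection (D3FEND D3-PMAD) over constructed
connection records. Added example for this post; not MITRE's or the author's
code. Record format, addresses, volumes and thresholds are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

Z_THRESHOLD = 3.0        # outlier if more than 3 standard deviations above the baseline
CLOSED_PEER_SET_MAX = 5  # peer novelty is only meaningful for services with few, stable clients


def _rec(ts, proto, src, dst, dport, nbytes, uri_len=None):
    """Build one metadata record as a Zeek- or firewall-style sensor might log it."""
    r = {"ts": ts, "proto": proto, "src": src, "dst": dst, "dport": dport, "bytes": nbytes}
    if uri_len is not None:          # only HTTP(S) records carry a request-URI length
        r["uri_len"] = uri_len
    return r


# Constructed known-good week. The engineering jump host (10.50.0.5) is the only
# SSH client of the SIS engineering workstation (10.60.0.10) and moves tens of KB
# per session; the public customer portal (198.51.100.10) sees many Internet
# clients sending short request URIs.
BASELINE = [
    _rec(f"d{i}-ssh", "ssh", "10.50.0.5", "10.60.0.10", 22, nbytes)
    for i, nbytes in enumerate([41_000, 52_000, 47_500, 58_000, 44_200, 50_300, 49_000])
] + [
    _rec(f"d{i}-https", "https", f"203.0.113.{i}", "198.51.100.10", 443, nbytes, ulen)
    for i, (nbytes, ulen) in enumerate(
        [(2_100, 24), (3_400, 41), (2_800, 33), (4_100, 58),
         (2_600, 29), (3_000, 37), (3_900, 52), (2_200, 26)])
]

# Constructed live records to score against that baseline.
LIVE = [
    _rec("t1", "ssh", "10.50.0.5", "10.60.0.10", 22, 48_000),               # routine maintenance session
    _rec("t2", "ssh", "10.20.1.77", "10.60.0.10", 22, 2_400_000),           # corporate host pushes 2.4 MB into the SIS workstation
    _rec("t3", "https", "198.18.0.7", "198.51.100.10", 443, 3_100, 1_500),  # 1.5 KB request URI to the portal
    _rec("t4", "https", "198.18.0.8", "198.51.100.10", 443, 2_900, 30),     # ordinary portal request
]


def _stats(values):
    """Mean and a floored standard deviation so a flat baseline cannot divide by zero."""
    m = mean(values)
    return m, max(pstdev(values), 0.05 * abs(m), 1.0)


def build_baseline(records):
    """Summarise known-good traffic per (proto, dst, dport) service key."""
    groups = defaultdict(lambda: {"peers": set(), "bytes": [], "uri_len": []})
    for r in records:
        g = groups[(r["proto"], r["dst"], r["dport"])]
        g["peers"].add(r["src"])
        g["bytes"].append(r["bytes"])
        if "uri_len" in r:
            g["uri_len"].append(r["uri_len"])
    baseline = {}
    for key, g in groups.items():
        entry = {"peers": g["peers"], "bytes": _stats(g["bytes"])}
        if g["uri_len"]:
            entry["uri_len"] = _stats(g["uri_len"])
        baseline[key] = entry
    return baseline


def score(record, baseline):
    """Return the anomaly reasons for one record (empty list = looks normal)."""
    key = (record["proto"], record["dst"], record["dport"])
    if key not in baseline:
        return ["service never seen in baseline"]
    b = baseline[key]
    reasons = []
    if len(b["peers"]) <= CLOSED_PEER_SET_MAX and record["src"] not in b["peers"]:
        reasons.append(f"unseen peer {record['src']} for closed service")
    m, sd = b["bytes"]
    if (record["bytes"] - m) / sd > Z_THRESHOLD:
        reasons.append(f"bytes {record['bytes']} far above baseline mean {m:.0f}")
    if "uri_len" in record and "uri_len" in b:
        m, sd = b["uri_len"]
        if (record["uri_len"] - m) / sd > Z_THRESHOLD:
            reasons.append(f"request URI length {record['uri_len']} far above baseline mean {m:.0f}")
    return reasons


def detect(records, baseline):
    """Map each anomalous record's timestamp to its reasons."""
    alerts = {}
    for r in records:
        reasons = score(r, baseline)
        if reasons:
            alerts[r["ts"]] = reasons
    return alerts


if __name__ == "__main__":
    for ts, why in detect(LIVE, build_baseline(BASELINE)).items():
        print(ts, "->", "; ".join(why))
```

Peer novelty is deliberately scored only for services with few baseline clients: a public portal sees new source addresses all day, while the SIS engineering workstation should only ever talk to the jump host. The thresholds (three standard deviations, five peers) are starting points to tune against real traffic, and a production detector would also key on time of day and session duration, which this example leaves out.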

References

BlackBerry. (n.d.). MITRE D3FEND. Retrieved November 13, 2022, from https://www.blackberry.com/us/en/solutions/endpoint-security/mitre-attack/mitre-defend

ClearSky. (2020, February). Fox Kitten campaign. Retrieved November 13, 2022, from https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf

Dragos. (2019, June 14). Threat proliferation in ICS Cybersecurity. Dragos. Retrieved November 13, 2022, from https://www.dragos.com/blog/industry-news/threat-proliferation-in-ics-cybersecurity-xenotime-now-targeting-electric-sector-in-addition-to-oil-and-gas/

Exabeam. (n.d.). What is MITRE Engage (formerly MITRE Shield)? Retrieved November 13, 2022, from https://www.exabeam.com/explainers/mitre-attck/what-is-mitre-engage-formerly-mitre-shield/

Johnson, B., Caban, D., Krotofil, M., Scali, D., Brubaker, N., & Glyer, C. (2017, December 14). Attackers deploy new ICS attack framework “TRITON” and cause operational disruption to critical infrastructure. Mandiant. Retrieved November 13, 2022, from https://www.mandiant.com/resources/blog/attackers-deploy-new-ics-attack-framework-triton

MITRE. (n.d.). Allanite. Retrieved November 13, 2022, from https://attack.mitre.org/groups/G1000/

MITRE. (n.d.). Fox Kitten. Retrieved November 13, 2022, from https://attack.mitre.org/groups/G0117/

MITRE. (n.d.). MITRE D3FEND knowledge graph. Retrieved November 13, 2022, from https://d3fend.mitre.org/

MITRE. (n.d.). TEMP.Veles. Retrieved November 13, 2022, from https://attack.mitre.org/groups/G0088/

Trellix. (n.d.). What is the MITRE ATT&CK framework? Get the 101 guide. Retrieved November 13, 2022, from https://www.trellix.com/en-us/security-awareness/cybersecurity/what-is-mitre-attack-framework.html

Vigilance. (2014, March 19). Vulnerability: Cisco ASA cross-site scripting of WebVPN login page. Retrieved November 13, 2022, from https://vigilance.fr/vulnerability/Cisco-ASA-Cross-Site-Scripting-of-WebVPN-Login-Page-14444

VulDB. (n.d.). TEMP.Veles analysis. Retrieved November 13, 2022, from https://vuldb.com/?actor.temp.veles
