Analyzing Zero-Days like Operation MidnightEclipse (CVE-2024-3400) with the help of M3TID

SIMKRA, published in CyberScribers
15 min read · Apr 14, 2024

From Knowledge to Understanding — Threat-Informed Defense in Vulnerability Management

A few days ago, the Center for Threat-Informed Defense released detailed documentation on how to systematically conduct assessments in order to develop and evaluate a threat-informed defense program. As always, the goal is to gain a deep technical understanding of real-world attacker behavior, including the technologies attackers use, but also to understand one's own defensive stack in order to measure, maximize and mature one's own security posture.

The Measure, Maximize, & Mature Threat-Informed Defense (M3TID) project extends this concept of leveraging threat understanding to improve a security program by working towards an actionable definition of threat-informed defense and its associated key activities, as well as a formalized approach to measure threat-informed defense maturity. This maturity model complements existing cybersecurity maturity models by incorporating a measure of how well threat information is leveraged.

Threat-informed defense and its dimensions are explained in Mike Cunningham's project introduction article, linked here.

For the first time, we get a detailed guide on how to specifically assess the maturity level of your own company with regard to the three key components Cyber Threat Intelligence, Defensive Measures and Testing & Evaluation. In addition to the weighting of the individual components, progress can now also be worked out visibly and tracked. The result is a catalogue of 5 essential sub-components for each key component, each with its own maturity levels, adding up to over 75 criteria.

What about using it for a vulnerability management assessment?

Specifically for vulnerability management, I then thought about how to implement an assessment that moves from risk-based to threat-informed in the area of cyber threat intelligence.

Threat-Informed Defense differs from traditional risk management in that it prioritizes the likelihood of a threat occurring and informs that probability from real-world observations of actual adversary tradecraft. Informing a defensive posture with real threat information is a way to ground the probability estimation in evidence. To further maximize the return on threat-driven investments, Threat-Informed Defense encourages the use of threat information that is common across adversaries and time rather than simply reacting to easily changed indicators of malicious activity. The goal is to leverage knowledge of real adversary behavior and probability of attacks to provide a lens through which to prioritize security investments — whether they be in people, processes, or technology.

Essentially, the levels don't differ much from the original assessment, but they focus on zero-day exploits like the one we saw again this weekend with Palo Alto's CVE-2024-3400.

Assessment M3TID with focus on Vulnerability Management, but DM and T&E stay the same

In the current article, I briefly describe how to translate risk-based vulnerability management into Threat-Informed Defense, how to assess its maturity based on the assessment, and give a concrete technical example using threat modeling findings for the latest Palo Alto zero-day exploit, CVE-2024-3400, to identify the attacker and give recommendations for threat hunting. I admit that it takes some experience to understand the attack patterns of APTs, but it is still possible to build a threat-informed defense program with the help of the M3TID method with relatively few resources, even if you don't necessarily have the technical automation and experience of larger corporations that can afford such programs.

Where to start in Vulnerability Management?

In view of the sheer mass of vulnerabilities, many companies are overwhelmed when it comes to prioritizing and quickly implementing patches or closing defensive gaps in a timely and clear manner. While most assessments create a risk-based overview, the threat-informed view should help to define the prioritization of vulnerabilities as quickly as possible and to understand them technically. Within a few hours, even in larger companies, it should be ensured that not only is visibility created for a specific vulnerability, but that it can also be classified by exploitation probability (EPSS) and, if immediate patching is not possible, the technical requirements can be handed over immediately to hunt and implement VIP detection, as robustly as possible, with the help of tests and evaluations. In an emergency, from an analytical point of view, precision can be more important than recall in your detection, because it is currently unlikely that ephemeral components such as the ports in the backdoor script will change within 24 hours. The goal, as always, is rapid improvement!

Regardless of the currently published vulnerabilities, the most important vulnerabilities should be identifiable from the latest research on threat actors such as hacktivists, ransomware groups or APTs.

Level Up your Defense — Threat Informed Vulnerability Management

To do this, it is advisable to take a closer look at the research of those companies that can say with certainty, backed by a high volume of data, that certain vulnerabilities are used again and again by certain attackers. Various research sources have proven very useful for this correlation, e.g. Recorded Future, which has published an excellent summary of the vulnerabilities used by common ransomware groups since 2017, or GreyNoise, which specializes in correlating large amounts of data to vulnerabilities and has even mapped them to the impact of the CVE. And don't forget that OCD (Orange Cyberdefense) has the worldwide overview from its CyberSOCs. All of this research and the latest developments can be found in our Security Navigator 2024.

Another great MITRE Engenuity tool for Defensive Measures is the CVE + MITRE ATT&CK mapping project

Once you know the initial vector and the impact the vulnerability can have, mapped to MITRE ATT&CK TTPs, it is additionally useful to look at the attacker's entire attack flow, with the aim of finding gaps in your own environment as quickly as possible by knowing the attack patterns.

Attack Flow example: PaperCut NG

Deception as part of the maturity

This could become even more efficient in the future with the help of deception solutions, not only to study the attacks but also to detect the attacker with a high degree of automation, with the aim of eviction. Although many companies have already started to take threat-informed approaches, the area of deception is still covered in a very rudimentary way. On the one hand, this may be due to the fact that there is still a lack of visibility between MITRE ATT&CK and the corresponding MITRE Engage techniques, also in terms of know-how, but also due to the outdated view that deception solutions are difficult to introduce.

Influence the adversary's decision-making process on how to attack by making it harder for them to attack — active defense (deceive and study)

In the meantime, however, there are community tools that are simple to implement, and EDR systems such as Microsoft Defender also offer integrated deception capabilities.

Active Defense as Opportunity

While the newly developed M3TID method essentially consists of assessing the degree of maturity in dealing with CTI in terms of operational effectiveness, I have modified the procedure a little, specifically for vulnerability management, in order to be able to address the requirements of vulnerability management. I would do both assessments. However, I have left the assessment areas of Defensive Measures and Testing & Evaluation the same, as the focus is the same. The assessment should be carried out in addition to the actual assessment, with the aim of adapting vulnerability management to the actual enterprise-centric threat-informed approach through collaboration and sharing. This is often not possible initially because enterprises have departments (OUs) working independently of each other that have to look at threat intelligence from different perspectives. While the assessment for threat modeling of an attacker normally looks at the entire attack and, for example, the attacker's software capabilities, other factors play a role in vulnerability management, such as the probability of occurrence, zero-days, but also how many assets would be affected and what needs to be done after the impact to protect the corresponding crown jewels such as the AD DC. As we saw this weekend with the Palo Alto vulnerability within the Operation MidnightEclipse campaign, the attackers gained access to NTDS.dit; see also my article on Volt Typhoon. I assume that this vulnerability is also due to an attack by Volt Typhoon and will determine my hypothesis based on the technical conditions in the course of the article.

From Risk-Based to Threat-Informed

In five steps, which are also classically part of the risk-based assessment in OCD's vulnerability management, the threat-informed component can be integrated. In addition to the identification of vulnerabilities with the help of non-threat-informed sources, as well as the impact analysis, e.g. by mapping the CVE to MITRE ATT&CK, a technical in-depth analysis can be carried out by enriching the information, which then helps to evaluate and implement the defensive measure. In the M3TID weighting, the defensive measure plays the biggest role with 50%, because the goal is a quick implementation in the preventive sense, to stop attackers from getting into the systems. Only if improving the security controls is not possible must other measures, such as threat hunting and robust detections in the sense of analytical engineering, be introduced through evaluation and implemented in as measurable, visible, rigorous and structured a way as possible. This is part of holistic threat modeling. The goal is to measurably monitor progress for the continuous improvement of your own defensive stack.

Threat-Informed Vulnerability Management Assessments

After the assessment, the goal should be to be able to make a concrete statement about what needs to be scanned, monitored and tested regularly with the help of the threat-informed view of vulnerability management. In addition to prioritizing the vulnerabilities, the company should then know the probability of occurrence (EPSS likelihood) and how many devices are affected, independently of the scans, also with the help of vulnerability management insights that can be obtained, for example, through onboarding into an EDR, as is the case with Microsoft Defender. While broader scans could "forget" vulnerabilities, other systems close the gap via their own information about the infrastructure. In addition, asset management can provide insightful information about self-developed software solutions and their APIs.

Starting an assessment

The first step would be to use the M3TID method of the MITRE Engenuity CTID to specifically define the maturity levels, e.g. for vulnerability management. For this purpose, I have considered the following maturity levels; of course, these can be developed individually. This is only an example of how the original M3TID assessment of the CTID can be extended and is not part of the actual assessment described in the documentation, while the DM Definition & Scoring and T&E Definition & Scoring components remain the same in my example assessment for vulnerability management.

The contents of the assessment for CTI VM are:

How well do you understand the adversaries that may target your organization with regard to your vulnerabilities?

What level of information is being used to track adversaries (vulnerability scanner, CTI, own VM management scoring, etc.)?

I.1 Depth of Threat Data

Level 1: none

Level 2: Vulnerability is known but hardly understood.

Level 3: Vulnerability is known, patching of some systems done

Level 4: Vulnerability is known and prioritized and it’s harder for the adversary to use it. Techniques and Impact is known.

Level 5: Fully assessed and tested; it is very difficult to exploit the vulnerabilities, except for zero-days. An Attack Flow/playbook exists for the vulnerability.

I.2 Breadth of Threat Information

Complementary to the depth component score, roughly how many relevant Techniques are understood at that level of depth also after an exploit (Impact).

Level 1: none

Level 2: CTI report seen with vulnerabilities and having such vulnerabilities, some remediation done.

Level 3: Patches are prioritized as a reactive measure

Level 4: From reactive to proactive prioritization of known vulnerabilities

Level 5: Fully threat-informed automated top vulnerabilities and remediation

I.3 Relevance of Threat Data

Where is the threat information coming from and how timely is it

Level 1: none

Level 2: Generic Understanding of latest CVE

Level 3: Internal reports, understand own prioritized vulnerabilities, EPSS, patching

Level 4: Recent, in-depth reporting about impact; EPSS and prioritization are combined with the help of threat modeling

Level 5: Threat-Informed, threat-modeled, (automated) briefings & calculations for relevant vulnerabilities

I.4 Utilization of Threat Information

How is the threat information being used by an organization

Level 1: None

Level 2: Lightly / occasionally read

Level 3: Regularly ingested for analysis

Level 4: Analyzed automatically and/or by a trained analyst

Level 5: Contextualized in disseminated reports, moving from risk-based to threat-informed automated vulnerability management, and effectively "operationalized".

I.5 Dissemination of Threat Reporting for Vulnerability Management

What threat information is passed along within an organization [4]

Level 1: none

Level 2: Tactical reporting with information about the vulnerability and CVE score

Level 3: Tactical reporting focused on TTPs with CVE Impact and Patching Priorities

Level 4: Operational reporting on pertinent security trends like Zero-Day exploitation

Level 5: Strategic reporting on business impact of vulnerabilities and EPSS likelihood in own environment with the help of high automation vulnerability management platforms scoring and automated patching.

Reference [5]: https://mitre-engenuity.org/cybersecurity/center-for-threat-informed-defense/our-work/mapping-attck-to-cve-for-impact/

With the result of the assessment, the individual areas can now be successively improved.
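To turn the questionnaire above into a number that can be tracked over time, here is an added example (not code from the M3TID project or from the article) that scores the five CTI VM components and ranks what to improve next. It assumes a linear 0-1 scale per level, equal weights inside a dimension, and a 20%/30% split between CTI and T&E; the article only states that DM carries 50%.

```python
"""Score the CTI VM questionnaire above and rank what to improve next.

Added example, not part of the M3TID project or of the original article.
Component names and level texts follow the questionnaire; the 0-1 scale,
equal weights inside a dimension and the 20/30 split between CTI and T&E
are assumptions (the article only states that DM carries 50 %).
"""

# Level descriptions per component, index 0 == Level 1 (condensed from above).
CTI_VM_COMPONENTS = {
    "I.1 Depth of Threat Data": [
        "none", "known but hardly understood", "known, some systems patched",
        "prioritized, techniques and impact known", "fully assessed, playbook exists"],
    "I.2 Breadth of Threat Information": [
        "none", "CTI report seen, some remediation", "reactive patch prioritization",
        "proactive prioritization", "automated top vulnerabilities and remediation"],
    "I.3 Relevance of Threat Data": [
        "none", "generic understanding of latest CVE", "internal reports, EPSS, patching",
        "in-depth impact reporting with threat modeling", "automated threat-modeled briefings"],
    "I.4 Utilization of Threat Information": [
        "none", "lightly / occasionally read", "regularly ingested for analysis",
        "analyzed automatically and/or by trained analyst", "operationalized, automated VM"],
    "I.5 Dissemination of Threat Reporting": [
        "none", "tactical: vulnerability and CVE score", "tactical: TTPs, impact, priorities",
        "operational: trends like zero-day exploitation", "strategic: business impact, EPSS"],
}

DIMENSION_WEIGHTS = {"CTI": 0.20, "DM": 0.50, "T&E": 0.30}  # DM from the article; rest assumed


def level_to_score(level: int) -> float:
    """Map a 1-5 maturity level onto 0.0-1.0 (assumed linear scale)."""
    if not 1 <= level <= 5:
        raise ValueError(f"maturity level must be 1..5, got {level}")
    return (level - 1) / 4


def dimension_score(levels: dict[str, int]) -> float:
    """Mean of the component scores of one dimension."""
    return sum(level_to_score(lvl) for lvl in levels.values()) / len(levels)


def overall_score(cti: float, dm: float, te: float) -> float:
    """Weighted threat-informed defense score across the three dimensions."""
    w = DIMENSION_WEIGHTS
    return round(w["CTI"] * cti + w["DM"] * dm + w["T&E"] * te, 4)


def improvement_plan(levels: dict[str, int]) -> list[tuple[str, int, str]]:
    """Components ordered weakest first, each with the criterion for its next level."""
    plan = []
    for name, level in sorted(levels.items(), key=lambda kv: kv[1]):
        if level < 5:
            plan.append((name, level + 1, CTI_VM_COMPONENTS[name][level]))
    return plan


# Constructed sample assessment of the CTI VM questionnaire.
SAMPLE_CTI_VM_LEVELS = {
    "I.1 Depth of Threat Data": 4,
    "I.2 Breadth of Threat Information": 3,
    "I.3 Relevance of Threat Data": 3,
    "I.4 Utilization of Threat Information": 4,
    "I.5 Dissemination of Threat Reporting": 2,
}

if __name__ == "__main__":
    cti = dimension_score(SAMPLE_CTI_VM_LEVELS)  # 0.55
    print("CTI VM score:", cti)
    print("overall (DM 0.6, T&E 0.4 assumed):", overall_score(cti, 0.6, 0.4))  # 0.53
    for name, nxt, criterion in improvement_plan(SAMPLE_CTI_VM_LEVELS):
        print(f"{name}: reach Level {nxt} -> {criterion}")
```

The ranking puts I.5 Dissemination first, which matches the article's point that the result of the assessment tells you which area to improve next.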

Assessment Results

In my example, it can be said that the company has already dealt with Threat-Informed Defense and has also already started to systematically analyze vulnerabilities according to prioritization and to build up technical understanding and knowledge of vulnerabilities, with the aim of long-term visibility through automation.

Measuring Threat Informed Defense with Vulnerability Management CTI Questionnaire — Results

Corresponding visibility through automation can be obtained with the Cyber Threat Intelligence Platform from Tidal Cyber in the Enterprise Edition. Here, you can use the systematic creation of threat profiles for your own defensive stack (security posture) and track the progress of the optimizations via dashboards with your own confidence score.

Improving the Confidence Score

Testing & Evaluation as part of the maturity model

An essential part is also the area of continuous testing of attacks: purple teaming with collaboration between the teams to jointly increase the defensive capabilities. Companies often lack this and find it difficult to implement it on a regular basis. The highest form of coverage would then be a combination of analytical engineering of robust detections, automated evaluation of tests and deception automation with realistic mapping of one's own networks. See also my article on deception in the sense of an informational advantage over attackers. In this article, I take essential components from the doctrine of the US Army and translate them into the threat-informed view.

Know your enemies — understand their attack behavior

Concrete Example: Threat-Informed Analysis of the Palo Alto Vulnerability CVE-2024-3400

First, let’s look at the insights we can gather technically in the context of our threat modeling experience.

A critical command injection vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The vulnerability, assigned CVE-2024-3400, has a CVSS score of 10.0.

This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewall configurations with a GlobalProtect gateway and device telemetry enabled. This issue does not affect cloud firewalls (Cloud NGFW), Panorama appliances or Prisma Access. For up-to-date information about affected products and versions, please refer to the Palo Alto Networks Security Advisory on this issue.

Please also read the CERT alert of Orange Cyberdefense (updated 18.04.2024).

Let's start with what stands out about the zero-day exploit and can be relevant for further understanding of the analysis. For this purpose, we look at the various publications, e.g. of the BSI, the blog written by Palo Alto itself as well as the technically excellent analysis blog of Volexity, and correlate the following contents:

· We can see from the IP addresses and the technical blogs that Asus routers have been exploited.

· We see that the attackers are using the Go language and Python scripts.

· We see different SOCKS5 backdoors over VPN and SSH, with the ports built into the script, such as ports 8123, 8443 and 31289.

· We can see from the threat reports that both NTDS.dit and DPAPI keys were seen together with stolen cookies.

· In addition, networks were affected via SMB and WinRM.

· The proxy tool GOST was used as a reverse shell, alongside a newly identified Python-based backdoor, UPSTYLE, which is already available on AnyRun and contains a Base64 payload nested within the Base64.

update.py on AnyRun
Decoded Base64 UPSTYLE example
UPSTYLE workflow (Volexity)

Based on the technical content compared with older attacks by state actors, I most likely assume a zero-day campaign by a Chinese APT, most likely Volt Typhoon. Volt Typhoon, for example, exploits older, deprecated Cisco and Asus routers, including for its own botnets. We also see parallels with the Palo Alto campaign attack in the technical documentation published by CISA about Volt Typhoon. Here it would be interesting to know whether any artifacts of secretsdump.py can be found that confirm that the NTDS.dit and DPAPI keys were extracted with it. Volt Typhoon has also used Python scripts as well as Go in older campaigns, and the way the socket connections are made also suggests parallels. I had the fun of chasing the second Base64 through CyberChef's Magic operation. I came across ancient Chinese characters with a confused message. This may be a coincidence, but I reserve the right not to publish this in detail.

VT Graph: Operation MidnightEclipse campaign, CVE-2024-3400

Thanks to Volexity's technical documentation, it is now possible to create your own YARA and Sigma rules within the first hour, or to take the YARA rule from Volexity.

Hunting GOST: Sigma rule

So you can hunt specifically for these techniques in a timely manner, correlate them with your own telemetry and build robust detections. If a patch is available, the recommendation is of course to patch as soon as possible.

Palo Alto's recommendations can be found here.

Until then, it is recommended to continue to monitor the vulnerability and to track the ports accordingly. More hunting suggestions can be found in detail in my article about NTDS.dit and Volt Typhoon exploiting the DC, including a description of which telemetry you should use to track such incidents.

Sysmon as part of the M3TID

By the way, Sysmon is an outstanding source of telemetry and can also be used to block malicious behavior.

As part of the M3TID assessment, it supports threat-informed detection requirements. You can also hunt specifically — using a Sysmon configuration mapped to MITRE ATT&CK — e.g. in Google Chronicle for specific MITRE ATT&CK techniques or event IDs (EIDs).

UDM search: Windows Sysmon
Hunting for specific MITRE ATT&CK techniques

I will write a more detailed article about it in the future.

Conclusion

With the help of the new M3TID project, you can carry out an assessment as quickly as possible to understand your company's own maturity level with regard to Threat-Informed Defense. In addition, there are a number of assessments for optimization; vulnerability analysis is just one of them.

Do you want to learn more about Threat-Informed Defense Assessments? Come and visit us at Detect & Defend.

Cheating is over! Be there when compliance meets cybersecurity. The introduction of NIS2 and DORA forces companies to significantly improve their IT security measures in order to meet regulatory requirements. We present these requirements and tell you the secrets aka magic potions for implementing these requirements. True to this year’s motto “Level Up — Compliance meets Cybersecurity”, we not only want to take the conference topics and content a step further, but also take you to the next level with us towards the ultimate cyber resilience & compliance.

At the Detect & Defend this Wednesday in Frankfurt and next week in Munich, I will show you in detail how such assessments can be carried out systematically and threat-informed with the CTI Platform Tidal Cyber.

Focus on relevant threats

In Munich, Ian Davila, the Lead Adversary Emulation Engineer of Tidal Cyber, will assess you and show you in detail how you can improve your defensive stack with Tidal Cyber Enterprise.

More information can be found here.

Be part of the community and discuss topics that concern you with more than 200 IT security decision-makers.
