Stop Training the Adversary with Authentic, Fine-Grained, Denial-Type Policy Enforcement
Cybersecurity seeks to protect networks, devices, and data from unauthorized use. Common cybersecurity practices hinge on systems of overt and fine-grained enforcement of authorized use polices. This is the source of one of the cyber threat’s great asymmetric advantages.
For several years, industry threat reports have published dwell times across their incident responses. This is the amount of time between the point when an adversary has obtained unauthorized access to cyber resources and when the resource defenders learn about the intrusion. Dwell time has reduced over the years from hundreds of days in the early 2010s to 10s of days in the early 2020s. Mandiant notes that even though the average dwell time has dropped to 24 days in their data set, it only takes a few days for adversaries to achieve their objective. Apart from that, long dwell times result in very uncertain risk assessments. Forensic reconstruction becomes increasingly difficult as system state drifts with usage and diagnostic data sources age-out. Not only does the decaying quantity and fidelity of evidence impede assessment, but the space of background and false positive data increases. The high degree of uncertainty makes it very difficult for the victim organization to rationally leverage their cyber infrastructure to their best benefit. Aside from the negative impact of the threat actor’s mission itself, there are many false assumptions that the organization can infer which would negatively impact their mission if they cannot tightly identify their exposure. This uncertainty cost can be even greater than the impact of the first-order adversary action.
In contrast, the cyber threat actor has a constant stream of timely authentic data with which to guide their TTPs. Consider a model of cyber threat operations that is a turn-based sequence of adversary action followed by target response. The more truthful and diverse feedback the adversary elicits from the target, the better they can adapt to the limitations imposed by the system’s security measures. Conventional denial type policy enforcement alerts threat actors to their failures quickly and therefore extracts only limited costs. The adversary does not have time to build large parts of their operation on false predicates that will only be revealed later.
Consider a cyber threat trying to access a file on a remote share. Operating systems quickly deny file access requests with authentic feedback. It may be that:
- the current account does not have permission
- the drive is not mounted
- there is no route to host
- the file path was invalid
- the file access is locked by a running process
- the file has been quarantined by antivirus
Even though the adversary fails to obtain the file in all instances, each response suggests a different course of action. In the first case, the threat actor may seek to run a privilege escalation technique or harvest different credentials. In the second and third cases, they may attempt to establish a connection to the remote service or move laterally to a different system where the drive is mounted. The next case one may result in a broader use of wildcards or a different path specification. Terminating a process or unloading a driver may be necessary to overcome process locks, while the last message may indicate a need to slow or change operational methods if there are antivirus actions denying targeted files.
The MITRE Engage framework seeks to undermine this advantage by reducing the truthfulness, timeliness, and diversity of adversary feedback. The perfectly orchestrated engagement composes feedback responses that cause the adversary to think that their mission has successfully completed when in fact, they were only given a false narrative with some elements of truth. In this case, the defender creates a dwell time in the adversary’s operations. If the adversary was after data which the defender subverted, it may be months before they discover the to be worthless. Now the adversary has the dwell time problem of figuring out what went wrong, how long it has been going on, and how much of the data they’ve exfiltrated has been corrupted.
MITRE Engage is an operational planning construct for executing that perfect adversary engagement. In addition to the narrow application of technology such as tripwires, honeypots, sensors, and special drivers for detection and manipulation, Engage spans the goal setting, the self-assessments, the adversary assessments, the infrastructure requirements, the execution plan, and the operational cycle required to perform a successful engagement. Check out the Engage Starter kit for a detailed articulation of the Engage Matrix actions: https://engage.mitre.org/starter-kit/ It is the method by which defenders will deliver the right responses to adversary actions in a manner that incurs crippling dwell time into their operations.
References:
This is a guest blog post by Dr. Alex Tsow. Dr. Tsow is a Principal Cyber Operations Engineer at the MITRE Corporation. He is coauthor of Cyber Denial, Deception and Counter Deception, a book that adapts proven operational planning frameworks to the tactics, tools, and procedures of the cyber domain. Over his career Dr. Tsow has developed and deployed cyber capabilities that incorporate the need to hide, blend, misdirect, and monitor. His early cyber security career began in analysis of phishing techniques and development of novel router compromise methods at Indiana University.
Dr. Tsow’s research interests focus on disinformation, their interplay with algorithmic curation, and their operational threat actors.
©2022 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited PR_21–01759–31
