Advanced Cyber Threats Impact Even the Most Prepared

Lex Crumpton
Published in MITRE-Engenuity
Apr 19, 2024

Written by Lex Crumpton and Charles Clancy.

Foreign nation-state cyber adversaries are tenacious. Their attacks keep evolving to get around the industry's most sophisticated defenses. Last year the theme was exploitation of routers; this year it has been compromise of the edge protection devices themselves.

MITRE, an organization that strives to maintain the highest level of cybersecurity possible, is not immune.

Despite our commitment to safeguarding our digital assets, we’ve experienced a breach that underscores the nature of modern threats. In this blog post, we provide an initial account of the incident, outlining the tactics, techniques, and procedures (TTPs) employed by the adversaries, as well as some of our ongoing incident response efforts and recommendations for future steps to fortify your defenses.

In April 2024 we confirmed that MITRE was subject to an intrusion into one of our research and prototyping networks. MITRE's security team immediately began an investigation, cut off all known access by the threat actor, and brought in third-party Digital Forensics and Incident Response (DFIR) teams to perform their own independent analysis alongside our in-house experts.

Our top priority is to share our experience to help inform others facing similar threats. Even though MITRE’s investigation into the incident is still ongoing, we felt it important to share an overview on our work to date and importantly, what’s next.

You can learn a lot from being hacked, and that knowledge can transform an entire industry. Fifteen years ago was the last time we suffered a major cyber incident, and it was a seminal moment for MITRE. It crystallized for us the importance of understanding a hacker's behavior as a means to defeat them. It motivated the creation of behavioral taxonomies that catalog adversary TTPs, which ultimately led to the creation of MITRE ATT&CK®. This in turn gave rise to the concept of adversary engagement to elicit more behavioral data, now part of MITRE ENGAGE™.

Our work on ATT&CK and focus on further understanding adversary behaviors to drive defensive change led to the concept of threat-informed defense and ultimately launching the Center for Threat-Informed Defense. We work in partnership with sophisticated security teams from around the world to advance threat-informed defense for all. It is in this spirit that we share this early analysis and deliver on our commitment to advance the global community.

Incident Overview

Starting in January 2024, a threat actor performed reconnaissance of our networks, exploited one of our Virtual Private Networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities, and bypassed our multi-factor authentication using session hijacking. From there, they moved laterally and dug deep into our network's VMware infrastructure using a compromised administrator account. They employed a combination of sophisticated backdoors and webshells to maintain persistence and harvest credentials.

MITRE followed best practices, vendor instructions, and the government’s advice to upgrade, replace, and harden our Ivanti system, but we did not detect the lateral movement into our VMware infrastructure. At the time we believed we took all the necessary actions to mitigate the vulnerability, but these actions were clearly insufficient.

Observed ATT&CK Techniques

To provide a comprehensive understanding of the attack, the table below provides some of the initial corresponding ATT&CK tactics, techniques, and procedures. This is a necessarily incomplete list as the investigation is ongoing.

Incident Response Efforts

Upon detecting the breach, our incident response team initiated a coordinated response plan. Key actions included:

  • Containment: We isolated affected systems and segments of the network to prevent further spread of the attack. Simply changing edge firewall rules was insufficient as this network had connectivity to labs across the enterprise, and effective containment required shutting down access infrastructure and isolating edge systems in a diverse set of laboratories. An accurate network inventory was critical to doing this in a timely way.
  • Governance: Effective response and recovery require an aligned board and management team. MITRE’s board of trustees chartered an ad-hoc committee to provide governance and oversight. Our CTO led the overall company-wide response, balancing and coordinating across the CIO and CISO on incident response, business unit leadership on customer engagement and project recovery and continuity, and enterprise communications and general counsel teams.
  • Analysis: We launched multiple streams of forensic analysis to identify the extent of the compromise, the techniques employed by the adversaries, and whether the attack was limited to the research and prototyping network or had spread further. While this process is still underway, and we have a lot more to uncover about how the adversary interacted with our systems, trusted log aggregation was perhaps the most important component to enabling our forensic investigation.
  • Remediation: With the compromised system contained for the forensic analysis, we needed new compute, storage, and networking resources for projects to use instead. We quickly identified alternative platforms, conducted a thorough security audit of each, and established a procedure for projects to migrate to new systems. The highest-priority projects will be back online in clean environments with fewer than two weeks of downtime.
  • Communication: It is critical to maintain transparent communication with stakeholders, including affected employees, customers, law enforcement, and ultimately the public. With an investigation underway, finding the right balance about what to share and when can be challenging. We’re making the decision to inform the public because we work in the public interest, and the more we collectively understand and can combat this threat the better we will all be.
  • Enhanced Monitoring: The forensic investigation necessitated rapid deployment of new sensor suites to collect information from affected systems, many of which can help improve our monitoring in an enduring way. We also were able to leverage indicators of compromise from the compromised system and from partners and law enforcement to augment threat hunting efforts across other parts of our network.

Best Practice Tips for Detection

As our investigation continues and concludes we will release more targeted resources to help with detecting the specific TTPs observed in our incident. However, in the meantime we recommend the following high-level strategies to enhance detection capabilities:

  • Anomaly Detection: Monitor VPN traffic for unusual patterns, such as spikes in connections (DS0029) or unusual geographic locations.
  • Behavior Analysis: Look for deviations in user behavior, such as unusual login times (DS0002 or DS0028) or accessing unfamiliar resources.
  • Network Segmentation: Segmenting networks can limit lateral movement (DS0029), making anomalous activities more apparent.
  • Threat Intelligence Feeds: Stay updated with threat intelligence feeds to identify known malicious IP addresses (DS0029), domains, or file hashes (DS0022).
  • Adversary Engagement: Deploy adversary engagement resources in your environment, such as deception environments and honey tokens that not only trigger detection but provide deeper insights into adversary TTPs.
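To make the first three tips concrete, here is an added example (my own illustration, not MITRE's code or any product's detection logic) that runs three checks over constructed VPN authentication log lines: a source IP matching a threat-intelligence list, a login outside an assumed working window, and an established session ID reappearing from a new source IP without a fresh login, which is the footprint a hijacked session leaves even when MFA was satisfied at login. The log format, field names, IP addresses and the IOC list are all constructed for the example.

```python
"""Added example (not MITRE's code): three simple VPN-log detections.

The log format, all IPs, and the IOC list below are constructed for
illustration; adapt the parser to your VPN appliance's actual log schema.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines:
# "<ISO timestamp> user=<name> src=<ip> session=<id> event=<login|request>"
SAMPLE_LOG = """\
2024-01-08T09:02:11Z user=alice src=198.51.100.20 session=s1 event=login
2024-01-08T09:15:40Z user=alice src=198.51.100.20 session=s1 event=request
2024-01-08T10:01:05Z user=bob src=198.51.100.21 session=s2 event=login
2024-01-09T02:47:13Z user=bob src=203.0.113.45 session=s2 event=request
2024-01-09T03:10:00Z user=carol src=192.0.2.77 session=s3 event=login
2024-01-09T14:30:00Z user=carol src=192.0.2.77 session=s3 event=request
"""

# Constructed IOC list (hypothetical; in practice fed from your TI platform).
KNOWN_BAD_IPS = {"203.0.113.45"}

# Assumed working window in UTC: logins outside it are flagged (tune per site).
BUSINESS_HOURS = range(7, 20)


def parse_line(line):
    """Split one log line into a dict with a parsed 'ts' datetime."""
    ts, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def analyze(log_text):
    """Return a list of (rule, user, detail) findings, in log order."""
    findings = []
    session_ips = defaultdict(set)  # session id -> source IPs seen so far
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        user, src, sess = rec["user"], rec["src"], rec["session"]

        # Rule 1 (Threat Intelligence Feeds, DS0029): source IP on the IOC list.
        if src in KNOWN_BAD_IPS:
            findings.append(("ioc_match", user, src))

        # Rule 2 (Behavior Analysis, DS0002/DS0028): login at an unusual hour.
        if rec["event"] == "login" and rec["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours_login", user, rec["ts"].isoformat()))

        # Rule 3 (Anomaly Detection, DS0029): an already-established session ID
        # is used from a source IP it has never been seen from, with no new
        # login event. A stolen session cookie/token produces exactly this.
        if rec["event"] != "login" and session_ips[sess] and src not in session_ips[sess]:
            detail = f"{sess}: {sorted(session_ips[sess])} -> {src}"
            findings.append(("session_ip_change", user, detail))

        session_ips[sess].add(src)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the constructed input this flags bob's session twice (IOC hit and session reuse from a new IP) and carol's 03:10 login. Rule 3 is the one most relevant to an MFA bypass via session hijacking, but it is a heuristic: users roaming between networks or behind carrier NAT will trigger it, so in production correlate it with the other signals rather than alerting on it alone.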

Best Practice Tips on Hardening Your Networks

As our investigation continues and concludes we will release more targeted resources to help with hardening infrastructure tied to the specific TTPs observed in our incident. However, in the meantime we recommend the following high-level strategies to harden networks:

  • Strong Authentication (M1032): Implement robust access controls, including strong multi-factor authentication mechanisms and least privilege principles.
  • Regular Patch Management (M1051): Keep systems and software up to date to mitigate known vulnerabilities.
  • Least Privilege Access (M1026): Restrict user privileges to limit the impact of compromised credentials.
  • Network Segmentation (M1030): Employ network segmentation to limit the impact of a potential breach and contain malicious activity.
  • Vulnerability Assessments (M1016): Conduct regular security assessments and penetration testing to identify and address weaknesses proactively.
  • Threat Intelligence Program (M1019): Read and act on published reporting from trusted sources such as CISA’s cybersecurity advisories, which include detection and mitigation techniques.

Next Steps and Call to Action

While our initial response efforts have helped mitigate the immediate impact of the cyber-attack, we recognize the ongoing need for vigilance and adaptation. Moving forward, we are committed to:

  • Incident Review: Conducting a comprehensive review of our cybersecurity posture, including vulnerability assessments and penetration testing, to identify and address potential weaknesses.
  • Enhanced Training: Enhancing employee training and awareness programs to reinforce the importance of cybersecurity best practices and threat awareness.
  • Strengthened Defenses: Implementing additional security measures based on lessons learned from the incident.

Beyond the specifics of this particular incident, MITRE is committed to its public interest mission to strengthen cybersecurity for the entire industry. Zero-day vulnerabilities in the devices used to protect our networks are unacceptable. We further commit to working across our stakeholders in the U.S. government, industry, and the public to:

  • Advance the National Cybersecurity Strategy and CISA’s Secure by Design philosophy to make software and hardware products more secure out of the box.
  • Operationalize Software Bill of Materials to improve software supply chain integrity and the speed with which we can respond to upstream software vulnerabilities in products.
  • Broadly deploy zero trust architectures with robust multifactor authentication and micro-segmentation.
  • Expand multi-factor authentication beyond simply two-factor systems to include continuous authentication and remote attestation of endpoints.
  • Broaden industry adoption of adversary engagement as a routine tool not only for detecting compromise but also for deterring adversaries.

In our next update, we will delve deeper into the technical details of the attack, providing insights into the adversary’s tactics and our efforts to counter them. We remain steadfast in our commitment to safeguarding our digital assets and maintaining the trust of our stakeholders in the face of evolving cyber threats.

Stay tuned for further updates and insights.

About the Center for Threat-Informed Defense

The Center for Threat-Informed Defense is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

© 2024 MITRE Engenuity, LLC. Approved for Public Release. Document number CT0115.
