RSA 2020 is rapidly approaching, and Fidelis Cybersecurity is excited to be attending. In advance of the conference, I’d like to give a short preview of the APT28 attack simulation that Fidelis will be presenting at RSA this year. You don’t want to miss this information-packed session, so be sure to schedule a meeting or demo with us at BOOTH #1441 in advance of the conference.
Many will remember APT28 as the advanced persistent threat that targeted the Democratic National Committee email system during the 2016 Presidential Election. APT28, commonly referred to as “Fancy Bear,” employs sophisticated methods consistent with the capabilities of nation-state sponsored threat actors. With the 2020 Democratic primaries currently underway and worries about election interference mounting ever since 2016, this session will demonstrate how attackers execute an advanced persistent threat like the one we saw in 2016. We will do this by simulating an attack using APT28’s methods and showing how the attack progresses (and can be identified or stopped) through multiple stages of the kill chain. Along the way we will map the attacker’s tactics, techniques and procedures (TTPs) to the MITRE ATT&CK framework, show how to build a holistic defense by operationalizing threat frameworks, and demonstrate how threat frameworks can be used to streamline a security stack so that it gives maximum defensive coverage against APT28.
Regular readers of our Threatgeek blog will already know that we are passionate advocates of leveraging threat-based frameworks such as MITRE ATT&CK to operationalize defensive capabilities. Threat-based frameworks provide a quantifiable method for assessing both attacker actions and the defensive capabilities needed to counter them. The MITRE ATT&CK framework lays out the progression of attack stages, from Initial Access to Impact, and lets cyber defenders visualize which techniques attackers use at each step of the kill chain, and which alternative techniques they may fall back on if a preferred method fails. This information can then be compiled into a Threat Heat Map, in which a threat score is computed for each individual adversary action from the applicability, prevalence, maneuverability, and visibility of that action.
To illustrate, APT28 commonly begins its Initial Access phase using Replication Through Removable Media, Spearphishing Attachments, Spearphishing Links, Trusted Relationships, or Valid Accounts. This gives organizations looking to defend against APT28 a valuable starting point, since they now know the techniques this actor commonly uses at that stage and can prioritize their defenses accordingly.
MITRE ATT&CK also provides enterprises with a risk-based assessment of defensive capabilities. By methodically mapping defensive capabilities to a threat framework, cyber defenders can easily see where they have coverage against specific threat actions and where they are lacking defensive depth. Although defensive capabilities are needed throughout the adversary lifecycle, some threat objectives/actions can be prioritized for additional focus based on the heat map composed of multiple actor and intrusion sets. This provides defenders with a clear, risk-based evaluation of their current overall security posture and enables evidence-based decision making to further improve defensive strength.
Operationalizing capabilities also grants defenders one more significant advantage – elimination of redundancy. In our experience, enterprise security stacks are often far from optimized. This is due largely to the prevalence of siloed point solutions within the stack. These point solutions are often adopted as organizations have tried to close (either real or perceived) security gaps by adopting the latest and greatest best-in-class security products. However, many organizations fail to properly implement these point solutions into their wider enterprise, adding solutions into their security stack without full consideration of how those solutions will play with existing products and capabilities. The result is a security stack with a multitude of narrow solutions, none of which are communicating with one another to provide holistic defensive coverage. Worse yet, some of these solutions may overlap with one another, producing duplicative alerts that only slow down security analysts who must painstakingly triage and correlate those alerts to gain an accurate picture of what is happening.
This can be addressed by mapping the defensive coverage of each product to the MITRE ATT&CK framework. Mapping the security stack to a threat-based framework gives security teams visibility not only of where they lack defensive depth, but also of where they have defensive overlaps. By identifying these overlaps, organizations can assess the value of each security product within the stack and justify either keeping or removing a specific product. For example, if an organization finds that it has three products capable of stopping spearphishing attempts, it can present an evidence-based business case for consolidating the stack by removing the duplicative products. One caveat: overlapping products should be retired one at a time, re-checking coverage after each removal, so that a technique covered only by the “redundant” products does not lose its last line of defense. This streamlining of the security stack saves valuable budget dollars while also reducing the security analyst workload.
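The heat-map scoring and the gap/overlap analysis described in the preceding paragraphs can be put into a small script. The following is an added example, not Fidelis code and not part of the original post. The five Initial Access techniques are the ones the post names for APT28; the 0-3 factor ratings, the scoring formula (applicability multiplied by the sum of the other three factors), and the four product names with their coverage sets are constructed assumptions for illustration only. It goes one step beyond the text by retiring redundant products greedily, one at a time, so that consolidation never removes the last product covering a technique.

```python
from dataclasses import dataclass

# Constructed example data (assumption, not from the post or from any real assessment).
# Each Initial Access technique APT28 is said to use gets a 0-3 rating per heat-map factor.


@dataclass(frozen=True)
class ThreatAction:
    tactic: str
    technique: str
    applicability: int    # 0 = does not apply to our environment, 3 = fully applies
    prevalence: int       # how often the actor is observed using it
    maneuverability: int  # how easily the actor can pivot to it when another fails
    visibility: int       # how hard it is for us to observe (higher = harder)

    def heat(self) -> int:
        # Assumed formula: an inapplicable technique scores zero regardless of the rest.
        return self.applicability * (self.prevalence + self.maneuverability + self.visibility)


ACTIONS = [
    ThreatAction("Initial Access", "Replication Through Removable Media", 1, 1, 1, 2),
    ThreatAction("Initial Access", "Spearphishing Attachment", 3, 3, 2, 2),
    ThreatAction("Initial Access", "Spearphishing Link", 3, 3, 3, 2),
    ThreatAction("Initial Access", "Trusted Relationship", 2, 2, 1, 3),
    ThreatAction("Initial Access", "Valid Accounts", 3, 2, 3, 3),
]

# Hypothetical products mapped to the techniques they claim to cover (assumption).
COVERAGE = {
    "email-gateway": {"Spearphishing Attachment", "Spearphishing Link"},
    "endpoint-agent": {"Spearphishing Attachment", "Replication Through Removable Media"},
    "url-sandbox": {"Spearphishing Attachment", "Spearphishing Link"},
    "identity-monitor": {"Valid Accounts"},
}


def heat_map(actions):
    """Technique -> heat score."""
    return {a.technique: a.heat() for a in actions}


def coverage_by_technique(coverage):
    """Invert product -> techniques into technique -> set of covering products."""
    index = {}
    for product, techniques in coverage.items():
        for technique in techniques:
            index.setdefault(technique, set()).add(product)
    return index


def gaps(actions, coverage):
    """Techniques on the heat map that no product covers, hottest first."""
    index = coverage_by_technique(coverage)
    uncovered = [a for a in actions if a.technique not in index]
    return [a.technique for a in sorted(uncovered, key=lambda a: a.heat(), reverse=True)]


def overlaps(coverage, min_products=2):
    """Techniques covered by at least min_products products (duplicate alert sources)."""
    index = coverage_by_technique(coverage)
    return {t: sorted(p) for t, p in index.items() if len(p) >= min_products}


def unique_contribution(coverage):
    """Techniques that only this product covers; an empty set means it adds no unique depth."""
    index = coverage_by_technique(coverage)
    return {product: {t for t in techniques if index[t] == {product}}
            for product, techniques in coverage.items()}


def consolidation_candidates(coverage):
    """Products with no unique contribution, in stable (sorted) order."""
    return sorted(p for p, unique in unique_contribution(coverage).items() if not unique)


def consolidate(coverage):
    """Retire redundant products one at a time, recomputing after each removal.
    Removing every candidate at once could strip a technique of its last defense
    (here, removing both spearphishing products would uncover both spearphishing techniques)."""
    remaining = {p: set(t) for p, t in coverage.items()}
    removed = []
    while True:
        candidates = consolidation_candidates(remaining)
        if not candidates:
            return removed
        victim = candidates[0]
        del remaining[victim]
        removed.append(victim)


if __name__ == "__main__":
    for technique, score in sorted(heat_map(ACTIONS).items(), key=lambda kv: -kv[1]):
        print(f"{score:>3}  {technique}")
    print("gaps:", gaps(ACTIONS, COVERAGE))
    print("overlaps:", overlaps(COVERAGE))
    print("naive candidates:", consolidation_candidates(COVERAGE))
    print("safe to retire:", consolidate(COVERAGE))
```

With the constructed data, Trusted Relationship is the only uncovered technique, both spearphishing techniques are covered by two or three products, and while a naive pass flags both the email gateway and the URL sandbox as redundant, the greedy pass retires only one of them, because after the first removal the other becomes the sole cover for Spearphishing Link.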
If you are interested in gaining an expert understanding of the APT28 attack methodology, the role of threat frameworks in defending against them, and where opportunities for security stack consolidation exist, be sure to book a meeting today.
In addition to our APT28 attack simulation, Fidelis will be hosting a variety of activities at BOOTH #1441.
VISIT OUR COMMAND POST TO: