Imagine for a moment, a mad scientist scrabbling for body parts to stitch together to create his monster which will then wreak havoc on an unsuspecting village. Dr. Frankenstein’s monster in Mary Shelley’s 1818 novel was quite a bit different, but in popular culture we’ve developed an image of this poorly stitched together monstrosity with a thirst for vengeance and two bolts sticking out of his neck.
I see a cybersecurity incident much like this popular image of Frankenstein’s monster, although perhaps without the bolts. It’s a destructive entity which is composed of many different parts let loose by, if not a mad scientist, then some bad actors. How do you tackle the problem of this monster? Well you could chase it with fire, which it’s famously terrified of (although in the novel it wasn’t) or maybe a better way is to deal with the source.
As a society we can continue to try and educate bad actors and mad scientists to reform their ways – that’s a good start. However that’s not something your typical Security Operations Center is going to be able to do. So let’s look at the next step in the monster building pipeline! That would be to stop the monster/incident being built at all. Look at the different body parts necessary for the creation of the monster and stop those being available.
The MITRE ATT&CK® Matrix for Enterprises
Thankfully we have a not-for-profit organization which is dedicated to providing you with the real-world behaviors and techniques used by bad actors across the globe. Their mission is to solve problems for a safer world: MITRE. Using MITRE ATT&CK® we can follow the steps to build our own multifaceted, hopefully theoretical, monster.
The MITRE ATT&CK® Matrix for Enterprise consists of 14 categories. You can learn more about them and how Orca Security can help here. These then contain techniques which you can explore to understand the logic or approach attackers might use, the techniques seen, and how to spot or prevent these happening in your environment.
Using a matrix like this it’s possible to perform threat modeling exercises to see where any gaps might be in your estate but that will also allow you to work on how you would detect and respond.
Assume that someone wants to access your IT environment and assume that someone will be able to access your IT environment. This exercise focuses on both prevention and mitigation.
Building a Monster: Think Like an Attacker
As any mad scientist worth their salt knows, building the perfect rampaging monstrosity begins with careful planning. Fail to prepare and you prepare to fail. For example, if you fail to get the weather reports in time then you may miss that all-important lightning strike to animate your creation!
Work progressively through the categories in the MITRE ATT&CK® Matrix for Enterprises. Examine the techniques within each one and work on how someone might use those in your environment. How would you detect them and what action could you take if you discovered something?
Each category is a major body part and each technique a possible stitch building that monster. How would you block an adversary from building that multifaceted incident? Could you detect that you were under reconnaissance?
Diving into one category, Lateral Movement, and one technique “Exploitation of Remote Services.” We can imagine how a bad actor might use this as part of their monster. Look across your environment and identify how different risks might come together to enable lateral movement through the exploitation of remote services. What compute resources in your estate connect or have the ability to connect to each other. How would a misconfiguration or vulnerability on one enable an attacker to move laterally across to the other, or beyond? Remember you’re looking to reduce the components that someone could use to build their monster! How would you limit the possibilities and scope of an attack?
No product is going to resolve all your problems, and no product is able to replace the due diligence technology professionals need to take with their organization. Look at where technology has successfully met some of these challenges though so you can focus on the value your teams add.
Find out how to get insights and defense across your cloud estate with Orca here.