What cybersecurity pros can learn from the MITRE ATT&CK breach

May 6, 2024
The MITRE incident has some important take-aways for cybersecurity professionals.

Taking the crown for the most ironic cyberattack of the year, the MITRE Corporation, one of the most authoritative research institutions on cybersecurity supporting U.S. government agencies including aviation, defense, and homeland security, announced in April that a foreign nation-state threat actor had compromised an unclassified network called the NERVE (Networked Experimentation, Research and Virtualization Environment) used for research, development and prototyping. The nonprofit had endured 15 years without suffering a major cyber incident.

How Did The Attack Happen?

According to a blog post by MITRE’s own threat investigation unit, Center For Threat-Informed Defense, threat actors took advantage of zero-day vulnerabilities in Ivanti VPN, which allowed them to by-pass multi-factor authentication (MFA) systems using session hijacking. Next, they leveraged remote services like Remote Desktop Protocol (RDP) and Secure Shell Protocol (SSH) to gain access to a valid administrator account.

After compromising credentials, they moved laterally, gaining deep access to the network’s VMware virtualization infrastructure. Once inside, they employed a combination of backdoors and web shells to maintain persistence and exfiltrate data to command-and-control servers. Attackers even crafted their own virtual instances to successfully evade detection for three months.

Although the investigation is still ongoing, MITRE believes that there were a minimum of eight ATT&CK TTPs (tactics, techniques and procedures) used by threat actors in this cyberattack. 

Key Takeaways For Cybersecurity Pros

Below are some important take-aways for cybersecurity professionals from the MITRE incident:

1. Never Underestimate The Importance Of Patching

Not just MITRE, but even CISA (US’s premier cybersecurity agency) and thousands of other organizations have fallen victim to the Ivanti vulnerabilities. Ivanti has released fixes but there’s a high probability that many others are still vulnerable. We don’t need to look too far back to recall Log4j. Even though it was discovered and announced two years ago, 38% of applications remain unpatched. Along with social engineering, unpatched vulnerabilities are said to be the biggest reasons for breaches and ransomware attacks, which is why patching is obvious. 

2. Opt For A Layered Defense

As the MITRE attack demonstrates, an attack doesn’t happen in a single step. Adversaries take a host of steps to breach an organization’s defenses. Each step is an opportunity to detect or defend against the adversary. A multi-layered security approach ensures that even if an attacker breaches one layer of defense, subsequent layers still have a chance to detect and block the attack.

3. Invest In Employee Training and Awareness

Employees need to be extra cautious and vigilant to detect potential signs of infiltration, lateral movement or compromise. Through regular employee training and security awareness initiatives, organizations can improve threat awareness, detection, response and mitigation efforts. Moreover, the MITRE cyberattack proves that breaches can happen even to organizations that are most prepared. Every business should have well-documented and well-practiced incident response plans in place.

4. Maintain An SBOM List

There’s a disturbing rise in software supply chain attacks. Gartner predicts that 45% of global organizations will experience a software supply chain attack by 2025. To mitigate these risks, organizations must maintain an SBOM (software bill of materials), a list of ingredients that make up software components along with their version, origin, and potential vulnerabilities. This list allows organizations to make informed decisions about software components and their relative security risks.

5. Regular Security Checks and Continuous Monitoring

The MITRE incident shows that cybercriminals can plant backdoors into environments, leading to follow-on attempts that happen weeks and even months after the initial compromise. This is why it’s necessary for organizations to monitor their attack surfaces round the clock and conduct regular security testing so they can detect signs of infiltration, unusual patterns or indicators of compromise (IoCs).

6. Robust Access Control and Network Segmentation

Implementing granular access control such as zero-trust security or principle of least privilege (PoLP) and network segmentation helps limit the blast radius during a data breach. If user credentials (or a portion of the network) are compromised, attackers won’t be able to move laterally because there will be restrictions on their ability to access other systems and resources. In addition, it is also advisable that organizations switch to phishing-resistant MFA instead of conventional MFA as the latter is more susceptible to session hijacking.

The MITRE incident proves that no one is immune to cyberattacks and breaches. While conducting regular patching is key, it’s also important to focus on layered defenses, employee awareness initiatives, granular access control and continuous monitoring for building better detection capabilities and stronger defenses.

Perry Carpenter is co-author of “The Security Culture Playbook: An Executive Guide to Reducing Risk and Developing Your Human Defense Layer.” [2022, Wiley] His second Wiley book on the subject. He is chief evangelist and security officer for KnowBe4, provider of security awareness training and simulated phishing platforms used by more than 65,000 organizations worldwide.

Email: [email protected]

X: @PerryCarpenter

LinkedIn: https://www.linkedin.com/in/perrycarpenter/

About the Author

Perry Carpenter | Chief Evangelist and Security Officer, KnowBe4

Perry Carpenter is the author of Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors (Wiley, 2019) and the host of the 8th Layer Insights podcast on The CyberWire network. He is Chief Evangelist and Security Officer for KnowBe4, the world's largest security awareness training and simulated phishing platform. He holds a MS in Information Assurance (MSIA) from Norwich University and is a Certified Chief Information Security Officer (C|CISO).