DoD Cyber Experts Address the MITRE ATT&CK Framework, Zero Trust, and Nation-state Attacks

Posted by Victor Monga on Jan 18, 2023 10:00:00 AM

By Victor Monga, CISO, Adversity Testing Foundation, Los Angeles Fuel Chapter Leader

I recently had a chance to interview John Davis, the VP of Public Sector at Palo Alto Networks, and Jonathan Reiber, the VP of Cybersecurity Strategy and Policy at ATTACKIQ. Both of them have storied careers in the public sector and US Department of Defense (DoD), and the conversation covered a gamut of topics. Some of the topics the two of them covered during my almost one-hour conversation included zero trust, rogue nation-state threats, the MITRE ATT&CK framework, and more. This post explores some of these in greater detail.

Threats from Rogue Nation-States

Davis explained that the axis of rogue nation-state actors (China, Russia, Iran, and North Korea) is using information warfare tactics, including cyber-attacks, to stay in a "gray zone" and frustrate the responses of Western democracies. Davis and Reiber noted that the US and its allies have largely adhered to a posture of restraint in the use of their own offensive cyber capabilities, recognizing that their own systems are not entirely secure. However, there is a shift towards a "defend-forward-and-persistent-engagement" posture, as seen in the DoD's cyber strategy, which recognizes that the fight in the realm of cyber is no longer solely on the traditional battlefield but rather in the "gray space." This shift also involves a move towards zero trust, which verifies the identity of users and devices and continuously assesses their trustworthiness.

Business Email Compromise Remains a High Threat

Business email compromise (BEC) continues to be a significant cyber threat. Cyber threats are growing in sophistication and automation, including ransomware and industrial control system attacks that impact critical infrastructure, as well as supply chain attacks such as the SolarWinds event. Even so, Davis and Reiber noted that BEC is still one of the top threat vectors their teams deal with on a daily basis. BEC involves attackers compromising a company's email system and using it to send fraudulent emails to employees, customers, or suppliers in an attempt to steal money or sensitive information. These attacks can be difficult to detect and often result in significant financial losses for businesses. To protect against BEC, it is important for companies to educate their employees on how to recognize and report suspicious emails and to implement robust email security measures.
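The "robust email security measures" above are left abstract in the interview. As an added illustration (not code from the post, from Palo Alto Networks or from AttackIQ), here is a small defender-side triage check that runs over a few constructed messages and reports the header and body indicators that commonly distinguish a BEC attempt from routine mail: a display name that matches a known executive but an address that does not, a Reply-To routed to a different domain than the From, a sender domain one or two characters away from the organization's own, and a body that pairs a money request with urgency. The internal domain `example.com`, the executive directory, the keyword lists and the three sample messages are all constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                      # constructed
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}    # constructed directory of high-value senders
MONEY_WORDS = re.compile(r"\b(wire|invoice|payment|gift cards?|bank details)\b", re.I)
URGENCY_WORDS = re.compile(r"\b(urgent|asap|immediately|today|right away)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance; used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def score_message(raw):
    """Return the list of BEC indicators found in one RFC 822 message (empty if none)."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings = []
    # 1. Display name of a known executive, but the address is not theirs.
    if from_name in EXECUTIVES and from_addr.lower() != EXECUTIVES[from_name]:
        findings.append("display name impersonates a known executive")
    # 2. Replies are steered to a different domain than the one that sent the mail.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("Reply-To domain differs from From domain")
    # 3. Sender domain is a near-miss of the organization's own domain.
    if from_domain != INTERNAL_DOMAIN and edit_distance(from_domain, INTERNAL_DOMAIN) <= 2:
        findings.append("lookalike sender domain")
    # 4. Money request combined with time pressure, the classic BEC lure.
    if MONEY_WORDS.search(body) and URGENCY_WORDS.search(body):
        findings.append("urgent financial request in body")
    return findings


# Constructed sample messages.
MSG_BEC = (
    "From: Jane Doe <jane.doe@examp1e.com>\n"
    "Reply-To: ceo.office@freemail.example\n"
    "To: pat@example.com\n"
    "Subject: Quick request\n"
    "\n"
    "Pat, I need you to process an urgent wire today. Bank details attached.\n"
)
MSG_OK = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: pat@example.com\n"
    "Subject: Q3 planning\n"
    "\n"
    "Let's meet Tuesday to review the roadmap.\n"
)
MSG_VENDOR = (
    "From: Billing <billing@supplier-corp.example>\n"
    "To: ap@example.com\n"
    "Subject: October invoice\n"
    "\n"
    "Attached is the invoice for October. Net 30 terms as usual.\n"
)

if __name__ == "__main__":
    for label, raw in (("bec", MSG_BEC), ("ok", MSG_OK), ("vendor", MSG_VENDOR)):
        print(label, score_message(raw) or "no indicators")
```

Each indicator on its own produces false positives (a legitimate vendor invoice, a reply sent from a personal account), so in practice the output feeds a score or a human review queue rather than an automatic block.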

Using the MITRE ATT&CK Framework and Zero Trust Architecture (ZTA)

The MITRE ATT&CK framework is a comprehensive resource for understanding the tactics, techniques, and procedures used by cyber attackers. It is a matrix of behaviors that can help organizations understand the steps that an attacker may take to compromise their systems and data. By using the MITRE ATT&CK framework, organizations can better prepare for and defend against potential cyberattacks.

One way that organizations can use the MITRE ATT&CK framework is by performing a threat assessment. This involves analyzing the organization's current security posture and identifying potential vulnerabilities that an attacker may exploit. The threat assessment should consider the various tactics, techniques, and procedures outlined in the MITRE ATT&CK framework, as well as the organization's specific industry and business needs.
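The threat assessment described above can be made concrete by mapping the organization's existing controls onto ATT&CK technique IDs and scoring the gaps. The following is an added example, not code from the post or from MITRE: the technique IDs and names are taken from the public ATT&CK Enterprise matrix (the single tactic shown per technique is a simplification), while the control inventory, the "validated" flags and the relevance weights are constructed for a hypothetical organization. It reports, per technique, whether anything prevents it, whether anything detects it, whether any of those controls has been validated by an emulation test, and a gap score that weighs missing layers by how relevant the technique is to the organization.

```python
from dataclasses import dataclass

# Subset of the ATT&CK Enterprise matrix (real IDs and names); one primary
# tactic per technique is shown, simplified for this illustration.
TECHNIQUES = {
    "T1566": ("Phishing", "initial-access"),
    "T1078": ("Valid Accounts", "initial-access"),
    "T1059": ("Command and Scripting Interpreter", "execution"),
    "T1003": ("OS Credential Dumping", "credential-access"),
    "T1110": ("Brute Force", "credential-access"),
    "T1021": ("Remote Services", "lateral-movement"),
    "T1486": ("Data Encrypted for Impact", "impact"),
}


@dataclass(frozen=True)
class Control:
    name: str
    kind: str               # "prevent" or "detect"
    techniques: frozenset   # technique IDs the control is meant to address
    validated: bool         # True once an emulation test has shown it actually works


# Constructed control inventory for a hypothetical organization.
CONTROLS = [
    Control("Email gateway with URL rewriting", "prevent", frozenset({"T1566"}), True),
    Control("Phishing-resistant MFA (FIDO2)", "prevent", frozenset({"T1078", "T1110"}), False),
    Control("Account lockout policy", "prevent", frozenset({"T1110"}), True),
    Control("EDR process telemetry rules", "detect", frozenset({"T1059", "T1003"}), True),
    Control("Admin-network segmentation", "prevent", frozenset({"T1021"}), False),
]

# Constructed relevance weights (1 = low, 3 = high); in practice these come from
# the organization's sector threat intelligence, not from this code.
PRIORITY = {"T1566": 3, "T1486": 3, "T1078": 2, "T1021": 2}


def assess(techniques, controls, priority):
    """Coverage per technique: prevention, detection, validation and a gap score.

    The gap score is relevance (1-3) times the number of missing layers, so a
    highly relevant technique with no prevention, no detection and no validated
    control scores the maximum of 9."""
    report = {}
    for tid, (name, tactic) in techniques.items():
        prevent = [c for c in controls if tid in c.techniques and c.kind == "prevent"]
        detect = [c for c in controls if tid in c.techniques and c.kind == "detect"]
        validated = any(c.validated for c in prevent + detect)
        missing = (not prevent) + (not detect) + (not validated)
        report[tid] = {
            "technique": name,
            "tactic": tactic,
            "prevent": bool(prevent),
            "detect": bool(detect),
            "validated": validated,
            "gap_score": priority.get(tid, 1) * missing,
        }
    return report


def prioritized_gaps(report):
    """Technique IDs with at least one gap, highest gap score first (ties by ID)."""
    return sorted(
        (tid for tid, r in report.items() if r["gap_score"] > 0),
        key=lambda tid: (-report[tid]["gap_score"], tid),
    )


def run_assessment():
    return assess(TECHNIQUES, CONTROLS, PRIORITY)


if __name__ == "__main__":
    report = run_assessment()
    for tid in prioritized_gaps(report):
        r = report[tid]
        print(f'{tid} {r["technique"]:<35} {r["tactic"]:<18} gap={r["gap_score"]}')
```

With these constructed inputs the top of the list is T1486 (nothing prevents, detects or has been tested against ransomware-style encryption), followed by the two techniques whose only control has never been validated. The "validated" column is what ties the assessment to the outcome-focused measurement the interview returns to later: a control that exists on paper but has never been exercised counts as a gap.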

In addition to the MITRE ATT&CK framework, organizations can also utilize a Zero Trust Architecture (ZTA) to combat cyberattacks from rogue nation-states. Zero Trust is a security model that assumes that all users and devices are untrusted by default and requires continuous authentication and authorization to access resources. This means that even if a user or device is already within the organization's network, they must still be verified before they are granted access to certain resources.

To implement a Zero Trust Architecture, organizations can use a number of different technologies and practices. These may include multi-factor authentication, network segmentation, and micro-segmentation. Network segmentation involves dividing the organization's network into smaller, more secure segments, which can help to limit the scope of an attack and reduce the potential damage. Micro-segmentation involves dividing the network even further, creating even smaller, more secure segments for specific applications or resources.

Used together, the MITRE ATT&CK framework and a Zero Trust Architecture help organizations better understand and prepare for potential cyberattacks from rogue nation-states. By performing a threat assessment and implementing a Zero Trust Architecture, organizations can better protect their systems and data from these types of attacks.

Developing a Dynamic Threat Response Posture

In an offensive or dynamic cybersecurity environment, a zero trust approach is ideal for effectively protecting an organization against cyber threats. A zero trust model assumes that all users and devices are untrusted by default and requires continuous authentication and authorization to access resources. This means that even if a user or device is already within the organization's network, they must still be verified before they are granted access to certain resources.

The advantage of a zero trust approach in an offensive or dynamic cybersecurity environment is that it allows organizations to continuously validate every stage of a digital interaction, rather than relying on a static checklist of security measures. This enables organizations to respond to and defend against unexpected or changing threats more effectively.

One way to implement a zero trust architecture is through the use of automated tools and processes. These may include network segmentation, micro-segmentation, and multi-factor authentication. Network segmentation involves dividing the organization's network into smaller, more secure segments, which can help to limit the scope of an attack and reduce the potential damage. Micro-segmentation involves dividing the network even further, creating even smaller, more secure segments for specific applications or resources. Multi-factor authentication requires users to provide additional forms of identification, such as a security token or biometric data, in addition to their username and password, to access certain resources.
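Both this section and the earlier ZTA section describe the same mechanics in words: deny by default, verify identity and device on every request, require MFA, and confine resources to segments. The block below is an added example, not code from the post or from any vendor mentioned in it, of a minimal policy decision function that applies those rules to each access request. The segment definitions, role names, network ranges and the six sample requests are constructed; the point they make is that a request from inside the corporate LAN earns nothing on its own, and that a session is re-checked on every request rather than trusted once.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    mfa_method: Optional[str]   # None, "totp" or "fido2"
    device_compliant: bool      # result of the endpoint posture check
    source_ip: str
    resource: str
    session_age_min: int        # minutes since the user last authenticated


# Constructed micro-segments. Each resource lives in a segment with its own role,
# MFA, session-lifetime and (optionally) network requirements. No segment grants
# access merely because the request originates inside the LAN.
SEGMENTS = {
    "crm-app": {"roles": {"sales", "admin"}, "mfa": {"totp", "fido2"},
                "max_session_min": 480, "network": None},
    "hr-db":   {"roles": {"hr", "admin"}, "mfa": {"fido2"},
                "max_session_min": 30, "network": None},
    "ics-hmi": {"roles": {"ot-engineer"}, "mfa": {"fido2"},
                "max_session_min": 15, "network": "10.50.0.0/24"},
}


def decide(req):
    """Policy decision for a single request: (allowed, reason). Default is deny.

    Every request is evaluated, including repeat requests inside an existing
    session; that is how continuous validation is enforced."""
    seg = SEGMENTS.get(req.resource)
    if seg is None:
        return False, "unknown resource"
    if not (req.roles & seg["roles"]):
        return False, "role not authorized for this segment"
    if req.mfa_method not in seg["mfa"]:
        return False, "MFA missing or too weak for this segment"
    if not req.device_compliant:
        return False, "device failed posture check"
    if req.session_age_min > seg["max_session_min"]:
        return False, "session too old: re-authentication required"
    if seg["network"] and ip_address(req.source_ip) not in ip_network(seg["network"]):
        return False, "source address outside the segment's allowed network"
    return True, "allowed"


# Constructed requests; 10.0.0.0/8 is the corporate LAN in this scenario.
REQUESTS = {
    "sales_user_ok":  Request("alice", frozenset({"sales"}), "totp", True, "10.0.0.5", "crm-app", 60),
    "insider_no_mfa": Request("bob", frozenset({"hr"}), None, True, "10.0.0.9", "hr-db", 5),
    "stale_session":  Request("bob", frozenset({"hr"}), "fido2", True, "10.0.0.9", "hr-db", 45),
    "wrong_network":  Request("carol", frozenset({"ot-engineer"}), "fido2", True, "203.0.113.7", "ics-hmi", 5),
    "bad_device":     Request("carol", frozenset({"ot-engineer"}), "fido2", False, "10.50.0.12", "ics-hmi", 5),
    "ot_engineer_ok": Request("carol", frozenset({"ot-engineer"}), "fido2", True, "10.50.0.12", "ics-hmi", 5),
}


def evaluate_all():
    return {name: decide(req) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in evaluate_all().items():
        print(f"{name:<16} {'ALLOW' if allowed else 'DENY':<5} {reason}")
```

The network test on the `ics-hmi` segment is an additional restriction layered on top of identity, MFA and device checks, not a substitute for them: the same engineer with a compliant device and a FIDO2 factor is still refused from an external address, and refused again from the right network if the device fails its posture check.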

By utilizing these technologies and processes, organizations can better protect themselves against cyber threats in an offensive or dynamic environment. A zero trust approach enables organizations to continuously validate and authenticate users and devices, and to respond to changing threats in real-time, helping to ensure the safety and security of their systems and data.

Observations on the Ukraine War and Fewer Cyberattacks Than Expected

There are several reasons why Russian cyberattacks were not worse during the Ukraine War. One reason is that Russian decision makers may have assessed that cyberattacks were not as useful in this conflict and therefore were not employed on the same scale as before the beginning of armed conflict. Another reason is that Ukraine quickly became a tougher cyber target by improving its cyber defenses and becoming more resilient to cyber-attacks. This was achieved through a surge of support in the form of defensive cyber operations capabilities from the US and its allies, as well as the sharing of cyber threat intelligence from the US and its allies and commercial entities.

Another factor contributing to the lower level of cyber activity is the possibility that monkey wrenches were thrown into the gears of Russian cyber operations. It is likely that the US and its allies have taken a forward-leaning approach to defending against Russian cyber threats, which may have disrupted or hindered some of their cyber operations. Additionally, Russian decision makers may have been hesitant to increase the scale and impact of their cyber operations due to the heightened sensitivities in the conflict, as they may have been concerned about drawing a more direct and kinetic engagement by NATO.

Finally, Russian cyber operations may have been more targeted and specific, rather than spreading in an uncontrolled manner, due to concerns about things spilling outside and potentially drawing in a more direct confrontation with NATO. Overall, these factors may have contributed to the lower level of Russian cyberattacks during the Ukraine War.

Measuring the Effectiveness of Cybersecurity Programs

Measuring the effectiveness of cybersecurity measures can be a challenging task, as it requires evaluating the ability of these measures to protect against real-world threats. One way to measure the effectiveness of cybersecurity measures is to focus on outcomes, rather than just tasks or compliance with certain standards. For example, instead of simply reporting on the number of patches applied or the percentage of systems that are compliant with a particular standard, it can be more useful to measure the effectiveness of cybersecurity measures by looking at how well they protect against actual attacks or breaches.

One way to do this is to conduct simulated attacks or penetration tests to see how well the cybersecurity measures hold up against real-world threats. This can help to identify weaknesses in the current system and allow for the implementation of additional measures to improve the overall effectiveness of the cybersecurity system.

Another way to measure the effectiveness of cybersecurity measures is to track and analyze relevant metrics, such as the number of successful attacks, the time it takes to detect and respond to threats, and the overall impact of attacks on the organization. By analyzing these metrics over time, it is possible to identify trends and areas for improvement in the cybersecurity system.
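The metrics named above (successful attacks, time to detect, time to respond, trend over time) are easy to compute once incident records carry three timestamps: earliest known attacker activity, first detection, and containment. The block below is an added example, not code from the post, that derives those outcome metrics per quarter from a constructed set of six incident records and reports whether each metric is moving the right way. The record format and the quarter bucketing are assumptions for this illustration.

```python
from datetime import datetime
from statistics import median

# Constructed incident records. "start" is the earliest known attacker activity,
# "detected" the first alert or report, "contained" when the activity was stopped,
# and "success" whether the attacker achieved an objective before containment.
INCIDENTS = [
    {"id": "INC-1", "start": "2022-07-03T09:00:00", "detected": "2022-07-05T09:00:00",
     "contained": "2022-07-05T15:00:00", "success": True},
    {"id": "INC-2", "start": "2022-08-10T08:00:00", "detected": "2022-08-11T08:00:00",
     "contained": "2022-08-11T10:00:00", "success": False},
    {"id": "INC-3", "start": "2022-09-01T00:00:00", "detected": "2022-09-04T00:00:00",
     "contained": "2022-09-04T12:00:00", "success": True},
    {"id": "INC-4", "start": "2022-10-12T10:00:00", "detected": "2022-10-12T14:00:00",
     "contained": "2022-10-12T15:00:00", "success": True},
    {"id": "INC-5", "start": "2022-11-20T09:00:00", "detected": "2022-11-20T10:00:00",
     "contained": "2022-11-20T10:30:00", "success": False},
    {"id": "INC-6", "start": "2022-12-05T06:00:00", "detected": "2022-12-05T16:00:00",
     "contained": "2022-12-05T19:00:00", "success": False},
]


def quarter(ts):
    dt = datetime.fromisoformat(ts)
    return f"{dt.year}-Q{(dt.month - 1) // 3 + 1}"


def hours_between(a, b):
    return (datetime.fromisoformat(b) - datetime.fromisoformat(a)).total_seconds() / 3600


def summarize(incidents):
    """Outcome metrics per quarter: incident count, attacks that achieved their
    objective, and median time to detect / time to contain in hours."""
    buckets = {}
    for inc in incidents:
        b = buckets.setdefault(quarter(inc["start"]),
                               {"incidents": 0, "successful": 0, "ttd": [], "ttr": []})
        b["incidents"] += 1
        b["successful"] += int(inc["success"])
        b["ttd"].append(hours_between(inc["start"], inc["detected"]))
        b["ttr"].append(hours_between(inc["detected"], inc["contained"]))
    return {
        q: {"incidents": b["incidents"], "successful": b["successful"],
            "median_ttd_h": median(b["ttd"]), "median_ttr_h": median(b["ttr"])}
        for q, b in sorted(buckets.items())
    }


def trend(summary, metric):
    """Direction of a lower-is-better metric between the first and last period."""
    periods = list(summary)
    first, last = summary[periods[0]][metric], summary[periods[-1]][metric]
    if last < first:
        return "improving"
    if last > first:
        return "worsening"
    return "flat"


def run_report():
    return summarize(INCIDENTS)


if __name__ == "__main__":
    report = run_report()
    for q, m in report.items():
        print(q, m)
    for metric in ("successful", "median_ttd_h", "median_ttr_h"):
        print(f"{metric}: {trend(report, metric)}")
```

Medians are used rather than means so a single long-dwell incident does not dominate a quarter. The same records can be filtered to only those raised by simulated attacks or penetration tests, which gives the outcome view of the previous paragraph: how many emulated techniques were detected at all, and how quickly.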

Overall, it is important to approach the measurement of the effectiveness of cybersecurity measures with a focus on outcomes, and to continuously assess and adjust the system based on real-world threats and performance metrics.

Summing Up The Conversation: Zero Trust Is Pivotal

So, what are some of the key takeaways from the video interview I conducted with Davis and Reiber? To begin, they emphasized the importance of moving from a static defense to an active or dynamic defense in order to effectively protect against cyber threats. They described the MITRE ATT&CK framework and Zero Trust Architecture as playing a critical role, together with automating and advancing software analytics in cybersecurity and the need to continuously validate every stage of a digital transaction, all to ensure the effectiveness of cybersecurity measures. Davis and Reiber also highlighted the importance of measuring the effectiveness of cybersecurity measures by focusing on outcomes and tracking relevant metrics, rather than just tasks or compliance with standards. Fuel User Group members will find their discussion useful, particularly their emphasis on the need for a proactive and dynamic approach to cybersecurity in order to effectively protect against cyber threats.

You can listen to the entire conversation with Davis and Reiber here on the Fuel User Group YouTube Channel.
