An NDR Addendum to CISA Analysis Report: Federal Agency Compromised by Cyber Actor

On September 24, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) released an analysis report (AR20-268A) regarding a federal agency compromised by a malicious cyber actor.  As in other analysis reports from CISA, the report describes the tactics, techniques and behaviors of the adversary by using the MITRE ATT&CK framework and published a copy of the indicators of compromise they identified using the OASIS STIX cyberthreat intelligence exchange standard.

As I read the report, I reflected on how far the security community has come in sharing knowledge on threats both publicly and privately through security trust groups. The report serves as a fantastic illustration of the collective capabilities threat actors use to achieve their mission, using the MITRE ATT&CK framework to describe and attribute behaviors.

Everything About the Report Made Me Smile…Until…the End.

Then I Hung My Head and Sighed (Sad Face Emoji).

The last section of the analysis report is titled “Prevention” that literally says:

• “Deploy an Enterprise Firewall”
• “Block Unused Ports”
• And my all-time favorite, “Keep software up to date”

These guidance items pale in comparison to the value provided in the report on the behavior of the threat actor. They were an afterthought or no thought at all. No mention on how to use the valuable information provided in the report to effectively and efficiently “detect” and “respond” to the threat in your own network and thus protect your organization. No mention of the technologies that could help you. No guidance on best practices.

So, what else could I do but write an…

Unofficial ADDENDUM to the Analysis Report (AR20-268A)

NOTE: This addendum provides steps organizations should take against activity identified in AR20-268A.

Detection and Response

Deploy Network Observability Instrumentation/Visibility Plane

Organizations should deploy enterprise-wide network observability instrumentation (full traffic visibility rather than logs and SNMP MIBS) to understand network flows, traffic changes and serve as a visibility plane for network detection and response (NDR) technologies. Network observability solutions, which include analytics such as de-duplication, SSL decryption and application layer analysis are preferred.

Deploy Endpoint Detection and Response (EDR) Technology

Organizations should deploy EDR technology on as many managed endpoints and systems as possible. EDR technologies will provide organizations with behavioral and analytical detection techniques to identify early-stage cyberthreat activity categories such as initial access, execution, persistence and privilege escalation.

The threat actor activities identified in AR20-268A that EDRs can assist to identify include:

• Initial access: Valid Accounts*, Exploit Public-Facing Applications, External Remote Services; *Depending on implementation, EDR may or may not have visibility for this specific example
• Execution: Command and Scripting Interpreter, PowerShell, Scheduled Task/Job
• Persistence: Account Manipulation, Create Account: Local Account
• Defense evasion: Impair Defenses: Disable or Modify Tools
• Credential access: Exploitation for Credential Access
• Discovery: System Network Configuration Discovery, Query Registry
• Collection: Email Collection, Data from Network Shared Drive, Data Staged, Data from Local System, Archive Collected Data
• Command and control: Proxy, Non-Standard Port

Deploy Network Detection and Response (NDR) Technology

Organizations should deploy NDR technology with visibility across the entire network (aided by network observability instrumentation). NDR technology provides organizations with behavioral and machine learning techniques to identify malicious activity broadly across the full MITRE ATT&CK framework, with a focus on post-exploitation categories.

The threat actor activities identified in AR20-268A that NDRs can assist to identify include:

• Initial access: Valid Accounts, Exploit Public-Facing Applications, External Remote Services
• Execution: Command and Scripting Interpreter*, PowerShell*, Scheduled Task/Job*; *these techniques are commonly visible by NDR technology, however, the specific tactic/activity as described in AR20-268A would not be visible to NDRs.
• Credential access : Exploitation for Credential Access
• Discovery: Remote System Discovery
• Collection: Data from Network Shared Drive, Data Staged*; *data that has been staged for collection can be detected by NDR during exfiltration if the data staging process produces a known signature, such as an encrypted zip.
• Command and control : Proxy, Non-standard Port

Additional Recommendations

Organizations should also implement EDR and NDR technologies that provide

• A combination of threat intelligence, machine learning and behavioral analytics to identify and categorize observed activity as malicious
• Retention of all observed endpoint and network activity (rich metadata) for up to 30 days
• Rapid ability to triage and validate findings
• Searchability of all retained metadata activity to support threat hunting and investigation effort
• Guided investigation and next-step workflows to build case evidence to enable rapid, informed response actions

In closing, make no mistake, I am a big fan of the work CISA is doing to publish these analysis reports, and believe the intent of the content they provide is remarkable, albeit delayed in communicating (the STIX information they shared in the report shows <indicator:Sighting timestamp="2019-04-01T00:00:00"/>, meaning the attack dates back to April 2019 and this report was released in September 2020). Further, while Gigamon does offer a world class NDR — ThreatINSIGHT — I am not suggesting it or any other EDR or NDR could have identified every behavior of AR20-268A. But as a security community, we must follow through and move beyond recommendations for just prevention. We must communicate, advocate, and teach what is possible to achieve by sharing reports like these in a timely manner and applying detect and respond technologies and the role they can play in protecting organizations.