MITRE’s ATT&CK framework is ever evolving. The latest October update extends enterprise coverage to the cloud and adds a considerable list of cloud-specific adversary techniques. The cloud has seen phenomenal growth over the past few years, as it offers businesses flexibility, reliability and cost savings. Along with this growth come new security risks and high-value targets for nation-state actors and cyber criminals.

In 2014, source code hosting provider Code Spaces was forced to shut down after an attacker gained access to its AWS control panel and deleted its entire cloud infrastructure, backups included. More recently, a software engineer was arrested after stealing sensitive data, including details pertaining to roughly 106 million credit card applications, from Capital One. The entry point was not the storage itself but a misconfigured web application firewall running on an EC2 instance: the attacker used it to obtain the instance’s temporary IAM role credentials from the metadata service, then used those credentials to list and copy the contents of S3 buckets.

As the cloud takes over, security practices and understanding need to evolve. ATT&CK’s enterprise platform categorization now includes Windows, macOS, Linux, AWS, GCP, Azure, Office 365, Azure AD and SaaS. The 36 initial cloud techniques include, for example, Data from Cloud Storage Object, which covers the bucket-copying step in the Capital One example above.

MITRE’s ATT&CK framework has already evolved quite a bit this year. Previously, enterprise ATT&CK was primarily focused on information theft, that is, on confidentiality and data exfiltration. The Impact tactic was introduced to address destructive, disruptive and resource-hijacking techniques (data destruction, data encrypted for impact, service stop, resource hijacking for cryptomining), all of which are particularly relevant to cloud environments; the Code Spaces incident above is an Impact case, not an exfiltration one. Mitigations were changed from free-text fields to objects in their own right, with their own identifiers and explicit relationships to the techniques they mitigate. This is an improvement in the structure of the taxonomy: a mitigation can now be referenced, deduplicated and queried across techniques instead of being re-described in each technique’s text.
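The two structural points above (platform tags on each technique, and mitigations as separate objects linked by relationships) are easiest to see by querying the STIX 2 bundle MITRE publishes in the mitre/cti GitHub repository. The script below is an added example, not code from the original post or from MITRE: it filters techniques down to those tagged with a cloud platform and resolves each one’s mitigations through the `mitigates` relationships. The bundle embedded in it is a constructed miniature with made-up STIX UUIDs (the technique names and T-numbers mirror real entries, but nothing else is taken from the real enterprise-attack.json); point `cloud_coverage` at the real bundle to run it for real.

```python
"""List cloud-platform ATT&CK techniques and their mitigation objects from a STIX 2 bundle.

Example code, not MITRE's. SAMPLE_BUNDLE is a constructed stand-in for the
enterprise-attack.json bundle; the STIX ids are fake, the object layout matches
what MITRE publishes (attack-pattern, course-of-action, relationship).
"""
import json
from collections import defaultdict

CLOUD_PLATFORMS = {"AWS", "GCP", "Azure", "Office 365", "Azure AD", "SaaS"}

SAMPLE_BUNDLE = json.dumps({  # constructed sample, not the real bundle
  "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
  "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--0001", "name": "Data from Cloud Storage Object",
     "x_mitre_platforms": ["AWS", "GCP", "Azure"],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "collection"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1530"}]},
    {"type": "attack-pattern", "id": "attack-pattern--0002", "name": "Valid Accounts",
     "x_mitre_platforms": ["Windows", "Linux", "macOS", "AWS", "GCP", "Azure", "Office 365", "Azure AD", "SaaS"],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"},
                           {"kill_chain_name": "mitre-attack", "phase_name": "persistence"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}]},
    {"type": "attack-pattern", "id": "attack-pattern--0003", "name": "Kerberoasting",
     "x_mitre_platforms": ["Windows"],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1208"}]},
    {"type": "course-of-action", "id": "course-of-action--0001", "name": "Audit"},
    {"type": "course-of-action", "id": "course-of-action--0002", "name": "Multi-factor Authentication"},
    {"type": "course-of-action", "id": "course-of-action--0003", "name": "Encrypt Sensitive Information"},
    {"type": "relationship", "id": "relationship--0001", "relationship_type": "mitigates",
     "source_ref": "course-of-action--0001", "target_ref": "attack-pattern--0001"},
    {"type": "relationship", "id": "relationship--0002", "relationship_type": "mitigates",
     "source_ref": "course-of-action--0003", "target_ref": "attack-pattern--0001"},
    {"type": "relationship", "id": "relationship--0003", "relationship_type": "mitigates",
     "source_ref": "course-of-action--0002", "target_ref": "attack-pattern--0002"},
    # A non-mitigation relationship whose source is absent from the bundle; must be ignored.
    {"type": "relationship", "id": "relationship--0004", "relationship_type": "uses",
     "source_ref": "intrusion-set--0001", "target_ref": "attack-pattern--0003"},
  ]
})


def load_objects(bundle_json):
    """Index every STIX object in the bundle by its STIX id."""
    return {obj["id"]: obj for obj in json.loads(bundle_json)["objects"]}


def attack_id(obj):
    """Return the ATT&CK id (T1530, M1047, ...) from the mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def cloud_techniques(objects, platforms=CLOUD_PLATFORMS):
    """Map ATT&CK id -> technique for live techniques tagged with at least one cloud platform."""
    out = {}
    for obj in objects.values():
        if obj["type"] != "attack-pattern" or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        if set(obj.get("x_mitre_platforms", [])) & platforms:
            out[attack_id(obj)] = obj
    return out


def mitigations_for(objects):
    """Map technique STIX id -> sorted mitigation names, following 'mitigates' relationships."""
    mit = defaultdict(set)
    for obj in objects.values():
        if obj["type"] != "relationship" or obj.get("relationship_type") != "mitigates":
            continue
        src = objects.get(obj["source_ref"])  # dangling refs resolve to None and are skipped
        if src and src["type"] == "course-of-action" and not src.get("x_mitre_deprecated"):
            mit[obj["target_ref"]].add(src["name"])
    return {tid: sorted(names) for tid, names in mit.items()}


def cloud_coverage(bundle_json):
    """One row per cloud technique: id, name, cloud platforms, tactics, mitigations."""
    objects = load_objects(bundle_json)
    mits = mitigations_for(objects)
    rows = []
    for tid, tech in sorted(cloud_techniques(objects).items(), key=lambda kv: kv[0]):
        tactics = sorted(p["phase_name"] for p in tech.get("kill_chain_phases", [])
                         if p.get("kill_chain_name") == "mitre-attack")
        rows.append({"id": tid, "name": tech["name"],
                     "platforms": sorted(set(tech["x_mitre_platforms"]) & CLOUD_PLATFORMS),
                     "tactics": tactics,
                     "mitigations": mits.get(tech["id"], [])})
    return rows


if __name__ == "__main__":
    for row in cloud_coverage(SAMPLE_BUNDLE):
        print(f'{row["id"]} {row["name"]}: platforms={row["platforms"]} '
              f'tactics={row["tactics"]} mitigations={row["mitigations"]}')
```

Against the real bundle, the same joins answer the questions a cloud security team actually asks of the update: which techniques apply to the platforms we run, which of them have no mitigation object at all, and which mitigations cover the most techniques. Revoked and deprecated objects are filtered out because MITRE keeps them in the bundle for historical continuity.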

There are several eagerly anticipated changes and additions on the horizon. PRE-ATT&CK techniques will be classified under two new tactics, uniting PRE-ATT&CK and ATT&CK. Further, ATT&CK for ICS (industrial control systems) and, the update I’m most looking forward to, the sub-technique restructuring of ATT&CK are both in the works.

It’s notable that community input was the primary