A cybersecurity advisory co-authored by the US Cybersecurity and Infrastructure Security Agency (CISA) alongside cybersecurity agencies from Canada, the UK and Australia, has described the need for at-scale security testing against known vectors of attack, including the Log4j vulnerability identified last December. The CISA has identified Iran as a primary source of recent attacks.
“The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory,” the advisory reads.
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) was launched in 2015 as a not-for-profit-led framework outlining known vulnerabilities and attack vectors, and describes the specific techniques used by bad actors that security teams can emulate. The advisory sets out threat vectors, mapped to this framework, against which it recommends evaluating current security coverage.
In a discussion with Bloomberg, a CISA official described attacks using threats up to 10 years old. Static application security testing tools can be readily automated to cover many such vulnerabilities. These tools integrate into development pipelines and are able to quickly identify existing vulnerabilities. Feedback from tests in a CI/CD pipeline can help to improve security coverage more permanently.
Cyber security specialist firms like Mandiant - which was acquired by Google this week - offer security and ransomware validation services, where attacks are replicated through repurposed forms of malware in current use. Research by California-based IT security specialist Barracuda found attacks on financial firms had increased by 200% in the last 12 months.
A recent report by AttackIQ found that the standard endpoint detection tools in its customers’ environments only stopped the top seven adversary techniques 39% of the time, even when fully effective in a lab environment. The cause was found to be insufficient testing, where misconfigurations and infrastructure changes left gaps in defences that could have been caught by a continuous testing method.
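The kind of continuous check the advisory and the AttackIQ report are talking about can be reduced to a small, repeatable computation: run a set of adversary-technique emulations in production, collect what the endpoint tooling actually alerted on or blocked, and compare the per-technique rate with the lab baseline. The script below is an added example written for this article; it is not code from CISA, AttackIQ or any vendor named here. The emulation runs, alert feed and lab baseline are constructed inline; the technique IDs (T1190, T1486, T1041, T1003) are real ATT&CK identifiers, but their mapping to runs is assumed for illustration.

```python
"""Continuous detection-coverage check keyed on MITRE ATT&CK technique IDs.

Added example for this article (constructed data, not vendor code).
"""
import json
from collections import defaultdict

# Constructed emulation run: one record per technique test executed in
# production. Technique IDs are real ATT&CK identifiers; run IDs are made up.
EMULATION_RUNS = [
    {"run_id": "r-001", "technique": "T1190"},  # Exploit Public-Facing Application
    {"run_id": "r-002", "technique": "T1190"},
    {"run_id": "r-003", "technique": "T1486"},  # Data Encrypted for Impact
    {"run_id": "r-004", "technique": "T1486"},
    {"run_id": "r-005", "technique": "T1041"},  # Exfiltration Over C2 Channel
    {"run_id": "r-006", "technique": "T1041"},
    {"run_id": "r-007", "technique": "T1003"},  # OS Credential Dumping
]

# Constructed EDR alert feed as JSON lines; not every run produced an alert,
# and one line is deliberately malformed to show the parser tolerating it.
EDR_ALERTS = """\
{"ts": "2022-09-14T10:01:02Z", "run_id": "r-001", "technique": "T1190", "action": "blocked"}
{"ts": "2022-09-14T10:05:17Z", "run_id": "r-003", "technique": "T1486", "action": "alerted"}
{"ts": "2022-09-14T10:07:40Z", "run_id": "r-004", "technique": "T1486", "action": "blocked"}
{"ts": "2022-09-14T10:09:03Z", "run_id": "r-006", "technique": "T1041", "action": "alerted"}
this line is not JSON and must not abort the run
"""

# Assumed lab baseline: the same tooling caught every technique in a clean lab.
LAB_BASELINE = {"T1190": 1.0, "T1486": 1.0, "T1041": 1.0, "T1003": 1.0}

REQUIRED_FIELDS = ("run_id", "technique", "action")
DETECTED = {"alerted", "blocked"}   # tool noticed the activity
PREVENTED = {"blocked"}             # tool actually stopped it


def parse_alerts(text):
    """Parse JSON-lines alerts, skipping malformed or incomplete records."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and all(k in rec for k in REQUIRED_FIELDS):
            alerts.append(rec)
    return alerts


def rates_by_technique(runs, alerts, actions):
    """Fraction of runs per technique whose alert action is in `actions`."""
    matched = {a["run_id"] for a in alerts if a["action"] in actions}
    total, hit = defaultdict(int), defaultdict(int)
    for r in runs:
        total[r["technique"]] += 1
        if r["run_id"] in matched:
            hit[r["technique"]] += 1
    return {t: hit[t] / total[t] for t in total}


def overall(runs, alerts, actions):
    """(matched runs, total runs) across all techniques, as integers."""
    matched = {a["run_id"] for a in alerts if a["action"] in actions}
    return sum(1 for r in runs if r["run_id"] in matched), len(runs)


def coverage_gaps(prod_rates, lab_rates):
    """Techniques whose production rate fell below the lab baseline."""
    return sorted(t for t, rate in prod_rates.items() if rate < lab_rates.get(t, 0.0))


if __name__ == "__main__":
    alerts = parse_alerts(EDR_ALERTS)
    detected = rates_by_technique(EMULATION_RUNS, alerts, DETECTED)
    prevented = rates_by_technique(EMULATION_RUNS, alerts, PREVENTED)
    for tech in sorted(detected):
        print(f"{tech}: detected {detected[tech]:.0%}, prevented {prevented[tech]:.0%}")
    hit, total = overall(EMULATION_RUNS, alerts, PREVENTED)
    print(f"prevented {hit}/{total} runs overall")
    print("gaps vs lab baseline:", coverage_gaps(detected, LAB_BASELINE))
```

Separating "detected" from "prevented" matters because the AttackIQ figure concerns techniques being stopped, not merely observed; a control that alerts but never blocks shows up as a gap in the second metric only. Running this after every infrastructure or configuration change, rather than once in a lab, is what turns a point-in-time result into the continuous testing the advisory asks for.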
The advisory, titled ‘Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations’, is a response to attacks linked to the Islamic Revolutionary Guards, which the CISA describes as ‘a driving force behind Iranian state-sponsored cyberattacks’. It details the techniques used in attacks, highlighting VMware Horizon Log4j vulnerabilities for initial access and ongoing use of known Fortinet and Microsoft Exchange vulnerabilities.
“After gaining access to a network, these actors likely determine a course of action based on their perceived value of the data, including data encryption or exfiltration for ransom operations,” the advisory reads.
Iranian state-linked actors were condemned last week for a series of attacks against Albanian government infrastructure in July, leading to the destruction of data and disruption of government functions. Three Iranian nationals were also recently charged with hacking hundreds of companies in the US, accused of ransomware attacks on infrastructure since October 2020.