Applying the MITRE CREF.pptx
- 1. “You cannot stop a determined threat actor from pwning you.” –quote by me, when telling IT/cybersecurity pros to take other steps to plan for the pain.
- 3. ATT&CK® knowledgebase adversary tactics and techniques D3FEND™ knowledgebase of defensive countermeasures Engage™ framework for adversary engagement and deception CALDERA™ framework for automated adversary/red-team emulation Cyber Resiliency Engineering Framework (CREF) framework for cyber resilience design
- 9. Bending, but not breaking. 1 Withstanding an attack or outage AND recovering quickly. 2 Bouncing back from an attack. 3
- 13. Anticipate Withstand Recover Adapt
- 14. Anticipate Withstand Recover Adapt IDENTIFY PROTECT DETECT RESPOND RECOVER MITRE CREF NIST CSF
- 15. Anticipate Identify Protect Detect Respond Withstand Recover Adapt MITRE CREF & NIST CSF Together <3 CREF CREF CREF CREF CSF CSF CSF CSF
- 17. Incident Response Managed IT Operations Managed Cybersecurity Insights The VEEAM Story and Threat Actors: • Run “kill scripts” on target hosts to disable VSS, delete VSS snapshots • Delete/encrypt backups • Steal credentials for SAN and delete SAN snapshots • Encrypt VMware ESXi hosts • Attack DR sites and cloud resources over VPN from production network
- 18. VLAN 101 I’m simple, but flat and easy to attack.
- 19. The VEEAM Story: Veeam (on-premises backup software and infrastructure) was being deleted or encrypted in ransomware attacks. • Outcome: All servers, backup infrastructure, and storage is accessible to attacker and encrypted/deleted in ransomware attack. VLAN 101 I’m simple, but flat and easy to attack.
- 20. VLAN 101 VLAN 102 1 3 2 4 5 6 7 8 PWR FAN ALM STS HA TMP MGT CONSOLE USB 9 11 13 15 10 12 14 16 17 18 HA1 HA2 PA-3060 Firewall: Block inter-VLAN traffic for 101 and 102. Hole punched into VLAN for admin access. MITRE|CREF Navigator™ →Re-Architect →→Predefined Segmentation
- 21. The VEEAM Story: • We disjoined Veeam Backup Server from domain (so attacker cannot access it by compromising Active Directory). • We segmented the network. • Outcome: Improved restorability, but administrative access to VLAN102 can still be compromised if attacker compromises admin PC. VLAN 101 VLAN 102 1 3 2 4 5 6 7 8 PWR FAN ALM STS HA TMP MGT CONSOLE USB 9 11 13 15 10 12 14 16 17 18 HA1 HA2 PA-3060 Firewall: Block inter-VLAN traffic for 101 and 102. Hole punched into VLAN for admin access. MITRE|CREF Navigator™ →Re-Architect →→Predefined Segmentation
- 22. VLAN 101 VLAN 102 1 3 2 4 5 6 7 8 PWR FAN ALM STS HA TMP MGT CONSOLE USB 9 11 13 15 10 12 14 16 17 18 HA1 HA2 PA-3060 Firewall: Block inter-VLAN traffic for 101 and 102. AWS Azure MITRE|CREF Navigator™ →Reconstitute → Redundancy →→Protected Backup & Restore
- 23. The VEEAM Story: • We added immutable cloud storage for Veeam scale sets. • Outcome: If on-premises infrastructure is completely compromised, we still have a recovery path. VLAN 101 VLAN 102 1 3 2 4 5 6 7 8 PWR FAN ALM STS HA TMP MGT CONSOLE USB 9 11 13 15 10 12 14 16 17 18 HA1 HA2 PA-3060 Firewall: Block inter-VLAN traffic for 101 and 102. AWS Azure MITRE|CREF Navigator™ →Reconstitute → Redundancy →→Protected Backup & Restore
- 24. VLAN 101 VLAN 102 1 3 2 4 5 6 7 8 PWR FAN ALM STS HA TMP MGT CONSOLE USB 9 11 13 15 10 12 14 16 17 18 HA1 HA2 PA-3060 Firewall: Block inter-VLAN traffic for 101 and 102. AWS Azure DRaaS Cloud Credential & Key Vault MITRE|CREF Navigator™ →Reconstitute → Redundancy →→Protected Backup & Restore
- 25. The VEEAM Story: • We used a key vault for AWS and Azure storage keys and associated creds to prevent credential theft. (Admins don’t keep the passwords/keys.) • We added alternate, slower immutable cloud backup of critical VMs as a failsafe. • Outcome: Protection of backup resources and recovery paths. VLAN 101 VLAN 102 1 3 2 4 5 6 7 8 PWR FAN ALM STS HA TMP MGT CONSOLE USB 9 11 13 15 10 12 14 16 17 18 HA1 HA2 PA-3060 Firewall: Block inter-VLAN traffic for 101 and 102. AWS Azure DRaaS Cloud Credential & Key Vault MITRE|CREF Navigator™ →Reconstitute → Redundancy →→Protected Backup & Restore
- 26. Prevent or Avoid Prepare Continue Constrain Reconstitute Understand Transform Re-Architect
- 31. Focus on common critical assets Focus Support agility and architect for adaptability Support Reduce attack surfaces Reduce Assume compromise Assume Expect adversaries to evolve Expect
Editor's Notes
- #17: Most of all: Learn from Failure
- #18: Automation: “Kill scripts” on hosts that delete volume shadow copies using vssadmin.exe Delete Shadows /All /Quiet and disable VSS. Manually (hands on keyboards): Attackers identify Veeam servers and Veeam backup repositories and delete/encrypt the backups (as well as other backup solutions). Manually (hands on keyboards): Attackers delete snapshots on storage arrays (have seen this on EMC and Pure Storage) and disable snapshotting and replication. Manually (hands on keyboards): Attackers identify, attack, and encrypt hot DR sites over live VPNs from the production site. We’re seeing this and learning to protect our backups.