This week
MITRE corporation releases D3FEND to map technical countermeasures
The MITRE Corporation released a technology-focused framework called D3FEND this week. The model defines cyber security countermeasures that can be used by security teams to help defend systems from threat actors.
The model was funded by the U.S. National Security Agency (NSA). Where MITRE’s previous ATT&CK model defines the tactics and techniques used by threat actors, D3FEND sets out how they may be frustrated or thwarted.
“D3FEND establishes terminology of computer network defensive techniques and illuminates previously-unspecified relationships between defensive and offensive methods.” — NSA press release
The countermeasures are grouped under five categories: harden; detect; isolate; deceive; evict. There are two long-term goals of D3FEND:
- create a sustainable knowledge framework for characterising cyber security countermeasures and their relationships
- accelerate knowledge discovery to keep pace with technological changes in the cyber domain.
Particularly within the Managed Security Services Provider (MSSP) and Managed Detection and Response (MDR) have begun advertising their service coverage against ATT&CK and I’d expect wider cyber technology vendors to begin advertising their products and services aligned to D3FEND. That could make it much easier for CISOs and security teams to understand the market and identify gaps that could previously have been identified using tools like the Cyber Defense Matrix.
In 2019 the security team at Dutch financial services firm Rabobank released a tool they called DeTTECT that can be used to, amongst other things, indicate if you have sufficient data sources with sufficient quality available to be able to see traces of ATT&CK techniques
d3fend.mitre.org, therecord.media, nsa.gov, cyberdefensematrix.com, DeTTECT
Interesting stats
50% of misconfigured Docker APIs are attacked by botnets within 56 minutes of being exposed, according to Aqua Security scmagazine.com
205 days average time taken to fix critical vulnerabilities, according to WhiteHat Security zdnet.com
$358,000 average paid for standalone cyber claims in 2020, up from $149,000 in 2019, according to Fitch Ratings, who suggest this means many cyber insurers may be facing losses from policies when factoring in sales and underwriting overheads therecord.media
Other newsy bits
Safety by Design framework
This week I learned that Australia has an eSafety Comissioner, (Julie Inman Grant, @tweetinjules) when their office published a new framework for tech companies to assess and bake ‘safety by design’ into their products and services. The framework isn’t specific to the Australian jurisdiction and the tools can be used by any organisation globally. It covers aspects from online harms themselves, through user empowerment, to moderation, escalation and enforcement. As well as principles and tools for internal use, there are resources developed with investors and venture capital firms to help ensure investees are building capacity for managing online safety risks. It’s some pretty cool work! zdnet.com, esafety.gov.au
EU launches new joint cyber unit for ‘nightmare’ attacks
The European Union has launched a new ‘joint cyber unit’ to help respond to large-scale cyber-attacks across multiple member states. The unit will be headquartered in Brussels and centrally coordinate the work of ENISA (the European Union Agency for Cybersecurity), CERT-EU and Europol’s EC3 cybercrime centre, amongst other national and European agencies. bbc.co.uk, europa.eu
In brief
Attacks, incidents & breaches
- North Korea alleged to be behind the breach at South Korean nuclear research institute theregister.com
- Fertility clinic Reproductive Biology Associates (RBA aka MyEggBank) shows how pin-pointing unauthorised access can be tough: 2 months to identify 38,000 patients whose personal data was accessed by cybercriminals in ransomware attack bleepingcomputer.com
- FCUK: French Connection victim of REvil ransomware attack theregister.com
- 700GB of data from Taiwanese chip manufacturer ADATA leaked online following Ragnar Locker ransomware attack bleepingcomputer.com
- Internet registry Asia Pacific Network Information Centre (APNIC) left ‘whois’ database in public cloud bucket for three months theregister.com
- Microsoft announces Solarwinds attacks also compromised support agent, was used to launch attacks on customers reuters.com
Threat intel
- A week after arrests - that cryptocurrency exchange Binance says relate to laundering of $500M therecord.media - Cl0p group dumps new data on victims, suggesting the group is still functioning arstechnica.com
- FIN7 group used threats of legal action, posed as disgruntled customers, impersonated the U.S. Securities and Exchange Commission, to dupe marks into opening malware payloads cyberscoop.com
- Official Python repository, PyPI, hosted fake packages downloaded roughly 5,000 times that included code to install crypto-mining software on infected machines arstechnica.com
- Ransomware gangs increasingly using virtual machines to ‘hide’ code from detection tools, Symantec zdnet.com
- Financial services brokers warned of phishing campaign pretending to be from U.S. securities regulator, FINRA bleepingcomputer.com
- Akamai says application attacks against the games industry increased 340% year-on-year 2019-2020 scmagazine.com
Vulnerabilities
- Around 30 million Dell laptops, desktops, servers and tablets for business and consumers vulnerable to issue that allows attackers to spoof being official dell.com domain and trigger malicious firmware updates therecord.media
- Zyxel firewall and VPN devices being targeted by attackers who are bypassing authentication using hidden/backdoor accounts (for the second time (vol. 4, iss. 2)) arstechnica.com
- Interesting writeup of novel attacks against ATM cash machines via Near-Field Communications (NFC), including a chain allowing ‘jack potting’ of one brand of machines wired.com
Security engineering
- Google unveils schema to help map between vulnerabilities and package names, versions for open source projects theregister.com
- FIDO Alliance releases user experience guidelines for passwordless authentication to try and boost adoption theregister.com
Internet of Things
- Western Digital My Book Live network attached storage (NAS) devices are being remote-wiped, owners urged to disconnect devices from the Internet theregister.com
- 30% year-on-year increase in the use of USB in production facilities, says Honeywell, in new ICS threat report honewell.com
Privacy
- Brave launches privacy-focused search engine that doesn’t track users therecord.media
- Google delays rollout of cookie replacement FLoC ’til 2023 following backlash from regulators, campaigners and major websites arstechnica.com
Public policy
- Chris Inglis’ appointment as national cyber director confirmed by the Senate in role to co-ordinate cyber policy across the U.S. government scmagazine.com
- Australia’s opposition Labor Party has introduced a bill that would require victims of ransomware to notify the country’s cyber security agency if ransom payments are made zdnet.com
Mergers, acquisitions and investments
- Amazon snaps up end-to-end encrypted messaging app Wickr ft.com
- Ping Identity has acquired Israeli firm SecuredTouch to boost fraud and bot detection in PingOne identity platform zdnet.com
- Sticking with identity… Passwordless startup Transmit Security has closed a staggering $543 million Series A funding round techcrunch.com
- Illumio closes Series F round led by Thoma Bravo, raises $225M on a $2.75B valuation for their zero trust platform techcrunch.com
And finally
John McAfee found dead in Spanish prison
Iain Thomson over at The Register has a look back at the life of John McAfee who was found dead in a Barcelona prison cell this week after a Spanish court approved his extradition to the United States on charges of tax evasion and breaking securities laws. McAfee made his fortunes with the eponymous antivirus software though since cashing out when his company was bought by Intel he’s led an oft-controversial life. Like or loath him, there is no doubting the impact he had shaping the early cyber security technology industry. theregister.com