Home / Robin's Newsletter

Robin’s Newsletter #158

MITRE and NSA want to D3FEND your network. Aussie 'safety by design' toolkit. EU launches 'joint cyber unit' to coordinate 'nightmare' attacks.

 Vol. 4  Iss. 26  27/06/2021, last updated 11/07/2021   Robin Oldham  ~6 Minutes

Subscribe to Robin's Newsletter

This week

MITRE corporation releases D3FEND to map technical countermeasures

The MITRE Corporation released a technology-focused framework called D3FEND this week. The model defines cyber security countermeasures that can be used by security teams to help defend systems from threat actors.

The model was funded by the U.S. National Security Agency (NSA). Where MITRE’s previous ATT&CK model defines the tactics and techniques used by threat actors, D3FEND sets out how they may be frustrated or thwarted.

“D3FEND establishes terminology of computer network defensive techniques and illuminates previously-unspecified relationships between defensive and offensive methods.” — NSA press release

The countermeasures are grouped under five categories: harden; detect; isolate; deceive; evict. There are two long-term goals of D3FEND:

  1. create a sustainable knowledge framework for characterising cyber security countermeasures and their relationships
  2. accelerate knowledge discovery to keep pace with technological changes in the cyber domain.

Particularly within the Managed Security Services Provider (MSSP) and Managed Detection and Response (MDR) have begun advertising their service coverage against ATT&CK and I’d expect wider cyber technology vendors to begin advertising their products and services aligned to D3FEND. That could make it much easier for CISOs and security teams to understand the market and identify gaps that could previously have been identified using tools like the Cyber Defense Matrix.

In 2019 the security team at Dutch financial services firm Rabobank released a tool they called DeTTECT that can be used to, amongst other things, indicate if you have sufficient data sources with sufficient quality available to be able to see traces of ATT&CK techniques

d3fend.mitre.org, therecord.media, nsa.gov, cyberdefensematrix.com, DeTTECT

Interesting stats

50% of misconfigured Docker APIs are attacked by botnets within 56 minutes of being exposed, according to Aqua Security scmagazine.com

205 days average time taken to fix critical vulnerabilities, according to WhiteHat Security zdnet.com

$358,000 average paid for standalone cyber claims in 2020, up from $149,000 in 2019, according to Fitch Ratings, who suggest this means many cyber insurers may be facing losses from policies when factoring in sales and underwriting overheads therecord.media

Other newsy bits

Safety by Design framework

This week I learned that Australia has an eSafety Comissioner, (Julie Inman Grant, @tweetinjules) when their office published a new framework for tech companies to assess and bake ‘safety by design’ into their products and services. The framework isn’t specific to the Australian jurisdiction and the tools can be used by any organisation globally. It covers aspects from online harms themselves, through user empowerment, to moderation, escalation and enforcement. As well as principles and tools for internal use, there are resources developed with investors and venture capital firms to help ensure investees are building capacity for managing online safety risks. It’s some pretty cool work! zdnet.com, esafety.gov.au

EU launches new joint cyber unit for ‘nightmare’ attacks

The European Union has launched a new ‘joint cyber unit’ to help respond to large-scale cyber-attacks across multiple member states. The unit will be headquartered in Brussels and centrally coordinate the work of ENISA (the European Union Agency for Cybersecurity), CERT-EU and Europol’s EC3 cybercrime centre, amongst other national and European agencies. bbc.co.uk, europa.eu

In brief

Attacks, incidents & breaches

  • North Korea alleged to be behind the breach at South Korean nuclear research institute theregister.com
  • Fertility clinic Reproductive Biology Associates (RBA aka MyEggBank) shows how pin-pointing unauthorised access can be tough: 2 months to identify 38,000 patients whose personal data was accessed by cybercriminals in ransomware attack bleepingcomputer.com
  • FCUK: French Connection victim of REvil ransomware attack theregister.com
  • 700GB of data from Taiwanese chip manufacturer ADATA leaked online following Ragnar Locker ransomware attack bleepingcomputer.com
  • Internet registry Asia Pacific Network Information Centre (APNIC) left ‘whois’ database in public cloud bucket for three months theregister.com
  • Microsoft announces Solarwinds attacks also compromised support agent, was used to launch attacks on customers reuters.com

Threat intel

  • A week after arrests - that cryptocurrency exchange Binance says relate to laundering of $500M therecord.media - Cl0p group dumps new data on victims, suggesting the group is still functioning arstechnica.com
  • FIN7 group used threats of legal action, posed as disgruntled customers, impersonated the U.S. Securities and Exchange Commission, to dupe marks into opening malware payloads cyberscoop.com
  • Official Python repository, PyPI, hosted fake packages downloaded roughly 5,000 times that included code to install crypto-mining software on infected machines arstechnica.com
  • Ransomware gangs increasingly using virtual machines to ‘hide’ code from detection tools, Symantec zdnet.com
  • Financial services brokers warned of phishing campaign pretending to be from U.S. securities regulator, FINRA bleepingcomputer.com
  • Akamai says application attacks against the games industry increased 340% year-on-year 2019-2020 scmagazine.com


  • Around 30 million Dell laptops, desktops, servers and tablets for business and consumers vulnerable to issue that allows attackers to spoof being official dell.com domain and trigger malicious firmware updates therecord.media
  • Zyxel firewall and VPN devices being targeted by attackers who are bypassing authentication using hidden/backdoor accounts (for the second time (vol. 4, iss. 2)) arstechnica.com
  • Interesting writeup of novel attacks against ATM cash machines via Near-Field Communications (NFC), including a chain allowing ‘jack potting’ of one brand of machines wired.com

Security engineering

  • Google unveils schema to help map between vulnerabilities and package names, versions for open source projects theregister.com
  • FIDO Alliance releases user experience guidelines for passwordless authentication to try and boost adoption theregister.com

Internet of Things

  • Western Digital My Book Live network attached storage (NAS) devices are being remote-wiped, owners urged to disconnect devices from the Internet theregister.com
  • 30% year-on-year increase in the use of USB in production facilities, says Honeywell, in new ICS threat report honewell.com


  • Brave launches privacy-focused search engine that doesn’t track users therecord.media
  • Google delays rollout of cookie replacement FLoC ’til 2023 following backlash from regulators, campaigners and major websites arstechnica.com

Public policy

  • Chris Inglis’ appointment as national cyber director confirmed by the Senate in role to co-ordinate cyber policy across the U.S. government scmagazine.com
  • Australia’s opposition Labor Party has introduced a bill that would require victims of ransomware to notify the country’s cyber security agency if ransom payments are made zdnet.com

Mergers, acquisitions and investments

  • Amazon snaps up end-to-end encrypted messaging app Wickr ft.com
  • Ping Identity has acquired Israeli firm SecuredTouch to boost fraud and bot detection in PingOne identity platform zdnet.com
  • Sticking with identity… Passwordless startup Transmit Security has closed a staggering $543 million Series A funding round techcrunch.com
  • Illumio closes Series F round led by Thoma Bravo, raises $225M on a $2.75B valuation for their zero trust platform techcrunch.com

And finally

John McAfee found dead in Spanish prison

Iain Thomson over at The Register has a look back at the life of John McAfee who was found dead in a Barcelona prison cell this week after a Spanish court approved his extradition to the United States on charges of tax evasion and breaking securities laws. McAfee made his fortunes with the eponymous antivirus software though since cashing out when his company was bought by Intel he’s led an oft-controversial life. Like or loath him, there is no doubting the impact he had shaping the early cyber security technology industry. theregister.com