Robin’s Newsletter #158

27 June 2021. Volume 4, Issue 26
MITRE and NSA want to D3FEND your network. Aussie 'safety by design' toolkit. EU launches 'joint cyber unit' to coordinate 'nightmare' attacks.

This week

MITRE corporation releases D3FEND to map technical countermeasures

The MITRE Corporation released a technology-focused framework called D3FEND this week. The model defines cyber security countermeasures that can be used by security teams to help defend systems from threat actors.

The model was funded by the U.S. National Security Agency (NSA). Where MITRE’s previous ATT&CK model defines the tactics and techniques used by threat actors, D3FEND sets out how they may be frustrated or thwarted.

“D3FEND establishes terminology of computer network defensive techniques and illuminates previously-unspecified relationships between defensive and offensive methods.” — NSA press release

The countermeasures are grouped under five categories: harden; detect; isolate; deceive; evict. There are two long-term goals of D3FEND:

  1. create a sustainable knowledge framework for characterising cyber security countermeasures and their relationships
  2. accelerate knowledge discovery to keep pace with technological changes in the cyber domain.

Managed Security Services Providers (MSSPs) and Managed Detection and Response (MDR) vendors in particular have begun advertising their service coverage against ATT&CK, and I’d expect the wider set of cyber technology vendors to begin advertising their products and services aligned to D3FEND. That could make it much easier for CISOs and security teams to understand the market and identify gaps that previously needed tools like the Cyber Defense Matrix to surface.

In 2019 the security team at Dutch financial services firm Rabobank released a tool they called DeTT&CT that can be used to, amongst other things, indicate whether you have sufficient data sources, of sufficient quality, to be able to see traces of ATT&CK techniques.
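To make the data-source idea concrete, here is an added example in the spirit of DeTT&CT; it is not DeTT&CT’s or MITRE’s code. The ATT&CK technique IDs are real, but the technique-to-data-source mapping is a small illustrative subset, and the inventory, quality dimensions and 0–5 scale are constructed for the example: a real assessment would use the full ATT&CK data-source metadata and DeTT&CT’s own scoring.

```python
"""Data-source visibility check in the spirit of DeTT&CT (added example, not DeTT&CT's code).

Scores how well the telemetry actually collected lets a team see traces of
ATT&CK techniques, and lists the techniques that fall below a visibility threshold.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The quality dimensions and the 0-5 scale are a constructed simplification;
# DeTT&CT uses its own, richer scoring.
MAX_QUALITY = 5


@dataclass
class DataSource:
    name: str
    available: bool = True
    quality: Dict[str, int] = field(default_factory=dict)

    def score(self) -> float:
        """Normalised 0.0-1.0 quality; an unavailable or unscored source is worth nothing."""
        if not self.available or not self.quality:
            return 0.0
        return sum(self.quality.values()) / (MAX_QUALITY * len(self.quality))


# Constructed, illustrative mapping of ATT&CK techniques to the data sources that
# can reveal them (real technique IDs, hand-picked subset of sources).
TECHNIQUE_SOURCES: Dict[str, List[str]] = {
    "T1059 Command and Scripting Interpreter": ["Process Creation", "Command Execution"],
    "T1003 OS Credential Dumping": ["Process Access", "Process Creation"],
    "T1071 Application Layer Protocol": ["Network Traffic"],
    "T1566 Phishing": ["Email Gateway", "File Creation"],
}

# Constructed inventory of what one hypothetical SOC collects, and how well.
SOURCES = [
    DataSource("Process Creation", True, {"completeness": 5, "timeliness": 4, "retention": 3}),
    DataSource("Command Execution", available=False),  # agent feature not switched on
    DataSource("Network Traffic", True, {"completeness": 3, "timeliness": 3, "retention": 3}),
    DataSource("Email Gateway", True, {"completeness": 4, "timeliness": 5, "retention": 5}),
    DataSource("File Creation", True, {"completeness": 2, "timeliness": 2, "retention": 1}),
    # "Process Access" is not collected at all, so it is simply absent from the inventory.
]


def visibility(sources, mapping, threshold=0.5) -> Dict[str, Tuple[float, List[str]]]:
    """For each technique: (mean score of its data sources, sources scoring below threshold).

    A source that is absent from the inventory counts as 0.0, exactly like one that is
    present but switched off, so both show up as weak.
    """
    by_name = {s.name: s for s in sources}
    report = {}
    for technique, needed in mapping.items():
        scores = [by_name[n].score() if n in by_name else 0.0 for n in needed]
        weak = [n for n, s in zip(needed, scores) if s < threshold]
        report[technique] = (round(sum(scores) / len(scores), 2), weak)
    return report


def gaps(report, threshold=0.5) -> List[str]:
    """Techniques whose mean visibility is below the threshold: the detection blind spots."""
    return sorted(t for t, (score, _) in report.items() if score < threshold)


if __name__ == "__main__":
    rep = visibility(SOURCES, TECHNIQUE_SOURCES)
    for technique, (score, weak) in rep.items():
        print(f"{technique:42s} {score:.2f}  weak: {', '.join(weak) or '-'}")
    print("Blind spots:", gaps(rep))
```

With the constructed inventory, T1071 is visible through a middling network source, T1566 is visible on average but leans on a poor file-creation feed, and both T1059 and T1003 come out as blind spots because one of their two sources is missing entirely. That last point is the one DeTT&CT makes: a single high-quality source does not rescue a technique whose other evidence you never collect.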

Interesting stats

50% of misconfigured Docker APIs are attacked by botnets within 56 minutes of being exposed, according to Aqua Security

205 days average time taken to fix critical vulnerabilities, according to WhiteHat Security

$358,000 average paid for standalone cyber claims in 2020, up from $149,000 in 2019, according to Fitch Ratings, who suggest this means many cyber insurers may be facing losses from policies when factoring in sales and underwriting overheads

Other newsy bits

Safety by Design framework

This week I learned that Australia has an eSafety Commissioner (Julie Inman Grant, @tweetinjules) when their office published a new framework for tech companies to assess and bake ‘safety by design’ into their products and services. The framework isn’t specific to the Australian jurisdiction and the tools can be used by any organisation globally. It covers aspects from online harms themselves, through user empowerment, to moderation, escalation and enforcement. As well as principles and tools for internal use, there are resources developed with investors and venture capital firms to help ensure investees are building capacity for managing online safety risks. It’s some pretty cool work!

EU launches new joint cyber unit for ‘nightmare’ attacks

The European Union has launched a new ‘joint cyber unit’ to help respond to large-scale cyber-attacks across multiple member states. The unit will be headquartered in Brussels and centrally coordinate the work of ENISA (the European Union Agency for Cybersecurity), CERT-EU and Europol’s EC3 cybercrime centre, amongst other national and European agencies.

In brief

Attacks, incidents & breaches

  • North Korea alleged to be behind the breach at South Korean nuclear research institute
  • Fertility clinic Reproductive Biology Associates (RBA aka MyEggBank) shows how pin-pointing unauthorised access can be tough: 2 months to identify 38,000 patients whose personal data was accessed by cybercriminals in ransomware attack
  • FCUK: French Connection victim of REvil ransomware attack
  • 700GB of data from Taiwanese chip manufacturer ADATA leaked online following Ragnar Locker ransomware attack
  • Internet registry Asia Pacific Network Information Centre (APNIC) left ‘whois’ database in public cloud bucket for three months
  • Microsoft announces the SolarWinds attackers also compromised a support agent, whose access was used to launch attacks on customers

Threat intel

  • A week after arrests - that cryptocurrency exchange Binance says relate to laundering of $500M - Cl0p group dumps new data on victims, suggesting the group is still functioning
  • FIN7 group used threats of legal action, posed as disgruntled customers, impersonated the U.S. Securities and Exchange Commission, to dupe marks into opening malware payloads
  • Official Python repository, PyPI, hosted fake packages downloaded roughly 5,000 times that included code to install crypto-mining software on infected machines
  • Ransomware gangs increasingly using virtual machines to ‘hide’ code from detection tools, Symantec
  • Financial services brokers warned of phishing campaign pretending to be from U.S. securities regulator, FINRA
  • Akamai says application attacks against the games industry increased 340% year-on-year 2019-2020

Vulnerabilities

  • Around 30 million Dell laptops, desktops, servers and tablets for business and consumers vulnerable to issue that allows attackers to spoof being official domain and trigger malicious firmware updates
  • Zyxel firewall and VPN devices being targeted by attackers who are bypassing authentication using hidden/backdoor accounts (for the second time (vol. 4, iss. 2))
  • Interesting write-up of novel attacks against ATM cash machines via Near-Field Communication (NFC), including a chain allowing ‘jackpotting’ of one brand of machine

Security engineering

  • Google unveils schema to help map between vulnerabilities and package names, versions for open source projects
  • FIDO Alliance releases user experience guidelines for passwordless authentication to try and boost adoption

Internet of Things

  • Western Digital My Book Live network attached storage (NAS) devices are being remote-wiped, owners urged to disconnect devices from the Internet
  • 30% year-on-year increase in the use of USB in production facilities, says Honeywell, in new ICS threat report

Privacy

  • Brave launches privacy-focused search engine that doesn’t track users
  • Google delays rollout of cookie replacement FLoC ’til 2023 following backlash from regulators, campaigners and major websites

Public policy

  • Chris Inglis’ appointment as national cyber director confirmed by the Senate in role to co-ordinate cyber policy across the U.S. government
  • Australia’s opposition Labor Party has introduced a bill that would require victims of ransomware to notify the country’s cyber security agency if ransom payments are made

Mergers, acquisitions and investments

  • Amazon snaps up end-to-end encrypted messaging app Wickr
  • Ping Identity has acquired Israeli firm SecuredTouch to boost fraud and bot detection in PingOne identity platform
  • Sticking with identity… Passwordless startup Transmit Security has closed a staggering $543 million Series A funding round
  • Illumio closes Series F round led by Thoma Bravo, raises $225M on a $2.75B valuation for their zero trust platform

And finally

John McAfee found dead in Spanish prison

Iain Thomson over at The Register has a look back at the life of John McAfee, who was found dead in a Barcelona prison cell this week after a Spanish court approved his extradition to the United States on charges of tax evasion and breaking securities laws. McAfee made his fortune with the eponymous antivirus software, though since cashing out when his company was bought by Intel he’s led an oft-controversial life. Like or loathe him, there is no doubting the impact he had shaping the early cyber security technology industry.
