Wednesday, May 6, 2020

ChefConf Online Session Recordings: Chef Infra Week

https://blog.chef.io/chefconf-online-session-recordings-chef-infra-week/

Hello Chefs!

Are you new to the wonders of Automation and Chef Infra? Or are you a battle-scarred professional looking for some deep magic to manage your Chef Server with ease? ChefConf Online has some sessions for you!

Join us this week as we record some of the ChefConf Online sessions for Chef Infra. This is your chance to see a preview of the ChefConf content and interact with our speakers. We'll be recording on various days and times, so hopefully some sessions will work for you. No need to book out your whole day. And if you miss your favorite, sign up for ChefConf at chefconf.io and all the sessions will be available for free starting June 2 on our video on demand platform!

To sign up to attend these recording sessions and the others we have planned for May, visit chefconf.io/session-recordings.

So take a look at this great stuff:

Monday, May 4, 12pm PDT / 3pm EDT

Justin Rivait of CUNA Mutual Group returns to ChefConf with Mise en Place – Preparing Your Organization for a Successful Chef Infra Journey:

The hardest part of integrating Chef Infra into an organization isn't learning the technical aspect – it's helping others to understand "The Why", and to build a solid community of practitioners. Culinary students often learn the concept of "Mise en Place", or "Everything in its Place". From champions to technical challenges – come learn from my organization's lessons that enabled us to scale Chef out, and the epics and features that would have helped us grow faster and become more successful earlier in our journey.

As organizations look to bring new tools in to increase the quality of their infrastructure and speed software delivery, it's often engineers that identify what may be able to improve these processes. Generally what follows is a business case presented to leadership in order to secure funding, an initial purchase order, and then a discovery period for those engineers and their product or service owners on how to make the tool work well in their unique ecosystems. For many, it's tempting to start automating and delivering right away – to just get something out there to show value. Often there is low hanging fruit that can be pointed to as a success story – but it's the more complicated patterns that can slow adoption down. In order for real success to happen there must be a strong community and willingness to change the ways in which we work, as well as support from the bottom of the organization all the way to the business leaders that partner with IT. We can increase velocity and adoption of new tools and ideas by following the concept of "Mise en place", or "Everything in its Place" by laying a solid foundation for Chef, or any other new tool or concept in our organizations to remove friction and make new ideas become successful realities.

Come learn how we developed a community of practitioners, built support for Chef, and laid the groundwork for Chef to not only survive, but to excel in our organization. In this talk we'll share how to build a strong business case for Chef to garner support and build new champions. We'll also cover some epics and features that we think are critical to the success of Chef in an organization. Finally, we'll talk about some thoughts around removing friction from the development lifecycle for Chef Infra to make it easier to learn and use.

Tuesday May 5, 10am PDT / 1pm EDT

Join Dan-Joe Lopez from SAP for Chef Infra for Dummies: How SAP Ramps Up New Developers:

Are you new to Chef, configuration management, or automation in general? Are you looking for a quick intro to get you started? This talk is for you!

The SAP DevOps Center of Excellence is a global enablement team, helping our developer teams to adopt the DevOps culture and practices. We act as a knowledge base on topics, technologies and best practices surrounding automation, continuous integration, continuous delivery, micro architecture, etc.

We often work with the development teams to create custom solutions and pipelines, most of which include some chef management. As we work with new development teams, or add members to our own team, we have to quickly ramp up their knowledge of Chef Infra.

In this talk, we'll share with you how we ramp up knowledge in SAP to get our colleagues working with Chef fast and efficiently. You can expect to learn:

  • The basic concepts of declarative configuration management and how it differs from scripted automation.
  • Important terms you'll hear at ChefConf.
  • The anatomy of a Chef cookbook.
  • The process of a Chef client execution.
  • How the Chef Infra Client and Server work together.
  • Where to find resources to expand your knowledge and get your questions answered.

Wednesday May 6, 2pm PDT / 5pm EDT

Chef's Matt Ray presents Chef and Terraform: Better Together:

HashiCorp's Terraform is a popular open-source Infrastructure as Code tool that allows us to quickly provision and manage infrastructure across the cloud. There are a wide variety of complementary integrations between Chef Infra, Habitat, and InSpec with Terraform that enhance the ease of managing infrastructure, applications, and compliance. This talk will dive into what's available and provide live demos of the Terraform integrations working together as we discuss how these complementary technologies achieve the goals of Infrastructure as Code.

Thursday May 7, 12pm PDT / 3pm EDT

Already a seasoned Chef Infra user? Take a deep dive into the Chef Server API with Mark Gibbons. 

Sometimes the knife command just isn't what you want when interacting with the Chef Server. Chef Manage is going away, or already gone. The Chef Server API offers convenient access to the functions behind the knife commands, and web apps built on the API can expose sensitive interfaces in a controlled manner.

Some of the functions the API gets used for include managing organizations, managing secrets via Vault, working with cookbooks and nodes, and managing the users on the team. We have many shared orgs with restricted (read only) access that receive updates via CI/CD only. We needed to allow access to organization and user information. How does a user ask for access to an organization when they can't display the information? How does a user find which organization owns a server? We also wanted to address auditing issues and to find a replacement for some Chef Manage functions and extension functions. We worked through these issues and more via the API.

Thursday May 7, 3pm PDT / 6pm EDT

Automating your environment is a marathon, not a sprint. Graham Davison shares his journey in his talk Third Time's a Charm: Introducing and Evolving a Chef Infra Implementation:

This talk will follow a five-year journey with Chef Infra. We will start with its introduction to an existing on-premise infrastructure and scaling as the environment grew. As we scaled, we extended some of the Chef command-line tools to ease deployment.

Next, we will explore the successful and less successful approaches to moving into a hybrid cloud infrastructure in AWS. We built AMIs using Packer and Chef Infra, but ended up with forked cookbook implementations for on-premise and cloud environments.

Finally, we will explore a cloud-centric deployment integrating AWS features with Chef Infra and Chef InSpec, and adopting Policyfiles.

Sign up for ChefConf Online!

These sessions and more will be available following our keynotes on June 2! If you miss the recording dates, register to attend on June 2 and you'll have access to all sessions on our video on demand platform. Plus you'll have access to other fun events, chats, and Q&A with our team. Don't miss it! Sign up today at chefconf.io

The post ChefConf Online Session Recordings: Chef Infra Week appeared first on Chef Blog.

Chef InSpec Profile for Critical Salt Vulnerabilities

https://blog.chef.io/chef-inspec-profile-for-critical-salt-vulnerabilities/

On April 30, 2020, two critical security vulnerabilities were identified in the SaltStack open source project (github.com/saltstack/salt). These vulnerabilities are critical and must be patched to avoid potential takeover of your systems.

These vulnerabilities have been assigned the highest severity rating, 10.0, under the Common Vulnerability Scoring System (CVSS), an open framework for communicating risk. Chef InSpec is extremely effective at inspecting a system, including identifying vulnerable versions of software, so we wrote a quick profile to test your systems. We recommend running it on every Salt Master in your environment to identify vulnerabilities, and running it again once patches are applied to verify they have been remediated.

It accomplishes this by checking the following:

  • If your system has any SaltStack packages installed that were released prior to the patched versions of 3000.2 or 2019.2.4
  • If no package is found but the salt command line utility is available on the PATH of the user running InSpec, we run salt --version and check its output for a patched version of Salt.
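
A worked example of the version gate those two checks apply, written for this post as plain Ruby rather than taken from the chef-cft/salt-vulnerabilities profile (which is an InSpec profile, not a stand-alone script): it parses package version strings and `salt --version` output, applies the patched-version floors stated above (2019.2.4 and 3000.2), and falls back from packages to the command line the way the text describes. The package name list, the sample inputs, and the rule that anything older than 2019 (or in the unused 2020–2999 range) counts as unpatched are assumptions made for the example.

```ruby
# Added example, not code from the chef-cft/salt-vulnerabilities profile:
# a plain-Ruby model of the two checks described in the post, so the
# version logic can be reasoned about and tested without an InSpec run.

# Patched floors named in the post: 2019.2.4 for the 2019.2 series and
# 3000.2 for the 3000 series. Assumption: anything older than 2019 is
# unpatched, and anything 3000 or newer is compared against 3000.2.
PATCHED_FLOORS = {
  2019 => [2019, 2, 4],
  3000 => [3000, 2],
}.freeze

# Package names as they appear in the profile's sample output (assumed list).
SALT_PACKAGES = %w[salt salt-master salt-minion salt-api salt-cloud
                   salt-ssh salt-syndic].freeze

# Extract the numeric version from either a package version string such as
# "2016.3.0-1.el7" (the distro release suffix after "-" is ignored) or the
# output of `salt --version`, e.g. "salt 3000.2". Returns [Integer] or nil.
def parse_salt_version(text)
  m = text.to_s.strip.match(/(?:\A|\s)(\d+(?:\.\d+)*)/)
  return nil unless m
  m[1].split('.').map(&:to_i)
end

# Compare two integer version arrays numerically, padding the shorter one
# with zeros so "3001" is treated as 3001.0 when compared to 3000.2.
# Numeric comparison avoids the lexical pitfalls of comparing version
# strings directly (e.g. "2019.2.4" sorting below "3000.2" as text).
def version_cmp(a, b)
  width = [a.size, b.size].max
  Array.new(width) { |i| a[i] || 0 } <=> Array.new(width) { |i| b[i] || 0 }
end

# true when the version in `text` is at or above the patched floor for its series.
def salt_patched?(text)
  v = parse_salt_version(text)
  return false if v.nil?
  if v[0] == 2019
    version_cmp(v, PATCHED_FLOORS[2019]) >= 0
  elsif v[0] >= 3000
    version_cmp(v, PATCHED_FLOORS[3000]) >= 0
  else
    false # pre-2019 releases, and the unused 2020..2999 range, predate both fixes
  end
end

# Mirror the profile's decision flow: check installed SaltStack packages
# first; only when none are found fall back to `salt --version` output
# (nil when salt is not on the PATH, which is the caveat the post notes).
# packages: {name => version string}
# returns: [[subject, version, :patched | :vulnerable], ...]
def assess_salt_host(packages, cli_output)
  findings = SALT_PACKAGES.select { |pkg| packages.key?(pkg) }.map do |pkg|
    [pkg, packages[pkg], salt_patched?(packages[pkg]) ? :patched : :vulnerable]
  end
  if findings.empty? && cli_output
    findings << ['salt (cli)', cli_output.strip,
                 salt_patched?(cli_output) ? :patched : :vulnerable]
  end
  findings
end

# true when any finding on the host is still vulnerable.
def vulnerable?(findings)
  findings.any? { |(_, _, status)| status == :vulnerable }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, modelled on the post's example failure and pass.
  old_host = { 'salt' => '2016.3.0-1.el7', 'salt-master' => '2016.3.0-1.el7' }
  assess_salt_host(old_host, nil).each { |f| puts f.inspect }
  puts assess_salt_host({}, "salt 3000.2\n").inspect
end
```

Note that an empty findings list (no packages and no salt on the PATH) is not the same as "patched"; it is exactly the blind spot the Technical Caveats below describe, so a real profile should report it as a skip rather than a pass.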

The profile is located on GitHub: github.com/chef-cft/salt-vulnerabilities

We'll keep a list of operating systems we've explicitly tested in the repository.

If there's anything Chef can do to help you please don't hesitate to reach out.

Technical Caveats

  • If Salt is installed, but not through your operating system's package manager and not on the PATH of the user running InSpec, the profile won't find it.
  • This is an unlikely scenario. If it concerns you, you could expand the profile to search the filesystem for the executable and check the version by running each salt binary it finds.
  • Searching the entire filesystem for binaries could drastically increase the profile's run time, so this has not been included by default.

How to Use

  1. Download and install Chef Workstation (downloads.chef.io/chef-workstation/0.17.5). On Windows you can use Chocolatey: choco install chef-workstation.
  2. Grab the profile from the GitHub repository (github.com/chef-cft/salt-vulnerabilities).
  3. Ensure you have either SSH keys loaded at ~\.ssh\id_rsa or a username/password for your servers.
  4. Run inspec exec {path_to_profile} --target ssh://{user}@{salt_master_url}
  5. Review the results.

Example Failure:

×  Ensure salt is version 2019.2.4 or 3000.2 or newer: Ensure salt is up-to-date (9 failed)
   ✔  System Package salt-api is expected not to be installed
   ✔  System Package salt-cloud is expected not to be installed
   ×  System Package salt-master version is expected to be >= 3000.2
   expected: >= "3000.2"
        got:    "2016.3.0-1.el7"
   ...
Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped

Example pass:

✔  Ensure salt is version 2019.2.4 or 3000.2 or newer: Ensure salt is up-to-date
   ✔  System Package salt-api is expected not to be installed
   ✔  System Package salt-cloud is expected not to be installed
   ✔  System Package salt-master version is expected to be >= 3000.2
   ✔  System Package salt-minion version is expected to be >= 3000.2
   ✔  System Package salt-ssh is expected not to be installed
   ✔  System Package salt-syndic is expected not to be installed
   ✔  System Package salt version is expected to be >= 3000.2
   ✔  Command: `salt --version | cut -d ' ' -f2` stdout.strip is expected to be >= 3000.2
   ✔  Command: `salt --version` stdout.strip is expected to be >= 3000.2

Profile Summary: 1 successful control, 0 control failures, 0 controls skipped

The post Chef InSpec Profile for Critical Salt Vulnerabilities appeared first on Chef Blog.

Thursday, March 12, 2020

Critical Patch Released for 'Wormable' SMBv3 Vulnerability — Install It ASAP!

https://thehackernews.com/2020/03/patch-wormable-smb-vulnerability.html

Microsoft today finally released software updates to patch a recently disclosed very dangerous vulnerability in SMBv3 protocol that could let attackers launch wormable malware, which can propagate itself from one vulnerable computer to another automatically. The vulnerability, tracked as CVE-2020-0796, in question is a remote code execution flaw that affects Windows 10 version 1903 and 1909,

Is the cybersecurity skills gap real?

https://cybersecurity.att.com/blogs/security-essentials/is-the-cybersecurity-skills-gap-real

An independent guest blogger wrote this blog.

If you do a web search for "cybersecurity skills gap," you'll get many, many pages of results. It's certainly a hot topic in our industry. And it's a matter that security practitioners and human resources people often disagree on.

But before I get further into the matter, it would help to know what it is we're talking about when we use the phrase "cybersecurity skills gap."

From the perspective of employers, it means that potential job applicants don't have the specific cybersecurity skills they're looking for, and possibly the people they already employ don't have the skills to be promoted into new cybersecurity related positions. This can be a really tricky area, because computer technology evolves very quickly, and often universities, colleges, and vocational schools cannot change their curriculum at the same speed. Likewise, the cyber threat landscape can change quickly too!

From the perspective of many job seekers and security people, including myself and many of my colleagues I've spoken with, the phrase "cybersecurity skills gap" can sound like a taunt. Some of us have spent years in computer science programs, and many more years in IT courses and acquiring industry specific certifications. So we don't have a particular niche certification or ten years experience with Windows Server 2016. We have loads of related knowhow, and we match many of the other job requirements, why won't employers give us a chance and let us learn the rest? A few others have had a knack for computing since childhood, but the expense of college tuition and certification exams can seem insurmountable when you're just starting out and have little money. How do we get our foot in the door in the first place when you need experience for a job, but you can't get experience until you get a job?

The cybersecurity skills gap phenomenon can hurt people in the industry who want good jobs, but it hurts companies and the security of their networks even more. According to the 2018 (ISC)² Cybersecurity Workforce Study, more than 2.9 million cybersecurity related job positions worldwide were unfilled. In the time that's passed, that number likely grew. These are positions spanning a wide range of roles, from SOC analysts to DFIR, from penetration testers to application security specialists. Not having people work in these positions that organizations have recognized as needs inevitably weakens cybersecurity everywhere, and companies lose huge amounts of money in cyber attacks and data breaches.

I have my own personal views on the matter. But cybersecurity people on Twitter also talk a lot about unrealistic job posting expectations and their impact on the skills gap.

Shawn Thomas is a SOC manager. He tweeted about his exasperation with job posting requirements.

"If your entry level job in infosec requires:

A masters

At least 3 certs

Prefers two years of experience.

YOU ARE NOT ALLOWED TO COMPLAIN THAT ITS HARD TO FIND CANDIDATES

Additionally the discouragement students have when they hear that should make you feel bad about yourselves."

I also have an industry friend who has done a lot of her own research into the skills gap matter. Plus she has experience hiring for cybersecurity roles, experience that I lack. Alyssa Miller is a security evangelist and hacker, and she shares her knowledge at so many security conferences that it'd overwhelm me to do the same. She has written many posts on her blog about the skills gap, so I wanted to learn a bit from her.

She recognizes many factors in the skills gap problem, ranging from unrealistic job posting requirements ("Must have a CISSP, a Master's in Computer Science, and ten years experience with Metasploit Framework 5.0. An entry level role, salary $40,000 per year."), to interviewers' prejudice against body piercings and tattoos (of which I have many). But I wondered if a corporate reluctance to spend time and money on training may be a factor too.

She said, "I absolutely think companies are reluctant to invest in training people and it definitely is a contributing factor to the skills gap. Over the last few decades, budgets for training have been one of those easily leveraged pools of money that takes an early hit when cost cutting is needed. Additionally, some organizations seem to be afraid that if they pay to train their people, those people will be worth more in the open market and will leave the company, nullifying their investment.  What they fail to see is that by investing in those people and showing that they value them, that actually encourages them to stay."

I hope an HR manager is reading this! Ping-pong tables may be nice, but providing your employees with specific training so they can take on roles with greater responsibility within your organization is much nicer.

Interviewers also need to broaden their idea of what a good security practitioner looks like. They could physically look like anyone! They could be a 40 year old white man in a Brooks Brothers suit, but they could also be a 20 year old multiracial woman in a wheelchair with purple hair and a wardrobe from Hot Topic. Conversely, you shouldn't be afraid to hire a 60 year old either. I asked Miller about a term frequently used in HR, "culture fit."

"There's a lot of bias in the hiring process and yes culture fit is one of them. Security and tech in general, thrive on diversity. More than that, we need it to truly advance and be better. Diversity of thoughts, experiences, ideas, backgrounds, it all helps create better technology and better solutions to problems. Culture fit is a term that gets overused and misapplied. As you pointed out, hiring managers who don't really understand how to develop culture or who are not well trained in evaluating talent will often default to finding someone who's like the people we have today and term it culture fit."

We'd like to have a positive impact on companies that hire cybersecurity people. So Miller has some advice for you.

"(My advice) first is investing in your people as we discussed, but not just the security team. Develop clear skills development plans that allow resources to transition from other non-security or even non-IT roles into security and then enable those plans. Second, you have to actively work to eliminate biases in your hiring. Not just along the lines of things like ethnicity, gender, and so forth, but things like appearance, experience, and so on. Be willing to hire the person with purple hair or a full sleeve tattoo. Artificially limiting your pool based on foolish criteria is always a bad idea. Finally, embrace remote working. I can't believe in 2020 we're still having this conversation but I'm amazed how many roles I see that still require a local in-office resource when the technology exists for people to do that job from a remote location. I've heard from hiring managers who are still afraid of how to manage remote people so they just don't allow it.  That's wrong on so many levels."

I honestly believe that a lot of companies really do want to do something to help close the skills gap and improve the cybersecurity of their organizations by hiring more people. Millions of unfilled cybersecurity job roles hurt everyone involved: people in the industry, people looking to get into the industry, businesses of all sizes in all industries, and everyone's security as a whole. Fortunately, this is a solvable problem. But it will take a lot of teamwork and a lot of mind opening.

But that's just my opinion and the opinion of many others in our industry.


Microsoft Issues March 2020 Updates to Patch 115 Security Flaws

https://thehackernews.com/2020/03/microsoft-patch-tuesday-march-2020.html

Microsoft today released security updates to fix a total of 115 new security vulnerabilities in various versions of its Windows operating system and related software—making March 2020 edition the biggest ever Patch Tuesday in the company's history. Of the 115 bugs spanning its various products — Microsoft Windows, Edge browser, Internet Explorer, Exchange Server, Office, Azure, Windows

LVI Attacks: New Intel CPU Vulnerability Puts Data Centers At Risk

https://thehackernews.com/2020/03/intel-load-value-injection.html

It appears there is no end in sight to the hardware level security vulnerabilities in Intel processors, as well as to the endless 'performance killing' patches that resolve them. Modern Intel CPUs have now been found vulnerable to a new attack that involves reversely exploiting Meltdown-type data leak vulnerabilities to bypass existing defenses, two separate teams of researchers told The

Warning — Unpatched Critical 'Wormable' Windows SMBv3 Flaw Disclosed

https://thehackernews.com/2020/03/smbv3-wormable-vulnerability.html

Shortly after releasing its monthly batch of security updates, Microsoft late yesterday separately issued an advisory warning billions of its Windows users of a new critical, unpatched, and wormable vulnerability affecting Server Message Block 3.0 (SMBv3) network communication protocol. It appears Microsoft originally planned to fix the flaw as part of its March 2020 Patch Tuesday update only,

Beware of 'Coronavirus Maps' – It's a malware infecting PCs to steal passwords

https://thehackernews.com/2020/03/coronavirus-maps-covid-19.html

Cybercriminals will stop at nothing to exploit every chance to prey on internet users. Even the disastrous spread of SARS-COV-II (the virus), which causes COVID-19 (the disease), is becoming an opportunity for them to likewise spread malware or launch cyber attacks. Reason Cybersecurity recently released a threat analysis report detailing a new attack that takes advantage of internet users'

Microsoft Hijacks Necurs Botnet that Infected 9 Million PCs Worldwide

https://thehackernews.com/2020/03/necurs-botnet-takedown.html

Microsoft today announced that it has successfully disrupted the botnet network of the Necurs malware, which has infected more than 9 million computers globally, and also hijacked the majority of its infrastructure. The latest botnet takedown was the result of a coordinated operation involving international police and private tech companies across 35 countries. The operation was conducted

LogRhythm Labs: Cybersecurity Expertise Delivered into Your LogRhythm Deployment

https://logrhythm.com/logrhythm-labs-cybersecurity-expertise-delivered-to-your-deployment/

What is LogRhythm Labs?

LogRhythm Labs is the team that researches and creates the content that goes into the LogRhythm NextGen SIEM Platform. The team mission is to:

Research and deliver world-class security, compliance, intelligence, and operational risk content to protect our customers from damaging cyberthreats, meet their compliance needs, and reduce their operational risk.

Labs, therefore, exists to provide the threat, compliance, and operational content that enables the LogRhythm platform to provide out-of-the-box value and usability to our customers.

Labs content is delivered within discrete modules consisting of analytics rules, reports, searches, and dashboards. Additional content may also include automation via our SOAR offering, RespondX, or automated lookup via Web Contextualisation.

Content is regularly added, actively maintained, and released as part of our weekly Knowledge Base update directly into the platform. Customers can use as much or as little of the content as they like, and we include the ability to clone the provided content for bespoke requirements.

Labs consists of three focused teams: Compliance Research, Threat Research, and Strategic Integrations. I'll explain these in more detail below.

Compliance Research

LogRhythm employs a team of subject matter experts in the compliance space. And when it comes to compliance, change seems to be the only constant. New regulations are released, existing regulations change over time, and our customers rely on LogRhythm to help them comply with complex regulatory frameworks and standards.

LogRhythm delivers compliance content in support of numerous regulatory frameworks, including NIST, HIPAA, ISO27001, GDPR, and PCI, as well as many other regulatory frameworks from the United States, Europe, the Middle East, and the Asia Pacific regions.

The Compliance Research team has also developed the Consolidated Compliance Framework. This is a unique offering designed to offer greater efficiency, and to reduce management and analyst overhead to customers needing to demonstrate compliance with multiple mandates or regulations.

When amendments are enacted to any of the supported regulations, we develop the necessary updates to the compliance module's library of report packages, investigations, rules, and alerts that are specifically mapped to individual controls as specified by the relevant regulations.

Threat Research

LogRhythm's Threat Research team continuously researches the latest trends in cyberthreats. Cyberthreats are constantly evolving, and the methods used in a malicious attempt change over time. Furthermore, as new technology (e.g., mobile devices, sensors, and internet of things, or IoT) is released by vendors, threat actors begin to look for methods and techniques to compromise those devices immediately.

The Threat Research team develops and maintains content aligned with the threat landscape as it evolves, considering the latest tactics and techniques that attackers are leveraging. The team leverages original research, threat intelligence, and other industry resources, as well as their own wide experience to deliver effective threat detection capabilities.

Skilled cybersecurity resources are at a premium, and it's beyond the reach of most organizations to build and resource their own threat research unit. Threat Research does the research and content development that provides all of our customers with wide and deep threat detection capability right out of the box, providing enormous added value beyond a simple software platform. Even those organizations that are resourced for their own threat research can get a significant boost to the efficacy of their operations by using our prebuilt content for their core requirements, and as a powerful basis for further development.

The team maintains our User and Entity Behavior module, as well as our Network Detection and Response module. During 2019 a brand-new module aligned to the MITRE ATT&CK framework was also released. Because ATT&CK is so comprehensive and constantly growing, we have adopted an Agile release methodology to enable iterative updates, thus allowing new content to be continually delivered to our customer base. This approach will also enable us to release content supporting the additional frameworks MITRE has launched aligned with Cloud and ICS.

Strategic Integrations

Our Strategic Integrations team is comprised of subject matter experts in integration and operational technology. This team's research spans a wide range of verticals, including healthcare, transport, energy, manufacturing and more. This research encompasses ICS, OT, sensors and medical devices, in addition to the operational systems used in the relevant industry vertical (for example electronic health record systems, human resource management systems, etc.). The goal is to reduce risk and pre-emptively identify risk as it affects the operations of a business.

This team delivers content that can assist in reducing operational risk, gaining insight into OT, IoT, and IIoT device activities, promoting good IT hygiene, and integrating specialist device types into the LogRhythm ecosystem. As you can imagine, this is a busy and constantly changing environment as digital transformation affects every aspect of life, and more and more devices interact with our physical as well as digital lives.

What Content Did Labs Release in 2019?

  • Threat
  • Compliance
    • Extensive Revisions to Consolidated Compliance Framework (CCF)
    • Criminal Justice Information Service Module
    • ISO 27001 Module
    • Australian Signal Directorate Module
  • Strategic Integrations
    • IT Operations Module
    • Physical Security Integrations (three releases)

What Content is Available in the LogRhythm NextGen SIEM Platform?

Compliance Modules:

ASD, NY DFS, CJIS, ISO 27001, UAE-NESA, PCI-DSS, MAS-TRMG, NIST, NERC CIP, GDPR, SOX, NEI, 201 CMR 17, NRC, HIPAA, GPG-13, DoDI 8500.2, FISMA, SOX COSO, GLBA, NIST CSF, NIST 800-53, CIS CSC

Threat Modules:

Core Threat Detection, UEBA, NDR, MITRE ATT&CK, Retail Cybercrime, Threat Feed integrations

Strategic Integrations:

IT Operations, Epic, Healthcare Security, Financial Fraud Detection

Embedded Expert Content Delivered Straight to Your Deployment

The LogRhythm Labs team works tirelessly to research and deliver new content into the LogRhythm NextGen SIEM Platform so your team can:

  • Get immediate value from your deployment
  • Easily keep up with the changing threat landscape and digital transformation
  • Reduce the reliance on in-house research expertise

The Labs team is your partner in making sure you have content and resources that you need to be successful and get value from your LogRhythm investment — and all of this content comes at no extra cost to you.

Find documentation around all of our modules on the LogRhythm Community under Documentation and Downloads: https://community.logrhythm.com

2020 ATT&CK Roadmap

https://medium.com/mitre-attack/2020-attack-roadmap-4820d30b38ba?source=rss----6da19bd08fba---4

Taking a look back at 2019 and presenting a 2020 roadmap for ATT&CK

Written by Blake Strom and Amy Robertson

We started 2019 with a bold series of goals, and with the help of the MITRE ATT&CK® community and hard work from our team, we've accomplished many of those and more.

With your input, we developed and published the Impact tactic to address integrity and availability attacks against enterprise systems. We reworked how mitigations are represented in ATT&CK to make the information easier to use. The (ongoing) Sightings pilot was launched to collect contributions on raw sightings of ATT&CK techniques, and we kicked-off the second round of ATT&CK Evaluations with a new actor and a new approach leveraging contributions. The "Getting Started with ATT&CK" series was unveiled, and we're looking forward to sharing more use cases in the coming months. We released ATT&CK for Cloud, a needed expansion to ATT&CK that wouldn't have been possible without significant community contributions. Our work on restructuring ATT&CK with the sub-techniques continued through feedback from the community, and we're targeting a release in the upcoming months. You told us that ATT&CKcon 2.0 was a success, and the Threat Report ATT&CK Mapper (TRAM) enjoyed a beta release. Finally, we started an ATT&CK training series which kicked off with the release of our ATT&CK for Cyber Threat Intelligence (CTI) training.

To our ATT&CK community, we're grateful for your passion, support and involvement and we're excited about a new decade of collaboration. Our team has been working towards some significant adjustments to ATT&CK in 2020, including a few new additions and several modifications that have been percolating for a while. We look forward to connecting with you as we forge ahead with our 2020 Roadmap.

Members of the ATT&CK Team at ATT&CKcon 2.0

Restructuring, Refinement and Revamping

We have a lot planned for Enterprise ATT&CK in 2020. We'll be restructuring the framework with sub-techniques, revamping ATT&CK's data sources, and refining Mobile, PRE-ATT&CK, Cloud, and ICS. We'll also be publishing a new extension of ATT&CK to cover behavior against network devices such as routers. Throughout all these updates and adjustments, we welcome your feedback. Our goal is to ensure that ATT&CK continues to be a valuable resource, and if an adjustment undermines usability, or if there are ways to enhance your overall experience, we want to know.

The sub-techniques journey is nearly complete — we're targeting a soft launch in March and you can read about the latest details here. We've been working to minimize the impact of the associated realignment and have addressed many of the concerns that you raised. To simplify the transition, we're refining a crosswalk from old technique IDs to new ones, or mapping newly broken out sub-techniques to higher level techniques.

The sub-techniques will be published on a companion site alongside the main ATT&CK site, clearly charting out the changes. This companion site will give everyone a few months to preview and process the full scope of the changes before we finalize that version and make it official. The old site will then be added to the previous versions for reference. Once we release the new ATT&CK framework with sub-techniques, we welcome your feedback on the good, the bad, and the needs-adjustments.
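As an added illustration of the crosswalk step described above (this is not code from MITRE or from this post), the script below remaps a detection-coverage map keyed by old technique IDs onto the sub-technique structure, then rolls sub-technique coverage back up to parent techniques so a before/after comparison is possible. The crosswalk rows, the analytic names and the placeholder ID T0000 are constructed sample data in the shape of the crosswalk, not MITRE's published file; check every row against the official crosswalk before relying on it.

```python
"""Remap detection coverage across the ATT&CK sub-technique restructuring.

Added example; constructed data, not MITRE's published crosswalk."""
from collections import defaultdict

# Constructed sample crosswalk: old technique ID -> (change kind, successor ID or None).
# Kinds modelled: "same" (ID kept, may now have sub-techniques), "subtechnique"
# (technique became a sub-technique of a new parent), "deprecated" (no single successor).
CROSSWALK = {
    "T1086": ("subtechnique", "T1059.001"),  # PowerShell -> Command and Scripting Interpreter: PowerShell
    "T1193": ("subtechnique", "T1566.001"),  # Spearphishing Attachment -> Phishing: Spearphishing Attachment
    "T1038": ("subtechnique", "T1574.001"),  # DLL Search Order Hijacking -> Hijack Execution Flow: ...
    "T1003": ("same", "T1003"),              # Credential Dumping -> OS Credential Dumping (gains sub-techniques)
    "T1064": ("deprecated", None),           # Scripting deprecated; its analytics need manual re-homing
}


def parent_of(tid):
    """'T1059.001' -> 'T1059'; a parent ID maps to itself."""
    return tid.split(".", 1)[0]


def remap_coverage(coverage, crosswalk=CROSSWALK):
    """Translate {old_tid: [analytic names]} into the new ID space.

    Returns (new_coverage, report). Deprecated and unknown IDs are left out of
    new_coverage and listed in the report so a human can re-home those analytics
    instead of silently losing or inflating coverage."""
    new_cov = defaultdict(list)
    report = defaultdict(list)
    for old, analytics in coverage.items():
        kind, new = crosswalk.get(old, ("unknown", None))
        report[kind].append(old)
        if new is not None:
            new_cov[new].extend(analytics)
    return ({t: sorted(a) for t, a in new_cov.items()},
            {k: sorted(v) for k, v in report.items()})


def rollup(coverage):
    """Collapse sub-technique coverage onto parents: {parent_tid: sorted analytic names}."""
    parents = defaultdict(set)
    for tid, analytics in coverage.items():
        parents[parent_of(tid)].update(analytics)
    return {p: sorted(a) for p, a in parents.items()}


if __name__ == "__main__":
    # Constructed coverage map: which analytics exist per old technique ID.
    before = {
        "T1086": ["ps_encoded_command"],
        "T1003": ["lsass_handle_open"],
        "T1064": ["wscript_spawns_shell"],
        "T1193": ["office_spawns_child"],
    }
    after, changes = remap_coverage(before)
    print("new coverage:", after)
    print("changes:", changes)
    print("parent-level view:", rollup(after))
```

The report dictionary is the part worth keeping: a deprecated or unrecognised ID should be triaged by a person rather than dropped quietly, because dropping it understates coverage and mapping it to a parent overstates it.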

We're also nearly finished revamping the data sources used for Enterprise techniques and we're excited about the enhancements. Data sources are one of the most critical aspects of ATT&CK, and we'll be sharing some additional details in the coming weeks about our new methodology to define sources. The details won't be ready to be included in the sub-technique update, but we will be posting the new data sources definitions and details to GitHub to get them out faster. The updated data sources model will be implemented into the site after the sub-techniques are published.

On the ATT&CK for Cloud front, we've been working towards refining it into sub-techniques and getting new contributors on board to help us expand. ATT&CK for Cloud was built around nearly 100% community contributions for techniques, and we'll continue to leverage this expertise to enhance the model. Our goal is to jump back into expanding Cloud with new techniques after sub-techniques are released and publish the second set of techniques in the fall.

The adversary behavior model for Network Infrastructure Devices is being developed with routers, switches, and firewalls in mind. We've been leveraging open source reporting and have coordinated closely with industry. The Network research will ultimately impact the current ATT&CK structure with a new platform, but we are developing it with sub-techniques in mind. We're targeting an initial release of our research in the fall and will use the contributor process you're already familiar with to keep it updated.

We're still working to improve consistency and integration between PRE-ATT&CK, Mobile ATT&CK, and Enterprise ATT&CK and are moving towards an eventual "One ATT&CK" model. This will include refining ATT&CK based on the changing threat landscape for enterprise systems focusing on Windows, macOS, and Linux. The technical content in PRE-ATT&CK will be brought up to the same level as ATT&CK for Enterprise and will be integrated into ATT&CK as two new tactics. Our goal with this revamp is to better prepare users to identify who to defend against and the applicable defensive options. The team will continue to refine the Mobile ATT&CK model focusing on Android and iOS, with the addition of sub-techniques and upgraded data sources. We plan to assess merging the Mobile and Enterprise ATT&CK models later in the year.

In the same vein, we're moving forward with our research and refinement of ATT&CK for ICS techniques. ATT&CK for ICS is a community-driven project, and we'll maintain this close collaboration with stakeholders to hone the knowledge base. All the technique adjustments and releases will be based on your input and any new threat reporting on incidents. The separate ATT&CK for ICS wiki that was published in January 2020 will allow the ICS knowledge base to mature separately from the rest of ATT&CK, allowing for more rapid updates. We also plan on evaluating if merging ATT&CK for ICS with the main ATT&CK knowledge base makes sense towards the end of the year, including translating the information into STIX and integrating it into the main ATT&CK website and tools like the ATT&CK Navigator. We'd appreciate your involvement on this approach, and we look forward to hearing about what you think as we move forward.

Mapping, Developing, and Sightings

On the mapping automation front, we're moving full speed ahead. The Threat Report ATT&CK Mapper (TRAM) was beta released in December, and we'll continue developing it this year. TRAM is currently a functional prototype and we plan on improving the interface, adding some new features, and enhancing overall functionality throughout the year. Some of our targeted updates include the ability to ingest additional file types, more output formats, and supporting multiple users simultaneously. As we add and update these features, we'll announce the changes and keep our public repository current. We're looking forward to hearing about your experience with TRAM as we move towards more feature implementations.

TRAM's Workflow

Our team has also been working to map ATT&CK to NIST SP 800-53 Rev. 4. Mapping ATT&CK to common control frameworks will better support efforts to identify controls that mitigate relevant threats and to identify capability gaps. We'll be collaborating with CIS on their current model that maps CIS controls to ATT&CK to expand the mappings into other frameworks. We hope to share more details on the model and where it'll be featured soon. Our current prototype for NIST SP 800-53 will be published to the ATT&CK GitHub and we'd like your involvement in maintaining and updating it. Our goal is to provide a flexible mapping structure that evolves with the environment and is user-friendly. If you've already started a mapping, or have some ideas about what types of mappings would be most valuable, reach out and let us know.
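To make the "identify controls that mitigate relevant threats, and identify capability gaps" use case concrete, here is an added example (not MITRE's mapping or tooling) of the gap analysis a defender would run once such a mapping exists: given the techniques observed in a report and the controls an organisation actually has in place, classify each technique as covered, partially covered, uncovered or unmapped, and rank the missing controls by how many observed techniques they would help mitigate. The technique-to-control rows below are constructed for illustration; the control IDs are real NIST SP 800-53 Rev. 4 identifiers, but which controls mitigate which technique is my assumption, not MITRE's published mapping.

```python
"""Control-gap analysis over ATT&CK techniques and NIST SP 800-53 controls.

Added example; the technique-to-control rows are constructed illustrations,
not MITRE's mapping."""
from collections import Counter

# Constructed mapping: technique ID -> 800-53 Rev. 4 control IDs assumed to mitigate it.
TECH_TO_CONTROLS = {
    "T1566": {"SI-3", "AT-2"},                # Phishing (parent row, used as a fallback)
    "T1566.001": {"SI-3", "AT-2", "SC-7"},    # Spearphishing Attachment
    "T1059.001": {"CM-7", "SI-4", "AC-6"},    # PowerShell
    "T1003.001": {"AC-6", "IA-2", "SI-4"},    # LSASS Memory
    "T1078": {"AC-2", "IA-2", "IA-5"},        # Valid Accounts
    "T1190": {"RA-5", "SC-7", "SI-2"},        # Exploit Public-Facing Application
}


def controls_for(tid, mapping=TECH_TO_CONTROLS):
    """Controls mapped to a technique. A sub-technique without its own row
    inherits its parent's row; an unmapped technique yields an empty set."""
    if tid in mapping:
        return set(mapping[tid])
    return set(mapping.get(tid.split(".", 1)[0], ()))


def gap_report(observed, implemented, mapping=TECH_TO_CONTROLS):
    """Classify each observed technique against the controls actually in place.

    covered:   every mapped control is implemented
    partial:   some are; the value lists the missing control IDs
    uncovered: none of the mapped controls is implemented
    unmapped:  no mapping row exists, so coverage is simply unknown"""
    implemented = set(implemented)
    out = {"covered": [], "partial": {}, "uncovered": [], "unmapped": []}
    for tid in sorted(set(observed)):
        needed = controls_for(tid, mapping)
        if not needed:
            out["unmapped"].append(tid)
            continue
        missing = needed - implemented
        if not missing:
            out["covered"].append(tid)
        elif missing == needed:
            out["uncovered"].append(tid)
        else:
            out["partial"][tid] = sorted(missing)
    return out


def prioritize_controls(observed, implemented, mapping=TECH_TO_CONTROLS):
    """Rank missing controls by how many observed techniques each would help mitigate."""
    implemented = set(implemented)
    counts = Counter()
    for tid in set(observed):
        counts.update(controls_for(tid, mapping) - implemented)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    # Constructed inputs: techniques pulled from a threat report, controls the org has in place.
    seen = ["T1566.001", "T1566.002", "T1059.001", "T1003.001", "T1003.002", "T1078", "T1190"]
    in_place = {"SI-3", "AT-2", "SC-7", "SI-4", "AC-6", "CM-7"}
    print(gap_report(seen, in_place))
    print(prioritize_controls(seen, in_place))
```

The "unmapped" bucket is deliberately separate from "uncovered": a technique with no mapping row is a gap in the mapping, not evidence that the organisation lacks controls, and conflating the two produces misleading coverage numbers.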

Cyber Analytics Repository (CAR) will be updated this year with new analytics. We'll be developing analytics internally, working through external contributions, and adding implementations for new and existing analytics. We'll also be updating how we capture ATT&CK coverage for better accuracy and compatibility with sub-techniques. We're planning updates to CAR sensors to better reflect the current product landscape, and data model revisions showcasing modern sensor data, which will directly support the creation of analytics against the data. We're also hoping to update the CAR Exploration Tool (CARET) to improve UI, usability, and to take advantage of the other structural changes to ATT&CK.

We launched our ATT&CK Sightings pilot in 2019 to empower defenders globally by providing them with continuous information about what ATT&CK techniques adversaries are using and how they're using them. The Sightings program will do this by collecting anonymous contributions of observations of ATT&CK techniques in the wild from numerous, diverse sources and then publishing insights based on that data.

The pilot is ongoing, and we've set a deadline of April 30 to get commitments and pilot data sets from the initial cohort of contributors. We're actively working with contributors to overcome barriers and provide value back. This program is community-driven and can't be successful without your help. You can read our recent Sightings update for more information about how you can contribute and what's next for the Sightings pilot.

Finally, ATT&CK Evaluations will be conducting a new round under a new format emulating the Carbanak and FIN7 groups. MITRE Engenuity will assume the reins moving forward and continue to advance ATT&CK Evaluations. You can find more details about the Carbanak+FIN7 Evaluation here.

We will be hosting a new type of event May 18–20 to bring US government organizations together to discuss how they use ATT&CK and how they've overcome challenges. The call for presentations is open through March and you can find out more here.

We also know there's a lot of interest in the next ATT&CKcon. We're working through initial planning right now and we'll have more details to share in April.

ATT&CKing the Next Decade

The future of ATT&CK depends on community engagement as much as it does where adversaries go next. ATT&CK's success hinges on our partnership with the community and our collective ability to innovate and share knowledge. With you, as the community, serving as advisors, collaborators and champions, ATT&CK will be more impactful than ever.

We'll continue to leverage your input at every stage, including how to evolve ATT&CK. We're excited about how ATT&CK will advance in 2020, but we're even more energized by where we see ATT&CK going in the next few years.

©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-24.

2020 ATT&CK Roadmap was originally published in MITRE ATT&CK® on Medium, where people are continuing the conversation by highlighting and responding to this story.