MITRE, the creators the popular ATT&CK Framework release version 15, with a key focus on detection engineering, visibility and ICS.
Download the Microsoft 365 Security Guide - FREE
Complete the form to download your FREE Microsoft 365 Security Guide today, including:
Sign up on the form and receive the guide instantly.
Get Your 'Vulnerability Management Template' FREE!
Your Vulnerability Management Template Includes:
Secure your organisation today by completing the form for your Vulnerability Management Template.
Download the, 'How to secure Microsoft Office Desktop Deployments Technical Guide' - FREE
Complete the form to download your free technical guide and secure your organisation today.
Yesterday, MITRE released version 15 which now documents up to 800 unique pieces of Software, over 150 Groups and up to 30 Campaigns. One of the key changes that has been made is to the ‘Detections’ section of MITRE ATT&CK, MITRE are moving away from their ‘CAR Analytics’ pseudo-code method of sharing detection opportunities for TTP’s and towards vendor-specific detection code.
MITRE have introduced 7 new tracked Groups, some of the notable ones being Akira and Mustard Tempest.
Akira is a ransomware as a service (RaaS) group that emerged mid-2023 and found great early success in brute forcing VPNs without MFA, typically Cisco SSL VPNs. They orchestrated careful campaigns against hypervisors and SQL servers, sometimes spanning weeks in dwell time to ensure they evaded detection and maintained their persistence. Akira gained notoriety for their 1980s style Data Leak Site (DLS) on the dark web.
Mustard Tempest has been a prolific and efficient player in the ransomware ecosystem since 2017. This threat actor is mainly known to operate as an Initial Access Broker (IAB) by operating the ‘SocGholish’ malware distribution network. The group has had affiliations with Lockbit and is known to deploy remote access tools.
For a deep dive analysis of initial access malware, read a recent blog post from our Incident Response team on GootLoader malware which is used as initial access malware.
MITRE also introduced fresh updates to the ICS side of MITRE ATT&CK, with new Campaigns, Techniques and more.
Three new ICS campaigns highlight the diversity in motivations and the different means that each threat actor can demonstrate during attacks against ICS/SCADA systems.
MITRE have introduced the campaign that was orchestrated in December 2023 that targeted Ivanti Pulse Secure VPNs (Now known as Connect Secure). The exploitation of these appliances resulted in havoc for many organisations in multiple sectors and regions of the world, including a successful exploitation of MITRE’s own Ivanti VPN.
MITRE also introduced multiple minor changes and updates to existing enterprise campaigns.
Previously, MITRE used a ‘pseudo-code’ approach, typically driven by a separate MITRE project known as ‘Cyber Analytics Repository’ (CAR). MITRE recognise that this was difficult to understand by cyber defenders and have moved towards specific (real-world) query syntax such as Splunk Processing Language.
An example can be found on the detections section of the Execution via PowerShell TTP:
We’d recommend you create a threat model that documents your organisations crown jewels and the relevant threat actors, their TTPs and the related detections and mitigations reported by MITRE to drive your cyber resilience efforts.
You can utilise the MITRE ATT&CK Framework and the latest changes to track the most recent threat actors, understand your detection coverage and re-focus your efforts on relevant threat actors and their tactics, techniques, and procedures (TTPs).
A SOC team can also report on all detection coverage of the relevant threats to you. The Precursor SOC map all detections to MITRE ATT&CK and ensure coverage of the latest versions of MITRE ATT&CK to maximise your resilience.
Precursor Security
Welcome to the world of cybersecurity and penetration expertise with Precursor Security. As the driving force behind our commitment to fortifying the digital landscape, we stand as a collective embodiment of experience, innovation, and a shared dedication to online safety.