There are more machines and automated connections in the world today than ever before, driven by the shift to cloud, the adoption of DevOps tooling and modern application architectures. More automated connections mean more machine identities (the keys and certificates those machines use to authenticate to one another), and that inevitably means a larger attack surface for malicious actors to exploit. Unfortunately, attackers are developers themselves and understand how poorly machine identities are protected in far too many organizations. The result has been a sharp increase in attacks that abuse machine identities, including Hildegard, KOBALOS and the infamous SUNBURST attack, to name just a few. Most reports on these attacks will not specifically cite the lack of machine identity management as the root cause, but that is what all of these events boil down to.
So what does this all mean for you, and how can you make knowledgeable decisions about your security and machine identity program? Let’s turn to David Bianco’s classic Pyramid of Pain.
Relevant to virtually every security context, the pyramid ranks the types of indicator we use in detection and protection programs by how much pain it causes an attacker when we detect and block on that indicator. The idea is that some things an attacker relies on are far harder to change than others. Hash values and IP addresses sit at the bottom: an attacker can recompile a tool to change its hash or move to a new IP address in minutes, yet these low-level indicators of compromise (IoCs) still receive too much of the focus in many security operations centers. The further up the pyramid you go, the harder an indicator is for the attacker to change. The most painful thing for attackers to reinvent is their tactics, techniques and procedures (TTPs). Katie Nickels of MITRE explains that “adversaries are humans just as we are, and they have their own preferred behaviors.” Those behaviors are TTPs, and detecting them is our best chance of finding adversaries in our networks, particularly now that we understand that securing the perimeter alone is not enough.
What exactly is ATT&CK?
This is where MITRE ATT&CK is uniquely valuable. It is a knowledge base of adversary behaviors spanning the whole intrusion: how attackers prepare, how they get in, what they do once on the network, and how they get data out. Think of it as a Wikipedia of threat behavior, a resource you can use to detect bad actors on your network quickly and efficiently. This standard knowledge base of TTPs is open and free, built from information the wider security community has shared from real-world incidents and experiences.
Experts at Venafi took this general framework and built the Machine Identity Threat Model on top of it. It is free and accessible to all at https://threatmodel.venafi.com/. It looks at the problem from the attacker’s perspective, with carefully mapped and documented TTPs that involve machine identities, tied to real-world machine identity attacks.
Check out this video for a detailed technical demo of how the Venafi Machine Identity Threat Model works:
The threat model is updated daily, so it always reflects the latest threat intelligence. As new attacks come to light, that information is added to the matrix. Be sure to check back regularly to stay in the loop!
As you can see, this model is a unique resource created by Venafi and available to anyone who is ready to become a pro at identifying and preventing machine identity threats. But if you want to take it to the next level, you can share this model with your team to garner organization-wide support for your machine identity management program. Here are a few areas where it can be implemented today:
Always ensure your detection team is collecting the right data and knows what each of these behaviors looks like in your environment and toolset. You can use the model to assess your security tools, such as your SIEM or EDR, and your processes, both for identifying attacks on machine identities and for remediation. You can also perform a gap analysis to identify areas or specific types of behavior you are currently blind to.
This is an opportunity to look beyond threat detection and focus on mitigation and prevention. Consider how you plan your resources and tools around machine identities, and base those decisions on the gap analysis. If you found gaps in the detection process, what tools do you need to fill them? Security is not just about technology; it relies just as much on people and processes. So where can you implement policies that will make you more secure?
If you have a red team or purple team performing threat simulation, make sure they take these behaviors into account when simulating attacks in their drills.
If you have a threat intelligence team, make sure they are tracking the adversaries who target machine identities, briefing defenders on what those adversaries are doing, and prioritizing the techniques that are used most frequently.
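A minimal way to run the gap analysis and prioritization described above, as an added example that is not part of the original post or of the Venafi threat model: it maps a handful of real MITRE ATT&CK technique IDs that involve machine identities to the data sources a detection would need, compares that against what a hypothetical SIEM currently collects, and ranks the resulting blind spots by how often each technique has been observed. The technique IDs are genuine ATT&CK identifiers; the data-source requirements, the prevalence counts and the SIEM's source list are constructed assumptions for this example, not data taken from the threat model.

```python
"""Coverage gap analysis for machine-identity-related ATT&CK techniques.

Added example. Technique IDs are real MITRE ATT&CK identifiers; the data-source
requirements, prevalence counts and the SIEM source list below are constructed
assumptions for illustration, not the Venafi threat model's data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    tid: str                 # ATT&CK technique ID
    name: str
    data_sources: frozenset  # data sources a detection needs (assumption)
    prevalence: int          # constructed: how often we have seen it reported


# Constructed catalogue of techniques that abuse keys and certificates.
CATALOGUE = [
    Technique("T1552.004", "Unsecured Credentials: Private Keys",
              frozenset({"file_access"}), prevalence=7),
    Technique("T1098.004", "Account Manipulation: SSH Authorized Keys",
              frozenset({"file_modification"}), prevalence=4),
    Technique("T1553.004", "Subvert Trust Controls: Install Root Certificate",
              frozenset({"registry_modification", "command_execution"}), prevalence=3),
    Technique("T1588.004", "Obtain Capabilities: Digital Certificates",
              frozenset({"certificate_transparency"}), prevalence=5),
    Technique("T1573", "Encrypted Channel",
              frozenset({"network_traffic", "tls_metadata"}), prevalence=9),
]


def gap_analysis(catalogue, collected):
    """Split the catalogue into covered techniques and gaps.

    A technique is covered only when every data source it needs is collected.
    Gaps are returned as (technique, sorted missing sources), most prevalent
    first, so the team works the most frequently used blind spots first.
    """
    collected = set(collected)
    covered, gaps = [], []
    for t in catalogue:
        missing = t.data_sources - collected
        if missing:
            gaps.append((t, sorted(missing)))
        else:
            covered.append(t)
    gaps.sort(key=lambda g: -g[0].prevalence)
    return covered, gaps


def coverage_ratio(catalogue, collected):
    """Fraction of catalogued techniques for which the needed telemetry exists."""
    covered, _ = gap_analysis(catalogue, collected)
    return len(covered) / len(catalogue)


def report(catalogue, collected):
    """Human-readable summary listing each gap and the telemetry that closes it."""
    covered, gaps = gap_analysis(catalogue, collected)
    lines = [f"coverage: {len(covered)}/{len(catalogue)}"]
    for t, missing in gaps:
        lines.append(f"GAP {t.tid} {t.name} (prevalence {t.prevalence}): "
                     f"add {', '.join(missing)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed: what the hypothetical SIEM/EDR deployment ingests today.
    SIEM_SOURCES = {"file_access", "command_execution", "network_traffic"}
    print(report(CATALOGUE, SIEM_SOURCES))
```

Replace the catalogue with the techniques your own threat model mapping calls out and the source list with what your SIEM actually ingests; the ordering of the gaps is what feeds the resource planning in the next step, and the same structure lets a purple team check whether the behaviors they simulate would even generate the telemetry needed to see them.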
This threat model looks at adversaries across the attack life cycle and, guided by the Pyramid of Pain, looks beyond simply securing your perimeter. It assumes that attackers may already be in your network and gives you the knowledge and TTPs to make informed decisions about security planning and operations.
Don’t fall prey to attacks that members of this incredible community have already figured out how to avoid! Check out the Venafi Machine Identity Threat Model for free at https://threatmodel.venafi.com/.