Canada's largest bookseller rejected the pressure of the ransomware gang's countdown timer, despite data threats.

Indigo Books, the company behind Chapters stores and the largest bookseller in Canada, let the deadline to pay a ransomware demand expire, risking the release of employee data.

A LockBit ransomware affiliate group set a Thursday at 3:39 p.m. EST deadline to pay, but Indigo flatly rejected the notion, explaining the extortion money could "end up in the hands of terrorists," according to a statement. So far, contrary to the ransomware group's threat, the compromised Indigo employee data has not been publicly released, according to CBC News.

Indigo was first compromised on Feb. 8, shutting down the retailer's operations down for days. CBC News added that the operation is still struggling to stand up the business with as many product offerings as it had before the ransomware attack.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Indigo Books Refuses LockBit Ransomware Demand

A mayor backing Polish opposition elections in parliament has been targeted by special services with Pegasus spyware.

Polish special services reportedly used the infamous Pegasus mobile spyware to monitor the phone of a mayor backing government opposition, according to a new report.

Polish liberal news outlet Gazeta Wyborcza, characterized by Reuters as being openly against the county's ruling "PiS" nationalists, reported while Sopot mayor Jacek Karnowski was working to elect opposition candidates in Poland's upper house of Parliament between 2018 and 2019, he was targeted by Israel-based NSO Group's Pegasus spyware. The report added that Karnowski's name was also discovered on a list of targets hacked with Pegasus spyware by Poland's special services.

"We will not allow the PiS machine to further destroy democracy, lead Poland to the East and sovietise our country," Karnowski told Reuters in reaction to the report. "The politicians who inspired and commissioned these activities belong in prison."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Polish Politician's Phone Patrolled by Pegasus

Innocently or not, residential proxy networks can obscure the actual geolocation of an access point. Here's why that's not great and what you can do about it.

With so much of the world’s wealth, assets, and trade secrets existing in the cloud, fraudsters and nefarious players have ample motivation to look for new ways to break into networks. Increased VPN usage provides opportunities for threat actors to operate with nearly total anonymity, and we are seeing an uptick in breaches stemming from the widespread use of commercial or anonymous VPNs.

As a cybersecurity practitioner, I continually stress the importance of examining the context of VPN-driven data. Let's look at the top three trends I see emerging, as well as the role that IP address data will continue to play in the world of cybersecurity and ad fraud.

**1\. Residential Proxy Networks Will Keep Security and Marketing Teams Up at Night**

I am amazed by the growing number of entities offering residential proxy networks and promising a world of possibilities in scraping — search engine results pages, e-commerce sites, and webpages. Residential proxy networks use the IP addresses of consumers who sign up for any number of apps that pay them to share their bandwidth. The website or service will see requests coming from what they think are residential IP addresses and allow access to content that would have been blocked had the site been able to see the original IP address.

If I wanted to, I could access or scrape any site that restricts hosted or bot traffic by disguising myself using a legitimate residential IP address from whatever location I wanted.

Many of these apps are upfront with the users who opt to share their bandwidth, but some are more nefarious players, offering users access to a VPN without telling them that their IP addresses will be shared. In such cases, those IP addresses can be used to scrape websites, commit fraud, or launch distributed denial-of-service (DDoS) attacks.

The existence of residential proxy networks is quite troubling for organizations. Marketing teams may be paying for traffic they believe to be legitimate but is actually fraudulent.

Let's say an ad farm sets up a website for the sole purpose of selling ad space via the open-market exchanges. Your company may be led to believe it's a legitimate website that receives lots of consumer traffic in your target markets and which you verify by checking the IP address type and location. But how do you actually distinguish between real users and hosted or bot traffic hiding behind and proxy residential IDs? Without additional context around residential IPs, you can't make that distinction.

**2\. Security Teams Will Realize That WAFs Have Blind Spots**

Every organization has multiple layers of security, including Web application firewalls (WAFs).

A WAF protects your Web applications by monitoring, filtering, and blocking malicious HTTP/S traffic traveling to a Web application, preventing unauthorized data from leaving the application. It does this by adhering to a set of policies, including context around the IP address, that helps determine which traffic is malicious and which is safe. If, for instance, corporate security policy mandates that all non-residential IP addresses and addresses from a specific geolocation should be blocked, the firewall will block all traffic that matches those criteria.

Unfortunately, the proliferation of residential proxy networks means WAFs have a significant blind spot: Knowing the traffic is residential and has a geolocation that is permissible is no longer sufficient. While organizations deploy WAFs to protect against things like scraping and DDoS attacks, these tools can also be tricked into providing access when they shouldn't. Security teams need a lot more context around IP addresses to understand their incoming traffic.

**3\. Security Teams Will Find Ways to Detect Residential Proxy IPs**

In the face of these networks, context is your best defense. Security teams should ask critical questions about incoming traffic, such as:

*   Is this traffic proxied or VPN?
*   How many devices are connected to that IP address? (If you see hundreds of devices connected to an IP address, it’s probably not an individual person.)
*   Is the IP address stable? Has it been in the same location for 20 weeks?
*   Is the IP address part of a known residential proxy network that’s being used for other things?

All of this VPN-driven data and context provides vital clues that can protect marketing budgets as well as corporate networks.

IP address intelligence data isn’t the panacea for securing a network, but it can go a long way in providing the context security teams to identify when unusual activities are occurring and to investigate further. It can also help them enforce digital access rights, ensuring that users in prohibited or embargoed areas are restricted from accessing certain digital assets.

3 Ways Security Teams Can Use IP Data Context

A two-month-long automated credential-stuffing campaign exposed personal information of Chick-fil-A customers, including birthdays, phone numbers, and membership details.

Fried chicken specialist Chick-fil-A has alerted customers to an automated credential stuffing attack that ran for months, impacting more than 71,000 of its customers, according to the company.

Credential stuffing attacks employ automation, often through bots, to test numerous username-password combinations against targeted online accounts. This type of attack vector is enabled through the common practice of users reusing the same password across various online services; thus, the login info used in credential stuffing attacks is typically sourced from other data breaches and are offered for sale from various Dark Web sources. 

"Following a careful investigation, we determined that unauthorized parties launched an automated attack against our website and mobile application between December 18, 2022 and February 12, 2023 using account credentials (e.g., email addresses and passwords) obtained from a third-party source," the company noted in a statement sent to those affected.

The compromised personal information included customers' names, email addresses, membership numbers and mobile pay numbers, as well as masked credit or debit card number — meaning unauthorized parties could only view the last four digits of the payment card number. Phone numbers, addresses, and birthday and month were also exposed for some customers.

Chick-fil-A added that in the wake of the attacks, it has removed stored credit and debit card payment methods, temporarily frozen funds previously loaded onto customers’ Chick-fil-A One accounts, and restored any affected account balances. The fast-food chain also recommended the best practice that customers reset their passwords, and use a password that is not easy to guess and unique to the website.

Some noted that while password reuse or the use of common and weak passwords is the fault of the users, Chick-fil-A still bears some responsibility.

"This is the new frontier of information security: Attackers have gained access to these users' accounts not through any failure on the part of the website owner, but rather due to the natural human tendency to reuse username/passwords across multiple sites," says Uriel Maimon, vice president of emerging products at PerimeterX. "And yet despite that fact, organizations have a legal and ethical obligation to safeguard the personal and financial information of their users."

He adds, "This underscores the change in paradigm wherein website owners need to not just protect their sites from standard cyberattacks but also safeguard the information they hold on behalf of users. They can achieve this by tracking behavioristic and forensics signals of users logging in in order to differentiate between real users and attackers.”

The chain offered some make goods, in case customers wanted to flee the coop after the incident: "As an additional way to say thank you for being a loyal Chick-fil-A customer, we have added rewards to your account," the statement continued. "Chick-fil-A continues to enhance its security, monitoring, and fraud controls as appropriate to minimize the risk of any similar incident in the future."

It was reported in January that Chick-fil-A had been investigating "suspicious activity" across potentially hacked customer accounts. It's unclear why it took so long to determine that the credential-stuffing event was underway. The company did not immediately respond to a request for comment from Dark Reading.

**Credential Stuffing Attacks on the Rise**

Credential stuffing has become more common lately, fueled by the legions of credentials for sale on the Dark Web. Indeed, the sale of stolen credentials dominate underground markets, with more than 775 million credentials currently for sale according to an analysis this week.

In January, nearly 35,000 PayPal user accounts fell victim to a credential-stuffing attack that exposed personal data likely to be used to fuel additional, follow-on attacks. That same month, Norton LifeLock alerted customers to their potential exposure from its own credential-stuffing attack.

The situation has also prompted a wider conversation. With nearly two-thirds of people reusing passwords to access various websites, some security experts have proposed approaches that do away with passwords altogether, including replacing them with security keys, biometrics, and FIDO (Fast Identity Online) technology.

Chick-fil-A Customers Have a Bone to Pick After Account Takeovers

With critical infrastructures ever more dependent on the cloud connectivity, the world needs a more stable infrastructure to avoid a crippling cyberattack.

As global conflicts continue, cyber has become the fifth front of warfare. The world is approaching 50 billion connected devices, controlling everything from our traffic lights to our nuclear arsenal. We've already started seeing large-scale cyberattacks, affecting critical industries like oil and gas pipelines and hospitals. But we have yet to experience a truly catastrophic incident that would "break the Internet," disrupting financial markets, supply chains, and daily life. 

Could it happen this year?

**Single Points of Failure**

The migration of public and private sector technology to cloud computing means that a large share of our infrastructure, financial systems, supply chains, healthcare, and other critical services are run by just a handful of companies: Amazon, Google, and Microsoft. On the hardware side of things, the story isn't much better. Just three companies — Palo Alto Networks, Cisco, and Fortinet — control more than 50% of the market for security appliances. The ripple effects of a successful attack on one of these companies would leave no part of the connected world untouched, including the security software intended to protect customers in the event of an attack, much of which runs on infrastructure provided by these same cloud companies. 

For data center security experts, there is also another, far less digital, concern to deal with. Suspicious activity and attacks on US power stations hit an all-time high in 2022, with more than 100 attacks reported in the first eight months of the year alone. Data centers are massive buildings, consuming immense quantities of electricity. To cool their ultrahot servers and buildings, data centers use startling amounts of water. According to Google, its data centers used 4.3 billion gallons of water in 2021. If attackers disrupt the supply of power or water to Amazon, Google, or Microsoft's data centers in a coordinated fashion, they could compromise entire regions of their infrastructure, including backups. 

**Follow the Money**

To put the cost of a catastrophic cyberattack in perspective, consider that in 2021, according to Swiss reinsurer Swiss Re, global economic losses from natural catastrophes such as floods, hurricanes, and wildfires reached $270 billion. This is a large number, but consider the fact that Merchant Machine estimates a global Internet outage would cost the global economy $37 billion a day in lost revenue. 

Still, the economics of technology are not in favor of a more secure future. Enterprises, users, and adversaries all have competing monetary interests preventing more investment in security. Technology companies need to iterate and release updates quickly to keep pace with their competitors, and their customers are often not willing to wait — or pay — for extra security features or for all bugs and vulnerabilities to be resolved. Instead, consumers opt to buy insurance against these inevitable incidents, which may create another crisis of its own.

Insurance companies spend significant amounts of money simulating disasters and estimating their cost so that any single large loss would not do significant financial harm to the insurer. For a catastrophic cyberattack, the costs could reach beyond billions of dollars, meaning bankruptcy not just for the insurers but also the reinsurers, which would likely bring about a systemic financial disruption and a near market collapse on a scale dwarfing the financial crisis of 2008. The US government spent $85 billion to bail out AIG and prevent systemic financial system collapse, but the question this time is: Who bails out an insurer with global losses, and what happens when insurers are too cash strapped to pay out claims?

**So, What Now?**

We need to examine critical infrastructure security and ensure there are plans and fail-safes in place capable of withstanding an extended period of disconnect. Organizations migrating to cloud computing must reevaluate their need for data fidelity and whether on-premises storage is necessary. Security leaders should make catastrophic failure planning part of their risk management strategy, and ensure their vendors also have plans in place to mitigate the impact of a loss of cloud\-hosted services. 

On the regulatory front, if we have any hope of preparing for a global event, we need to evaluate the technical chops of regulators and legislators creating the frameworks intended to keep us safe, as well as the metrics we use to measure the financial health of the insurers and reinsurers on the hook. If the spectacular collapse of several blockchain companies in recent years, successful election meddling via social media, or explosion in ransomware attacks have taught us anything, it's that we must demand more of our elected representatives, and elect leaders who can help run the world of tomorrow. Similarly, regulators need to understand the companies and technologies they oversee. 

There will be a reckoning in the connected world, and the only way our economy (and possibly society) will survive it is by working together to create a safer, more stable infrastructure.

It's Time to Assess the Potential Dangers of an Increasingly Connected World

License Scanner and SBOM Utility will boost the capabilities of OWASP's CycloneDX Software Bill of Materials standard.

IBM has contributed two open source supply chain tools — SBOM Utility and License Scanner — to the Open Worldwide Application Security Project (OWASP) Foundation's CycloneDX Software Bill of Materials (SBOM) standard. These two tools will fill two crucial gaps in CycloneDX, which the OWASP describes as a "full-stack" BOM standard that provides advanced supply chain risk reduction.

The software bill of materials, or SBOM, is an inventory listing all individual components used in software. The discovery of the vulnerability in the Log4j library two years ago highlighted just how few organizations really understood what was inside the software they were running. It wasn't enough to just know which third-party components, libraries, and frameworks were being used — organizations need to be aware of all the dependencies _those_ components were using. In response to various supply chain attacks and the Log4j chaos, the White House issued an Executive Order mandating that developers improve the security of their supply chains. One way is to include and maintain an SBOM for every piece of software they distribute.

"IBM has been advocating for all developers and organizations creating modern software to begin their journey to create SBOMs," says Jamie Thomas, IBM's general manager of systems strategy and development. "These tools are foundational complements to aid developers in this journey, so they can better understand the potential risks in their software supply chains."

**Standardizing SBOMs**

Efforts to standardize the SBOM have accelerated with the sharp rise in software supply chain attacks over the past two years.

CycloneDX is one of two primary SBOM standards, the other being the Linux Foundation's Software Package Data Exchange (SPDX). Proponents of CycloneDX, which is newer, describe it as a more lightweight standard better suited to those seeking a machine-readable way to exchange information. The Linux Foundation in 2021 declared SPDX an SBOM standard, though it was initially created for intellectual property and licensing use cases. Both organizations are expanding their respective SBOM standards efforts.

IBM has actively participated in advancing CycloneDX's standards efforts, Steve Springett, director of product security at ServiceNow and chair of the OWASP's CycloneDX working group, tells Dark Reading. "Software supply chain security is a topic of board-level discussions," Springett says. "There are many ways that organizations should improve their software supply chain assurance. And it starts with actually having all the data and more tools to drive more intelligence."

**Licensing Scanner Tool Brings Balance With SPDX**

The CycloneDX working group has introduced some license scanning capabilities over the years, including base-level support for SPDX license IDs. But CycloneDX's licensing capability has lagged the functionality of SPDX. Springett says the addition of IBM's License Scanner fills that void. "It's great that we have a license scanner as part of the project," Springett tells Dark Reading. "Having a dedicated license tool actually will invite more people to the Cyclone DX table that we've built."

Brian Fox, co-founder and CTO of AppSec tool provider Sonatype, agreed. "I think this helps balance things out with CycloneDX on the licensing side," Fox said. "It will provide more building blocks to enable tools in the ecosystem to work better. Being able to more easily add licensed data to your CycloneDX SBOM, if you don't have existing tooling to do that, is a useful utility. Having the ability to validate both formats is also a useful utility."

In an OWASP blog post on Wednesday announcing IBM's contribution, Springett noted that IBM's License Scanner scans files for licenses and legal terms. "It can be used to help identify text matching licenses and license exceptions from the complete, published SPDX License List," he wrote. "It can also be configured to identify additional legal terms, keywords, aliases, and non-SPDX licenses. As a library, License Scanner is designed to be integrated into existing BOM generation software or may be used by itself as a command-line utility."

**SBOM Utility Adds APIs to CycloneDX**

Springett described IBM's SBOM Utility as an API platform that can validate CycloneDX or SPDX-formatted BOMs with their published schemas. It can validate and analyze a variety of BOM types, including hardware (HBOMs) and SaaS (SaaSBOMs). In the future, Springett noted, SBOM Utility will support OWASP's Software Component Verification Standard (SCVS), "which is defining a BOM Maturity Model (BMM) to help in identifying and reducing risk in the software supply chain."

Also, he noted that SBOM Utility could process documents such as Vulnerability Disclosure Reports (VDRs) and Vulnerability Exploitability eXchange (VEX) data formats, which CycloneDX has specified provide risk assessment.

"The SBOM Utility is great because it takes an API approach and allows organizations to slice and dice the CycloneDX data model and all the data in it," Springett says. "If you care about certain aspects of the bill of material, you can quickly query it, which is fantastic. And you can then allow organizations to start creating policy based on the types of data that may or may not exist in that bill of material."

While IBM initially built SBOM Utility and License Scanner for its use, the company has not said whether it plans to release commercial versions.

IBM Contributes Supply Chain Security Tools to OWASP

**HOUSTON, Texas – March 2, 2023** – Hewlett Packard Enterprise (NYSE: HPE) today announced that it entered into a definitive agreement to acquire Axis Security, a cloud security provider. This acquisition will allow HPE to expand its edge-to-cloud security capabilities by offering a unified Secure Access Services Edge (SASE) solution to meet the increasing demand for integrated networking and security solutions delivered as-a-service. Axis Security’s Security Services Edge (SSE) platform addresses the need for improved application performance and increased network security as the number of remote users increases and as enterprises continue to migrate applications to the cloud.

Axis Security’s SSE offerings enable access to corporate and public-cloud resources, and the company’s cloud-based platform will build on Aruba’s existing Software-defined Wide Area Network (SD-WAN) and network firewall offering. This combination will provide a complete edge-to-cloud SASE solution, ensuring that Zero Trust security controls can be applied to people and devices, no matter where they connect – on campus, branch, home, or on the road.

“As we transition from a post-pandemic world, and a hybrid work environment has become the new normal, a new approach is needed for network edge security to protect critical SaaS applications,” said Phil Mottram, executive vice president and general manager, HPE Aruba Networking. “The convergence of Aruba and Axis Security solutions will transform edge-to-cloud connectivity with a comprehensive SASE solution that provides enterprises with the highest levels of security for both IoT devices and all users’ access across geographically distributed locations. Today, we also accelerate our vision to help our customers expand their secure connectivity needs with SASE and private 5G solutions, building on our recently announced agreement to acquire private cellular technology provider, Athonet.

Based in Tel Aviv, Israel, Axis Security provides a cloud-native SSE platform, Atmos, which delivers authenticated user access to private applications at the network edge, a secure web gateway (SWG) to safeguard user access to the Internet, and a cloud access security broker (CASB) that provides secure in-line access to SaaS apps, and Digital Experience Monitoring (DEM) to provide insights into user experience. 

“We developed Axis Security to enable a world where connectivity to every business resource, from anywhere, could always be simple, safe and reliable,” said Dor Knafo, CEO of Axis Security. “Our SSE platform is a natural complement to Aruba’s SD-WAN, network firewall, and dynamic segmentation offerings. Together, we create a unified SASE platform, designed to extend connectivity to edge, and do so through a combination of modern access services – all working together in harmony.”  

**HPE enhances SASE offering with cloud security through integrated Axis Security platform**  
HPE will integrate Axis Security technology with its existing Aruba secure networking offerings to complete its SASE offering, which delivers WAN and cloud security controls directly to the application at the network edge, rather than routing data through the data center. This helps customers by flexibly delivering all of a provider’s networking components as a service with one point of control – instead of acquiring, maintaining, and licensing separate components individually.  
In addition, the HPE GreenLake edge-to-cloud platform will integrate Axis Security’s cloud-native SSE platform, offering customers one single monthly subscription with no capital expenditure.  Customers can deploy these flexible as-a-service solutions with reduced risk and little upfront investment – and scale them according to demand.  

**HPE portfolio integration and availability**  
The transaction is expected to close by the end of the second quarter of the HPE 2023 fiscal year subject to customary closing conditions. HPE will integrate Axis Security’s solutions with its edge-to-cloud security solutions and plans to make them available to customers in the third quarter of the HPE 2023 fiscal year.

**About Hewlett Packard Enterprise**

Hewlett Packard Enterprise (NYSE: HPE) is the global edge-to-cloud company that helps organizations accelerate outcomes by unlocking value from all of their data, everywhere. Built on decades of reimagining the future and innovating to advance the way people live and work, HPE delivers unique, open and intelligent technology solutions as a service.  With offerings spanning Cloud Services, Compute, High Performance Computing & AI, Intelligent Edge, Software, and Storage, HPE provides a consistent experience across all clouds and edges, helping customers develop new business models, engage in new ways, and increase operational performance. For more information, visit: www.hpe.com

Axis Security Acquisition Strengthens Aruba's SASE Solutions With Integrated Cloud Security and SD-WAN

The Decider tool is designed to make the ATT&CK framework more accessible and usable for security analysts of every level, with an intuitive interface and simplified language.

The US Cybersecurity and Infrastructure Security Agency (CISA) has launched Decider, a free tool to help the cybersecurity community more easily map threat actor behavior to the MITRE ATT&CK framework.

Created in partnership with the US Homeland Security Systems Engineering and Development Institute (HSSEDI) and MITRE, Decider is a Web application that organizations can download and host within their own infrastructure, thus making it available to a range of users via the cloud. It's meant to simplify the often onerous process of using the framework accurately and effectively, as well as open up its use to analysts at every level in a given cybersecurity organization.

**ATT&CK: A Complex Framework**

ATT&CK is designed to help security analysts determine what attackers are trying to achieve and how far along they are in the process (i.e., are they establishing initial access? Moving laterally? Exfiltrating data?) It does this via a set of known cyberattack techniques and sub-techniques determined and refreshed periodically by MITRE, that analysts can map on top of what they might be seeing in their own environments.

The goal is to anticipate the bad guys' next moves and shut down attacks as quickly as possible. The framework can also be incorporated into a variety of security tools, and it provides a standard language for communicating with peers and stakeholders during incident response and forensic investigations.

That's all well and good, but the problem is that the framework is notoriously complex, often requiring a high level of training and expertise to select the correct mappings, for instance. It also continually expands, including beyond enterprise attacks to incorporate threats to industrial control systems (ICS) and the mobile landscape, adding to the complexity. In all, it's a sprawling data set to navigate — and cyber defenders often end up in the weeds when trying to use it.

"There are a lot of techniques and sub-techniques that are available and that can get very involved and very technical, and oftentimes analysts are overwhelmed, or it slows them down quite a bit, because they don't necessarily know if the sub-technique they're picking is the right one," James Stanley, section chief at CISA, says, noting that complaints about mis-mappings using the tool are common.

"When you go to the website, there's a lot of information in front of you and it gets daunting quickly. The Decider tool really just brings it into more plain language for an analyst to use, regardless of their level of expertise," he says. "We wanted to give our stakeholders more guidance on how to use the framework, and make it available to, say, junior analysts who could benefit from using it in real time during middle-of-the-night incident response, for instance."

    

Decider uses a series of questions to guide analysts through the framework. Source: MITRE Corp.

On a broader level, proselytizers at CISA and MITRE believe that a wider use of ATT&CK — as encouraged by Decider — will lead to better, more actionable threat intelligence — and better cyber-defense outcomes.

"At CISA, we really want to put the emphasis on using threat intelligence to be proactive in your defense and not reactive," Stanley says. "For a very long time, the industry's go-to for that has been to share indicators of compromise (IOCs), which have very broad, very limited context." 

In contrast, ATT&CK tips the playing field to the defense's advantage, he says, because it's granular and gives organizations a way to understand the specific threat actor playbooks that are relevant to their specific environments.

"Threat actors should know that their playbooks are essentially useless once we highlight what they do and how they do it and incorporate it into the framework," he explains. "Organizations that can use it have a much stronger security posture as opposed to just kind of blindly blocking IP addresses or hashes, like the industry is so used to doing. Decider gets us closer to that."

**Simplifying ATT&CK for Analyst Accessibility**

Decider makes ATT&CK mapping more accessible by walking users through a series of guided questions about adversary activity, with the goal of identifying the correct tactics, techniques, or sub-techniques in the framework to fit the incident in an intuitive way. From there, those results can "inform a range of important activities such as sharing the findings, discovering mitigations, and detecting further techniques," according to CISA's March 1 announcement of the new tool.

    

Decider uses simplified language and definitions for techniques and sub-techniques. Source: MITRE Corp.

  
In addition to the prepopulated guiding questions, Decider uses simplified language that would be accessible to any security analyst, an intuitive search and filter function for uncovering relevant techniques, and a "shopping cart" functionality that lets users export results to commonly used formats. Additionally, organizations can tailor and tune it to their own individual environments, including flagging common mis-mappings.

The hope is for ATT&CK to eventually become a foundational, background tool for cybersecurity organizations, according to John Wunder, department manager, CTI, and Adversary Emulation at MITRE, rather than the unwieldy, if useful, instrument that it has been.

"One thing that I would really love to see as ATT&CK moves more into the background is just a part of the day-to-day operations of cybersecurity and individual analysts just having to pay less attention to it," he says. "It's just something that should form the foundation of what we do and thinking about understanding adversary behaviors, and not something that you have to spend a lot of time thinking through each time you're doing an incident response. Decider is a big step forward to that."

The tool also helps ATT&CK's syntax to become the de facto common nomenclature across tools and security platforms, and for sharing threat intelligence.

"Once you see ATT&CK used across more and more of the ecosystem, and everyone using a common language, then the users of ATT&CK start to see more and more benefit from aligning things to the framework and using it to more effectively correlate tools and so on," Wunder says. "Hopefully through things like Decider that make it easier to use, we'll start to see more and more of that."

CISA, MITRE Look to Take ATT&CK Framework Out of the Weeds

The new White House plan outlines proposed minimum security requirements in critical infrastructure — and for shifting liability for software products to vendors.

The Biden-Harris administration today announced a sweeping new National Cybersecurity Strategy that, among other things, seeks to establish meaningful liability for software products and services and sets mandatory minimum cybersecurity requirements in the critical infrastructure sector.

When fully implemented, the strategy will also strengthen the ability of both federal and private sector entities to disrupt and dismantle threat actor operations and require all entities that handle data on individuals to pay closer attention to how they protect that data.

One key objective of the strategy is for federal regulators to look for opportunities to incentivize all stakeholders to adopt better security practices via tax structures and other mechanisms.

**Rebalancing the Responsibility for Cybersecurity**

"\[The strategy\] takes on the systemic challenge that too much of the responsibility for cybersecurity has fallen on individual users and small users," President Biden wrote in the introduction to his new plan. "By working in partnership with industry, civil society, and State, local, Tribal, and territorial governments, we will rebalance the responsibility for cybersecurity to be more effective and equitable."

Biden's strategy seeks to build collaboration and momentum around five specific areas: critical infrastructure protection, disruption of threat actor operations and infrastructure, promoting better security among software vendors and organizations handling individual data, investments in more resilient technologies, and international cooperation on cybersecurity.

Of these, the proposed initiatives around critical infrastructure security and shifting liability to software vendors and data processors could have the most significant impact.

The critical infrastructure component of Biden's strategy includes a proposal to expand minimum cybersecurity requirements for all operators of critical infrastructure. The regulations will be based on existing cybersecurity standards and guidance such as the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity and the Cybersecurity and Infrastructure Security Agency's (CISA) Cybersecurity Performance Goals.

**A Focus on Secure by Design**

The requirements will be performance based, adaptable to changing requirements, and focus on driving adoption of secure-by-design principles.

"While voluntary approaches to critical infrastructure security have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes," the strategy document said. Regulation can also level the playing field in sectors where operators are in a competition with others to underspend on security because there really is no incentive to implement better security. The strategy provides critical infrastructure operators that might not have the financial and technical resources to meet the new requirements, with potentially new avenues for securing those resources.

Joshua Corman, former CISA chief strategist and current vice president of cyber safety at Claroty, says the Biden administration's choice to make critical infrastructure security a priority is an important one.

"The nation has seen successful cyber disruptions in critical infrastructure that have significantly impacted numerous lifeline functions, including access to water, food, fuel, and patient care, to name just a few," Corman says. "These are vital systems that are increasingly suffering disruptions, and many of the owners and operators of this critical infrastructure are what I call 'target rich, cyber poor.'"

These are often among the most attractive targets for threat actors but have the least number of resources to protect themselves, he notes.

Robert DuPree, manager of government affairs at Telos, views congressional support as key to Biden's plans to bolster critical infrastructure cybersecurity.

"The push to impose mandatory cybersecurity requirements on additional critical infrastructure sectors will need congressional authorization in some cases, which in the current political environment is a longshot at best," he said in a statement. "The Republican House majority is philosophically opposed to new government mandates and is not likely to give the Biden Administration such authority."

**Holding Vendors Accountable for Software Security**

In what is likely to a controversial move, Biden's new national cybersecurity strategy also puts emphasis on holding software vendors more directly responsible for the security of their technologies. The plan specifically shifts liability for insecure software and services to the vendors and away from the end users who bear the consequences of insecure software.

As part of the effort, Biden's administration will work with Congress to try and pass legislation that would prevent software manufacturers and publishers with market power to simply disclaim away liability by contract. The strategy provides a safe harbor for organizations with demonstrably secure practices for software development and maintenance.

"Too many vendors ignore best practices for secure development, ship products with insecure default configurations, or known vulnerabilities," and with insecure third-party components, the strategy document said.

In addition to shifting liability to software vendors, the new strategy also calls for minimum security requirements for all organizations handling individual data especially geolocation and health data.

Support in Congress for efforts to shift liability to software vendors has manifested in fits and starts for over a decade, says Brian Fox, CTO and co-founder of Sonatype. "In 2013, H.R.5793 — Cyber Supply Chain Management and Transparency Act known as the Royce Bill started the conversation around introducing software bills of material (SBOM)," he says.

Ultimately that proposal didn't move forward, but the requirement for all software suppliers to the federal government to produce SBOMs on demand ended up being incorporated in a May 2021 Executive Order from President Biden, he says. "More recently, we've seen the Securing Open Source Software Act of 2022 working its way through committees. It seems clear that Congress is looking for a way to move the industry forward, and the strategy lays out specific new elements to be considered."

**Carrot and Stick**

As part of the effort to guide better security behavior, the federal government will use its enormous purchasing clout to get software and service suppliers to contractually adhere to minimum security requirements. It will use grants and other mechanisms — such as rate-making processes and tax structures — to get organizations to invest more in cybersecurity.

Karen Walsh, cybersecurity compliance expert at Allegro Solutions, says if the plan works as intended it could shift corporate mindsets from a "security means penalties" to a "security means attaining rewards" mentality.

"In many ways, this is similar to how the government already offers incentives for clean energy initiatives," Walsh says.

**Fighting Back**

One major focus of the new strategy is on strengthening federal and private sector capabilities to disrupt threat actor operations and infrastructure. The plans include developing a whole-of-government disruption capability, more coordinated takedowns of criminal infrastructure and resources, and making it harder for threat actors to use US infrastructure for cyber-threat operations.

"Dismantling threat actors is unlikely to take place on a broad scale," says Allie Mellen, a senior analyst at Forrester. "It's similar to the idea of 'hack back' — hypothetically great, but difficult to execute on."

Mellen considers the proposed expansion of regulations on critical infrastructure providers as by far the most significant component of the new strategy.

"Not only does it look to establish a set of minimum cybersecurity requirements, but it also begins to link technology providers such as infrastructure-as-a-service (IaaS) companies to these requirements, broadening its reach," she says.

Claroty's Corman says some of the proposals in the new strategy will likely trigger some hard conversations. But it is high time to have them, he notes.

"The more controversial topics, such as software liability, are admittedly going to be tougher to achieve," Corman notes. But the effort is crucial, he says.

"There is a significant gap between the current state and the desired state for critical infrastructure cyber-resilience — we need bold thinking and bold action in order to narrow that gap."

Biden's Cybersecurity Strategy Calls for Software Liability, Tighter Critical Infrastructure Security

Sold for around $5,000 in hacking forums, the BlackLotus UEFI bootkit is capable of targeting even updated systems, researchers find.

BlackLotus UEFI bootkits are deployed to take over the boot process of operating systems: bypassing security measures and deploying their malicious payloads.

Now, researchers with ESET are raising the alarm that even completely updated Windows 11 systems with UEFI Secure Boot enabled are vulnerable to BlackLotus attacks. Worryingly, the new bootkit, first discovered in October 2022, is readily available for as little as $5,000 on hacking forums.

"It was just a matter of time before someone would take advantage of these failures and create a UEFI bootkit capable of operating on systems with UEFI Secure Boot enabled," ESET explained in the report. "As we suggested last year in our RSA presentation, all of this makes the move to the ESP more feasible for attackers and a possible way forward for UEFI threats — the existence of BlackLotus confirms this."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading