A suspected foreign nation-state actor has breached the NERVE network, according to MITRE

It was confirmed on Friday that the non-profit MITRE had experienced a cyber breach that illustrates the nature of modern cyber attacks. Compromise by a foreign nation-state threat actor was confirmed after suspicious activity was detected on its Networked Experimentation, Research, and Virtualization Environment (NERVE). An emergency notification has been sent to local authorities and affected parties, and MITRE is working to restore a secure and expedited way of collaborating.

NERVE is an unclassified collaborative network that provides storage, computing, and networking capabilities. According to MITRE’s investigation, the incident did not appear to affect MITRE’s core enterprise network or its partners’ systems. MITRE took action quickly after detecting the breach on the NERVE network by taking the NERVE environment offline and launching an investigation with the support of in-house and third-party experts. A comprehensive investigation is being conducted, including determining the extent of the information possibly involved.

“No organization is immune from this type of cyber attack, not even one that strives to maintain the highest cybersecurity possible,” Jason Providakes, president and CEO of MITRE, said in a media statement. “We are disclosing this incident in a timely manner because of our commitment to operate in the public interest and to advocate for best practices that enhance enterprise security as well as necessary measures to improve the industry’s current cyber defense posture.” 

Providakes added that the threats and cyber attacks are becoming more sophisticated and require increased vigilance and defense approaches. “As we have previously, we will share our learnings from this experience to help others and evolve our own practices.”

Charles Clancy, chief technology officer of MITRE, said that in January of this past year over 1700 organizations were compromised by a sophisticated nation-state threat actor. “This threat actor compromised the Ivanti Connect Secure appliance that’s used to provide connectivity into some of our most trusted networks. MITRE was one of those compromised. In the interest of transparency and public interest, we really want to share our experiences, so others can learn from it.”

“We took all the recommended actions from the vendor, from the U.S. government, but they were clearly not enough. As a result, we are issuing a call to action to the industry,” Clancy added. “The threat has gotten more sophisticated, and so too must our solutions to combat that threat.”

“First, we need to advance secure by design principles. Hardware and software need to be secure right out of the box,” Clancy said. “Second, we need to operationalize secure supply chains by taking advantage of the software bill of materials ecosystem to understand the threats in our upstream software systems. Third, we should deploy zero trust architectures, not just multi-factor authentication, but also micro-segmentation of our networks. Fourth, we need to adopt adversary engagement as a routine part of cyber defense. It can provide not only detection but also deterrence to our adversaries. Adversaries are advancing new threats and new techniques,” he added.

The Attack

“A threat actor performed reconnaissance of our networks, exploited one of our Virtual Private Networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities, and skirted past our multi-factor authentication using session hijacking,” the post revealed. “From there, they moved laterally and dug deep into our network’s VMware infrastructure using a compromised administrator account. They employed a combination of sophisticated backdoors and webshells to maintain persistence and harvest credentials.”
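As an added example (not from the original article and not MITRE’s or Ivanti’s code), the following Python script shows one detection check a defender could run over VPN appliance session logs for the MFA bypass described above: a session that completed MFA from one source address and is then used from a different address shortly afterwards is flagged for review. The log format, field names and sample lines are constructed for illustration and do not reflect the real Ivanti Connect Secure log schema.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN session log lines (hypothetical format for illustration only).
# Session ab12 passes MFA from an internal address and is then reused from an external one.
SAMPLE_LOG = """\
2024-01-10T08:00:01Z session=ab12 user=alice src=10.1.1.5 event=mfa_success
2024-01-10T08:00:02Z session=ab12 user=alice src=10.1.1.5 event=session_start
2024-01-10T08:05:10Z session=ab12 user=alice src=203.0.113.77 event=request path=/admin
2024-01-10T08:05:12Z session=ab12 user=alice src=203.0.113.77 event=request path=/vcenter
2024-01-10T09:00:00Z session=cd34 user=bob src=10.1.2.9 event=mfa_success
2024-01-10T09:00:01Z session=cd34 user=bob src=10.1.2.9 event=session_start
2024-01-10T09:10:00Z session=cd34 user=bob src=10.1.2.9 event=request path=/home
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<sid>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)"
)

def parse(log_text):
    """Parse the constructed log format into a list of event dicts; skip unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events

def find_hijacked_sessions(events, max_roam_seconds=900):
    """Flag sessions used from a source IP other than the one that started them,
    within max_roam_seconds of session_start (legitimate roaming is rarely that fast)."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["sid"]].append(e)
    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        origin = next((e for e in evs if e["event"] == "session_start"), None)
        if origin is None:
            continue  # no start event seen; cannot establish the origin address
        for e in evs:
            delta = (e["ts"] - origin["ts"]).total_seconds()
            if e["src"] != origin["src"] and delta <= max_roam_seconds:
                findings.append({"session": sid, "user": e["user"], "origin_src": origin["src"],
                                 "new_src": e["src"], "seconds_after_start": delta})
                break  # one finding per session is enough to trigger review
    return findings
```

Because the check keys on the session identifier rather than on the MFA event, it surfaces reuse of an already-authenticated session, which is exactly the case MFA alone does not catch.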

Initial Response

MITRE acknowledged that while they followed best practices and recommendations, their initial actions were insufficient. They stated, “we did not detect the lateral movement into our VMware infrastructure. At the time, we believed we took all the necessary actions to mitigate the vulnerability, but these actions were clearly insufficient.”

Containment and Recovery

Upon detecting the breach, MITRE’s incident response team took swift action:

  • “Isolated affected systems and segments of the network to prevent further spread of the attack.”
  • “Established an ad-hoc committee with board oversight to manage the response.”
  • “Launched multiple streams of forensic analysis to identify the extent of the compromise.”
  • “Identified alternative platforms, conducted security audits, and established procedures for project migration.”

Transparency and Communication

MITRE emphasized the importance of transparency: “Maintaining transparent communication with stakeholders, including affected employees, customers, law enforcement, and ultimately the public, is critical.”

Learning and Improvement

The forensic investigation led to the deployment of new sensor suites and enhanced threat hunting efforts. MITRE is committed to ongoing improvement through:

  • “A comprehensive review of its cybersecurity posture, including vulnerability assessments and penetration testing.”
  • “Enhancing employee training and awareness programs.”
  • “Implementing additional security measures based on lessons learned from the incident.”

Future of ATT&CK

MITRE remains dedicated to improving ATT&CK, a valuable cybersecurity framework. Their 2024 goals include:

  • “Bolstering broader usability and enhancing actionable defensive measures.”
  • “Exploring scope adjustments and platform rebalancing, including the introduction of ICS (industrial control system) sub-techniques by October.”

By sharing their experience, MITRE hopes to inform and assist others facing similar threats.
