New Techniques - Library Version Pinning, Ghost Message Monitoring, User Untime Login, Eliminate Credentials In Code, Non Standard Cloud Region Access #155
AashiqRamachandran started this conversation in General (1 comment, 1 reply)
Thank you for the submission. Please create two new issues for Library Version Pinning and the credential removal. The issues have a technique template for you to fill out. The other techniques will require more discussion, but let's act on the two above now.
Submitting a few new techniques that could potentially add value to the MITRE D3FEND repository 😄

Library Version Pinning
Contributed By: Cyware Labs, Aashiq Ramachandran
Synonyms: Dependency Pinning
MITRE D3FEND Technique: Application Hardening
MITRE D3FEND Tactic: Harden
Definition: Ensure only certain versions are used, i.e. "pinned down", for all libraries used across scripts and code, to ensure only vetted versions are being used organization-wide.
How It Works:
Version pinning is the practice of freezing third-party dependency versions used in code. This way we ensure all third-party code that is being ingested is stamped with a version number that has been verified to contain non-malicious code.
With supply chain attacks increasing, version pinning ensures we do not default to the latest version without prior verification, reducing the attack surface for supply chain attacks.
Considerations:
While pinning down versions ensures that only known versions of libraries are used, any inherent vulnerabilities present in that version of a dependency might go unnoticed. As a countermeasure, a robust upgrade and patching plan must be in place.
Ghost Message Monitoring
Contributed By: Cyware Labs, Aashiq Ramachandran
MITRE D3FEND Technique: Message Analysis
MITRE D3FEND Tactic: Detect
Definition: Forward messages / message headers to a common data lake or queue to allow automated monitoring of malicious messages / credentials in code.
How It Works:
Ghost Message Monitoring is where we forward messages / message headers from all monitored message stacks, such as Slack, email etc., to a common data lake.
This message forwarding can in turn trigger automated processes to allow for messages / message headers to be automatically analyzed, enriched or extracted!
This message / message header forwarding can also act as a log source to assist in further investigations.
With scenarios such as credentials being shared over messages, or messages being received from / sent to taken-over email accounts, ghost message monitoring can help detect such cases proactively and in a timely fashion.
Considerations:
Not all organizations might be in line with sending messages to a data lake. In such cases, we can attempt to send the messages to a non-persistent queue, where the messages are discarded post analysis. If sharing the overall messages is a concern, we can tweak the workflow to work with message metadata gained from headers, rather than the message itself.
User Untime Login
Contributed By: Cyware Labs, Aashiq Ramachandran
Synonyms: Malicious Logins
MITRE D3FEND Technique: User Behaviour Analysis
MITRE D3FEND Tactic: Detect
Definition: Monitor user login timelines at a per-user level to identify a login that seems to break out of pattern from the baseline.
How It Works:
We attempt to collect and monitor sign-in logs for individual users at an organization level. This data is then baselined at a user level, where we create a pattern baseline per user. Once this baseline is created, we detect any logins per user that potentially vary outside the bounds of normal behavior.
For example, if a user normally logs in at 10am and logs off at 6pm, a sign-in at 3am might be indicative of credentials being compromised.
Considerations:
For this to work effectively, we need to collect sign-in logs at a per-user level, and baseline at a per-user level. As and when we collect more data, we can predict user patterns in a better manner.
Eliminate Credentials In Code
Contributed By: Cyware Labs, Aashiq Ramachandran
MITRE D3FEND Technique: Application Hardening
MITRE D3FEND Tactic: Harden
Definition: Remove any "credentials" or "access keys" from compiled source code.
How It Works:
Credentials or secrets in compiled code can lead to compromise of target services. Credentials in code must be detected and eliminated promptly.
Apart from being eliminated, credentials must also be disabled once they have made their way into git / version control history.
Credentials are always to be accessed via a secret manager, and not to be held in persistent memory in an unencrypted form.
Considerations:
While configuring a credential manager, it is important to handle role accesses and credential keys correctly to ensure unauthorized entities are not able to access stored credentials.
Non Standard Cloud Region Access
Contributed By: Cyware Labs, Aashiq Ramachandran
MITRE D3FEND Technique: Application Hardening
MITRE D3FEND Tactic: Harden
Definition: Monitor and lock down all cloud asset regions that are "not" actively being used.
How It Works:
Post cloud environment compromise, threat actors often set up rootkits or backdoors of various types in non-standard organizational regions as a method to avoid detection.
To prevent this, it is recommended to proactively monitor and lock down all non-standard regions at a service provider level, and/or to ensure all assets are forwarded to a central inventory base to ensure any rogue assets are caught and remediated prior to escalation.
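A concrete check for the Library Version Pinning technique above, added here as an example and not part of the submission or of D3FEND itself: a small auditor for a pip requirements file that reports every dependency which is not both pinned to an exact version and locked to a `--hash=` digest (the combination `pip install --require-hashes` enforces). The requirements text and the sha256 value are constructed placeholders.

```python
"""Audit a pip requirements file for unpinned third-party dependencies.

Added example, not part of the D3FEND submission. A dependency counts as
properly pinned only when it uses an exact '==' version AND carries at least
one --hash= digest, which is what 'pip install --require-hashes' enforces.
"""
import re
from dataclasses import dataclass

# Constructed sample requirements file (placeholder digest, not a real wheel hash).
SAMPLE_REQUIREMENTS = """\
# vetted and hash-locked
requests==2.31.0 \\
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
# exact version but no hash: a substituted artifact would not be noticed
urllib3==2.2.1
# range pins and bare names float to whatever the index serves today
flask>=2.0
pyyaml
"""

# name, optional extras, then an exact '==' specifier
EXACT_PIN = re.compile(r"^(?P<name>[A-Za-z0-9_.\-\[\]]+)\s*==\s*(?P<version>[^\s;]+)")
# hash options may follow the specifier on the same logical line
HASH_OPT = re.compile(r"--hash=(?P<algo>sha256|sha384|sha512):(?P<digest>[0-9a-fA-F]+)")


@dataclass
class Finding:
    line: str
    problem: str


def logical_lines(text: str):
    """Join backslash-continued lines and drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""
    if buf:
        yield buf.strip()


def audit_requirements(text: str) -> list[Finding]:
    """Return one Finding per requirement that is not exactly pinned and hashed."""
    findings = []
    for line in logical_lines(text):
        if line.startswith("-"):        # pip options such as -r or --index-url
            continue
        if not EXACT_PIN.match(line):
            findings.append(Finding(line, "no exact '==' pin; version floats"))
            continue
        if not HASH_OPT.search(line):
            findings.append(Finding(line, "exact pin but no --hash digest"))
    return findings


if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{f.problem}: {f.line}")
```

Running this in CI against every requirements file turns the "robust upgrade and patching plan" from the Considerations into a gate: upgrades happen by deliberately changing a pinned line and its digest, never by an unpinned install picking up whatever the index serves.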
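For the Ghost Message Monitoring technique, the following is an added example (not code from the submission) of the privacy-preserving variant described in its Considerations: only header-derived metadata is forwarded into a non-persistent in-memory queue, each record is analyzed and then discarded, and the body text is never retained. The two RFC 5322 messages and the takeover watchlist are constructed; the stdlib `email` parser does the header parsing.

```python
"""Forward only message-header metadata to a non-persistent queue and analyze it.

Added example, not code from the D3FEND submission. It parses constructed
RFC 5322 messages with the stdlib ``email`` package, keeps header metadata
only (no body), and drops each record after analysis, matching the
'metadata only' and 'non-persistent queue' options in the Considerations.
"""
import hashlib
from collections import deque
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed sample messages (not real traffic).
RAW_MESSAGES = [
    "From: Alice <alice@example.com>\r\n"
    "To: bob@example.com\r\n"
    "Reply-To: alice@example.com\r\n"
    "Subject: lunch\r\n"
    "Message-ID: <1@example.com>\r\n"
    "Received: from mx.example.com by inbox.example.com\r\n"
    "\r\nsee you at noon\r\n",
    "From: CFO <cfo@example.com>\r\n"
    "To: finance@example.com\r\n"
    "Reply-To: cfo-urgent@mail-example.test\r\n"
    "Subject: wire\r\n"
    "Message-ID: <2@example.com>\r\n"
    "Received: from a by b\r\n"
    "Received: from b by c\r\n"
    "Received: from c by d\r\n"
    "\r\nplease process today\r\n",
]

# Constructed: accounts currently under account-takeover review.
WATCHED_ACCOUNTS = {"cfo@example.com"}


def header_metadata(raw: str) -> dict:
    """Reduce a message to header-only metadata; body text is never retained."""
    msg = Parser(policy=policy.default).parsestr(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", "") or msg.get("From", ""))
    return {
        "message_id": str(msg.get("Message-ID", "")),
        "from": from_addr.lower(),
        "to": [parseaddr(a)[1].lower() for a in msg.get_all("To", [])],
        "reply_to": reply_addr.lower(),
        "received_hops": len(msg.get_all("Received", [])),
        # a hashed subject lets analysts correlate threads without storing the text
        "subject_hash": hashlib.sha256(str(msg.get("Subject", "")).encode()).hexdigest()[:16],
    }


def analyze(meta: dict) -> list[str]:
    """Return alert reasons for one metadata record."""
    alerts = []
    from_domain = meta["from"].rsplit("@", 1)[-1]
    reply_domain = meta["reply_to"].rsplit("@", 1)[-1]
    if meta["reply_to"] and reply_domain != from_domain:
        alerts.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")
    if meta["from"] in WATCHED_ACCOUNTS or set(meta["to"]) & WATCHED_ACCOUNTS:
        alerts.append("message involves an account on the takeover watchlist")
    return alerts


def run_pipeline(raw_messages: list[str]) -> dict[str, list[str]]:
    """Queue metadata, analyze, discard: no record outlives its analysis step."""
    queue: deque = deque(header_metadata(r) for r in raw_messages)
    results = {}
    while queue:
        meta = queue.popleft()          # the popped record is dropped after this iteration
        alerts = analyze(meta)
        if alerts:
            results[meta["message_id"]] = alerts
    return results


if __name__ == "__main__":
    for message_id, reasons in run_pipeline(RAW_MESSAGES).items():
        print(message_id, reasons)
```

The same `header_metadata` record is what you would write to the data lake in the full variant; the alert output is what the submission calls a log source for later investigations.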
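The next added example serves two of the techniques above at once: the "credentials being shared over messages" case of Ghost Message Monitoring and the detection half of Eliminate Credentials In Code. It is not code from the submission. It scans text for an AWS access key ID pattern and for keyword-style assignments of high-entropy values, and shows a constructed vulnerable snippet beside its hardened form, where the same code reads secrets through a `secrets_client.get(...)` call (a hypothetical secret manager client used only as scanned text). The AWS key ID is the placeholder AWS publishes in its own documentation; every other value is constructed.

```python
"""Detect credentials in source code and in forwarded chat / e-mail text.

Added example for two of the submitted techniques: the 'credentials shared
over messages' case of Ghost Message Monitoring and Eliminate Credentials In
Code. Not part of the D3FEND submission. All inputs are constructed; the AWS
key ID below is the placeholder AWS uses in its documentation.
"""
import math
import re
from collections import Counter

# Constructed 'before' snippet: secrets baked into the code.
VULNERABLE_SOURCE = '''
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "Tr0ub4dor&3-rotate-me"
DEBUG = "true"
'''

# Constructed 'after' snippet: the same code reading from a secret manager
# client (hypothetical API) instead of literals.
HARDENED_SOURCE = '''
AWS_ACCESS_KEY_ID = secrets_client.get("app/aws/access_key_id")
db_password = secrets_client.get("app/db/password")
DEBUG = "true"
'''

# Constructed chat message of the kind Ghost Message Monitoring would forward.
CHAT_MESSAGE = "hey, prod db creds are admin / password: Tr0ub4dor&3-rotate-me, dont share"

PATTERNS = {
    # AWS access key IDs have a fixed, well-documented shape
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # '<keyword> = "<value>"' or '<keyword>: <value>' with an 8+ character value;
    # no leading \b so that names like db_password still match
    "assigned_secret": re.compile(
        r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^'\"\s,]{8,})"),
}
ENTROPY_THRESHOLD = 2.5   # bits per character; tune against your own false positives


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's byte distribution."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_credentials(text: str) -> list[tuple[str, str]]:
    """Return (pattern_name, matched_value) pairs for likely credentials in text."""
    hits = []
    for m in PATTERNS["aws_access_key_id"].finditer(text):
        hits.append(("aws_access_key_id", m.group(0)))
    for m in PATTERNS["assigned_secret"].finditer(text):
        value = m.group(2)
        # A call expression (secret manager lookup) or a low-entropy token is
        # not a literal secret, so it is not reported.
        if "(" in value or shannon_entropy(value) < ENTROPY_THRESHOLD:
            continue
        hits.append(("assigned_secret", value))
    return hits


if __name__ == "__main__":
    for label, text in [("vulnerable", VULNERABLE_SOURCE),
                        ("hardened", HARDENED_SOURCE),
                        ("chat", CHAT_MESSAGE)]:
        print(label, find_credentials(text))
```

Run as a pre-commit hook or over the forwarded message stream, a hit on the vulnerable form is the trigger for the two follow-up steps the submission lists: remove the literal and, because it already sits in history or in a chat log, revoke and rotate it.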
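For the User Untime Login technique, an added example (not code from the submission) of the per-user baseline it describes: the hours of day at which each user has signed in are learned from a constructed sign-in log, a new login is compared against that user's own hours on a 24-hour ring with a one-hour tolerance, and, reflecting the Considerations note about needing enough data, no verdict is given until a user has at least `MIN_EVENTS` historical logins. The log, the threshold and the tolerance are all assumptions.

```python
"""Per-user login-hour baselining to flag out-of-pattern sign-ins.

Added example, not part of the D3FEND submission. Login events are constructed.
The baseline is the set of hours-of-day seen per user; a user is only scored
once MIN_EVENTS logins have been observed, so sparse accounts do not alert on
every login before a pattern exists.
"""
from collections import defaultdict
from datetime import datetime

MIN_EVENTS = 10          # below this, not enough history to judge (assumed value)
TOLERANCE_HOURS = 1      # allow one hour either side of an observed hour (assumed)

# Constructed sign-in log: (user, ISO timestamp). Alice works roughly 10:00-18:00.
LOGIN_EVENTS = [("alice", f"2024-03-{d:02d}T{h:02d}:{m:02d}:00")
                for d, h, m in [(1, 10, 2), (2, 9, 58), (3, 10, 15), (4, 10, 5),
                                (5, 13, 40), (6, 10, 1), (7, 9, 55), (8, 10, 8),
                                (9, 10, 3), (10, 11, 20)]]
# Bob has only two logins so far: not enough to baseline.
LOGIN_EVENTS += [("bob", "2024-03-01T08:00:00"), ("bob", "2024-03-02T08:05:00")]


def build_baselines(events):
    """Map user -> (event_count, set of login hours observed)."""
    hours = defaultdict(set)
    counts = defaultdict(int)
    for user, ts in events:
        counts[user] += 1
        hours[user].add(datetime.fromisoformat(ts).hour)
    return {u: (counts[u], hours[u]) for u in counts}


def is_untimely(baseline, user, ts) -> str:
    """Classify a new login as 'untimely', 'normal' or 'insufficient_data'."""
    if user not in baseline or baseline[user][0] < MIN_EVENTS:
        return "insufficient_data"
    hour = datetime.fromisoformat(ts).hour
    _, seen = baseline[user]
    # Hours wrap at midnight, so distance is measured on a 24-hour ring.
    for h in seen:
        if min((hour - h) % 24, (h - hour) % 24) <= TOLERANCE_HOURS:
            return "normal"
    return "untimely"


if __name__ == "__main__":
    baseline = build_baselines(LOGIN_EVENTS)
    for user, ts in [("alice", "2024-03-11T03:12:00"),
                     ("alice", "2024-03-11T10:30:00"),
                     ("bob", "2024-03-11T03:00:00")]:
        print(user, ts, is_untimely(baseline, user, ts))
```

The 3am login in the submission's own example is exactly the case the first call classifies as untimely; it is a signal to investigate, not proof of compromise, and the baseline should be rebuilt as new logins accumulate.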
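Finally, for Non Standard Cloud Region Access, an added example (not code from the submission) covering both halves of its How It Works: the detective half compares a central asset inventory against the regions the organization actually uses and reports rogue assets per account and region, and the preventive half builds an AWS Organizations service control policy that denies non-global actions outside those regions using the real `aws:RequestedRegion` condition key. The inventory, account IDs and approved regions are constructed, and which services are exempted as global is an assumption to review for your own environment.

```python
"""Find cloud assets in regions the organization does not use, and build the
matching preventive policy.

Added example, not part of the D3FEND submission. The inventory is constructed
(it stands in for a central inventory fed from every account). The policy
builder emits an AWS Organizations SCP using the real ``aws:RequestedRegion``
condition key; the set of services exempted as global is an assumption.
"""
import json

APPROVED_REGIONS = {"us-east-1", "eu-west-1"}   # assumed organization standard

# Constructed central inventory rows: (account, region, resource_type, resource_id)
INVENTORY = [
    ("111111111111", "us-east-1", "ec2:instance", "i-0aaa"),
    ("111111111111", "eu-west-1", "s3:bucket", "logs-eu"),
    ("222222222222", "ap-southeast-2", "ec2:instance", "i-0bbb"),      # rogue region
    ("222222222222", "us-east-1", "lambda:function", "billing"),
    ("111111111111", "sa-east-1", "lambda:function", "cron-helper"),   # rogue region
]

# Services whose actions are not region-scoped and would break under a blanket
# deny; adjust for your environment (assumption).
GLOBAL_SERVICES = ("iam", "sts", "organizations", "support", "route53", "cloudfront")


def rogue_assets(inventory, approved=APPROVED_REGIONS):
    """Return inventory rows whose region is not in the approved set."""
    return [row for row in inventory if row[1] not in approved]


def summarize(inventory, approved=APPROVED_REGIONS):
    """Group rogue assets by account and region for the remediation ticket."""
    out = {}
    for account, region, rtype, rid in rogue_assets(inventory, approved):
        out.setdefault(account, {}).setdefault(region, []).append(f"{rtype}/{rid}")
    return out


def region_lock_scp(approved=APPROVED_REGIONS, global_services=GLOBAL_SERVICES):
    """Build an SCP denying every non-global action outside the approved regions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": [f"{svc}:*" for svc in global_services],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": sorted(approved)}},
        }],
    }


if __name__ == "__main__":
    print(json.dumps(summarize(INVENTORY), indent=2))
    print(json.dumps(region_lock_scp(), indent=2))
```

The inventory check is what catches assets that predate the policy or arrive through a path the SCP does not cover; the SCP stops new ones. Applying the two together is the "monitor and lock down" pairing the submission recommends.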