Daily Archives: October 23, 2020

Flare-On 7 Challenge Solutions

We are thrilled to announce the conclusion of the seventh annual Flare-On challenge. This year proved to be the most difficult challenge we’ve produced, with the lowest rate of finishers. This year’s winners are truly the elite of the elite! Lucky for them, all 260 winners will receive this cyberpunk metal key.

We would like to thank the challenge authors individually for their great puzzles and solutions:

  1. fidler – Nick Harbour (@nickharbour)
  2. garbage – Jon Erickson
  3. Wednesday – Blaine Stancill (@MalwareMechanic)
  4. report – Moritz Raabe (@m_r_tz)
  5. TKApp – Moritz Raabe (@m_r_tz)
  6. CodeIt – Mike Hunhoff (@mehunhoff)
  7. re_crowd – Chris Gardner, Moritz Raabe, Blaine Stancill
  8. Aardvark – Jacob Thompson
  9. crackinstaller – Paul Tarter (@Hefrpidge)
  10. break – Chris Gardner
  11. Rabbit Hole – Sandor Nemes (@sandornemes)

This year’s Flare-On challenge was the first to feature a live public scoreboard, so players could track their progress and the progress of previous Flare-On challenge champions. Despite this increased data at your fingertips, we are still going to bring you even more stats. As of 11:00am ET, participation was near record setting levels at 5,648 players registered. 3,574 of those players finished at least one challenge.

The U.S. reclaimed the top spot for total finishers with 22. Singapore was once again in second place, but in uncontested first place per capita, with one Flare-On finisher for every 296,000 living persons in Singapore. This is the first year we have included a per capita finishers by country chart, and we did it to highlight just what a remarkable concentration of talent exists in some corners of the world. Consistent top finisher Russia took third place, and a growing player base in Germany and Israel came into full bloom this year, with those countries edging out other frequent top five countries such as China, India and Vietnam.

All the binaries from this year’s challenge are now posted on the Flare-On website. Here are the solutions written by each challenge author:

  1. SOLUTION #1
  2. SOLUTION #2
  3. SOLUTION #3
  4. SOLUTION #4
  5. SOLUTION #5
  6. SOLUTION #6
  7. SOLUTION #7
  8. SOLUTION #8
  9. SOLUTION #9
  10. SOLUTION #10
  11. SOLUTION #11

MITRE ATT&CK Tactics Are Not Tactics



Just what are "tactics"?

Introduction


MITRE ATT&CK is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else.

The MITRE ATT&CK Design and Philosophy document from March 2020 says the following:

At a high-level, ATT&CK is a behavioral model that consists of the following core components:

• Tactics, denoting short-term, tactical adversary goals during an attack;
• Techniques, describing the means by which adversaries achieve tactical goals;
• Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and
• Documented adversary usage of techniques, their procedures, and other metadata.

My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive.

The key word in the tactics definition is goals. According to MITRE, "tactics" are "goals."
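The relationship MITRE describes above (a tactic as the goal, techniques and sub-techniques as the means) is also how the published ATT&CK data encodes it: in the STIX export, a technique carries a kill-chain phase naming the tactic it serves, and a sub-technique points at its parent through a "subtechnique-of" relationship. What follows is an added example, not code from the original post or from MITRE. It walks a small constructed bundle shaped like that export (made-up STIX ids, a handful of real technique names) and shows that one technique can sit under several tactics, which is exactly what you would expect of a means that serves more than one goal.

```python
"""Added example (not from the original post or MITRE): walk a small,
constructed ATT&CK-style STIX bundle to show how ATT&CK encodes the
tactic/technique relationship in data. Tactics are `x-mitre-tactic` objects;
techniques are `attack-pattern` objects that name their tactic in a
kill-chain phase; sub-techniques hang off a parent via `subtechnique-of`."""
from collections import defaultdict

# Constructed sample, shaped like the real export at https://github.com/mitre/cti
# but with made-up STIX ids and only a few objects.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "x-mitre-tactic", "id": "x-mitre-tactic--00000001",
         "name": "Initial Access", "x_mitre_shortname": "initial-access"},
        {"type": "x-mitre-tactic", "id": "x-mitre-tactic--00000002",
         "name": "Persistence", "x_mitre_shortname": "persistence"},
        {"type": "attack-pattern", "id": "attack-pattern--0000000a",
         "name": "Supply Chain Compromise",
         "kill_chain_phases": [
             {"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}]},
        {"type": "attack-pattern", "id": "attack-pattern--0000000b",
         "name": "Compromise Software Supply Chain",
         "x_mitre_is_subtechnique": True,
         "kill_chain_phases": [
             {"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}]},
        {"type": "attack-pattern", "id": "attack-pattern--0000000c",
         "name": "Valid Accounts",
         "kill_chain_phases": [
             {"kill_chain_name": "mitre-attack", "phase_name": "initial-access"},
             {"kill_chain_name": "mitre-attack", "phase_name": "persistence"}]},
        {"type": "relationship", "id": "relationship--0000000d",
         "relationship_type": "subtechnique-of",
         "source_ref": "attack-pattern--0000000b",
         "target_ref": "attack-pattern--0000000a"},
    ],
}


def _objects(bundle, stix_type):
    """All objects in the bundle of one STIX type."""
    return [o for o in bundle["objects"] if o["type"] == stix_type]


def tactic_names(bundle):
    """Map kill-chain phase shortname -> tactic display name."""
    return {t["x_mitre_shortname"]: t["name"]
            for t in _objects(bundle, "x-mitre-tactic")}


def techniques_by_tactic(bundle):
    """Tactic name -> sorted top-level technique names mapped to it.
    A technique is listed under every tactic (goal) it can serve."""
    names = tactic_names(bundle)
    out = defaultdict(list)
    for ap in _objects(bundle, "attack-pattern"):
        if ap.get("x_mitre_is_subtechnique"):
            continue
        for phase in ap.get("kill_chain_phases", []):
            if phase["kill_chain_name"] == "mitre-attack":
                out[names[phase["phase_name"]]].append(ap["name"])
    return {tactic: sorted(techs) for tactic, techs in out.items()}


def tactics_served_by(bundle, technique_name):
    """Sorted tactic names a given technique is mapped to."""
    names = tactic_names(bundle)
    for ap in _objects(bundle, "attack-pattern"):
        if ap["name"] == technique_name:
            return sorted(names[p["phase_name"]]
                          for p in ap.get("kill_chain_phases", [])
                          if p["kill_chain_name"] == "mitre-attack")
    raise KeyError(technique_name)


def subtechniques_of(bundle, technique_name):
    """Sorted names of sub-techniques whose subtechnique-of edge targets the technique."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    parent_ids = {o["id"] for o in _objects(bundle, "attack-pattern")
                  if o["name"] == technique_name}
    return sorted(by_id[r["source_ref"]]["name"]
                  for r in _objects(bundle, "relationship")
                  if r["relationship_type"] == "subtechnique-of"
                  and r["target_ref"] in parent_ids)


if __name__ == "__main__":
    for tactic, techs in techniques_by_tactic(SAMPLE_BUNDLE).items():
        print(f"{tactic}: {', '.join(techs)}")
    print("Valid Accounts serves:", tactics_served_by(SAMPLE_BUNDLE, "Valid Accounts"))
    print("Sub-techniques of Supply Chain Compromise:",
          subtechniques_of(SAMPLE_BUNDLE, "Supply Chain Compromise"))
```

Run it directly to print the grouping. To do the same against the real data, load the enterprise-attack.json bundle from the mitre/cti repository in place of SAMPLE_BUNDLE; the object types and field names are the same.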

Examples of ATT&CK Tactics


ATT&CK lists the following as "Enterprise Tactics" (the twelve tactics shown at https://attack.mitre.org/tactics/enterprise/ as of this writing):

  1. Initial Access
  2. Execution
  3. Persistence
  4. Privilege Escalation
  5. Defense Evasion
  6. Credential Access
  7. Discovery
  8. Lateral Movement
  9. Collection
  10. Command and Control
  11. Exfiltration
  12. Impact

Looking at this list, the first 11 items could indeed be seen as goals. The last item, Impact, is not a goal. That item is an artifact of trying to shoehorn more information into the ATT&CK structure. That's not my primary concern though.

Military Theory and Definitions


As a service academy graduate who had to sit through many lectures on military theory, and who participated in small unit exercises, the idea of tactics as "goals" does not make any sense.

I'd like to share three resources that offer a different perspective on tactics. Although all three are military, my argument does not depend on that association.

The DOD Dictionary of Military and Associated Terms defines tactics as "the employment and ordered arrangement of forces in relation to each other. See also procedures; techniques. (CJCSM 5120.01)" (emphasis added)

In his book On Tactics, B. A. Friedman defines tactics as "the use of military forces to achieve victory over opposing enemy forces over the short term." (emphasis added)

Dr. Martin van Creveld, scholar and author from the military strategy world, wrote the excellent Encyclopedia Britannica entry on tactics. His article includes the following:

"Tactics, in warfare, the art and science of fighting battles on land, on sea, and in the air. It is concerned with the approach to combat; the disposition of troops and other personalities; the use made of various arms, ships, or aircraft; and the execution of movements for attack or defense...

The word tactics originates in the Greek taxis, meaning order, arrangement, or disposition -- including the kind of disposition in which armed formations used to enter and fight battles. From this, the Greek historian Xenophon derived the term tactica, the art of drawing up soldiers in array. Likewise, the Tactica, an early 10th-century handbook said to have been written under the supervision of the Byzantine emperor Leo VI the Wise, dealt with formations as well as weapons and the ways of fighting with them.

The term tactics fell into disuse during the European Middle Ages. It reappeared only toward the end of the 17th century, when “Tacticks” was used by the English encyclopaedist John Harris to mean 'the Art of Disposing any Number of Men into a proposed form of Battle...'"

From these three examples, it is clear that tactics are about use and disposition of forces or capabilities during engagements. Goals are entirely different. Tactics are the methods by which leaders achieve goals. 

How Did This Happen?


I was not a fly on the wall when the MITRE team designed ATT&CK. Perhaps the MITRE team fixated on the phrase "tactics, techniques, and procedures," or "TTPs," again derived from military examples, when they were designing ATT&CK? TTPs became hot during the 2000s as incident responders with military experience drew on that language when developing concepts like indicators of compromise. That fixation might have led MITRE to use "tactics" for their top-level structure.

It would have made more sense for MITRE to have just said "goal" or "objective," but "GTP" isn't recognized by the digital defender world.

It's Not Just the Military


Some readers might think "ATT&CK isn't a military tool, so your military examples don't apply." I use the military references to show that the word tactic does have military origins, like the word "strategy," from the Greek Strategos or strategus, plural strategoi, (Greek: στρατηγός, pl. στρατηγοί; Doric Greek: στραταγός, stratagos; meaning "army leader"). 

That said, I would be surprised to see the word tactics used as "goals" anywhere else. For example, none of these examples from the non-military world involve tactics as goals:

This Harvard Business Review article defines tactics as "the day-to-day and month-to-month decisions required to manage a business." 

This guide for ice hockey coaches mentions tactics like "give and go’s, crossing attacks, cycling the puck, chipping the puck to space and overlapping."

The guide for small business marketing lists tactics like advertising, grass-roots efforts, trade shows, website optimization, and email and social marketing.

In the civilian world, tactics are how leaders achieve goals or objectives.

Conclusion


In the big picture, it doesn't matter that much to ATT&CK content that MITRE uses the term "tactics" when it really means "goals." 

However, I wrote this article because the ATT&CK design and philosophy emphasizes a common language, e.g., ATT&CK "succinctly organizes adversary tactics and techniques along with providing a common language used across security disciplines."

If we want to share a common language, it's important that we recognize that the ATT&CK use of the term "tactics" is an anomaly. Perhaps a future edition will change the terminology, but I doubt it given how entrenched it is at this point.

Update: This Tweet from Matt Brady made this point:

"Agreed - for example, supply chain compromise is a tactic used for initial access, whereas software supply chain compromise (ShadowHammer) is a specific technique."

This Week in Security News: Watering Hole Campaign Operation Earth Kitsune Spying on Users’ Systems and Fancy Bear Imposters Are on a Hacking Extortion Spree


Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about a watering hole campaign Trend Micro dubbed ‘Operation Earth Kitsune’ that is spying on users’ systems through compromised websites. Also, read about how APT groups are threatening DDoS attacks against victims if they don’t send them bitcoin.

Read on:

Fancy Bear Imposters Are on a Hacking Extortion Spree

Radware recently published extortion notes that were sent to a variety of companies globally. The senders purport to be from the North Korean government hackers Lazarus Group, or APT38, and Russian state-backed hackers Fancy Bear, or APT28. The notes threaten that if the target doesn’t send bitcoin, powerful distributed denial of service (DDoS) attacks will be launched against the victim. Robert McArdle, director of Trend Micro’s Forward-Looking Threat Research (FTR) team, comments on DDoS as an extortion method.

A Ride on Taiwan’s Self-Driving Bus

The self-driving bus is now being tested on the streets of downtown Taipei, and more autonomous buses are being deployed in other places, including Germany, Japan and Canada. Since connected cars are still a relatively new technology, the dangers of these vehicles are largely unknown and mostly speculative. In this article, Trend Micro discusses potential security implications of these connected vehicles.

U.S. Charges Russian Intelligence Officers in Major Cyberattacks

This week, the Justice Department unsealed charges accusing six Russian military intelligence officers of an aggressive worldwide hacking campaign that caused mass disruption and cost billions of dollars by attacking targets like a French presidential election, the electricity grid in Ukraine and the opening ceremony of the 2018 Winter Olympics.

Operation Earth Kitsune: Tracking SLUB’s Current Operations

A watering hole campaign that Trend Micro has dubbed as Operation Earth Kitsune is spying on users’ systems through compromised websites. Using SLUB and two new malware variants, the attacks exploit vulnerabilities including those of Google Chrome and Internet Explorer.

Cybersecurity Company Finds Hacker Selling Info on 186 Million U.S. Voters

Trustwave says it found a hacker selling personally identifying information of more than 200 million Americans, including the voter registration data of 186 million. The revelation underscored how vulnerable Americans are to email targeting by criminals and foreign adversaries, even as U.S. officials announced that Iran and Russia had obtained voter registration data and email addresses with an eye toward interfering in the 2020 election.

Future Imperfect

In 2012, Trend Micro, the International Cyber Security Protection Alliance (ICSPA) and Europol’s European Cyber Crime Centre (EC3) collaborated on a white paper that imagined the technological advances of the coming 8 years, the societal and behavioral changes they may bring and the opportunities for malfeasance they could present. As we enter the 2020s, we now have the opportunity to objectively review the project against a number of success factors.

WordPress Deploys Forced Security Update for Dangerous Bug in Popular Plugin

WordPress sites running Loginizer, one of today’s most popular WordPress plugins with an install base of over one million sites, were forcibly updated this week to Loginizer version 1.6.4. This version contained a security fix for a dangerous SQL injection bug that could have allowed hackers to take over WordPress sites running older versions of the Loginizer plugin.

Just Leave That Docker API on the Front Porch, No One Will Steal It

Recently, a new type of Linux malware named “DOKI” has been discovered exploiting publicly accessible Docker APIs hosted in all major cloud providers. The manner in which threat actors are gaining access to container environments is a previously discovered technique, but the DOKI malware itself had not been documented until now.

Adobe Fixes 16 Critical Code-Execution Bugs Across Portfolio

Adobe has released 18 out-of-band security patches in 10 different software packages, including fixes for critical vulnerabilities that stretch across its product suite. Two of the issues are out-of-bounds read flaws, (CVE-2020-24409, CVE-2020-24410); one is an out-of-bounds write bug (CVE-2020-24411). Tran Van Khang, working with Trend Micro Zero Day Initiative, is credited for the discoveries.

US Treasury Department Ban on Ransomware Payments Puts Victims in Tough Position

This month, the US Treasury Department’s Office of Foreign Assets Control (OFAC) warned organizations making ransomware payments that they risk violating economic sanctions imposed by the government against cybercriminal groups or state-sponsored hackers. The advisory has the potential to disrupt the ransomware monetization model, but also puts victims, their insurers and incident response providers in a tough situation.

What are your thoughts on the sanctions imposed by the government against cybercriminal groups or state-sponsored hackers?  Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


Safeguarding Critical Infrastructure: NIST Releases Draft Cybersecurity Guidance, Develops GPS-Free Backup for Timing Systems

Taking another step toward strengthening the nation’s critical infrastructure, the National Institute of Standards and Technology (NIST) has drafted guidelines for applying its Cybersecurity Framework to critical technologies such as the Global Positioning System (GPS) that use positioning, navigation and timing (PNT) data. Part of a larger NIST effort to implement a recent Executive Order to safeguard systems that rely on PNT data, these cybersecurity guidelines accompany recent NIST efforts to provide and test a resilient timekeeping signal that is independent of GPS. Formally titled the