Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label MITRE ATT&CK. Show all posts

MITRE’s Latest ATT&CK Evaluations Reveal Critical Insights into Cybersecurity Solutions

 

MITRE Corporation has published its findings from the latest round of ATT&CK evaluations, offering important insights into the effectiveness of enterprise cybersecurity solutions. This sixth evaluation assessed 19 vendors against two major ransomware strains, Cl0p and LockBit, as well as North Korean-linked malware targeting macOS systems. The advanced malware simulations used during the evaluation highlighted sophisticated tactics, such as exploiting macOS utilities and covert data exfiltration, emphasizing the dynamic nature of modern cyber threats.

The Findings and Their Significance

According to MITRE’s general manager, William Booth, the evaluation revealed notable disparities in vendors’ abilities to detect and distinguish between malicious activities. Some solutions achieved high detection rates but also suffered from alarmingly high false-positive rates, indicating a need for better precision in threat identification. MITRE’s methodology involved a two-phase approach: first, evaluating baseline detection capabilities and then assessing protection performance after vendors adjusted their configurations to improve detection accuracy. This approach highlights the adaptability of vendors in enhancing their solutions to counter emerging threats.

The Struggles with Post-Compromise Detection

A key takeaway from the evaluation was the struggle vendors faced with post-compromise threat detection. MITRE stressed the importance of detecting and mitigating ransomware activities after the initial breach, as ransomware often mimics legitimate system behaviors. Booth emphasized that relying solely on blocking initial infections is no longer sufficient—solutions must also account for activities occurring later in the attack chain. This represents a critical area where cybersecurity solutions need improvement to effectively neutralize threats at all stages of an attack.

Contrasting Detection Strategies

The evaluation also highlighted differences in detection strategies among vendors. Some vendors utilized machine learning and AI-based methods for threat detection, while others relied on more traditional heuristic approaches. These contrasting methodologies led to varying levels of effectiveness, particularly in the detection of false positives and distinguishing between benign and malicious activities. The use of AI-based methods showed promise, but some vendors struggled with accuracy, underscoring the challenges faced by the industry in keeping up with evolving threats.

MacOS Threats: A New Challenge

For the first time, MITRE included macOS threats in its evaluation. Addressing macOS malware posed unique challenges, as there is limited publicly available Cyber Threat Intelligence (CTI) on such threats. Despite these challenges, MITRE’s inclusion of macOS malware reflects its commitment to addressing the evolving threat landscape, particularly as more organizations adopt Apple devices in their enterprise environments. The move signals MITRE’s proactive approach to ensuring that cybersecurity solutions account for all major operating systems in use today.

Looking Ahead: Vendor Transparency and Improvement

Although MITRE refrains from ranking vendors, its evaluation provides transparency that can guide organizations in making informed decisions about their cybersecurity strategies. The findings underscore the importance of refining cybersecurity technologies to meet the demands of a rapidly evolving cyber environment. Booth highlighted that these evaluations encourage vendors to continuously improve their technologies to better counter the increasing sophistication of cyber threats.

By incorporating ransomware and macOS malware into its evaluations, MITRE continues to shed light on the complexities of modern cyberattacks. The insights gained from this evaluation are invaluable for organizations looking to enhance their defenses against increasingly sophisticated threats. As cyberattacks become more advanced, understanding the varying capabilities of enterprise security solutions is essential for building a robust cybersecurity posture.

Researchers Develop AI Cyber Defender to Tackle Cyber Actors


A recently developed deep reinforcement learning (DRL)-based artificial intelligence (AI) system can respond to attackers in a simulated environment and stop 95% of cyberattacks before they get more serious. 

The aforementioned findings were made by researchers from the Department of Energy’s Pacific Northwest National Laboratory based on an abstract simulation of the digital conflict between threat actors and defenders in a network and trained four different DRL neural networks in order to expand rewards based on minimizing compromises and network disruption. 

The simulated attackers transitions from the initial access and reconnaissance phase to other attack stages until they arrived at their objective, i.e. the impact and exfiltration phase. Apparently, these strategies were based on the classification of the MITRE ATT&CK architecture. 

Samrat Chatterjee, a data scientist who presented the team's work at the annual meeting of the Association for the Advancement of Artificial Intelligence in Washington, DC, on February 14, claims that the successful installation and training of the AI system on the simplified attack surfaces illustrates the defensive responses to cyberattacks that, in current times, could be conducted by an AI model. 

"You don't want to move into more complex architectures if you cannot even show the promise of these techniques[…]We wanted to first demonstrate that we can actually train a DRL successfully and show some good testing outcomes before moving forward," says Chatterjee. 

AI Emerging as a New Trend in Cybersecurity 

Machine learning (ML) and AI tactics have emerged as innovative trends to administer cybersecurity in a variety of fields. This development in cybersecurity has started from the early integration of ML in email security in the early 2010s to utilizing ChatGPT and numerous AI bots that we see today to analyze code or conduct forensic analysis. The majority of security products now incorporate a few features that are powered by machine learning algorithms that have been trained on massive datasets. 

Yet, developing an AI system that is capable of proactive protection is still more of an ideal than a realistic approach. The PNNL research suggests that an AI defender could be made possible in the future, despite the many obstacles that still need to be addressed by researchers. 

"Evaluating multiple DRL algorithms trained under diverse adversarial settings is an important step toward practical autonomous cyber defense solutions[…] Our experiments suggest that model-free DRL algorithms can be effectively trained under multistage attack profiles with different skill and persistence levels, yielding favorable defense outcomes in contested settings," according to a statement published by the PNNL researchers. 

How the System Uses MITRE ATT&CK 

The initial objective of the research team was to develop a custom simulation environment based on an open-source toolkit, Open AI Gym. Through this environment, the researchers created attacker entities with a range of skill and persistence levels that could employ a selection of seven tactics and fifteen techniques from the MITRE ATT&CK framework. 

The attacker agents' objectives are to go through the seven attack chain steps—from initial access to execution, from persistence to command and control, and from collection to impact—in the order listed. 

According to Chatterjee of PNNL, it can be challenging for the attacker to modify their strategies in response to the environment's current state and the defender's existing behavior. 

"The adversary has to navigate their way from an initial recon state all the way to some exfiltration or impact state[…] We're not trying to create a kind of model to stop an adversary before they get inside the environment — we assume that the system is already compromised," says Chatterjee. 

Not Ready for Prime Time 

In the experiments, it was revealed that a particular reinforcement learning technique called a Deep Q Network successfully solved the defensive problem by catching 97% of the intruders in the test data set. Yet the research is just the beginning. Yet, security professionals should not look for an AI assistant to assist them with incident response and forensics anytime soon.  

One of the many issues that are required to be resolved is getting RL and deep neural networks to explain the causes that affected their decision, an area of research called explainable reinforcement learning (XRL).  

Moreover, the rapid emergence of AI technology and finding the most effective tactics to train the neutral network are both a challenge that needs to be addressed, according to Chatterjee.