Ransomware, one of the most troublesome forms of cyber attacks, is in the crosshairs of a leading cybersecurity research outfit.
Ransomware, one of the most troublesome forms of cyber attacks, is in the crosshairs of a leading cybersecurity research outfit. The researchers at the MITRE Corporation’s Engenuity program recently called for industry to help find out the effectiveness of cybersecurity products designed to help stop. For the answers, the Federal Drive with Tom Temin spoke with William Booth, the general manager of MITRE’s evaluations program.
Interview Transcript:
Tom Temin And just a brief word on the engenuity program, which is one of the major channels of MITRE’s work. And then tell us a little bit about the program that you specifically run for evaluating software.
William Booth Yeah. So I run ATT&CK Evaluations, which is born out of and based on MITRE ATT&CK framework, which is really a way of describing cybersecurity tactics and techniques used in the real world. And we take that knowledge base and we apply it through evaluations to all the leading cohort of cybersecurity products.
Tom Temin In other words, you try to make sure that the products out there actually match and can take on what you know to be the real threats.
William Booth Yes. And that people have insights and a reference for performance on how they’re doing, both on the detections and on the protection side.
Tom Temin All right. And now the latest call out for industry to join with you, you’re looking at specifically what problem and what types of software?
William Booth We’re mostly focused this time on ransomware continues to be a leading issue both for private and for government. And so we’re tackling that through slightly different than before where we chose a single adversary. Here we’re using an amalgamation of multiple very prevalent and relevant ransomware attacks. And in addition to that, we’re also for the first time, introducing Mac OS, which is going to be focused on the DPR case activity. Recently, there’s a lot of products out there that cover Windows and Linux and also have Mac, but that’s kind of unknown right now on performance and where the benchmark is. And so we’re hoping to set that.
Tom Temin So the North Korea then is going after Macs for ransomware. And are they generally going after individuals or organizations. Say a lot of the creative Hollywood types have big nests of Macs.
William Booth Yes. So they have a wide range of targets. And so we are focused on their implementations of multi-stage malware, which is particularly a large threat. So we’re focused on kind of implementing those.
Tom Temin Let me ask you this. The attack vector, is that separate from what it is that is used to create the encryption of the data that results in the request for ransomware? That is to say, does ransomware always come through a phishing email, or are there other ways of injecting that into someone’s system?
William Booth There are other ways. Phishing spear, phishing vector is the most prevalent, but there are certainly other ways that it can get in there. We’re focused on both, also, that chain of attacks once it’s in past post compromise as well. And we’re very focused on ok, so assuming they get in, now what damage can they do and how can we prevent and mitigate that.
Tom Temin Right. Because there’s no software program that can stop a knucklehead from clicking on a bad email.
William Booth That’s correct.
Tom Temin And so the software that then gets injected, let’s say, in fact that happened this morning. DHL check on how to get your package. That’s been going around, might erase that one in a hurry. But what happens if someone does click on that and therefore the launch happens? This is what you’re trying to examine.
William Booth That entire process and understanding what are the trigger points that do cause the detection to occur. So the way that the attack occurs can influence how visible it is. And so we’re trying multiple different ways of playing that out, post that clicks link. That way we can see which ones are most detected which ones aren’t. Now this is good for maybe a federal agency that’s looking to verify acquisitions from a trusted third party. But it also helps these companies as well do product development to help learn and say, where are my gaps? And so they’re using that to reinforce their product, which ultimately is going to make everyone better off.
Tom Temin Got it. We’re speaking with William Booth. He’s general manager of evaluations at MITRE Corporation’s Engenuity Program. And you mentioned the ATT&CK Evaluations program, which you’re doing. What does industry do with you? How do they participate?
William Booth There’s a few different points along that journey that we work with. We collaborate with them from the very beginning when we’re taking a look at what are the threats. We have one perspective and viewpoint. But it’s also there’s a lot of data that each of these participants in this research have. And so we leverage them to take a look at those trends that are affecting the most amount of people and that are rising. So we use them to work with their intelligence and gather that. Then we come up with a plan and we work with them to on the development of that. This time we’re adding in new metrics and insights. And so working with them on how to define those things. We have pieces on efficiency and false positive, which aren’t industry defined metrics yet. And so working with them to see what is a good way to measure this. So that way when a government is looking to acquire and implement software that they can get a sense of what’s the cost of implementing, the cost of running this.
Tom Temin And those that publish software from industry that will be participating. Does the software functionality only extend to detection and alerting of the existence, or is it also capable of executing in a way that stops the attack?
William Booth Yes. So we have two different evaluation parts. One is where we ask them to turn off those protections. And so we run just to see what can you see. And we have a philosophy that if you can see it, you can stop it. And so we start there and really understanding what that whole chain looks like. Then we get into the protection side. That’s a bit more difficult to test because if you stop the first action in a series, it’s harder to see past that. So it takes a much more design to get to each part and see where along that journey can it be stopped.
Tom Temin And you probably also evaluate whether it requires a particular product that is, requires the entire application or system to shut down while it does its work, which has implications in the real world of production enterprise systems.
William Booth Exactly. That’s what we’re really focused on this time, which is what is that efficiency and cost to implementation? And how is that affecting a normal user in the environment that’s benign or not malicious?
Tom Temin And how do you get all of these companies? Because they compete pretty fiercely. And they are always telling how we’re the expert on this and talk to us. They sort of have to open their kimonos a little bit and share information. And gosh, does that how you guys do that? And oh, I didn’t know you guys did that that way, that kind of environment.
William Booth They do. And there’s a very trusted relationship there ensuring that is between us and that we’re there to really help. And they understand that we’re giving good feedback to their product as well. So they’re very, it’s very open and collaborative there. But there is a lot of trust sharing those details and kind of the secret sauce sometimes.
Tom Temin Sure. And what is the output of the research? It must be some type of open source information.
William Booth Yeah. So there’s multiple things that we publish. One is what is those results to, and we don’t declare winners. One solution may be a good fit for one group versus another. And we’re not there to judge that. We want to give people inside information there, so you can see how each of the different participants performed. We also take all that research that we did and the tools that we built for the evaluation, and we publish those, that way when agencies or organizations want to do their own evaluation, that they have all those tools available for them and they have the intelligence and reports that it was based on.
Tom Temin But the companies can use this information in their participation to make their own products better.
William Booth That’s correct. Yes, and they do. They certainly do.
Tom Temin Is there any way that these tie back or map to the NIST controls that are required across government systems, and that a lot of industry uses as a reference for the controls they have in place?
William Booth We don’t map that back to the NIST controls, but that is certainly something that you can do. And we do provide lots of information in order to do that.
Tom Temin And what kind of environment do you have to be able to test things? You can’t go to a Boeing and say, hey, can we come into your systems and see how well ransomware works?
William Booth As much as we’d love to, we aren’t able to do that. We do have a synthetic environment, and there is a limitation to this evaluation. And we tried to make that clear. We do try to represent it as best as possible. And there are certain areas where there’s been a gap or a delta there. And this time for this next evaluation, adding in that background noise so we can test false positives, making that environment as realistic as possible, within a very condensed shortened evaluation. But we do aim to get to as realistic as we can.
Tom Temin But would it be possible for someone like an Amazon or a Microsoft to give you a cloud environment copy that is otherwise not connected to the internet, but nevertheless could let you see what kinds of signaling out a piece of malware might do and that sort of thing.
William Booth Yeah, so we work with them to understand how the different behaviors of the malware and of the group overall. So we do work with them there. And then we also publish what our infrastructure diagram looks like and different networks and subnets. And so that way it can be used and retested too in your own environment.
Tom Temin And finally, what’s it like to watch software. It’s not like watching rats behave in a maze where you say, let’s put smoke in here and see what they do.
William Booth Yes. It’s very interesting how the implementations between different participants is done. There’s a lot of commonalities, but what we hope to shed more light on is what those differences are. It’s a bit more dynamic than you would think, it’s really not just hit a button and see a result. There is sometimes much more of a conversation in dialog than you would expect to understand what’s going on, because we can see a result, but we really understand what got you to that result, which is more important to us in the end.
Tom Temin And how long does the whole cycle take for one of these evaluation cycles? I guess this is the six that you’ve done there.
William Booth Yes. So it usually takes between 12 and 18 months for the entire cycle of the evaluation. And it all comes down to this one week where we do the evaluation. And over four days we’re taking all of that research and development that we’ve done and put those tools to the test.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Tom Temin is host of the Federal Drive and has been providing insight on federal technology and management issues for more than 30 years.
Follow @tteminWFED