Mitre’s ATT&CK Security Framework

Mitre’s ATT&CK security framework was mentioned often at the Techno Security and Digital Forensics Conference. I admit that I’m not well-versed on it, yet. However, its purpose makes sense. It’s a knowledge base of Adversarial Tactics, Techniques, and Common Knowledge, which is what the acronym ATT&CK stands for. Mitre created a short video explaining ATT&CK and why it was created:

One example of ATT&CK serving as a common body of knowledge that folks strive to keep up to date is its catalog of identified threat groups. As of this post, there is information available about 86 groups, mainly nation-state actors.

One of the things I try to do in my security presentations is help folks stop thinking only in terms of what they’re good at. For instance, in my How I Would Hack SQL Server presentation, I point out that as an attacker, going directly against SQL Server is an option of last resort. It’s much easier to find the data I care about on a file share, in an Excel spreadsheet, or in some other less secure spot. Compromising accounts and then using those accounts is the easier and safer road to success. What ATT&CK details is what attackers actually do. Therefore, if you’re in charge of securing systems or applications, looking over the ATT&CK framework will help you see your systems more as an attacker would.

Why Security Through Obscurity Is Bad (Alone)

Security through (by) obscurity is where we try to protect an asset by hiding it. Anyone who has ever played the game Capture the Flag knows that a motivated opponent will eventually find the flag. If there were no other deterrents in place, the opponent would scour the playing area and find the flag. If hiding an asset (the flag) doesn’t work for that simple game, it doesn’t work for information security.

However, Capture the Flag doesn’t just involve hiding the flag. In all variations of the game, all teams have attackers. Therefore, part of the deterrent is acting quicker than your opposition. In a lot of variants, each side also has defenders who have some ability to discourage or thwart attackers. Even if the particular variant doesn’t have the concept of defenders, a team can be sneaky. It can overload one side, trying to trick the opposing forces into thinking the flag is hidden over on that side. Or some of the attackers could feign dismay when an opposing team heads into the wrong part of the playing area, leading that team to think they are close to the flag when they aren’t. In other words, there are always additional countermeasures.

The problem in information security with a strategy of security through obscurity alone is that we are assuming we are smarter than any adversary with plenty of time and opportunity on his or her hands. We aren’t. Therefore, we need to have the other appropriate countermeasures (controls) in place in order to protect our assets. There’s nothing wrong with making an asset harder to find (obscuring it). However, that can’t be our only mechanism of protection.

Security Controls: CISA vs. CISSP

When looking at the Certified Information Systems Auditor (CISA) exam, we focus on teaching 3 types of controls:

  • Preventative – Keeps an incident from occurring
  • Detective – Identifies the occurrence of an event and possibly the actor
  • Corrective – Fixes things after the incident

However, the Certified Information Systems Security Professional (CISSP) also indicates there are 3 types of controls, but they are different from the ones listed as “types” by the CISA:

  • Administrative – These are management type of controls. They are also known as soft controls and sometimes folks call these manual procedures.
  • Technical – Also, logical. These are controls we attribute to software and hardware.
  • Physical – Controls that protect the physical environment such as guards, locks, fences, and cameras.

So what does the CISSP do with the 3 listed by the CISA? Those are called control functionalities. There are 6 of those:

  • Preventative
  • Detective
  • Corrective
  • Deterrent – A control intended to discourage an attacker.
  • Recovery – A control which returns the environment back to normal operations.
  • Compensating – A control that provides an alternative means when another control isn’t/can’t be used.

In the CISA we often talk about compensating controls but we don’t list them as a specific functionality. However, I like the CISSP breakdown a lot better. Basically, we get a matrix between the 3 types and the first 5 functionalities, with compensating controls being understood to protect an asset when the primary control is unavailable or too costly.

The key takeaway is to understand how our controls are implemented and why they work. Classification helps us better understand what we’ve got protection-wise and it will allow us to spot gaps.

Developing Presence

At SQL Saturday Nashville, I didn’t do a good job explaining the concept of presence. This is in reference to the Women in Technology presentation at lunch. Part of the discussion was around how height can influence being noticed. I agree that it does play a huge role. At 5’7″, I know that it’s easy to “fly under the radar.” However, I also know that folks are able to overcome that physical trait.

I was trying to explain how my mom, who is 4’8″ on a good day, and her sister (even shorter), have a presence such that when they mean business, they command immediate respect. Not only are they very short by our American standards, but they are both very obviously Japanese. And, of course, they are female. So they both have 3 strikes against them when it comes to being noticed, respected, and listened to. Yet I’ve seen both in the midst of a crowd of complete strangers and immediately command the group. They have presence.

If you think about it, you’ve likely come across folks who seem to be able to command the room, even a room where no one knows them. They come in and it’s as if everyone immediately takes notice. When I was at The Citadel and was part of the training cadre, I had to have that sort of presence from the moment matriculation began for the freshmen. It’s not natural for me but due to lessons I learned from my freshman and sophomore years at The Citadel, I was able to step into that role as a junior.

As a result, I know from experience that people can develop their presence. Some seem to come by presence naturally. For instance, my teen daughter, who is still under 5′, is someone who hasn’t needed much training. She takes after my mom, not me. She DMs Dungeons and Dragons regularly and most of the time there are only adults at her table. There’s no question who has command, like this picture from a convention where she was DMing (the one reaching over the screen).

Her brothers, who are both at or about 6′ and in college, don’t naturally and instinctively command the same presence. They have to think about doing so. My oldest son, who is the tallest and most physically imposing member of our immediate family, is more often than not overlooked or missed if he isn’t thinking about his presence. He has to rely on lessons learned from martial arts, The Citadel, and military training to do so. When he consciously does, he can command a room, as he has had some great, great teachers. However, he has to expend intentional effort to do so. His brother, who has had martial arts training as well, has to do the same thing.

You don’t have to go into the military to learn how to have presence. I’ve cited my sons and lessons learned from the martial arts. Solid martial arts instructors and schools do teach presence. After all, as you progress towards black belt, you will likely be given increased responsibility in teaching less experienced students. Both of my sons have earned black belts and are now expected to be able to teach in their respective schools. That requires presence.

If martial arts aren’t your thing, there are also organizations like Toastmasters that work on the same concept and provide training to help you develop presence and the appearance of comfort in a public setting. I say appearance because if you’re like me, a solid introvert, there’s always discomfort. However, those organizations’ training helps you deal with that discomfort, increase your ability to reach others, and be accessible. You may have to consciously focus on doing so, but it’s possible.

Now, will there still be times when you’ll be dismissed or ignored? Absolutely. There are plenty of folks with strong, illogical bias against you, whether it’s the fact that you’re short, you’re female, you’re obviously of foreign descent, or something else. There are also people who can’t see past themselves. And then there are folks who are dealing with life situations that make them less attuned to what’s going on around them. The best parable I have heard is about the guy who gets on the subway with his small kids; the young ones begin terrorizing the car, but the man doesn’t intervene. Finally, one person intercedes and asks the man if he can do something about his children. Then the punchline hits: he has come from the hospital where his wife has just passed away from cancer, and none of them are dealing with it well.

Those specific and unusual cases aside, if we work on developing our presence, for a large number of people, we can overcome factors that would normally exclude us from notice or push us out of the conversation. It’s definitely a soft skill to develop, regardless of your industry or profession.

Webinar: Identify and Eliminate SQL Server Performance Issues

I’m giving a webinar tomorrow, March 22, 2018, at 3 PM Eastern.

Free Registration Link

Here’s what I’ll be covering:

Are you struggling with pesky SQL Server performance issues that are impacting your business? Are you not sure where to turn next to focus your efforts to resolve the issue?

In this session we’ll look at what built-in tools are available through SQL Server and the OS. We’ll consider both performance and security auditing. We’ll also investigate built-in options to manage multiple servers to ease the workload. Finally, we’ll discuss how to report on the metrics and information we have gathered. We’ll conclude on alerting and notifications to keep you in the loop when something goes outside of your desired thresholds.

In this session you will learn about:

  • How to start monitoring SQL Server
  • Key scripts for SQL Server Performance Monitoring
  • Best Practices to address both SQL Server and Windows issues
  • Proactive alerting to minimize the issues to the business

MSSQLTips Webcast on Security

On February 11, 2016, at 3 PM EST, I’ll be giving a security webinar for MSSQLTips. It’s titled Performing a SQL Server Security Risk Assessment. Here’s the abstract:

You have one or more SQL Servers and you want to assess the security of each. What’s a priority? What puts your organization at the greatest risk? What should you attack first?

In this presentation, we’ll look at how to do a security risk assessment of SQL Server. We’ll cover all the common big ticket items, the ones that could lead to a server breach, data loss, or a system becoming unavailable due to mismanagement. Also, we’ll discuss how to assess other items which you may find and how to rank and prioritize them. Armed with this information, you’ll be better equipped to provide a to do list to your management with justifications and relative impact for each proposed change.

If you’re interested in attending the webinar, it’s free but you’ll need to register.

Midlands PASS February 2016 Meeting

Midlands PASS has changed its meetings from the 2nd Thursday to the 2nd Tuesday of each month. This takes effect with this month’s meeting. We are still meeting at the same location in West Columbia, SC. However, the name of the organization has changed: Microstaff IT has become We Know IT!

For this month’s meeting on February 9th we are looking at improving queries. Here’s the abstract:

We want queries to run fast. The faster queries run, the less likely they are to get in the way of other queries (blocking). The faster queries run, the less likely they are to collide where one will have to be rolled back (deadlocking). And the faster queries run, the more queries we can pump through the system, thereby improving performance. In this presentation we’ll look at how the SQL Server query engine works: how it breaks down a query, how it uses indexes, and how it puts all this together to produce an execution plan. By understanding how the engine works, we’ll understand how to improve our queries.

If you can make it out, please RSVP so we’ll know how many refreshments to bring.
