MITRE ATT&CK: The Magic of Application Mitigations

“The eyes are the window to your soul.” Hmmm. How about a new twist? Applications are the window to your business.

Like windows, applications tempt thieves and prying eyes. Securing them can be paneful (ugh, sorry). But we’ve got some great advice on protecting applications in the modern era.

The evolution of today’s applications

Let’s get this out of the way right now: Modern applications are incredibly complex.

Rapid digitization and business agility changed everything. Gone are the days of inefficient application-OS-hardware models, and we’ve sped past basic virtual machines and their insatiable resource appetites. “Monolith” applications take forever to update, QA, and deploy, and they just don’t cut it anymore. They were simpler, sure, but so are horse-drawn carriages. Just watch out on the freeway!

Today’s application architectures support fast, continuous innovation. They deploy instantly, perform reliably, and scale to the moon. Back end architectures use small, independent code modules called microservices. DevOps teams can write and test them faster than you can say “pandemic-accelerated digital transformation.” And if someone else has already written the part you need, just slot it in. Done.

Then containers come along and package these microservices, essentially creating small executable chunks. You can use as many as you need. APIs glue everything into a single application, and you manage everything through container orchestration.

Clearly today’s application architectures use a lot of components, making them more complex, but the benefits run deep.

Complexity breeds security risk

This happens all the time: A rise in complexity also raises the cybersecurity stakes.

“The quantity and frequency of hacker attacks,” says Cisco VP Al Huger, “coupled with the typical time to identify and contain a breach, then multiplied by the various applications running on-prem, multi-cloud and cloud-native microservices, security risk remains a major challenge.”

That’s a mouthful, but he’s spot on. Consider:

  • Application attacks that span multiple containers and microservices are hard to identify, and even harder to isolate
  • Vulnerabilities might be embedded in one or more microservices, or caused by misconfiguration
  • Microservices might have unnecessary or elevated privileges that are ripe for exploit
  • Third-party code reuse can invite untrusted, weak, or malicious software into yours
  • Unexplained or unusual application behavior can be caused by an underlying security problem, not an operational problem

No wonder application security is so important today.

The magic of application mitigations

Back to ATT&CK and Magic of Mitigations. Recall that Mitigations are MITRE’s specific recommendations on how to thwart adversary behavior. While there are several application-related Mitigations, let’s focus on four of them:

1. Application Isolation and Sandboxing (M1048)

MITRE’s description: “Restrict execution of code to a virtual environment on or in transit to an endpoint system.”

Consider how attackers exploit internet-facing applications. MITRE tracked more than a dozen examples of specific attack groups who exploit application vulnerabilities or leverage SQL injection. “Application isolation will limit what other processes and system features the exploited target can access,” MITRE writes.

And that’s why Cisco Secure Workload (formerly Tetration) is so powerful. You get advanced microsegmentation, behavior baselining, and anomaly and vulnerability detection. Perhaps most important: you can proactively quarantine containerized workloads to contain detected threats. In other words, you can quickly identify and isolate application attacks in any workload, anywhere, at scale. Isolation does not remove the underlying vulnerability, but it limits what an exploited service can reach while you remediate.

No wonder Secure Workload is central to our comprehensive Zero Trust solution!
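To make the segmentation-plus-quarantine idea concrete, here is a small default-deny policy evaluator run over a handful of constructed flow records. It is an added illustration, not Secure Workload code or any Cisco implementation; the workload names, the (src, dst, port, proto) rule shape, and the auto-quarantine threshold are all assumptions. The point it shows: an explicit allow list denies everything else by default, and once a workload is quarantined that verdict overrides its own allow rules, which is what stops a compromised front end from continuing to talk to the API tier.

```python
"""Default-deny microsegmentation check with quarantine.

Added example, not Cisco Secure Workload code. Flow records, workload
names and the quarantine threshold are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str          # source workload, e.g. "web"
    dst: str          # destination workload, e.g. "api"
    port: int
    proto: str = "tcp"


@dataclass
class SegmentationPolicy:
    allow: set                          # set of (src, dst, port, proto)
    quarantined: set = field(default_factory=set)

    def decide(self, f: Flow):
        """Return (verdict, reason). Quarantine wins over any allow rule."""
        if f.src in self.quarantined or f.dst in self.quarantined:
            return "deny", "quarantined workload"
        if (f.src, f.dst, f.port, f.proto) in self.allow:
            return "allow", "explicit allow rule"
        return "deny", "default deny"


def evaluate(policy: SegmentationPolicy, flows):
    """Evaluate every flow; returns a list of (flow, verdict, reason)."""
    return [(f, *policy.decide(f)) for f in flows]


def auto_quarantine(policy: SegmentationPolicy, flows, threshold: int = 3):
    """Quarantine any source that probes `threshold` or more distinct
    destinations outside its allowed edges. A service that suddenly tries
    to reach the database, SSH and a cache it never talks to is behaving
    like an exploited process moving laterally, not like the application.
    Returns the set of newly quarantined workloads."""
    probes = defaultdict(set)
    for f in flows:
        verdict, reason = policy.decide(f)
        if verdict == "deny" and reason == "default deny":
            probes[f.src].add((f.dst, f.port))
    newly = {src for src, targets in probes.items() if len(targets) >= threshold}
    policy.quarantined |= newly
    return newly


# Constructed allow list: the only edges the application legitimately needs.
ALLOW = {
    ("web", "api", 8443, "tcp"),
    ("api", "db", 5432, "tcp"),
}

# Constructed flow records: two normal flows, then an exploited "web"
# workload probing things it has no business reaching.
FLOWS = [
    Flow("web", "api", 8443),
    Flow("api", "db", 5432),
    Flow("web", "db", 5432),     # front end going straight to the database
    Flow("web", "api", 22),      # SSH to the API tier
    Flow("web", "cache", 6379),  # a cache it never uses
]


if __name__ == "__main__":
    policy = SegmentationPolicy(allow=set(ALLOW))
    for f, verdict, reason in evaluate(policy, FLOWS):
        print(f"{f.src}->{f.dst}:{f.port}/{f.proto}  {verdict:5}  {reason}")
    print("quarantined:", auto_quarantine(policy, FLOWS))
    # The previously allowed web->api flow is now denied as well.
    print("web->api after quarantine:", policy.decide(FLOWS[0]))
```

The threshold is deliberately low for a five-flow sample; in practice the baseline is learned per workload over time and the trigger is tuned so that a single misconfigured health check does not quarantine a tier.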

2. Execution Prevention (M1038)

MITRE’s description: “Block execution of code on a system through application control, and/or script blocking.”

Microsoft recently reported on a sophisticated attacker group they call Hafnium, which unfortunately exploited on-premises Exchange Server software. This attack was so serious that the US Department of Homeland Security issued an emergency directive for immediate action.

Hafnium operators gained access with stolen credentials or zero-day vulnerabilities, and then dropped a web shell for remote command execution. Microsoft later released critical security updates, but for many the damage was already done. By some reports, tens of thousands of organizations and government agencies were affected.

We’ll get to vulnerabilities in a second, but let’s look first at MITRE’s warnings about Command and Scripting Interpreter (T1059). “Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries,” they write, listing over 20 procedure examples of that sort of behavior. They recommend Execution Prevention and other Mitigations to head off this activity.

Secure Workload, which we discussed above, can also detect Hafnium exploits through its forensic event indicators, and it conveniently maps them to ATT&CK Tactics and Techniques. See a new command being run that’s not from a valid process? Secure Workload’s “Anomalous Unseen Command” alerts you for quick action.
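The detection logic behind an “unseen command” alert is simple enough to show end to end. What follows is an added example in Python, not Secure Workload’s implementation: it learns, per host and parent process, which child images are normal, then flags anything outside that baseline and raises the severity when a web server process spawns a command interpreter, which is exactly the web-shell pattern from the Exchange incident and the behavior T1059 describes. The event format, process names and sample events are constructed for the example.

```python
"""Baseline-and-alert detector for commands never seen before from a
given parent process on a given host.

Added example, not Cisco Secure Workload code. Event fields, the process
name lists and the sample events are constructed for illustration.
"""
from collections import defaultdict

# Processes that serve web requests; a new child under one of these is
# suspicious because application code normally does not spawn processes.
WEB_SERVER_PROCS = {"w3wp.exe", "httpd", "nginx", "apache2", "php-fpm", "tomcat"}

# Command and scripting interpreters (ATT&CK T1059).
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh", "sh", "bash", "python",
                "python3", "perl", "wscript.exe", "cscript.exe"}


def build_baseline(events):
    """Map (host, parent image) -> set of child images seen in the learning window."""
    baseline = defaultdict(set)
    for e in events:
        baseline[(e["host"], e["parent"])].add(e["image"])
    return baseline


def classify(event, baseline):
    """Return None if this parent->child pair is already known on the host,
    otherwise an alert dict with a severity and the ATT&CK technique."""
    known = baseline.get((event["host"], event["parent"]), set())
    if event["image"] in known:
        return None
    parent, image = event["parent"].lower(), event["image"].lower()
    if parent in WEB_SERVER_PROCS and image in INTERPRETERS:
        severity = "high"      # web server spawning a shell: web-shell behavior
    elif image in INTERPRETERS:
        severity = "medium"    # new interpreter use, but not from the web tier
    else:
        severity = "low"       # unseen, possibly a legitimate change
    return {
        "host": event["host"],
        "parent": event["parent"],
        "image": event["image"],
        "cmdline": event.get("cmdline", ""),
        "severity": severity,
        "technique": "T1059" if image in INTERPRETERS else None,
    }


def detect(events, baseline):
    """Run classify() over a batch of events and return the alerts only."""
    return [a for a in (classify(e, baseline) for e in events) if a]


# Constructed learning-window events: what the hosts normally do.
BASELINE_EVENTS = [
    {"host": "exch-01", "parent": "svchost.exe", "image": "w3wp.exe"},
    {"host": "exch-01", "parent": "w3wp.exe", "image": "csc.exe"},   # ASP.NET compile
    {"host": "app-02", "parent": "systemd", "image": "nginx"},
    {"host": "app-02", "parent": "nginx", "image": "php-fpm"},
]

# Constructed detection-window events: one normal, three new.
NEW_EVENTS = [
    {"host": "exch-01", "parent": "w3wp.exe", "image": "csc.exe"},
    {"host": "exch-01", "parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"host": "exch-01", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c Get-Process"},
    {"host": "app-02", "parent": "systemd", "image": "cron"},
]


if __name__ == "__main__":
    alerts = detect(NEW_EVENTS, build_baseline(BASELINE_EVENTS))
    for a in alerts:
        print(f"[{a['severity']:6}] {a['host']}: {a['parent']} -> {a['image']} "
              f"{a['cmdline']} technique={a['technique']}")
```

Two practical notes. The baseline is keyed on host and parent, not just on the image, because `powershell.exe` under an administrator’s console is routine while `powershell.exe` under `w3wp.exe` is not. And the “low” bucket exists on purpose: a noisy detector that treats every new binary as an incident gets tuned out, so unseen-but-benign-looking commands should land in review, not on the pager.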

Secure Workload is critical for modern application security, and I’m only scratching the surface. One quick glance at this list, and you’ll see what I mean:

3. Vulnerability Scanning (M1016)

MITRE’s description: “Find potentially exploitable software vulnerabilities to remediate them.”

Vulnerability management has been around forever, and today’s application complexity means the challenge is eternal. See how MITRE’s description includes two important actions, find and remediate? Finding them is hard. It’s why Cisco Talos continually seeks and investigates them, sharing findings with affected vendors before the attackers arrive. But remediating them can be harder, especially if patching a running application means operational downtime of any kind.

This makes Cisco Secure Application critical in today’s world. It’s the true Runtime Application Self-Protection (RASP) solution for modern applications that:

  • Prevents vulnerabilities from being exploited while applications are running
  • Blocks threats in real-time, automatically
  • Protects application communications without additional firewalls or proxies
  • Simplifies the life cycle of vulnerability fixes

“Cisco Secure Application is the only solution purpose-built to protect business-critical applications, no matter where they run, from the inside out, to maintain speed and uptime,” says Al Huger in his blog, “A New Approach to Application Security.”

4. Code Signing (M1045)

MITRE’s description: “Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.”

Untrusted code is a big deal, and a valid signature is not the same as safe code: it proves who produced the binary and that it has not been altered since, not that it is free of vulnerabilities. Breaches can still occur even when authorized application developers write and digitally sign it. Plus there’s potential risk introduced by third-party software that practically everyone reuses. How can you be certain it’s safe?

At Cisco, the security of the software we deliver is paramount. We adopted an Agile and DevSecOps culture to support innovation, recognizing the importance of continuous security throughout our software development lifecycle.

Want to learn how we do it? Check out this great blog by Sujata Ramamoorthy, Senior Director of Security Engineering in our Security & Trust Organization. She talks about our Continuous Security Buddy program that makes our secure application development transparent and friction-free. And in this blog, she talks about how we discover and scan the third-party software we use in our solutions. Corona is what we call our internal service “to perform a holistic analysis of the software and associated risks,” so that Cisco software is safe and verified, no matter where the code originates.

Trustworthy. Transparent. Accountable. It’s our mission at Cisco to be your trusted partner, so please visit our Trust Center to learn how we’re working every day to earn and keep your trust.

Learn more about what we can do

We focused today on application security mitigations, but our comprehensive security portfolio does so much more than what’s described here. Check out our detailed whitepaper that maps all of our Cisco Secure solutions to MITRE ATT&CK Enterprise on our Cyber Frameworks page.

Oh, and do you want to map your own cyber defenses and evaluate their efficacy against MITRE ATT&CK? Check out this upcoming Cisco Live 2021 session led by Mike McPhee: BRKSEC-2021: Evaluate Defenses with MITRE ATT&CK

Until next time, I’d love to hear from you! What thoughts do you have?

Please leave a comment below and let’s talk.

Missed any of our earlier blogs? Check them out: