
RANSOMWARE KILL CHAIN, MITRE ATT&CK and ZERO TRUST DATA RESILIENCE: YOUR NEXT ULTRA-SECURE VEEAM SOLUTION



There's a famous quote used in the videogaming industry: "Kept you waiting, huh". Well, I tried to write a white paper to improve everyone's knowledge of cyber resilience and be ready for 2024, combining the three pillars: the cyber kill chain, the MITRE ATT&CK framework, and the new Zero Trust Data Resilience. Sort of an introduction to go deeper into these resources.

I hope this can be useful for the community, and hoping to get some feedback to make a better one.

Let's say this is a 1.0 version. 😀

 

Introduction

The year 2024 will be a challenging one for businesses. Cyber risks are becoming more sophisticated, targeted and widespread. In this context, it is crucial to have an effective data protection strategy. It is time to abandon the old strategies that have served us well and rediscover the next generation of frameworks and tactics. This white paper will guide you through the implementation of a more secure and reliable data protection structure. More cyber resilient. To do this, we are going to rely on the Veeam Data Platform.
In the past, cyber defense strategies focused on the network perimeter. Best practices and widely-used standards were followed in an attempt to fortify the defense by deploying threat detection and prevention, fixing misconfigurations and applying patches on the day of release, and mitigating breaches when indicators of compromise were found. However, this "fortress defense" approach is no longer sufficient. There is a need to move to a defense-in-depth approach that is based on knowledge of the threats and the techniques and technologies being used by today's threat actors. 
For this reason, it is important to combine knowledge of the ransomware kill chain, mastery of the MITRE ATT&CK framework, and implementation of the new Zero Trust Data Resilience model.

 

Ransomware Kill chain

Let's start with an analysis of the kill chain, a model borrowed from the military and developed by Lockheed Martin in 2011 to track and break down the steps an attacker uses, in order to understand and defend against attacks from advanced persistent threats (APTs). As brief background, APTs are a type of threat typically orchestrated by one or more highly skilled attackers, cybercriminal groups, or government entities with substantial financial and technological resources. They are capable of conducting sustained attacks silently over time. Their names reflect their characteristics:

  • Advanced, using high-level techniques, including both zero-day and original malware.
  • Persistent, able to remain in a system for an extended period of time.
  • Targeted, with a focus on specific targets or organizations.

The goal of these attacks is to exfiltrate sensitive data, disable critical systems or infrastructure, infiltrate and install targeted malware for further action, gather strategic information, and in some cases, perform destructive or sabotaging actions. As you can imagine, comprehensively analyzing these types of attacks is a complex challenge that is made possible by the kill chain, which breaks down the attacker's steps into the following:

  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Deployment
  • Command and Control
  • Actions

Image credits to: https://f3rm1.cloud/learning/

 

Let's analyze it point by point.

  • Reconnaissance: In this initial phase, the threat actor analyzes and enumerates the target's systems and vulnerabilities, including IP addresses, domains, email addresses, and social media profiles. This can be done either passively, without direct interaction with the target (e.g., through Google searches), or actively, through direct interaction with the target (e.g., enumerating active services on a target IP).
  • Weaponization: This is where the threat actor creates the attack vector, which can be either malware or legitimate third-party software, to exploit vulnerabilities identified in the previous phase or to create backdoors for future unauthorized access. This is where the payload is created.
  • Delivery: As the name implies, this phase involves the delivery of the attack by the threat actor, which can be done by sending emails with malicious attachments or links, or by directly executing malicious code on the identified vulnerabilities.
  • Exploitation: The payload acts on the target and initializes the exploitation of the vulnerability, allowing the threat actor to gain access to target systems.
  • Installation: Additional software or malware is installed on target systems to maintain or extend access through privilege escalation within the network.
  • Command and Control: The threat actor takes remote control of target systems or other devices on the target's network using lateral movement techniques. 
  • Actions: The final stage of the kill chain involves the execution of attack objectives, which may include data exfiltration, system manipulation, or other planned malicious actions.

Before proceeding, we simplify by combining the Reconnaissance, Delivery, and Exploitation phases into Access, while we will later address Weaponization using the MITRE ATT&CK Framework. The phases then become:

  • Access
  • Installation
  • Command and Control
  • Actions

In the initial access phase, the first interaction with the target occurs, where the entire attack surface is examined. This may involve the use of credentials already present in previous data leaks or phishing-type attacks, the use of compromised or vulnerable RDP or VPN credentials, or the exploitation of more complex vulnerabilities such as those associated with ProxyLogon in Microsoft Exchange servers. The possibility of hardware-based attacks by compromising WiFi networks or using a bad USB device with malicious code cannot be excluded. The next phase, installation, varies greatly depending on the threat actor. In general, highly sophisticated custom malware and RATs (Remote Access Trojans) are used to gain full access to target systems. This is followed by Command and Control, where most public information confirms the use of Cobalt Strike, a popular Red Team-type security tool. At the end, there is the Actions phase, during which the actions of the attack are executed, which may include exfiltrating the data and then initiating the encryption process to make it inaccessible.

By understanding the ransomware kill chain, organizations can tailor their defense strategies and countermeasures at each stage of the process.

 

MITRE ATT&CK Framework

The MITRE Corporation is a nonprofit organization founded in 1958 dedicated to technology research and development. It is known for its ATT&CK framework, which stands for Adversarial Tactics, Techniques and Common Knowledge. It provides a detailed map of the tactics, techniques and procedures used by threat actors during the phases of an attack, grouping them into categories and updating them regularly to provide a comprehensive and evolving picture of cybersecurity threats.
In fact, using this framework makes it possible to study and understand the threat actors that may be targeting an organization's target sector. By analyzing the tactics and techniques typically used, it is possible to assess the impact of these threats on defenses and plan appropriate countermeasures that cover all the gaps that have been identified.

Before starting to use the framework, the roles of

  • Red Team: simulates attackers, both external and internal to the organization. Their job is to identify vulnerabilities in systems and security procedures.
  • Blue Team: represents the defense and actively monitors and protects systems. Its goal is to counter the Red Team's simulated attacks and mitigate security risks.
  • Purple Team: combines the expertise of the Red and Blue Teams. Focuses on collaboration and coordination between the two groups to improve the overall effectiveness of the security strategy.

Image credits to: https://letsdefend.io/blog/purple-team-vs-blue-team-whats-the-difference-and-which-is-right-for-your-career/

 

It is then essential to identify possible threat actors in the target domain to focus attention on the targets most likely to be affected. Next, a technique is selected from the framework and tested through manual activities or the use of automated tools and procedures, analyzing the relative detection and response of the defenses.  It is important to emphasize that when we talk about defenses, we are not limited to the blue team activities mentioned earlier, but also include all services and technologies that protect the network from external or internal intrusions. Process monitoring, integrated with the use of Security Information and Event Management (SIEM), is therefore a key pillar in detecting and responding to threats in a timely manner. With this approach, it is possible to focus on the most vulnerable security systems, optimize analysis and strengthen defenses, and mitigate any gaps that emerge. However, let's not forget that in a real-world context, threat actors will not follow pre-defined theoretical patterns, but will try to evade defenses by adapting to the situation, so it is critical to include the Defense Evasion category within the framework and adopt a dynamic and flexible approach to incident management and remediation.

Adversarial tactics and techniques have been mentioned in the definition. In fact, when each procedure is associated with a unique identifier, usually characterized by an initial capital letter followed by numbers, the distinction between tactics and techniques is more clearly defined. Tactics represent the motive or purpose of a particular action, while techniques illustrate the method by which the goal is achieved through that action. For example, tactics explain why the attacker wants to obtain credentials, while techniques describe the various ways in which those credentials can be obtained.

I mentioned Defense Evasion, whose purpose is clear and expressed by the name itself, but the framework also includes:

  • Reconnaissance
  • Resource Development
  • Initial Access
  • Execution
  • Command and Control

Which correlate in the Kill Chain with:

  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Command and Control

And then again:

  • Persistence, to maintain access to systems through reboots or service interruptions by installing backdoors, rootkits, or other persistence techniques.
  • Privilege escalation, to gain higher privileges on a system or network.
  • Credential Access, to acquire and steal valid credentials through methods such as phishing, keylogging, or brute force.
  • Discovery, to enumerate the target's internal network and expand knowledge of the attack surface.
  • Lateral movement, to gain access and control of additional systems or devices on the network.
  • Collection, to gather the relevant information or sensitive data that led to the attack.
  • Exfiltration, to exfiltrate the data itself.
  • Impact, to manipulate, disrupt, or destroy the target's systems or data to compromise the integrity of the information.

Capture from MITRE ATT&CK site

As you may have noticed, reconnaissance, command and control, and resource development have already been mentioned in the kill chain. By visiting attack.mitre.org it’s possible to access a list of attackers and related techniques used, while the engage.mitre.org platform aims to help and engage the entire community by providing a set of tools always related to MITRE.

After collecting and mapping both internal and external data, including incident response data, open source information, intelligence service subscriptions, real-time alerts, indicators of compromise, and general enterprise information, this information can be integrated and evaluated to determine which areas should be prioritized to effectively address identified vulnerabilities. It is this proactive approach through the MITRE ATT&CK framework that can provide a significant advantage in defending against cyber threats, helping to protect the enterprise from malicious intrusions and attacks before they occur in the real-world environment.

In conclusion, this approach makes it possible to:

  • Understand threat actors, identifying those most likely to attack the target sector and analyzing their usual tactics and techniques.
  • Analyze defenses and improve security strategy by directing resources to defend against the most likely threats.
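
The prioritization described in this section can be worked through on test results. The following is an added example, not part of the original paper: it groups purple-team results by ATT&CK tactic into the paper's simplified kill-chain phases and ranks the phases by detection rate. The sample results are constructed, and the placement of Defense Evasion, Credential Access and Discovery is an assumption of this example.

```python
from collections import defaultdict

# ATT&CK Enterprise tactic ID -> phase of the paper's simplified kill chain.
# Entries below the "Assumed" marker are placements chosen for this example.
PHASE_OF_TACTIC = {
    "TA0043": "Access",               # Reconnaissance
    "TA0001": "Access",               # Initial Access (Delivery)
    "TA0002": "Access",               # Execution (Exploitation)
    "TA0042": "Weaponization",        # Resource Development
    "TA0003": "Installation",         # Persistence
    "TA0004": "Installation",         # Privilege Escalation
    "TA0011": "Command and Control",  # Command and Control
    "TA0008": "Command and Control",  # Lateral Movement
    "TA0009": "Actions",              # Collection
    "TA0010": "Actions",              # Exfiltration
    "TA0040": "Actions",              # Impact
    # Assumed placement (not stated in the paper):
    "TA0005": "Installation",         # Defense Evasion
    "TA0006": "Installation",         # Credential Access
    "TA0007": "Command and Control",  # Discovery
}

# Constructed purple-team results: (technique, tactic, detected, contained).
SAMPLE_RESULTS = [
    ("T1566", "TA0001", True, True),    # Phishing
    ("T1059", "TA0002", True, False),   # Command and Scripting Interpreter
    ("T1053", "TA0003", True, True),    # Scheduled Task/Job
    ("T1562", "TA0005", False, False),  # Impair Defenses
    ("T1003", "TA0006", False, False),  # OS Credential Dumping
    ("T1071", "TA0011", True, False),   # Application Layer Protocol
    ("T1021", "TA0008", False, False),  # Remote Services
    ("T1041", "TA0010", True, True),    # Exfiltration Over C2 Channel
    ("T1490", "TA0040", False, False),  # Inhibit System Recovery
    ("T1486", "TA0040", True, False),   # Data Encrypted for Impact
]

def coverage_by_phase(results):
    """Return {phase: {"tested", "detected", "contained", "missed"}}."""
    stats = defaultdict(lambda: {"tested": 0, "detected": 0, "contained": 0, "missed": []})
    for technique, tactic, detected, contained in results:
        phase = PHASE_OF_TACTIC.get(tactic)
        if phase is None:
            raise ValueError(f"unknown tactic {tactic} for {technique}")
        s = stats[phase]
        s["tested"] += 1
        s["detected"] += int(detected)
        # A response only counts if the technique was detected first.
        s["contained"] += int(detected and contained)
        if not detected:
            s["missed"].append(technique)
    return dict(stats)

def prioritize(results):
    """Phases ordered from weakest to strongest detection rate."""
    cov = coverage_by_phase(results)
    return sorted(cov, key=lambda p: (cov[p]["detected"] / cov[p]["tested"], p))

if __name__ == "__main__":
    for phase in prioritize(SAMPLE_RESULTS):
        print(phase, coverage_by_phase(SAMPLE_RESULTS)[phase])
```

With the constructed data, the phases with undetected techniques such as T1562 and T1490 rank first, which is where detection work would be directed.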

 

ZERO TRUST DATA RESILIENCE

The new Zero Trust Data Resilience model, and the third key chapter of this paper, stands as a critical response to the cybersecurity challenges of 2024, fully embracing the assumptions of the Cyber Kill Chain and MITRE ATT&CK, and demonstrating greater effectiveness than the traditional perimeter security model. Before proceeding, it is necessary to recall the Zero Trust approach in two words: assume a breach. That is, whatever deployment and security decisions you make, assume that a threat actor has successfully exploited the network. Thus, an updated answer to the obligatory triad must be found:

  • Confidentiality
  • Integrity
  • Availability

It is also imperative to refine the concept of Zero Trust and to evolve the concept of teams dedicated to the maintenance and management of backup and storage systems, moving them towards a cybersecurity-oriented model, given that data backup and recovery systems are increasingly one of the main targets of attacks that lead to exfiltration and the subsequent execution of ransomware. Indeed, the main Zero Trust concept is based on these key principles:

  • Least Privilege Access, which limits access privileges to the minimum necessary for operations and only to specific users and services, reducing the attack surface.
  • Immutability, making data unchangeable until the configured expiration date after it is written, ensuring integrity over time.
  • System Resilience, keeping systems operational and reliable.
  • Proactive validation, constantly monitoring the environment to detect and respond to anomalies or threats.
  • Operational Simplicity, implementing systems and procedures that are easy for people to use.

It is also necessary to assess the maturity of the implementation of the following functions

  • Access to production systems
  • Access to backup infrastructure
  • System resiliency
  • Access monitoring and validation

through a system of Policy Enforcement Points and Policy Decision Points, and by segmenting the backup network from the storage backup network, not only from the standpoint of a separate network, but also by ensuring that only an authenticated system can access the requested resources, not just based on credentials. In this way, the following assumptions can be validated:

  • Least privilege access to production systems, limiting access by time and context through MFA and IAM solutions.
  • Segregation of the backup appliance from the backup storage, assuming a breach of the backup systems and denying administrative access to the storage.
  • Resilience of systems by implementing data immutability in storage backup.
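
The three assumptions above can be expressed as the rules of a Policy Decision Point. The following is an added example, not part of the original paper and not Veeam code: the roles, zone names, access window and request fields are all hypothetical, and deleting restore points is treated as an administrative action.

```python
from dataclasses import dataclass
from datetime import datetime, time, timezone
from typing import Optional

# Hypothetical roles, zones and access window; none of these names come from Veeam.
GRANTS = {
    "backup-service": {"read", "write"},          # writes new restore points only
    "backup-admin": {"read"},                     # no delete, no storage admin
    "storage-admin": {"read", "delete", "admin"},
}
INTERACTIVE_ROLES = {"backup-admin", "storage-admin"}
ACCESS_WINDOW = (time(8, 0), time(18, 0))         # UTC
STORAGE_MGMT_ZONE = "storage-mgmt"

@dataclass(frozen=True)
class Request:
    role: str
    action: str                  # read | write | delete | admin
    source_zone: str             # network segment the request came from
    system_authenticated: bool   # calling system proved its own identity
    mfa: bool
    when: datetime
    immutable_until: Optional[datetime] = None   # expiry of the target object

def decide(req: Request) -> tuple[bool, str]:
    """Policy Decision Point: return (allow, reason) for a storage request."""
    if not req.system_authenticated:
        return False, "system not authenticated"   # credentials alone are not enough
    if req.action not in GRANTS.get(req.role, set()):
        return False, "least privilege"
    if req.action in {"delete", "admin"} and req.source_zone != STORAGE_MGMT_ZONE:
        return False, "segregation"                # assume the backup zone is breached
    if req.role in INTERACTIVE_ROLES:
        if not req.mfa:
            return False, "mfa required"
        if not ACCESS_WINDOW[0] <= req.when.time() <= ACCESS_WINDOW[1]:
            return False, "outside access window"
    if req.action == "delete" and req.immutable_until and req.when < req.immutable_until:
        return False, "immutable"                  # holds even for a valid storage admin
    return True, "allow"

def at(hour: int, day: int = 10) -> datetime:
    return datetime(2024, 1, day, hour, 0, tzinfo=timezone.utc)

# Constructed requests: what a valid or stolen credential can and cannot do.
EXPIRY = at(0, day=31)
SCENARIOS = {
    "nightly backup job": Request("backup-service", "write", "backup", True, False, at(2)),
    "password only, unknown host": Request("backup-service", "write", "backup", False, False, at(2)),
    "backup admin deletes": Request("backup-admin", "delete", "backup", True, True, at(10), EXPIRY),
    "storage admin from backup zone": Request("storage-admin", "admin", "backup", True, True, at(10)),
    "delete before expiry": Request("storage-admin", "delete", STORAGE_MGMT_ZONE, True, True, at(10), EXPIRY),
    "delete after expiry": Request("storage-admin", "delete", STORAGE_MGMT_ZONE, True, True, at(10, day=31), EXPIRY),
}

if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        print(f"{name:32} -> {decide(req)}")
```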

Image credits to: https://numberlinesecurity.com/2023/12/04/the-zero-trust-data-resilience-architecture/

 

Leveraging this Zero Trust Data Resilience strategy and actively involving backup and cybersecurity teams in all phases of backup infrastructure implementation results in immutable, available, and secure final backup data.

 

VEEAM DATA PLATFORM 23H2

And we come to the final chapter: how to combine these three pillars in the Veeam platform. Certainly, the key role is played by the training of the teams involved in managing the resources related to the backup infrastructure, but also by the adoption of the most advanced 23H2 Cyber Secure solution, which includes the following features:

Early threat detection: through the use of an AI-based malware detection engine during backup, the presence of malware can be detected immediately.

 

Proactive Threat Hunting: immediate reporting of backup inconsistencies to ServiceNow and SIEMs, together with the Veeam Incident API and YARA, an integration of cyber threat systems for complete malware recovery point integrity management.

 

Clean Recovery, which provides recovery analysis based on the I/O Anomaly Visualizer to help reduce the risk of data loss due to malware and infection.

 

These are the three basic pillars of cyber resilience to be ready for 2024, and I think they need to be known.

Thanks to all the sources (posted below); I recommend giving them a look. I have also posted credits for all images, and I hope that's enough.

If you haven't already done so, I recommend downloading the latest version of Veeam Platform: https://www.veeam.com/downloads.html

Thank you for reading this far.

 

Sources:

https://www.crowdstrike.com/cybersecurity-101/cyber-kill-chain/

https://www.truesec.com/hub/blog/using-killchain-analysis-in-ransomware-attacks

https://attack.mitre.org/matrices/enterprise/

https://numberlinesecurity.com/wp-content/uploads/2023/11/2023-11-30-Zero-Trust-Data-Resilience-Research-Whitepaper.pdf

https://www.youtube.com/watch?v=Kqei_qK_AME

https://www.veeam.com/whats-new-backup-replication.html


11 comments

Userlevel 7
Badge +22

This is an excellent blog post! Basically it has hit all the topics and explained them. I am going to use it as a reference going forward. Fantastic job Marco!

Userlevel 5
Badge +4

This is an excellent resource. It provides the depth and detail needed to address objections and pointed questions about how Backup management can enhance information security. Thank you.

Userlevel 7
Badge +17

Great in-depth article Marco! I will be sharing with my security colleagues.

Userlevel 7
Badge +20

Excellent resource and blog post Marco.  I am going to keep this one as a reference while I overhaul our Veeam environment to meet better security standards.  👍🏼

Userlevel 7
Badge +8

This is fantastic. Very in-depth and I'll be using this as a reference. Thanks for posting

Userlevel 7
Badge +9

Good one @marcofabbri! Since you have addressed some great features already such as the AI-based malware detection, and SIEM etc, I would like to add the "four eyes authorization" in Veeam Data Platform to the list. This is because it can contribute to a more secure environment by adding a layer of control and oversight, making it more challenging for threat actors to establish command and control through unauthorized access and actions. In particular, this will help mitigate lateral movement by utilising the dual authorization of multiple individuals to authorise important actions (Human-in-the-Loop Security).

Userlevel 7
Badge +7

Nice blog. It includes lots of information and resources. Thank you! @marcofabbri 

Userlevel 7
Badge +6

Great article, @marcofabbri ! Congratulations! 👋🏻👏🏻

Userlevel 7
Badge +13

Good one @marcofabbri! Since you have addressed some great features already such as the AI-based malware detection, and SIEM etc, I would like to add the "four eyes authorization" in Veeam Data Platform to the list. This is because it can contribute to a more secure environment by adding a layer of control and oversight, making it more challenging for threat actors to establish command and control through unauthorized access and actions. In particular, this will help mitigate lateral movement by utilising the dual authorization of multiple individuals to authorise important actions (Human-in-the-Loop Security).

You’re right, it’s even part of the new trust model. I’ll add that!!

Userlevel 7
Badge +7

Well done @marcofabbri this is absolutely an excellent post!

Userlevel 7
Badge +13

Well done @marcofabbri this is absolutely an excellent post!

Thanks @dips!! I hope this is helpful!!
