Every week the AT&T Chief Security Office produces a series called ThreatTraq with helpful information and news commentary for InfoSec practitioners and researchers. I really enjoy them; you can subscribe to the Youtube channel to stay updated. This is a transcript of a recent feature on ThreatTraq. The video features Jaime Blasco, VP and Chief Scientist, AT&T Cybersecurity, Joe Harten, Director Technology Security, AT&T and Ganesh Kasina, Principal Technology Security.
Ganesh: Hi, Jaime. How are you doing? I heard you have a good story about cloud-related telemetry and attack techniques. Could you elaborate a little bit about that?
Jaime: Absolutely. The MITRE ATT&CK, for those of you that are not aware of the framework, is an open framework - more specifically, it's a knowledge base of adversary tactics and techniques that the MITRE team has collected working with private and public industry based on real-world scenarios and observations. It has become very popular in the cybersecurity community for the last few years, and they even have their own annual conference.
The MITRE ATT&CK details the tools and techniques used by threat actors, but until now, it has been very focused on Linux and Windows, with some coverage for mobile environments such as Android. In early October, MITRE announced that they have extended the framework to cover both infrastructure as a service and software as a service platforms. New techniques that have been added to the framework cover Amazon AWS, Google Cloud Platform, Microsoft Azure, and Office 365.
Joe: Everything used to be tailored to the enterprise and data center-based platforms, but now, with the shift to the public cloud, even our attack framework has to really acknowledge that more of these attacks are going to be based in the cloud and we need to have that same rigidity, structure and focus to handle security incidents that happen in AWS (that maybe used to occur on an in-house Linux server).
Jaime: At AT&T Alien Labs, we use the framework to make sure that we have visibility and also detection mechanisms and content in our product lines and our internal systems to detect the techniques described in the framework. It even helps our product roadmap. When we look at new techniques and find we may have a detection gap of some sort, we will look at the framework and understand if it's important enough to like modify our roadmap and add support to some of the detection abilities that we may be missing.
Joe: Do you see that this ATT&CK framework will help in our ability to detect and to perform analysis in the public cloud? Or how do you see that shift in general?
Jaime: Yes. I think it is going to be really helpful, because you don't have to start from scratch. They are sharing that knowledge with you, and you can understand what the different data points are and different techniques or maybe things that you have missed if you've transitioned from a traditional enterprise environment. Because many things are different in cloud environments, especially when it comes to credentials, it's a completely different story. We are seeing our customers having more trouble when it comes to managing credentials and understanding how credentials are used in each one of those environments.
Joe: And each one of these public clouds has their own native tools, right? They have their own way that they think you should be protecting yourself, whether it's GuardDuty or Azure, Security Center. But this is something that at least is standard across all the different flavors of public clouds. So, you don't have to know the Microsoft tools, the Google Cloud tools, you can use your framework and say, "Okay, how does this map from all those different areas?" So that's cool. I think that's helpful.
Ganesh: I think it's really welcoming to actually have a framework. Like you said, Joe, I think it gives all the companies, not only AT&T, benefit. We may be looking at some of the tactics more; maybe we have never seen this tactic being used. The ATT&CK framework gives us a broader idea to look beyond what we are already seeing. I think this is a welcoming step.
