USING MITRE ATT&CK® to understand the techniques behind 2023's biggest breaches

Introduction

In the age of digital interconnectedness, the value and vulnerability of data has never been more apparent. Data breaches have become an all too familiar threat, posing significant risks to individuals, organizations, and the integrity of sensitive information.

Among the numerous data breaches that have shaken the digital landscape, the 2023 data breach of Reddit stood out as one of the most prominent and concerning incidents at the start of the year. Reddit, the popular social media platform with millions of users, fell victim to a sophisticated cyberattack that targeted its vast treasure trove of user information. The breach exposed "limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information," said Reddit in its statement.

About the breach

The breach was claimed by BlackCat ransomware gang (also known as ALPHV) who claim to have stolen 80GB of sensitive data and threatened to release the stolen information.

In addition to Reddit, another company that recently fell victim to BlackCat ransomware is healthcare giant Henry Schein. On October 15, 2023, Henry Schein disclosed that it had experienced a cybersecurity incident. The BlackCat group subsequently claimed responsibility for the attack, revealing that it had successfully breached the company's network and exfiltrated approximately 35TB of sensitive files. The BlackCat ransomware also targeted McLaren Health Care and Seiko, putting personal data at risk of exposure.

The aftermath of these data breaches serves as a stark reminder of the far-reaching implications of such security lapses. The breaches sparked concerns of identity theft, phishing attacks and potential compromise of other online accounts for affected users.

The data breaches also exemplify the urgency for individuals and organizations to prioritize data protection and adopt robust cybersecurity measures. As technology continues to advance, so do the tactics of cybercriminals. In this whitepaper, we will attempt to decode the attack techniques behind the BlackCat data breaches, and the best way to understand attack patterns is by mapping them to the MITRE ATT&CK Matrix.

What is the MITRE ATT&CK framework?

The MITRE ATT&CK framework is a comprehensive model of tactics and techniques used by attackers that helps security teams identify patterns in the attack methodology for quick threat detection and investigation. There may be many cyberthreats lurking at any given moment, but the techniques used by attackers are not as varied.

The MITRE ATT&CK threat modelling framework helps security teams develop a robust cybersecurity infrastructure, as it not only identifies the techniques and possible steps the attacker could take, but explains the ways in which these techniques can be detected and mitigated. Here are some ways that it can help your business:

Threat detection and prevention: Businesses can better understand how attackers operate by mapping real-world attacks to the MITRE ATT&CK framework. This knowledge is invaluable for detecting and preventing similar attacks in the future.

Incident response and forensics: In the case of an incident or data breach, it provides a framework for security teams to assess the situation quickly, identify the tactics and techniques used, and the type of data that may have been compromised. This allows for effective incident response.

Gap analysis and security posture improvement: Businesses can compare their security measures against the MITRE ATT&CK framework to identify the gaps in their defenses and identify the areas they need to prioritize.

Vendor evaluation and security tooling: Businesses can also use the framework when selecting cybersecurity tools and solutions. It allows you to asses how well the solution can tackle various attack techniques and make an informed decision on whether the vendor will help your business requirements.

Regulatory and compliance requirements: Many regulatory bodies and compliance standards require organizations to have robust cybersecurity measures in place. Mapping security controls and practices to the MITRE ATT&CK framework can help demonstrate compliance with these requirements.

This whitepaper maps the BlackCat ransomware attack pattern to MITRE ATT&CK's tactics, techniques, and procedures (TTP) to understand its attack pattern along with what you can do to mitigate such an attack.

Mapping the BlackCat ransomware attack pattern with MITRE ATT&CK threat modelling framework techniques

The BlackCat ransomware gang's attack usually starts with a sophisticated phishing attack. The malware is coded in the Rust programming language, which helps them evade malware detection systems. This is because solutions look for languages that are well-known and widely used. Rust, being a new language, helps the BlackCat ransomware evade detection mechanisms. This allows them to elevate privileges and gain unauthorized access to files, which the ransomware group then encrypts and threatens to leak.

Looking at BlackCat's modus operandi, let's map the way in which they would have executed the attack using the MITRE ATT&CK framework.

Lessons from the biggest data breaches of 2023 and how they can be used to step up our defenses

A multi-layered security approach is required to detect and defend against a cyberattack similar to the BlackCat ransomware. Below are some detection techniques and best practices that can help mitigate the risk of such an attack:

How to prevent attacks similar to the BlackCat ransomware attack

Mitigating an attack by the BlackCat ransomware group or similar ransomware threats involves implementing a combination of technical measures and best practices to enhance your organization's security posture. Here are some key steps to mitigate the risk of such an attack:

• User awareness training: Educate your employees on ransomware threats, phishing techniques, and safe computing practices to make them more aware of the cyberthreats that are prevalent. Encourage them to be cautious with email links and attachments, to avoid the risk of phishing, or other social engineering attacks.
• Zero Trust implementation: Enforce the principle of least privilege, ensuring that users and processes only have the minimum necessary permissions to perform their tasks. It is recommended to follow the Zero Trust security model, which promotes continuous verification, least privilege, end-to-end encryption, and the use of analytics to minimize the impact of a breach.
• User account management: Manage the creation, modification, and permissions of user accounts based on need to reduce the risk of lateral movement and to keep your resources secure.
• Network segmentation: Segment your network to separate critical assets and resources, to limit the impact of lateral movement in the event of a breach.
• Multi-factor authentication (MFA): Enable MFA wherever possible to add an extra layer of security to user accounts.
• Regular security assessments and audits: Conduct regular security assessments of systems, insecure software and configurations, and permissions, and conduct penetration testing to identify and address any vulnerabilities.
• Monitor for anomalies: Monitor network and endpoint activities for unusual behavior or signs of compromise. Use intrusion detection systems to block any threats to the network before they gain initial foothold.
• Data backup: Take and store regular backups from critical servers and ensure that they're secure. It is recommended to harden the security of this backup, and store it separately from the corporate network to limit the chances of compromise.
• Data loss prevention (DLP): Implement a data loss prevention strategy to categorize your data, identify sensitive information, and prevent the exfiltration of data.
• Security information and event management (SIEM): Implement a SIEM solution to centralize and analyze security event logs for early detection of suspicious activities.

Conclusion:

The BlackCat data breaches highlighted the importance of having a robust security posture and incident management system in place, as an attack can happen at any given time. Any malicious link or accidental download can have severe consequences and heavily cost the organization–either financially or in terms of their reputation.

The breaches emphasized the need for companies to invest in their security infrastructure, conduct regular security assessments, and stay vigilant against emerging threats. However, continuously monitoring for threats and suspicious events can be hard to do, which is what attackers rely on. This difficulty can be overcome by investing in a security tool that monitors, detects, and flags potential threats instantly to prevent the attack from escalating.

About Log360

Log360 is a unified SIEM solution with integrated DLP and CASB capabilities that detects, prioritizes, investigates, and responds to security threats. It combines threat intelligence, machine learning-based anomaly detection, and rule-based attack detection techniques to detect sophisticated attacks, and offers an incident management console for effectively remediating detected threats. Log360 provides holistic security visibility across on-premises, cloud, and hybrid networks with its intuitive and advanced security analytics and monitoring capabilities.