Security Management, Risk Assessments/Management, Security Program Controls/Technologies

MITRE Shares Lessons Learned from Breach

Credit: Adobe Stock Images

MITRE recently disclosed that a nation-state cyber crew breached its Networked Experimentation, Research, and Virtualization Environment (NERVE) collaborative network in January 2024 by chaining two Ivanti VPN zero-day vulnerabilities.

The incident was detected through “suspicious activity” on the NERVE research and development and prototyping platform. It provides a stark example of the growing threat of zero-day exploits and illustrates how even one of the top cybersecurity organizations is not immune from cyberattacks.

MITRE said it had not been hit by a major cyber incident in 15 years.

The zero-days — an authentication bypass (CVE-2023-46805) and a command injection vulnerability (CVE-2024-21887) — enabled the hackers to skirt multi-factor authentication (MFA) using session hijacking. The attackers managed to move laterally through the breached network's VMware infrastructure using a compromised administrator account, deploying webshells and backdoors to maintain persistent and harvest credentials.

MITRE confirmed the breach in April, 2024.

MITRE's Response Detailed

Following detection of the incident, MITRE said that its first move was to take the NERVE environment offline. In addition, it brought in third-party digital forensics incident response teams to perform their own independent analysis along with MITRE's in-house team. Its investigation is ongoing, MITRE said.

The NERVE network provides storage, computing and networking resources. MITRE said that based on its appraisal to this point, its core enterprise network or partners’ systems were not affected by this incident.

“No organization is immune from this type of cyberattack, not even one that strives to maintain the highest cybersecurity possible,” said Jason Providakes, MITRE president and chief executive. “We are disclosing this incident in a timely manner because of our commitment to operate in the public interest and to advocate for best practices that enhance enterprise security as well as necessary measures to improve the industry’s current cyber defense posture.

The threats and cyberattacks are becoming more sophisticated and require increased vigilance and defense approaches. As we have previously, we will share our learnings from this experience to help others and evolve our own practices,” he said.

Evolving Attack Tactics

In a blog post, Charles Clancy, MITRE’s chief technology officer and Lex Crumpton, MITRE’s principal cybersecurity engineer, Lex Crumpton, said that attackers are “evolving to get around the industry’s most sophisticated defenses. Last year was exploitation of routers, and this year’s theme has been compromise of edge protection devices.”

MITRE said that while it followed best practices, vendor instructions and the government’s advice to upgrade, replace and harden its Ivanti system, it did not “detect the lateral movement into our VMware infrastructure.” The company said that it believed it took all the “necessary actions to mitigate the vulnerability, but these actions were clearly insufficient.”

In the blog post, MITRE provided an initial account of the incident, outlining the tactics, techniques and procedures employed by the hackers, along with some of its ongoing incident response efforts and recommendations for future steps to fortify defenses.

MITRE: Lessons Learned

Along those lines, MITRE offered the industry lessons learned from its approach to the breach. (Lightly edited).

Incident Response Efforts

  • Containment. Changing edge firewall rules was insufficient as this network had connectivity to labs across the enterprise. Effective containment required shutting down access infrastructure and isolating edge systems in a diverse set of laboratories.
  • Governance. MITRE’s board of trustees chartered an ad-hoc committee to provide governance and oversight. CTO balanced and coordinated across the CIO and CISO on incident response; business unit leadership on customer engagement, project recovery and continuity; and enterprise communications and general counsel teams.
  • Analysis. Launched multiple streams of forensic analysis to identify the extent of the compromise, the techniques employed by the adversaries and whether the attack was limited to the research and prototyping network or had spread further.
  • Remediation. Needed new compute, storage and networking resources for projects to use instead of the compromised system. Identified alternative platforms, conducted a thorough security audit of each, and established a procedure for projects to migrate to new systems.
  • Communication. Chose to inform the public because we work in the public interest, "and the more we collectively understand and can combat this threat the better we will all be."
  • Enhanced Monitoring: The forensic investigation necessitated rapid deployment of new sensor suites to collect information from affected systems, many of which can help improve our monitoring in an enduring way.

Best Practice Tips for Detection

  • Anomaly Detection. Monitor VPN traffic for unusual patterns, such as spikes in connections (DS0029) or unusual geographic locations.
  • Behavior Analysis. Look for deviations in user behavior, such as unusual login times (DS0002 or DS0028) or accessing unfamiliar resources.
  • Network Segmentation. Segmenting networks can limit lateral movement (DS0029), making anomalous activities more apparent.
  • Threat Intelligence Feeds. Stay updated with threat intelligence feeds to identify known malicious IP addresses (DS0029), domains, or file hashes (DS0022).
  • Adversary Engagement. Deploy adversary engagement resources in the environment, such as deception environments and honey tokens that not only trigger detection but provide deeper insights into adversary TTPs.

Best Practice Tips on Hardening Your Networks

  • Strong Authentication (M1032). Implement robust access controls, including strong multi-factor authentication mechanisms and least privilege principles.
  • Regular Patch Management (M1051). Keep systems and software up to date to mitigate known vulnerabilities.
  • Least Privilege Access (M1026). Restrict user privileges to limit the impact of compromised credentials.
  • Network Segmentation (M1030). Employ network segmentation to limit the impact of a potential breach and contain malicious activity.
  • Vulnerability Assessments (M1016). Conduct regular security assessments and penetration testing to identify and address weaknesses proactivity.
  • Threat Intelligence Program (M1019). Read and act on published reporting from trusted sources such as CISA’s cybersecurity advisories, which include detection and mitigation techniques.

Next Steps and Call to Action

MITRE pledged to do the following:

  • Incident Review. Conduct a comprehensive review of its cybersecurity posture, including vulnerability assessments and penetration testing, to identify and address potential weaknesses.
  • Enhanced Training. Enhance employee training and awareness programs to reinforce the importance of cybersecurity best practices and threat awareness.
  • Strengthen Defenses. Implement additional security measures based on lessons learned from the incident.

MITRE said it is “committed to its public interest mission to strengthen cybersecurity for the entire industry. Zero-day vulnerabilities in the devices used to protect our networks are unacceptable. We further commit to working across our stakeholders in the U.S. government, industry, and the public to:

  • Advance the National Cybersecurity Strategy and CISA’s Secure by Design philosophy to make software and hardware products more secure out of the box.
  • Operationalize Software Bill of Materials to improve software supply chain integrity and the speed with which we can respond to upstream software vulnerabilities in products.
  • Broadly deploy zero trust architectures with robust multifactor authentication and micro-segmentation.
  • Expand multi-factor authentication beyond simply two-factor systems to include continuous authentication and remote attestation of endpoints.
  • Broaden industry adoption of adversary engagement as a routine tool for not only detecting compromise but also deterring them.

MITRE also said it will provide an update that will “delve deeper into the technical details of the attack, providing insights into the adversary’s tactics and our efforts to counter them.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.