A number of security-related news items came my way during the past couple of weeks. The Biden administration memo brought a surge of comments. I’ve included one from Marty Edwards. Several companies research vulnerabilities and discover interesting and useful threats and vulnerabilities.
- MITRE Engenuity ATT&CK Evaluations
- Google on Measuring Risk in Open Source
- Open Source Security Foundation Adds Members
- Claroty Research Team82 Finds ICS Vulnerabilities
- Industry Veteran Marty Edwards Shares Thoughts on Biden’s Security Memo
Engenuity ATT&CK Evaluations
MITRE Engenuity released results from its first round of independent ATT&CK Evaluations for Industrial Control Systems (ICS). The evaluations examined how cybersecurity products from five ICS vendors detected the threat of Russian-linked Triton malware.
The malware targets safety systems, preventing officials from responding to failures, hazards and other unsafe conditions, potentially causing physical destruction.
The evaluations use ATT&CK for ICS, a MITRE-curated knowledge base of adversary tactics, techniques, and procedures based on known threats to industrial control systems.
The evaluations, which were paid for by the participating vendors, included products from Armis; Claroty; Microsoft (via CyberX acquisition); Dragos; and the Institute for Information Industry.
“MITRE Engenuity’s ATT&CK Evaluations program is built on the backbone of MITRE’s integrity and commitment to making the world a safer, more secure place,” said Frank Duff, general manager of the ATT&CK Evaluations program. “Vendors trust us to improve their offerings, and the community trusts that we’ll provide transparency into the technology that is necessary to make the best decisions for their unique environment. Unlike closed door assessments, we use a purple teaming approach with the vendor to optimize the evaluation process. MITRE experts provide the red team while the vendor provides the blue team to ensure complete visibility, while allowing the vendor to learn directly from ATT&CK experts.”
Google Measuring Risk in Open Source
by Kim Lewandowski, Azeem Shaikh, Laurent Simon, Google Open Source Security Team
Contributors to the Scorecards project, an automated security tool that produces a “risk score” for open source projects, have accomplished a lot since our launch last fall. Today, in collaboration with the Open Source Security Foundation community, we are announcing Scorecards v2. We have added new security checks, scaled up the number of projects being scored, and made this data easily accessible for analysis.
Since last fall, Scorecards’ coverage has grown; we’ve added several new checks, following the Know, Prevent, Fix framework proposed by Google earlier this year, to prioritize our additions.
Contributors with malicious intent or compromised accounts can introduce potential backdoors into code. Code reviews help mitigate such attacks. With the new Branch-Protection check, developers can verify that the project enforces mandatory code review from another developer before code is committed.
Despite best efforts by developers and peer reviews, vulnerable code can enter source control and remain undetected. We have added checks to detect if a project uses Fuzzing and SAST tools as part of their CI/CD system.
A common CI/CD solution used by GitHub projects is GitHub Actions. A danger with these action workflows is that they may handle untrusted user input, which means an attacker can craft a malicious pull request to gain access to the privileged GitHub token and, with it, the ability to push malicious code to the repo without review. To mitigate this risk, Scorecard’s Token-Permissions prevention check now verifies that the GitHub workflows follow the principle of least privilege by making GitHub tokens read-only by default.
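As an added example (not code from the post or from the Scorecard project), the check below re-implements the idea behind the Token-Permissions check in simplified form: it takes a parsed workflow and flags a missing top-level permissions block, write-all, and writable scopes. The allow-list of job-level write scopes and the two sample workflows are assumptions constructed for the example.

```python
# Assumption: scopes a job may need to write while the workflow-level default stays
# read-only (a simplified allow-list, not Scorecard's exact rule).
JOB_WRITE_ALLOWED = {"statuses", "checks", "security-events", "id-token"}


def _scope_findings(perms, where, job_level):
    """Findings for one `permissions:` value at workflow or job level."""
    if perms in (None, {}, "read-all"):  # nothing is writable
        return []
    if perms == "write-all":
        return [f"{where}: write-all grants every scope write access"]
    if not isinstance(perms, dict):
        return [f"{where}: unexpected permissions value {perms!r}"]
    return [
        f"{where}: scope '{scope}' is writable"
        for scope, level in perms.items()
        if level == "write" and not (job_level and scope in JOB_WRITE_ALLOWED)
    ]


def audit_workflow(workflow):
    """Return least-privilege findings for a parsed workflow; [] means it passes."""
    findings = []
    if "permissions" not in workflow:
        findings.append("workflow: no top-level permissions block, so GITHUB_TOKEN "
                        "inherits the repository default, which may be write-all")
    else:
        findings += _scope_findings(workflow["permissions"], "workflow", False)
    for name, job in workflow.get("jobs", {}).items():
        if "permissions" in job:
            findings += _scope_findings(job["permissions"], f"job {name}", True)
    return findings


# Constructed sample workflows, written as the dicts a YAML parser would produce.
WEAK = {  # no permissions block: the token keeps whatever the repository default is
    "on": ["pull_request"],
    "jobs": {"build": {"runs-on": "ubuntu-latest",
                       "steps": [{"uses": "actions/checkout@v2"}, {"run": "make test"}]}},
}
HARDENED = {  # read-only by default; one job gets exactly the write scope it needs
    "on": ["pull_request"],
    "permissions": {"contents": "read"},
    "jobs": {"build": {"runs-on": "ubuntu-latest",
                       "permissions": {"contents": "read", "checks": "write"},
                       "steps": [{"uses": "actions/checkout@v2"}, {"run": "make test"}]}},
}
```

Running `audit_workflow(WEAK)` reports the missing block, while `audit_workflow(HARDENED)` returns no findings because the only write scope is granted at job level and is on the allow-list.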
To date, the Scorecards project has scaled up to evaluate security criteria for over 50,000 open source projects. In order to scale this project, we undertook a massive redesign of our architecture and used a PubSub model which achieved horizontal scalability and higher throughput. This fully automated tool periodically evaluates critical open source projects and exposes the Scorecards check information through a public BigQuery dataset which is refreshed weekly.
This data can be retrieved using the bq command line tool.
Scorecards data for available projects is now included in the recently announced Google Open Source Insights project and also showcased in the OpenSSF Security Metrics project. The data on these sites shows that there are still important security gaps to fill, even in widely used packages like Kubernetes.
There are a couple of big enhancements we’re especially excited about:
• Scorecards Badges – GitHub badges to show off compliance
• Integration with CI/CD and GitHub Code Scanning Results
• Integration with Allstar project – GitHub App for enforcing security policies
Open Source Security Foundation Adds 10 Members
OpenSSF, a cross-industry collaboration to secure the open source ecosystem, announced new membership commitments to advance open source security education and best practices. New members include Accurics, Anchore, Bloomberg Finance, Cisco Systems, Codethink, Cybertrust Japan, OpenUK, ShiftLeft, Sonatype and Tidelift.
The new Scorecard 2.0 is also available now; it adds new security checks, scales up the number of projects being scored, and makes this data easily accessible for analysis. The Scorecard is gaining adoption for automating analysis and trust decisions on the security posture of open source projects.
OpenSSF’s working groups include Securing Critical Projects, Security Tooling, Identifying Security Threats, Vulnerability Disclosures, Digital Identity Attestation, and Best Practices.
Claroty Finds Critical Vulnerabilities
Claroty, the industrial cybersecurity company, launched Team82, its new research arm that provides indispensable vulnerability and threat research to Claroty customers and defenders of industrial networks worldwide. Additionally, Team82 released a new report on critical vulnerabilities found in cloud-based management platforms for industrial control systems (ICS), highlighting the rise of ICS in the cloud and the growing need to secure cloud implementations in industrial environments.
In its latest report, “Top-Down and Bottom-Up: Exploiting Vulnerabilities in the OT Cloud Era,” Team82 researched the exploitability of cloud-based management platforms responsible for monitoring ICS, and developed techniques to exploit vulnerabilities in automation vendor CODESYS’ Automation Server and vulnerabilities in the WAGO PLC platform. Team82’s research mimics the top-down and bottom-up paths an attacker would take to either control a Level 1 device in order to eventually compromise the cloud-based management console, or the reverse, commandeer the cloud in order to manipulate all networked field devices.
The new Team82 Research Hub includes the team’s latest research reports, a vulnerability dashboard for tracking the latest disclosures, its coordinated disclosure policy for working with affected vendors, its public PGP Key for securely and safely exchanging vulnerability and research information, and other resources.
To access the Team82 Research Hub, visit claroty.com/team82.
Read the report, “Top-Down and Bottom-Up: Exploiting Vulnerabilities In the OT Cloud Era.”
Marty Edwards, Tenable, on Biden Memo
You can find Edwards’ thoughts at this blog site. Below are some excerpts.
Recent activity from the Biden Administration represents a watershed moment in the establishment of baseline standards for preparing, mitigating and responding to attacks that impact the critical infrastructure we all rely on.
The most substantive thrust of these government actions is recognizing and acting on the accelerated trend of reconnaissance and attack by establishing the Industrial Control Systems (ICS) Cybersecurity Initiative. The ICS Initiative is a voluntary, collaborative effort between the federal government and the critical infrastructure community to protect U.S. critical infrastructure “by encouraging and facilitating deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks,” with a primary goal of “greatly expand[ing] deployment of these technologies across priority critical infrastructure.”
Tenable encourages CISA and the U.S. government to take an open, technology-neutral, standards-based approach in the development of these goals. Core elements for consideration as the most appropriate and successful methods of disrupting attack paths and securing critical infrastructure and OT environments revolve around three key pillars:
Visibility: Gain full visibility and deep situational awareness across your converged IT/OT environment.
Security: Protect your industrial infrastructure from advanced cyberthreats and risks posed by hackers and malicious insiders.
Control: Take full control of your operations network by continuously tracking ALL changes to any ICS device.