Defending an enterprise against modern-day attacks remains an increasingly difficult challenge that requires, among other things, advanced technologies and innovative approaches for thwarting an adversary’s goals. To help address those challenges, MITRE Corporation developed ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework. This serves as a knowledge base of commonly observed adversarial behaviors to support the efforts of threat intelligence functions, with adversary emulation and defensive gap analysis.
In this article, you'll learn why Zscaler Cloud Browser, natively integrated within the Zscaler Zero Trust Exchange (ZTE), is needed as another critical layer of defense to strengthen your organization’s security posture as well to mitigate various TTPs as highlighted in the ATT&CK framework.
Zscaler Cloud Browser Isolation
Zscaler Cloud Browser Isolation, natively integrated within the ZTE platform, detonates the web content and isolates any associated zero day threats in an air-gapped cloud container. It also enforces clipboard, upload/download, read-only, and print controls along with turbo streaming safe graphical representation (no active content, scripts or code) to the user’s favorite browser for a near-native web experience.
The built-in document processing technology can allow the productivity related files (.docx, .pptx, .vsdx, .rtf etc.) to be safely viewed within isolation (via ‘protected storage’) or downloaded as sanitized files (CDR - Content Disarm and Reconstruction). Files are deconstructed in order to remove any potentially malicious components such as VBA macros, scripts, and active content. Moreover, any QR codes are disarmed as well, this effectively thwarting any steganography attacks.
Zscaler Cloud Browser Isolation also allows employees, contractors and third-parties to safely access SaaS and private web applications from any unmanaged device without the need for an agent (not requiring VDI or changing end-user browser) while enforcing comprehensive data protection controls. This architecture also provides application protection. Private web apps are hidden from the internet by the Zero Trust Exchange, reducing their attack surface. Moreover, Cloud Browser obfuscates the application headers and hides away the application’s anatomy, (protocol, OS versions, software components, etc.), further shrinking the attack surface by stopping attackers from using malware-infected, unmanaged devices to exploit these apps.
ATT&CK mapping to Cloud Browser controls
Tactics represent the "why" of an ATT&CK technique or sub-technique. It is the adversary's tactical goal: the reason for performing an action.
Techniques represent 'how' an adversary achieves a tactical goal by performing an action.
The tactics can as well be mapped to the Zscaler cyber kill chain taxonomy: Attack Surface, Compromise, Lateral Movement and Data Exfiltration.
Here are some of the prominent TTPs mitigated through Cloud Browser, natively integrated with ZTE, controls.
TacticTechnique(TTP name)TTP DescriptionZscalerKill ChainInitial AccessT1189Drive-by CompromiseA user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior (acquiring Application Access Token)Attack SurfaceInitial AccessT1190Exploit Public-Facing ApplicationThe weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include services (like SSH), and others with Internet accessible open sockets, such as web servers Attack SurfaceInitial AccessT1566PhishingAdversaries may send phishing messages to gain access to victim systems. Attack SurfaceInitial AccessT1566.001Spearphishing AttachmentSpearphishing attachment is different in that it employs the use of malware attached to email. Attack SurfaceInitial AccessT1566.002Spearphishing LinkIt employs the use of links to download malware contained in email, to avoid defenses that may inspect email attachments. Attack SurfaceInitial AccessT1566.003Spearphishing via ServiceIt employs the use of third party services rather than directly via email channels.Attack SurfaceExecutionT1059.007JavaScript (JS)Adversaries may abuse various implementations of JS for execution. JS is commonly associated with scripts in webpages.Attack SurfaceExecutionT1203Exploitation for Client ExecutionVulnerabilities can exist in software due to unsecure coding practices. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and developmentAttack SurfaceExecutionT1204User ExecutionUsers may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious file or link. Attack SurfaceExecutionT1204.001Malicious LinkClicking on a link may lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution.Attack SurfaceExecutionT1559Inter-Process Communication(IPC)Adversaries may abuse IPC mechanisms for local code or command execution. IPC is used to share data, or synchronize execution. Attack SurfaceExecutionT1559.001Component Object Model (COM)Adversaries may use the Windows COM for local code execution. Through COM, a client object can call methods of server objects, which are typically binary DLL or EXE. Attack SurfaceExecutionT1559.002Dynamic Data Exchange (DDE)DDE is a client-server protocol for one-time and/or continuous IPC between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm links (notifications when data changes), requests for command execution.Attack SurfacePrivilege EscalationT1068Exploitation for Privilege EscalationSecurity constructs such as permission levels will hinder access to information, so adversaries will likely need to perform privilege escalation to circumvent those restrictions.CompromiseDefense EvasionT1218.001Compiled HTML File (.CHM) Adversaries may abuse .CHM files to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help.. CHM content is displayed using components of the IE browser loaded by the HTML Help exeCompromiseCredential AccessT1212Exploitation for Credential AccessOne example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions. Exploitation for credential access may also result in Privilege Escalation.CompromiseLateral MovementT1210Exploitation of Remote ServicesExploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.Lateral MovementExfiltrationT1567Exfiltration Over Web ServicePopular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.Data ExfiltrationExfiltrationT1567.001Exfiltration to Code RepositoryCode repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection.Data ExfiltrationExfiltrationT1567.002Exfiltration to Cloud StorageCloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.Data ExfiltrationCommand and ControlT1102Web ServicePopular websites and social media (such as those offered by Google or Twitter) acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.Data ExfiltrationCommand and ControlT1102.001Dead Drop ResolverAdversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.Data ExfiltrationCommand and ControlT1102.002Bidirectional CommunicationThose infected systems can then send the output from those commands back over that Web service channel. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to a development project, updating a document, or by sending a Tweet.Data ExfiltrationCommand and ControlT1102.003 One-Way CommunicationThose infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.Data Exfiltration
Next steps MITRE ATT&CK framework is already incorporated in the Zscaler Risk360 product to enhance risk analysis for your specific environment as well as get tailored recommendations for implementing various controls.
Please reach out to us for more details on the Cloud Browser and the aforementioned MITRE ATT&CK mapping.
↧