In FY 2022, the NIST Information Technology Laboratory’s (ITL) Cybersecurity and Privacy Program successfully responded to numerous challenges and opportunities in the world of cybersecurity and privacy. This Annual Report highlights key research activities for the ITL Cybersecurity and Privacy Program, including: the ongoing participation and development of international standards, research and practical applications in several key priority areas, accomplishments in improving software and supply chain cybersecurity, IoT cybersecurity guidelines work, National Cybersecurity Center of Excellence (NCCoE) projects, and Risk Management Framework projects. NIST also celebrated 50 years of work in the cybersecurity space and the NCCoE celebrated a 10-year anniversary since inception.
With the widespread adoption of the public cloud, more organizations are pivoting from a perimeter-based security model to a Zero Trust model. Under a Zero Trust model, all network connections are treated as threats that must be vetted, resulting in a proactive, boundaryless approach to security. Transitioning to Zero Trust security can take years of time, money, and effort—which is why it’s important to set yourself up for success. Read the e-book, 10 Tips for Enabling Zero Trust Security, to learn how to:
Realign your access requests around identity.
Use controls that grant access based on identity, access rights, device health, and a variety of other conditions.
Plan for a strategy that includes both existing network protections and newer, identity-based controls.
Aggregate your data using a security information and event management (SIEM) system.
Empower your users to carry out self-service tasks, such as password resets.
Advances in cloud performance are paving the way for accelerating AI innovation across simulation, science, and industry. As the complexity of AI models grows exponentially, Microsoft is drawing on a decade of experience in supercomputing and in supporting the largest AI training workloads to develop purpose-built, optimized AI infrastructure for any scale. Join this webinar to learn about: Azure’s proven performance for generative AI advances across both Microsoft and its customers; purpose-built AI infrastructure design and optimization; and how Azure’s AI infrastructure, combined with our overall AI solution stack, addresses these challenges for customers of all sizes.
Azure webinar series Power AI Innovations with Purpose-Built AI Infrastructure Thursday, June 15, 2023 10:00 AM–11:00 AM Pacific Time
Azure VMware Solution can help you lower infrastructure costs while increasing business agility and resilience. Learn how to get started with your VMware cloud migration journey.
In this session, we will take you under the hood of Azure VMware Solution with hands-on demonstrations and best practices. Our experts will share: Network planning for your VMware migration demonstration. Executing your migration with HCX and vMotion demonstration. Connecting additional Azure services with Azure VMware Solution demonstration. Day-two operations and how to optimize Azure VMware Solution. Options to use existing licenses to lower your cloud costs. Join the live session for Q&A and walk-throughs of key features. We’ll leave you with tools and actionable tips to kickstart your VMware cloud migration.
Azure webinar series Get Started with Azure VMware Solution: A Look Inside Tuesday, June 6, 2023 10:00 AM–11:00 AM Pacific Time
As manufacturers are increasingly targeted in cyberattacks, any gaps in cybersecurity leave small manufacturers vulnerable. Small manufacturers tend to operate facilities with limited staff and resources, so cybersecurity often falls by the wayside as something that costs too much time and money. Additionally, bringing together various cybersecurity standards, frameworks, and guides to derive a coherent action plan is a challenge even for those experienced in cybersecurity. Security segmentation is a cost-effective and efficient security design approach for protecting cyber assets by grouping them based on their communication and security requirements.
Join us on June 28, 2023 from 2:00-2:45 p.m. ET to discuss the NCCoE’s most recent manufacturing publication, NIST Cybersecurity White Paper: Security Segmentation in a Small Manufacturing Environment. The paper outlines a practical six-step approach that manufacturers can follow to implement security segmentation and mitigate cyber vulnerabilities in their manufacturing environments.
Join us on June 28 for a discussion where you’ll be able to:
Meet the publication authors.
Receive an overview of the new white paper.
Ask the publication authors questions.
Learn how to stay involved in the NCCoE’s manufacturing-related efforts.
Today, CISA, Federal Bureau of Investigation (FBI), the National Security Agency (NSA), Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Israel National Cyber Directorate (INCD) released the Guide to Securing Remote Access Software. This new joint guide is the result of a collaborative effort to provide an overview of legitimate uses of remote access software, as well as common exploitations and associated tactics, techniques, and procedures (TTPs), and how to detect and defend against malicious actors abusing this software.
Remote access software provides organizations with a broad array of capabilities to maintain and improve information technology (IT), operational technology (OT), and industrial control system (ICS) services; however, malicious actors often exploit this software for easy and broad access to victim systems.
SIP is a security technology in macOS that restricts the root user from performing operations that may compromise system integrity. Bypassing SIP could lead to serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, and expand the attack surface for additional techniques and exploits. The technique uncovered in this blog post was discovered during routine malware hunting and is similar to the one used in the Shrootless vulnerability (CVE-2021-30892) that we published in 2021. By focusing on system processes that are signed by Apple and have the com.apple.rootless.install.heritable entitlement, we found two child processes that could be tampered with to gain arbitrary code execution in a security context that bypasses SIP checks.
Cyber-security is consistently one of the top concerns for business leaders across every industry, and when you consider that the average cost of a breach is upwards of USD 4.35 million[1], it’s no surprise why. While this focus has often led to investment and the implementation of robust security practices, it has also forced cyber-criminals to rethink their attack strategies. Some of the most rapidly growing threat areas are identity-based attacks, where malicious actors look to exploit identities or the underlying infrastructure and policies that govern them. Identity Threat Detection and Response (ITDR) is an emerging security category designed to counter these types of attacks and help businesses streamline their identity protection.
At Microsoft, we see ITDR as the point where Identity and Access Management (IAM) meets Extended Detection and Response (XDR). The critical challenge organizations face, however, is extending the necessary posture and protections across the entirety of their identity landscape. Modern identity environments consist of multiple, often fragmented, components spanning on-premises infrastructure and the cloud. Leveraging our leadership and expertise in both identity and security, our goal has been to help our customers prevent, detect, and remediate identity-based attacks across their entire identity environment.
Detecting advanced attacks with threat level intelligence.
Through the years, we have seen identity attacks become more and more advanced with multifaceted strategies designed to exploit increasingly tiny gaps and establish a foothold from where attackers can move laterally. For instance, an initial compromise may begin with spear-phishing emails aimed at employees, tricking a few into unwittingly divulging their credentials. Armed with these stolen identities, they can exploit misconfigurations in the connections between on-premises and cloud identities to stealthily expand their reach into the connected cloud environments and applications. Other more sophisticated attacks focus on compromising identity infrastructure to mint their own certificates and navigate through the network, escalating their privileges and gaining deeper access as they go.
Analyzing 65 trillion signals daily from across Microsoft’s ecosystem of B2B and consumer offerings, including Microsoft Azure, LinkedIn, Microsoft 365, and Xbox, we are uniquely positioned to quickly spot emerging attack strategies and build detections for our customers. Some more recent examples you may have heard of include the DnsHostName spoofing, DFSCoerce, and KrbRelayUp tactics, to name a few. Our ITDR strategy doesn’t stop there, though: we further augment these powerful identity detections with correlated data from across security domains to deliver XDR-level insights and enhanced visibility across the kill chain.
Powerful identity detections:
Let’s take a common tactic in identity attacks: lateral movement. While this may sound like a relatively simple use case, it requires robust monitoring and analysis of user activities across on-premises and cloud environments. Domain Controllers (DCs) serve as the central authentication and authorization hub for on-premises networks and play a crucial role in managing who is given access to those resources. With the Microsoft Defender for Identity sensor installed on a Domain Controller, security teams gain valuable insight into user authentication events, account activities, and access permissions. Monitoring these logs can help identify suspicious activities like unauthorized account logins, privilege escalation attempts, or abnormal resource access.
Similarly, in cloud environments, Azure Active Directory (Azure AD) serves as a central identity and access management platform, sending valuable data to Microsoft Defender for Identity and the Security Operations Center teams. Leveraging Azure AD’s comprehensive auditing and monitoring capabilities as well as Azure Active Directory Identity Protection, organizations can track user sign-ins, access attempts, and other security-related events. By enabling Azure Active Directory Conditional Access policies, organizations can proactively detect and respond to anomalous activities or attack attempts, whether done in the cloud or on-premises. Some examples include simultaneous sign-ins from different locations, unusual access patterns, token replay attacks, or attacks aiming to take control of the identity infrastructure which may indicate unauthorized lateral movement between cloud and on-premises resources. See our documentation for more details on our identity detections.
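The "simultaneous sign-ins from different locations" detection described above, as an added example that is not Microsoft's own logic. It runs over a constructed sign-in log; the record layout, field names, and sample lines are assumptions, not any product's export schema.

```python
"""Flag near-simultaneous sign-ins by one user from two different countries.

Constructed example for the lateral-movement detection discussed on the page.
The log format below (timestamp, user, source IP, country) is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in log; alice is the one anomalous case within an hour.
SAMPLE_LOG = """\
2023-06-05T10:00:00Z alice 203.0.113.5 US
2023-06-05T10:04:00Z alice 198.51.100.7 DE
2023-06-05T10:30:00Z bob 192.0.2.10 US
2023-06-05T12:00:00Z bob 192.0.2.11 US
2023-06-05T13:00:00Z carol 203.0.113.9 FR
2023-06-06T09:00:00Z carol 203.0.113.9 JP
"""


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"time": when, "user": user, "ip": ip, "country": country})
    return events


def find_concurrent_location_signins(events, window=timedelta(minutes=60)):
    """Return one alert per consecutive sign-in pair for the same user that
    comes from different countries no more than `window` apart."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            gap = cur["time"] - prev["time"]
            if prev["country"] != cur["country"] and gap <= window:
                alerts.append({
                    "user": user,
                    "from": (prev["ip"], prev["country"]),
                    "to": (cur["ip"], cur["country"]),
                    "minutes_apart": int(gap.total_seconds() // 60),
                })
    return alerts


def detect(text=SAMPLE_LOG, window_minutes=60):
    """Convenience wrapper: parse `text` and apply the detection."""
    return find_concurrent_location_signins(parse_log(text), timedelta(minutes=window_minutes))


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

Widening the window (for example to 24 hours) also catches slower country changes such as carol's; in practice the window is tuned per environment.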
Threat level intelligence:
To detect the sophisticated attack strategies we discussed earlier, identity detections alone are not enough. Microsoft Defender for Identity, the cornerstone of our identity security capabilities, is natively integrated within our XDR platform, Microsoft 365 Defender.
Microsoft 365 Defender offers unified visibility, investigation, and response across the cyber-attack kill chain. Leveraging AI and automation, it correlates alerts from different sources to provide a single incident view with rich contextual information. It also enables teams to quickly and efficiently investigate emerging threats. By correlating all the available information, including signals from endpoints, identity providers, identity infrastructure, collaboration tools, and cloud applications, we can give a greater view into the entire end-to-end life cycle of the identity.
Figure 1: Advanced hunting tables[3] allow users to hunt for emerging threats across your identity data and activities within a single view, regardless of environment or provider. Create custom detections and enhance existing investigations with identity signals.
Respond and remediate attacks at machine speed.
When it comes to identity-based attacks, the ability to swiftly and effectively remediate the compromised systems and disrupt the attacker’s operations becomes crucial. For example, the median time for an attacker to access your private data after you fall victim to a phishing email is 1 hour, 12 minutes[4]. In a situation like this you need to be able to detect, investigate, and respond to the breach in under 72 minutes. Working across teams and tools this can be especially challenging, so we have focused on two critical areas to help our customers respond and remediate attacks at machine speed:
Enabling intelligent automation:
AI and automation are reshaping almost every facet of business today and security is no exception. A recent study in fact found organizations incurred 80% higher costs where security AI and automation weren’t fully deployed[1]. Capitalizing again on the native integration between our Identity protection capabilities and XDR platform, we leverage XDR-level intelligence and AI to automatically disrupt even the most advanced attacks.
Automatic attack disruption is designed to contain attacks in progress by automatically disabling or restricting compromised devices and user accounts—stopping progression and limiting the impact to organizations. This is a big innovation; today most security teams can’t respond fast enough to sophisticated attacks and are forced to reactively handle the fallout from a breach. With attack disruption, attacks are contained to a small number of assets, dramatically minimizing the impact and improving business continuity.
In an identity attack, Microsoft Defender for Identity can take immediate action to disable the user, trigger multi-factor authentication, disable authentication for unauthorized accounts, or even isolate affected systems using Microsoft Defender for Endpoint. These automated tactics not only limit the attacker’s ability to move laterally and access critical resources but also prevent further damage and data exfiltration.
Figure 2: Incident view showing the yellow bar where automatic attack disruption took action
Maximizing user experience and efficiency.
ITDR is a team sport, and while collaboration between SOC and identity teams is crucial, each persona’s unique needs require distinctly different information and capabilities to do their job. At Microsoft we can help maximize your team’s effectiveness with integrated, persona-based experiences designed to surface and prioritize information and alerts.
SOC analysts gain greater visibility across their identity landscape with a unified Identity Inventory, showing all corporate identities in one, easy to search view. Going a layer deeper, Identity Pages offer more detailed information on each unique identity including recent behavior via the Identity Timeline. On top of all the Identity specific views and benefits, SOC teams can also capitalize on Microsoft’s Secure Score which correlates signals from across workloads to curate identity related recommendations and reduce your security posture risk.
Figure 3: Identity Inventory delivers a comprehensive inventory of all your identities regardless of type, environment or vendor.
Figure 4: Identity page and Identity Activity Timeline view aggregate relevant data from multiple workloads to provide security teams with additional insight and detail into individual identities and recent behavior.
Figure 5: Microsoft Secure Score correlates signals from across workloads to curate and prioritize identity-related recommendations and reduce your security posture risk.
Identity admins and IT practitioners also benefit from their own unique portal and prioritized view, where they can quickly sort by risk level and prevent potential account compromise.
Figure 6: Azure Active Directory Identity Protection
Learn more about Microsoft’s ITDR strategy and find out how you can maximize your investments to save up to 60% with Microsoft 365 E5 Security and Microsoft 365 E5 Compliance[5].
A vulnerability has been discovered in Progress MOVEit Transfer, which could allow for potential unauthorized access to the environment, escalated privileges, and remote code execution. MOVEit Transfer is managed file transfer software that allows an enterprise to securely transfer files between business partners and customers using SFTP, SCP, and HTTP-based uploads. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Threat Intelligence: There is threat intelligence of this vulnerability being exploited in the wild.
Systems Affected:
MOVEit Transfer prior to 2023.0.1
MOVEit Transfer prior to 2022.1.5
MOVEit Transfer prior to 2022.0.4
MOVEit Transfer prior to 2021.1.4
MOVEit Transfer prior to 2021.0.6
Risk:
Government – Large and medium government entities: High; Small government entities: Medium
Businesses – Large and medium business entities: High; Small business entities: Medium
Home Users: Low
Technical Summary: A vulnerability in MOVEit Transfer could lead to escalated privileges and potential unauthorized access to the environment. Successful exploitation allows attackers to download and steal sensitive information such as the list of stored files, the usernames of those who uploaded the files, file paths, configured Azure Blob Storage accounts, data from Azure Blob Storage containers, data from servers, and so on. The attackers can also insert and delete a new, randomly named MOVEit Transfer user with the login name ‘Health Check Service’ and create new MySQL sessions. Progress Software is advising MOVEit customers to check for indicators of unauthorized access over “at least the past 30 days”, as well as following its other remediation recommendations.
Recommendations: In addition to Progress’s remediation recommendations, the following actions are recommended:
Ensure your MOVEit application is receiving and applying updates, definitions, and security patches and mitigations recommended by Progress.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.
Block execution of code on a system through application control and/or script blocking.
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.
Use signatures or heuristics to detect malicious software.
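Two defender-side checks that follow from the advisory's "Systems Affected" list and its ‘Health Check Service’ indicator, as an added example that is not Progress's own tooling. The user-record layout (a username plus a display login name) and the sample records are constructed assumptions.

```python
"""Check a MOVEit Transfer version against the advisory's fixed releases and
scan a user export for the login name the advisory calls out.

Added example; the fixed versions are taken from the advisory text, the user
records below are constructed and their field names are assumptions.
"""

# First fixed release on each branch named in the advisory ("prior to X" is affected).
FIXED_VERSIONS = ["2023.0.1", "2022.1.5", "2022.0.4", "2021.1.4", "2021.0.6"]

# Login name of the account the advisory says attackers create.
SUSPICIOUS_LOGIN_NAME = "Health Check Service"


def parse_version(s):
    """Parse 'YYYY.minor.patch' into a comparable tuple of ints."""
    parts = s.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected MOVEit version string: {s!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True if `version` is below the fixed release of its own branch (year.minor),
    False if it is at or above it, None if the branch is not one the advisory
    lists (e.g. a release newer than 2023.0.x). Anything older than every listed
    branch is 'prior to 2021.0.6' and therefore affected."""
    v = parse_version(version)
    fixed = [parse_version(f) for f in FIXED_VERSIONS]
    for f in fixed:
        if v[:2] == f[:2]:
            return v < f
    if v < min(fixed):
        return True
    return None


def find_suspicious_accounts(users):
    """Return usernames whose login name matches the advisory's indicator.
    Comparison is whitespace- and case-insensitive to survive minor variations."""
    wanted = SUSPICIOUS_LOGIN_NAME.casefold()
    return [u["username"] for u in users
            if u["login_name"].strip().casefold() == wanted]


# Constructed sample user export; the second entry is the kind of record to look for.
SAMPLE_USERS = [
    {"username": "jdoe", "login_name": "John Doe"},
    {"username": "x8f2kq1", "login_name": "Health Check Service"},
    {"username": "svc_backup", "login_name": "Backup Service"},
]

if __name__ == "__main__":
    for ver in ["2023.0.0", "2023.0.1", "2022.1.3", "2020.1.9", "2023.1.0"]:
        print(ver, "affected:", is_affected(ver))
    print("suspicious accounts:", find_suspicious_accounts(SAMPLE_USERS))
```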
The Federal Bureau of Investigation (FBI), the US Department of State, and the National Security Agency (NSA), together with the Republic of Korea’s National Intelligence Service (NIS), National Police Agency (NPA), and Ministry of Foreign Affairs (MOFA), have issued a Joint Cybersecurity Advisory to highlight the use of social engineering by Democratic People’s Republic of Korea (DPRK a.k.a. North Korea) state-sponsored cyber actors to enable computer network exploitation (CNE) globally against individuals employed by research centers and think tanks, academic institutions, and news media organizations. These North Korean cyber actors are known to conduct spearphishing campaigns posing as real journalists, academics, or other individuals with credible links to North Korean policy circles. The DPRK employs social engineering to collect intelligence on geopolitical events, foreign policy strategies, and diplomatic efforts affecting its interests by gaining illicit access to the private documents, research, and communications of their targets.
North Korea’s cyber program provides the regime with broad intelligence collection and espionage capabilities. The Governments of the United States and the Republic of Korea (ROK a.k.a. South Korea) have observed sustained information-gathering efforts originating from these North Korean cyber actors. North Korea’s primary military intelligence organization, the Reconnaissance General Bureau (RGB), which has been sanctioned by the United Nations Security Council, is primarily responsible for this network of actors and activities.
We assess the primary goals of the DPRK regime’s cyber program include maintaining consistent access to current intelligence about the United States, South Korea, and other countries of interest to impede any political, military, or economic threat to the regime’s security and stability.
Currently, the US and ROK Governments, and private sector cyber security companies, track a specific set of DPRK cyber actors conducting these large-scale social engineering campaigns as Kimsuky, Thallium, APT43, Velvet Chollima, and Black Banshee. Kimsuky is administratively subordinate to an element within North Korea’s RGB and has conducted broad cyber campaigns in support of RGB objectives since at least 2012. Kimsuky actors’ primary mission is to provide stolen data and valuable geopolitical insight to the North Korean regime.
Some targeted entities may discount the threat posed by these social engineering campaigns, either because they do not perceive their research and communications as sensitive in nature, or because they are not aware of how these efforts fuel the regime’s broader cyber espionage efforts. However, as outlined in this advisory, North Korea relies heavily on intelligence gained by compromising policy analysts. Further, successful compromises enable Kimsuky actors to craft more credible and effective spearphishing emails that can be leveraged against more sensitive, higher-value targets. The authoring agencies believe that raising awareness of some of these campaigns and employing basic cyber security practices may frustrate the effectiveness of Kimsuky spearphishing operations.
This Joint Cybersecurity Advisory provides detailed information on how Kimsuky actors operate; red flags to consider as you encounter common themes and campaigns; and general mitigation measures for entities worldwide to implement to better protect against Kimsuky’s CNE operations.