BrianKrebs on Nostr: MITRE, a not-for-profit that does important tech research for the U.S. federal ...
MITRE, a not-for-profit that does important tech research for the U.S. federal government, has disclosed a breach involving the exploitation of two recent zero-day flaws in Ivanti devices. Their disclosure is worth reading.
https://www.mitre.org/news-insights/news-release/mitre-response-cyber-attack-one-its-rd-networks

From the recommendations:
- Anomaly Detection: Monitor VPN traffic for unusual patterns, such as spikes in connections (DS0029) or unusual geographic locations.
- Behavior Analysis: Look for deviations in user behavior, such as unusual login times (DS0002 or DS0028) or accessing unfamiliar resources.
- Network Segmentation: Segmenting networks can limit lateral movement (DS0029), making anomalous activities more apparent.
- Threat Intelligence Feeds: Stay updated with threat intelligence feeds to identify known malicious IP addresses (DS0029), domains, or file hashes (DS0022).
- Adversary Engagement: Deploy adversary engagement resources in your environment, such as deception environments and honey tokens that not only trigger detection but provide deeper insights into adversary TTPs.
h/t [@simontsui](https://infosec.exchange/@simontsui)
Published at 2024-04-19 21:47:48
Source: https://infosec.exchange/users/briankrebs/statuses/112300082396326619