Thursday, May 02, 2019 10:31:52 AM
MITRE asks vendors to do more to detect stealthy hacks

https://www.cyberscoop.com/mitre-asks-vendors-detect-stealthy-hacks/

As hackers continue to use native programming tools to blend into target networks, Mitre Corp. is beginning to test vendors’ ability to detect those techniques.

The federally-funded, not-for-profit organization announced Wednesday it would throw the stealthy tactics of an infamous hacking group, the Russian-government-linked APT29, at several threat-detection products.

But the evaluation is about more than one set of adversaries. The “living off the land” techniques, such as hiding in PowerShell scripts, that will be tested are increasingly popular with a variety of hacking groups.

“A lot of these techniques are going to be implemented in similar ways from different adversaries,” said Frank Duff, Mitre’s lead for evaluations that use the organization’s ATT&CK framework.

“PowerShell monitoring is that next thing that everyone recognizes is absolutely necessary,” he added.

Mitre’s last round of testing focused on advanced persistent threats, mimicking the tactics of APT3, a China-based group known for using internet-browser exploits. But the techniques of APT29, best known for being one of two Russian outfits to breach the Democratic National Committee before the 2016 U.S. election, will be a stiffer test, according to Duff.

“Because it’s a more sophisticated adversary, they do a lot more in terms of scripting, a lot more in terms of using built-in Windows [application programming interfaces],” he told CyberScoop. “Unless you have the right sensoring and the right ways of whittling ways through large amounts of noise, it’s going to be a harder thing for these vendors to succeed at.”

The first round of APT3 evaluations tested products made by vendors such as Carbon Black, CrowdStrike, Endgame, and Microsoft. Mitre is hoping for similarly-robust participation this go-round.

Duff said the APT29 test will incorporate a range of data from the group’s activity. After a relative lull in activity, APT29 appeared to rear its head last fall in a spearphishing campaign against U.S. military and defense contractors.

Don’t expect the Mitre team to simulate tactics used by every APT group. Instead, evaluators are testing tactics employed by groups that offer valuable defensive lessons to the broader cybersecurity industry, according to Duff.

The inclusion of APT29 techniques in the testing, which will begin this summer, is meant to “really push the boundaries forward” for vendors, he said.
=================================================================
It looks like Wave was already ahead of its time back in 2014. Wave solutions/products should be selling rapidly given the enormous benefits in using them!! Better security at less than half the cost!!! https://www.wavesys.com/
=================================================================
Wave Integrating MITRE’s Attestation Technique into its Endpoint Monitor for Remediating Advanced Malware

MITRE Details Technique at Black Hat 2013

https://www.wavesys.com/buzz/pr/wave-integrating-mitre%E2%80%99s-attestation-technique-its-endpoint-monitor-remediating-advanced-mal

Lee, MA - July 31, 2013 -

Wave Systems Corp. (NASDAQ:WAVX), the Trusted Computing Company, announced plans to integrate The MITRE Corporation’s new timing-based attestation technique into Wave Endpoint Monitor (WEM), the industry’s first solution to leverage industry standard hardware to detect and remediate malware that can surreptitiously mount attacks before the operating system loads. MITRE is a not-for-profit organization that provides systems engineering, research and development, and information technology support to the government.

With this enhancement, Wave will integrate MITRE’s technique that doubly verifies that the core BIOS hasn’t been corrupted. The BIOS is the first software run by the PC when powered-on and is responsible for initializing hardware and getting the operating system running. It also contains the “core root of trust measurement” (CRTM) software, the first software in the boot trust chain that ends in the assurance that the computer booted safely.

“MITRE has made a significant contribution to the body of research by identifying a scenario in which malicious code could be introduced to the BIOS that would cause it to provide a false reading and allow the malicious BIOS to indicate the system had not been corrupted,” said Dr. Robert Thibadeau, Wave’s Chief Scientist. “MITRE’s technique offers a second control for determining the CRTM does not lie about itself and any of the rest of the trust chain.”

Dr. Thibadeau added, “While BIOS attacks are still fairly rare today—less than one percent by many accounts—they represent a new and dangerous attack vector, and we’re bound to see more in future years as the more popular preboot targets are secured by our existing WEM technology.”

The management of CRTM detection will be incorporated in a module for WEM, which Wave expects will be production-ready in early 2014 to meet the expected increase of these attacks. Wave Endpoint Monitor captures verifiable PC health and security by utilizing information stored within the TPM. If anomalies are detected, the attack is controlled, and IT is alerted immediately with real-time analytics.

MITRE research presented at Black Hat 2013

MITRE researchers John Butterworth, Corey Kallenberg, and Xeno Kovah presented their research on this vulnerability and technique, “BIOS Chronomancy: Fixing the Core Root of Trust for Measurement,” at Black Hat 2013.

The team’s research highlights a vulnerability in which a firmware rootkit tricks an endpoint’s Trusted Platform Module (TPM) chip into reporting a clean BIOS firmware, when in fact it has been compromised. MITRE’s research shows the importance of using timing-based attestation systems, which can defend against attackers who obtain the same privilege levels as the defender. John Butterworth, a Senior Infosec Engineer at MITRE, adds, “additional complexities are imposed on an attacker who tries to conceal a rootkit in the presence of timing-based attestation; even concealing the modification of a single byte will trigger a measurable change.”
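The boot trust chain and the false-reading scenario described above, as an added simulation that is not part of the press release or of any Wave or MITRE code. It models a single TPM PCR extended by a CRTM -> BIOS -> bootloader chain, a verifier that compares the quoted PCR against golden values, and the hypothetical `report` hook that lets a modified CRTM extend golden digests instead of what it measured; all component images are constructed placeholders.

```python
import hashlib

# Constructed stand-ins for boot components; real ones are firmware binaries.
COMPONENTS = {
    "crtm": b"CRTM v1 (constructed sample)",
    "bios": b"BIOS v1 (constructed sample)",
    "bootloader": b"bootloader v1 (constructed sample)",
}
BOOT_ORDER = ["crtm", "bios", "bootloader"]

def measure(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    # TPM extend: new = H(old || digest). A PCR can only be extended, never
    # written directly, so its final value depends on every digest in order.
    return hashlib.sha256(pcr + digest).digest()

def measured_boot(components, report=None) -> bytes:
    # Walk the chain CRTM -> BIOS -> bootloader, extending one PCR from zeros.
    # `report` (hypothetical hook) is what the CRTM chooses to extend; an honest
    # CRTM (report=None) extends exactly what it measured.
    pcr = bytes(32)
    for name in BOOT_ORDER:
        actual = measure(components[name])
        pcr = pcr_extend(pcr, report(name, actual) if report else actual)
    return pcr

# Golden values a verifier records once from a known-good machine.
GOLDEN_PCR = measured_boot(COMPONENTS)
GOLDEN_DIGESTS = {n: measure(COMPONENTS[n]) for n in BOOT_ORDER}

def verify_quote(pcr: bytes) -> bool:
    # Remote verifier: does the quoted PCR equal the golden value?
    return pcr == GOLDEN_PCR

def honest_boot_passes() -> bool:
    return verify_quote(measured_boot(COMPONENTS))

def tampered_bios_detected() -> bool:
    # Any change below the CRTM changes the PCR, so the check fails.
    tampered = dict(COMPONENTS, bios=COMPONENTS["bios"] + b" + implant")
    return not verify_quote(measured_boot(tampered))

def tampered_crtm_evades_pcr_check() -> bool:
    # If the CRTM itself is modified and extends the golden digests instead of
    # what it measured, the PCR check still passes: the gap the page says
    # MITRE's timing-based attestation is meant to cover.
    tampered = dict(COMPONENTS, crtm=COMPONENTS["crtm"] + b" + implant")
    forged = measured_boot(tampered, report=lambda n, _actual: GOLDEN_DIGESTS[n])
    return verify_quote(forged)
```

The third case is the point of the page: a PCR comparison alone trusts the CRTM's self-report, so a second control that does not depend on that report is needed to cover the root of the chain.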

The team’s findings come as vendors work to implement BIOS protection specifications as outlined by the National Institute of Standards and Technology (NIST) special publication 800-155, published in 2011.
