MITRE Breach: A Case for Zero Trust Architecture

As the creator of the well-known ATT&CK framework, MITRE is a name synonymous with cybersecurity. On April 19, 2024, MITRE issued a news release stating that in January 2024 its Networked Experimentation, Research, and Virtualization Environment (NERVE) had been breached by a nation-state threat actor, ending a 15-year stretch without a major cybersecurity incident.

The attackers used zero-day vulnerabilities in a VPN appliance to gain access to MITRE’s NERVE environment and establish a persistent foothold there. MITRE patched the vulnerabilities quickly, but only later, through detection of suspicious activity, did it realize that NERVE had been breached. According to MITRE’s news release, the breach is believed to have been limited to NERVE; neither its core enterprise network nor its partners’ systems were impacted.

Zero-days are the stuff of CISOs’ nightmares. Timely patching is best practice, but with testing requirements and the need to prioritize among long lists of patchable vulnerabilities, that is easier said than done. Worse, zero-days can be exploited in the wild before a patch exists, so even fast and effective patch management is useless if the vulnerable system was attacked before the patch was released. Mitigating zero-days is only possible through well-implemented Zero Trust.

Zero Trust Principles

Never Trust, Always Verify

A Zero Trust architecture grants no implicit trust: subjects must authenticate to, and receive an access authorization for, each organizational resource they want to use, regardless of location. Under Zero Trust, being “inside the network” or “logged in to the network” remotely does not automatically imply access to organizational resources on that network.

Assume Breach

Zero Trust architecture assumes that attackers are already on the network. Under this assumption, the goal is to limit the damage that can be done from the inside by employing Zero Trust concepts, including:

Micro-Segmentation: Ensure organizational resources are logically isolated from one another. An attacker who breaches the CRM, for example, should have no path to the accounting system. Further, in an optimized Zero Trust environment, users authenticate to organizational resources, not to “the network.” Micro-segmentation does not prevent breaches, but it limits a breached resource’s “blast radius” by restricting an attacker’s ability to move laterally and threaten other organizational resources.

Least Privilege: Organizational accounts should have no more privileges than their users need to perform their jobs; this is often called just-enough access. In an optimized Zero Trust environment, the organization would also ensure that account privileges are authorized just-in-time. For example, user Jane occasionally needs to modify antimalware settings. Under an optimized Zero Trust architecture, Jane’s account would not have standing “modify” privileges. Instead, her account would be authorized for those privileges at the time she needs to perform the task and only for as long as she needs to complete it.

Encrypting Communications: Many systems encrypt remote-access sessions to organizational resources. Zero Trust requires all session communications to be encrypted, again on the assumption that attackers are already on the network. Once inside, an attacker will want to sniff network traffic for information that could expand and deepen their access. For example, they might monitor the session traffic of an accountant working with the payroll system. If that traffic is unencrypted, the attacker may be able to glean account credentials and other confidential information, or steal the session cookie and use it to establish a privileged connection to the payroll system.

Attack Detail

According to MSSP Alert’s “Mitre Shares Lessons Learned from Breach,” the breach was carried out as follows:

  1. The attackers used session hijacking to access an open SSL VPN session.
  2. From this open VPN session, attackers exploited Ivanti VPN zero-day vulnerabilities CVE-2023-46805 and CVE-2024-21887 to bypass authentication and avoid MFA.
  3. Once on the network, the attackers were able to move laterally using a compromised administrator account and install backdoors to allow continued access, even after MITRE mitigated the exploited Ivanti CVEs.

Potential Benefits of Zero Trust in the MITRE Breach

In Attack Detail above, we saw how the attackers leveraged zero-day vulnerabilities to breach a MITRE system. Now we will examine how Zero Trust principles might have prevented the breach—or at least limited the damage from it.

Session Hijacking

It is unclear how the session hijack in the MITRE breach was carried out, but stealing a session cookie is a common starting point. One way to steal a session cookie is to trick the targeted user into clicking a malicious link that installs cookie-harvesting malware on the user’s computer. This can be mitigated by ensuring that:

  1. organizational users don’t have privileges to install software (the least privilege principle);
  2. organization computers have only the ports and services running necessary for users to do their jobs; and
  3. organization computers use EDR software that can block cookie-harvesting and other malware, as well as identify and block malicious communications resulting from malware.
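The endpoint controls above reduce the chance that a cookie is stolen; the server side can also refuse to honour a stolen one. The following is an added example (not code from MITRE, Ivanti or the original post) that applies “never trust, always verify” to the session itself: at login the token is bound to the client attributes it was issued for, and every request is checked against that binding and an idle timeout, so a cookie replayed from another client is refused and the session is revoked. The attribute names, the 15-minute timeout and the client contexts are constructed assumptions.

```python
"""Session binding check, added example (not MITRE's, Ivanti's or the post's code).

A session token is bound at login to the client context it was issued to and to
an idle lifetime; every request is re-verified against both. A cookie replayed
from a different client is refused and the session revoked, so the legitimate
user has to authenticate again. Attribute names and contexts are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

IDLE_TIMEOUT = timedelta(minutes=15)                    # assumed value
T0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)   # constructed clock

# Client context = (source IP, User-Agent, device certificate fingerprint).
# Which attributes are safe to bind depends on your user population.
Context = Tuple[str, str, str]


def at(minutes: int) -> datetime:
    """Point in time `minutes` after the constructed clock T0."""
    return T0 + timedelta(minutes=minutes)


def bind_context(context: Context) -> str:
    """Hash the attributes that must not change for the life of the session."""
    return hashlib.sha256("\x1f".join(context).encode()).hexdigest()


@dataclass
class Session:
    subject: str
    binding: str          # bind_context() of the client the token was issued to
    last_seen: datetime
    revoked: bool = False


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, subject: str, context: Context, now: datetime) -> str:
        """Issue an unguessable token bound to the presenting client."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(subject, bind_context(context), now)
        return token

    def verify(self, token: str, context: Context, now: datetime) -> Tuple[Optional[str], str]:
        """Return (subject, "ok") or (None, reason). Any failure revokes the session."""
        session = self._sessions.get(token)
        if session is None or session.revoked:
            return None, "unknown or revoked session"
        if now - session.last_seen > IDLE_TIMEOUT:
            session.revoked = True
            return None, "idle timeout; re-authenticate"
        if not hmac.compare_digest(session.binding, bind_context(context)):
            session.revoked = True        # replay from another client: kill it
            return None, "client context changed; session revoked"
        session.last_seen = now
        return session.subject, "ok"


if __name__ == "__main__":
    store = SessionStore()
    legit = ("10.0.0.5", "Mozilla/5.0", "sha256:constructed-device-cert")
    token = store.login("alice", legit, at(0))
    print(store.verify(token, legit, at(1)))
    stolen = ("203.0.113.9", "curl/8.0", "sha256:other-device")
    print(store.verify(token, stolen, at(2)))   # cookie replayed from elsewhere
    print(store.verify(token, legit, at(3)))    # alice must log in again
```

Binding to a source IP alone breaks for roaming users, so choose attributes that are stable for your population (of the three here, a device-certificate fingerprint is the most robust). When the binding fails, the legitimate user is logged out too and must re-authenticate; that is the intended outcome, since a mismatch means the token is no longer trustworthy.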

Exploiting Zero-Day Vulnerabilities

MITRE mitigated these zero-day vulnerabilities promptly, but because they had been exploited before mitigation, the attackers had already established a foothold. Zero Trust micro-segmentation isolates resources so that breaching one organizational resource is not a springboard for lateral movement to others. MITRE may have had some system segregation in place, given that the MSSP Alert article implies the breach was isolated to its Networked Experimentation, Research, and Virtualization Environment (NERVE) and did not impact other MITRE systems.

Leveraging Compromised Administrator Account

MSSP Alert indicates that once on the NERVE system, the attackers used a compromised administrator account to move laterally through MITRE’s VMware infrastructure. Zero Trust requires us to assume attackers are already on the network and to limit the damage they can cause. Under the Zero Trust least privilege principle, accounts would not have standing administrator privileges; instead, such privileges would be approved and authorized on a just-in-time, just-enough basis. This can be achieved with a Privileged Access Management (PAM) or Privileged Identity Management (PIM) system.
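The just-in-time, just-enough model described here, together with the micro-segmentation and least privilege concepts under Assume Breach above, reduces to a policy decision point that denies by default. The block below is an added illustration, not MITRE’s, Ivanti’s or any PAM vendor’s code: segment paths are an explicit allowlist, nobody holds standing administrator rights, and elevation is a time-boxed grant recorded by a stand-in for the PAM/PIM approval step. The users, resources, segment names, clock and grant lifetimes are constructed sample data.

```python
"""Zero Trust policy decision point, added example (not MITRE's or a vendor's code).

Models two Assume-Breach controls: micro-segmentation (an explicit allowlist of
segment-to-resource paths; anything absent is "no path") and just-in-time,
just-enough privilege (no standing admin rights; elevation is time-boxed).
All subjects, resources, grants and the clock are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Set, Tuple

T0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)   # constructed clock
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
FAR_FUTURE = datetime(9999, 12, 31, tzinfo=timezone.utc)


def at(minutes: int) -> datetime:
    """Point in time `minutes` after the constructed clock T0."""
    return T0 + timedelta(minutes=minutes)


@dataclass(frozen=True)
class Grant:
    subject: str
    resource: str
    privilege: str        # e.g. "read", "modify", "admin"
    not_before: datetime
    expires: datetime     # JIT grants are short-lived by construction


@dataclass
class Policy:
    # Micro-segmentation: directed (origin segment, resource) edges that may
    # carry traffic. No edge means no path, which is the default.
    allowed_paths: Set[Tuple[str, str]] = field(default_factory=set)
    standing: List[Grant] = field(default_factory=list)  # long-lived, kept minimal
    jit: List[Grant] = field(default_factory=list)       # PAM/PIM-approved, time-boxed

    @staticmethod
    def _active(grants, subject, resource, privilege, now) -> bool:
        return any(g.subject == subject and g.resource == resource
                   and g.privilege == privilege and g.not_before <= now < g.expires
                   for g in grants)

    def decide(self, subject, origin, resource, privilege, now, authenticated=True):
        """Return (allowed, reason). Default deny: every check must pass."""
        if not authenticated:
            return False, "subject not authenticated to this resource"
        if (origin, resource) not in self.allowed_paths:
            return False, f"no segment path from {origin} to {resource}"
        if self._active(self.standing, subject, resource, privilege, now):
            return True, "standing entitlement"
        if self._active(self.jit, subject, resource, privilege, now):
            return True, "just-in-time grant"
        return False, "no active entitlement; request just-in-time elevation"


def approve_jit(policy, subject, resource, privilege, now, ttl=timedelta(minutes=30)):
    """Stand-in for the PAM/PIM approval step: record a time-boxed grant."""
    grant = Grant(subject, resource, privilege, now, now + ttl)
    policy.jit.append(grant)
    return grant


def build_sample_policy() -> Policy:
    policy = Policy()
    # Workstations may reach these resources; the CRM has no path to accounting.
    policy.allowed_paths.update({("workstations", "crm"),
                                 ("workstations", "edr-console"),
                                 ("workstations", "accounting")})
    # Jane's only standing entitlement; nobody holds standing admin anywhere.
    policy.standing.append(Grant("jane", "crm", "read", EPOCH, FAR_FUTURE))
    return policy


if __name__ == "__main__":
    p = build_sample_policy()
    print(p.decide("jane", "workstations", "edr-console", "modify", at(0)))
    approve_jit(p, "jane", "edr-console", "modify", at(0))
    print(p.decide("jane", "workstations", "edr-console", "modify", at(5)))
    print(p.decide("jane", "workstations", "edr-console", "modify", at(31)))
    print(p.decide("svc-admin", "crm", "accounting", "admin", at(0)))
```

The last call is the MITRE scenario in miniature: a valid, even privileged, account sitting on a breached resource is still refused because no segment path exists, and after the 30-minute window Jane’s elevation expires without anyone having to remember to revoke it.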

Conclusion

Zero Trust is not a panacea; even if it were more widely adopted, system breaches would continue to occur. However, combined with standard defense-in-depth, Zero Trust’s never trust, always verify principle and its assumption of breach make attackers’ jobs harder and can limit the damage if they do eventually breach your systems.


References

MSSP Alert, “Mitre Shares Lessons Learned from Breach”

CVE-2023-46805 (Authentication Bypass) and CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways
