The US CISA (Cybersecurity and Infrastructure Security Agency), an agency of the United States Department of Homeland Security that is responsible for strengthening cybersecurity and infrastructure protection, issued an advisory alert recently that urges US firms to make use of Security Control Validation tools to regularly verify the effectiveness of security controls.

In a Ransomware advisory alert (AA22-257A) published in September 2022, CISA advises for the first time, that organisations regularly test the effectiveness of their security controls by simulating attacker behaviours that have been mapped out and documented in MITRE’s ATT&CK framework.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Appendix B).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

CISA advisory alert A22-257A

Why is this important?

This is important to the global information security community because until now, most advice relating to offensive security testing involved the use of manual professional services-based penetration testing and/or Red Team testing services.  This is a recognition by the CISA that a new generation of continuous security controls validation technology platforms, that are able to safely simulate MITRE ATT&CK techniques and behaviours, like Validato, are ready to be used within the enterprise to scrutinise and challenge the trust that we have in the effectiveness of security controls within a rapidly changing threat landscape.

How to use Validato to simulate CISO Advisory Alert A22-257A

Validato has been designed and built specifically to be able to run pre-packaged MITRE ATT&CK threat scenarios (based on MITRE’s threat classifications of ‘Groups, Software and campaigns’).  These are freely available from https://attack.mitre.org/software/ however, until recently the only realistic way to test the threat scenarios mapped out by MITRE with their associated tactics, techniques and procedures (TTPs) was to have engaged the services of manual offensive security testing services.

MITRE ATT&CK threat scenarios

MITRE ATT&CK threat scenarios

 

In the Validato console, all you need to do is to select the pre-packed threat scenario (or one of the recommended scenarios that bundles several sub-scenarios together – like Top MITRE ATT&CK Techniques or Top Ransomware Techniques), select the zone or area of the network that you wish to run the test against and that’s it.

Validato - Security Controls Validation platform for simulating MITRE ATT&CK techniques

Validato security controls validation platform for simulating MITRE ATT&CK techniques

Within 5 minutes, with little or not technical knowledge of complex MITRE ATT&CK techniques, any IT or Information Security professional can obtain clear and impartial data on the effectiveness of enterprise security controls and SIEM detection capabilities.

Want to see this for yourself?

We are happy to put our money where our mouth is and provide free access to the Validato platform for a short period of time at no cost.  (Note that to qualify for our free trial, you do need to be human (you would not believe!) with a corporate email address). If you would like to register for a free trial of Validato, or to book a live demonstration with our team, click on the Request Demo or Try for free buttons on our homepage at https://validato.io/.