Applications are a common intrusion point, but the way attackers gain access, maneuver and create mayhem within and across applications doesn’t always neatly fit into MITRE’s ATT&CK framework.
The team at Oligo Security is releasing a new framework it calls the Application Attack Matrix. It is meant to complement the parts of MITRE's framework that the company describes as too broad, filling gaps so that defenders and organizations can better understand and describe how attackers use applications, and the actions they take inside them, often in disguise.
“Most of the approaches that we know today are focused on the post-exploit technique, and on the infrastructure and endpoint,” Gal Elbaz, Oligo Security’s co-founder and CTO, told CyberScoop. This, he said, is akin to addressing the symptom of an attack without understanding the root cause of how attackers broke in.
The effort, which has grown with support from threat intelligence and enterprise security leaders, and from MITRE itself, covers every tactic in the MITRE ATT&CK framework that pertains to the application attack lifecycle: pre-intrusion, intrusion, post-intrusion and impact. “Each and every layer of those tactics is being utilized by techniques that are happening on the app layer,” Elbaz said.
The Application Attack Matrix records what occurred at the application level, distinguishing between an exploited vulnerability, a bypassed control, a login without a credential, and a supply-chain compromise via software or software development tools.
It also distinguishes exactly how exploitation occurs, breaking the broad category of remote code execution into specific techniques such as command injection of an arbitrary file, Lightweight Directory Access Protocol (LDAP) injection, XML injection or SQL injection.
In the closest MITRE equivalent, the Containers matrix, “nothing talks about what’s happening inside the container, whether it was the application layer that was compromised by maybe a Python package, or Java, or Go, or node, or just the ability to understand the act of the intrusion,” Elbaz said.
In ATT&CK, the Exploit Public-Facing Application technique (T1190), a common initial-access technique, is broad, encompassing about 65 different types of attacks, he said.
Avi Lumelsky, AI security researcher at Oligo Security, said the Application Attack Matrix breaks the dozens of attacks grouped under that single technique down into real-world scenarios.
“MITRE also covers those, but we tried to break it down into more specific sub-techniques and techniques that are very, very specific to applications, no matter where they run,” Lumelsky said. “We are focusing on cloud applications, but we don’t care what is the cloud provider, whether it’s a container or not, whether it’s a regular machine or Kubernetes. To us, an application is an application.”
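Lumelsky's point that dozens of distinct attacks collapse into the single Exploit Public-Facing Application technique, and the injection classes listed earlier (command, LDAP, XML and SQL injection), can be made concrete with a small detector run over access-log lines. The Python below is an added example written for this page; it is not code from the article or from Oligo Security's matrix. The log lines are constructed, and the sub-technique labels and regexes are this example's own hypothetical choices, not identifiers from Oligo's taxonomy or from ATT&CK.

```python
import re
from urllib.parse import unquote_plus

# Constructed web-server access-log lines (not from the article or from Oligo
# Security). Every request got a 200, so the status code alone says nothing
# about which application-layer technique, if any, was attempted.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2025:10:00:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 512
10.0.0.6 - - [01/May/2025:10:00:02 +0000] "GET /search?q=%27+OR+%271%27%3D%271 HTTP/1.1" 200 8192
10.0.0.7 - - [01/May/2025:10:00:03 +0000] "GET /ping?host=8.8.8.8;cat+/etc/passwd HTTP/1.1" 200 2048
10.0.0.8 - - [01/May/2025:10:00:04 +0000] "GET /login?user=*)(uid=*))(|(uid=* HTTP/1.1" 200 300
10.0.0.9 - - [01/May/2025:10:00:05 +0000] "POST /api/import?payload=%3C!DOCTYPE+x+%5B%3C!ENTITY+xxe+SYSTEM+%22file:///etc/passwd%22%3E%5D%3E HTTP/1.1" 200 100
"""

# Pull method, request target and status out of a common-log-format line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Illustrative sub-technique labels and detection patterns. The names are this
# example's own (hypothetical), not identifiers from Oligo's matrix or from
# MITRE ATT&CK; the patterns are deliberately narrow and would be tuned in practice.
RULES = [
    ("xml_injection", re.compile(r"<!doctype|<!entity|<\?xml", re.IGNORECASE)),
    ("ldap_injection", re.compile(r"\*\)\(|\)\(\||\(\|\(")),
    ("command_injection", re.compile(r"(?:[;|&`]|\$\()\s*(?:cat|ls|id|whoami|curl|wget|nc|bash|sh)\b")),
    ("sql_injection", re.compile(r"\bunion\s+select\b|'\s*or\s+'|'\s*or\s+\d|--\s*$", re.IGNORECASE)),
]

# The coarse ATT&CK-level bucket that all four injection classes collapse into.
COARSE = "exploit_public_facing_application"


def classify_request(target: str) -> str:
    """Return the app-layer sub-technique label for a request target, or 'none'.

    The target is URL-decoded first; matching on the raw, still-encoded string
    would miss most of the payloads above.
    """
    decoded = unquote_plus(target)
    for label, pattern in RULES:
        if pattern.search(decoded):
            return label
    return "none"


def parse_log(text: str) -> list[dict]:
    """Parse access-log lines into events carrying both the coarse and the fine label."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        technique = classify_request(m.group("target"))
        events.append({
            "method": m.group("method"),
            "path": m.group("target").split("?", 1)[0],
            "status": int(m.group("status")),
            "coarse": COARSE if technique != "none" else "benign",
            "technique": technique,
        })
    return events


def summarize(events: list[dict]) -> dict[str, int]:
    """Count events per fine-grained technique label."""
    counts: dict[str, int] = {}
    for e in events:
        counts[e["technique"]] = counts.get(e["technique"], 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        print(f'{e["status"]} {e["method"]} {e["path"]:<12} '
              f'coarse={e["coarse"]:<34} technique={e["technique"]}')
    print(summarize(evs))
```

All four malicious lines carry the same status code and the same coarse label; only decoding the request and matching on the injection pattern yields the finer one. The regexes are far too narrow to deploy as written, and request-level matching still sees nothing of what the application did with the payload, which is the blind spot the article is about; a detector like this sits beside in-application instrumentation, not in place of it.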
The knowledge base that Oligo Security plans to release as open source on GitHub includes a framework and taxonomy for categorizing and exchanging information about application-layer threats, along with steps for mitigation. Leaders of the Tel Aviv, Israel-based company, which was founded in 2022, assert that such a complementary framework is required to understand how attackers circumvent security systems and exploit application vulnerabilities and security blind spots in web, mobile and microservice environments.
“Our new matrix, this new approach, focuses on the application level, which is exactly the kind of attacks that have been spotted in the wild,” Elbaz said. Some of the most devastating attacks, such as Log4Shell, MOVEit and SolarWinds, were carried out inside application contexts, he added.
“We cannot monitor what’s happening inside the application, and this became the biggest blind spot for attackers, and their ability to really stay invisible and undetected by other security tools,” Elbaz said. “The Application Attack Matrix is the first dedicated framework for real world application attacking techniques.”
The Application Attack Matrix is a community effort that Oligo Security envisions as an ongoing project with industrywide support. “It’s everybody’s problem,” Lumelsky said. “I think everybody understands it, and we welcome everybody to contribute.”
The post Oligo Security strives to fill application-layer gaps in MITRE ATT&CK framework appeared first on CyberScoop.