MITRE Attack T1554: Compromise Client Software Binary
The second most prevalent MITRE attack we cover in this series is T1554: Compromise Client Software Binary. For this attack, we must assume that the adversary has breached the outer layers of security with an initial attack and now has complete access to your machine. Once an individual machine is compromised, the next stage is to infiltrate other machines by modifying the binary of an application to insert malicious code. This approach of expanding laterally gave rise to the popular term “computer virus”, and is the most common technique used by attackers. You don’t have to look too far before you encounter a serious virus. Virus threats have been used to target every industry and every type of machine. A few notable examples include Stuxnet, CovidLock, UK National Health Service’s, and APT41 ‘Supply Chain’ Attack.
To remove the possibility of unauthorized modifications to client software binaries (T1554: Compromise Client Software Binary), the most commonly used approach is to employ a program to sign off on each and every code change. Unfortunately, this approach is not foolproof given that the program used to check and sign off on the code is also a piece of software, in turn, leaving it vulnerable to attackers who can modify it to allow malicious updates. In fact, it is well understood that attackers have evolved a whole stream of evasion techniques to either avoid or attack virus scanning software in order to accomplish this task.
How to Protect Against T1554: Compromise Client Software Binary
Anjuna Confidential Computing software offers the means to finally eliminate this attack technique through attestation - ensuring modified code does not run in your machine!
Accomplished leveraging Confidential Computing in secure enclaves, attestation is a code-signing mechanism that relies on the hardware as opposed to software to verify that the code you intend to run has not been modified. Attestation relies on an immutable hardware root of trust as the basis of code signing. Anjuna uses the hardware attestation process to connect to a key manager, and only releases keys to an application after it can cryptographically prove it is the correct, unmodified code. No code can run in a Confidential Computing environment without undergoing the attestation process and by this means, the integrity of the proper application binary is assured by default.
Learn More About Other Attacks!
If you missed our previous blog that dives into detail about how Anjuna provides a solution against MITRE attack T1059: Command and Scripting Interpreter, you can access that below.
Anjuna Protects Against T1059: Command and Scripting Interpreter
To learn more about the other 76 attacks that we protect against and how you can instantly adopt default protection across your entire environment, take a look at our MITRE white paper below!
Eliminate 77 MITRE Attacks With Anjuna
The next blog in our five-part series will focus on MITRE attack T1036: Masquerading. So be sure to stay tuned in!
Try free for 30 days on AWS, Azure or Google Cloud, and experience the power of intrinsic cloud security.
Start Free