Book a demo

Mapping Talon’s Enterpriser Browser Capabilities To the MITRE ATT&CK Framework

What is MITRE ATT&CK?

MITRE ATT&CK® is a comprehensive, open framework for consistently identifying, classifying, and deconstructing cyberattacks. It includes a vast knowledge base of common adversarial tactics, techniques, and procedures (TTPs) based on real-world observations. Organizations can use ATT&CK to assess risks, strengthen security, and improve threat detection and mitigation efforts.

The ATT&CK framework provides a common taxonomy that lets security professionals (SOC staff, threat hunters, red and blue teams, pen testers, security vendors, threat intelligence providers, etc.) easily exchange information and collaborate using the same language. It helps information security teams identify security gaps, reduce vulnerabilities, and shore up defenses.

ATT&CK organizes adversarial techniques into a collection of tactics to help security professionals efficiently detect, track, and mitigate threats. The tactics describe what the adversary is trying to accomplish, e.g., gain initial access to a system. The techniques (and sub-techniques) describe the actions the adversary takes to achieve their goals, e.g., via a phishing attack.

The current matrix, ATT&CK v13, includes three distinct collections of tactics:

  • Enterprise tactics for Windows, macOS, Linux, cloud, and network systems
  • Mobile tactics for Apple iOS and Android devices
  • Industrial Control Systems (ICS) tactics for Supervisory Control and Data Acquisition (SCADA) systems and other industrial control systems

The Talon Enterprise Browser is a hardened, Chromium-based browser with advanced security functionality, specifically designed to protect modern web applications and hybrid workforces.

Talon browser transforms the usual web browser into a full-fledged enterprise security monitoring and policy enforcement engine, giving corporate IT and security teams deep visibility and tight control over web services and user actions.

This matrix describes how Talon’s Enterprise Browser addresses certain MITRE ATT&CK enterprise tactics, techniques, and sub-techniques.

Array
(
    [0] => WP_Term Object
        (
            [term_id] => 17
            [name] => Talon's Coverage of MITRE ATT&CK
            [slug] => talons-coverage-of-mitre-attack
            [term_group] => 0
            [term_taxonomy_id] => 17
            [taxonomy] => mitre-type
            [description] => 
            [parent] => 0
            [count] => 0
            [filter] => raw
            [term_order] => 36
        )

)

Talon’s Coverage of Mitre Att&Ck

Talon’s Coverage of MITRE ATT&CK (1 – 2)
Collection

TalonWork prevents malicious keyloggers from intercepting keystrokes. In addition, TalonWork allows read-only mode for web services, so users would not be able to post any content to the website.

TalonWork lets you suppress video recordings of webpages and files. In addition, TalonWork can disable an endpoint’s camera throughout a web session.

TalonWork lets you suppress screen captures or screen-sharing of webpages.

TalonWork lets you suppress video and audio recordings of webpages and files.

TalonWork protects against infostealers, man-in-the-browser (MitB) attacks, and pre-existing malware used to steal access tokens and cookies from disk or browser memory. TalonWork stores access token and cookie encrypted to defend against theft if a device is compromised.

You can use TalonWork’s data loss prevention features to suppress clipboard cut, copy, paste and drag and drop functions and prevent data exfiltration.

Command and Control

TalonWork logs all HTTP/HTTPS traffic with various verbosity levels. It analyzes traffic, automatically detecting and blocking malicious command and control communications.

TalonWork logs all web traffic with various verbosity levels. It analyzes traffic, automatically detecting and blocking illegitimate command sequences.

TalonWork logs all web service traffic with various verbosity levels. It analyzes traffic, automatically detecting and blocking illegitimate command sequences.

TalonWork logs all HTTP/HTTPS traffic with various verbosity levels. It analyzes traffic, automatically detecting and blocking malicious behavior, such as activity symptomatic of dead-drop resolver exploit.

Command and Control (3 – 4)
Credential Access

Talon can detect credentials transferred via chat messages (Slack, Jira, or other tools) and block their transmission to other users.

TalonWork supports MFA to defend against password cracking. Even if a threat actor cracks a password they must provide another form of identification (authentication factor) to gain access to the browser. In addition, TalonWork alerts and optionally locks the browser when multiple login attempts are detected.

TalonWork encrypts saved credentials to defend against credential theft if a device is compromised.

TalonWork provides a cloud-based credential vault that centralizes, isolates and encrypts passwords, eliminating the credential theft risks commonly associated with third-party password managers.  

TalonWork protects against infostealers, man-in-the-browser (MitB) attacks, and pre-existing malware used to identify and harvest unsecured credentials. TalonWork saves credentials encrypted to defend against credential theft if a device is compromised.

TalonWork protects against infostealers, man-in-the-browser (MitB) attacks, and pre-existing malware used to steal application access tokens TalonWork saves credentials encrypted.

TalonWork prevents malicious keyloggers from intercepting keystrokes. In addition, TalonWork allows read-only mode for web services, so users would not be able to post any content to the website.

TalonWork supports granular, policy-based MFA to secure access to specific user actions such as accessing the web. MFA defends against forged web cookies by requiring multiple forms of authentication to gain access to web applications or services.

TalonWork protects against MitM attacks by allowing only trusted TLS CAs, by preventing users from disabling the option to ignore SSL errors, and by using DNS-over-HTTPS. In addition, with TalonWork you can block pages within unsecured content (coming from HTTP and presented on HTTPS websites) Moreover, TalonWork can block basic authentication attempts over HTTP websites.

Defense Evasion

TalonWork prevents malicious HTML or JS code from being executed in the browser.

TalonWork encrypts session cookies. If an attacker gains illicit access to a device, they are unable to decrypt the cookie and hijack the session.

TalonWork admins can ensure that access can be only granted to users with the appropriate device posture. TalonWork can lock itself if an adversary attempts to modify or disable security tools.

TalonWork’s device posture assessment feature automatically validates an endpoint’s security posture before granting users browser access. For example, it can automatically identify the underlying operating system, patch version, installed security software installed on the device. Once a session is established, TalonWork continuously monitors devices and revokes access upon policy violations to defend against downgrade attacks and other threats and vulnerabilities.

Defense Evasion (5 – 6)
Discovery

The Talon Browser protects against infostealers, man-in-the-browser (MitB) attacks, and pre-existing malware used to steal browser information

Execution

TalonWork’s malicious domain and URL protection feature blocks access to domains and URLs that are known to be malicious.

TalonWork optionally integrates with CrowdStrike Falcon X™ to deliver advanced malware protection. The joint solution prevents TalonWork users from uploading or downloading potentially harmful files. When a user attempts to upload or download a file, TalonWork automatically forwards the file to Falcon X for analysis. In addition, TalonWork also has native file scanning capabilities for malicious file identification. TalonWork can prevent users from opening specific file types such as .exe., based on policy.

With TalonWork you can dramatically reduce attack surfaces by disabling vulnerable browser components including JavaScript JIT and WebRTC.

Execution (7 – 8)
Exfiltration

TalonWork lets you optionally encrypt files downloaded to an endpoint so users can only open the encrypted files using TalonWork. An attacker will not be able to read the files on the disk if they are stolen, due to the encryption applied to them. Additionally, TalonWork can disable the WebBluetooth API component to block web applications from pairing with nearby devices and accessing their services.

TalonWork lets you optionally encrypt files downloaded to an endpoint so users can only open the encrypted files using TalonWork. An attacker will not be able to read the files on the disk if they are stolen, due to the encryption applied to them. Additionally, TalonWork can disable the WebUSB API component to block web applications from connecting physical devices and accessing their services.

You can use TalonWork to prevent users from copying data to an unauthorized cloud storage service. TalonWork’s application login restrictions feature lets you tightly control access to applications and services based on a user’s login credentials. For example, you could allow a user to access a given cloud storage service only using their corporate login credentials to prevent them from copying data to their personal cloud storage account.      

With TalonWork you can defend against alternative protocol exfiltration exploits by controlling which specific protocols can be used in the browser.

You can use TalonWork to prevent users from copying data to an unauthorized cloud storage service. TalonWork’s application login restrictions feature lets you tightly control access to applications and services based on a user’s login credentials. For example, you could allow a user to access a given cloud storage service only using their corporate login credentials to prevent them from copying data to their personal cloud storage account.

The Talon Browser can prevent adversaries from copying data to third-party sites like text storage sites. Talon can also block access to specific websites and services, such as text storage sites.

TalonWork can prevent adversaries from copying data to third-party sites like code repositories. TalonWork can also block access to specific website and services such as code repositories.

Impact
Impact (9 – 10)
Initial Access

TalonWork’s native file-scanning capabilities automatically detect and block downloads from spearphishing links. In addition, TalonWork’s malicious domain and URL protection feature blocks access to domains and URLs that are known to be malicious. It also detects and blocks access to suspicious URLs embedded in webpages.

TalonWork integrates with popular Identity Providers (IdPs) to support policy-based conditional access controls. Conditional access lets you tightly control which specific users can access which specific applications from TalonWork. You can also use conditional access to prevent users from accessing certain applications from browsers other than TalonWork.

TalonWork has native file scanning capabilities for malicious file identification. It prevents TalonWork users from uploading or downloading malicious file. TalonWork optionally integrates with CrowdStrike Falcon Intelligence™ to scan files in an additional scanning engine.

TalonWork has native file scanning capabilities for malicious file identification. It prevents TalonWork users from uploading or downloading malicious file. TalonWork optionally integrates with CrowdStrike Falcon Intelligence™ to scan files in an additional scanning engine.  

TalonWork’s malicious domain and URL protection feature blocks access to domains and URLs that are known to be malicious. It also detects and blocks access to suspicious URLs embedded in webpages. In addition, with TalonWork you can dramatically reduce attack surfaces by disabling a wide range of vulnerable browser components like JavaScript JIT and WebRTC.

Lateral Movement

TalonWork integrates with popular Identity Providers (IdPs) to support policy-based conditional access controls. Conditional access lets you tightly control which specific users can access which specific applications using TalonWork. You can also use conditional access to prevent users from accessing certain applications from browsers other than TalonWork.

Lateral Movement (11 – 12)
Persistence

TalonWork integrates with popular Identity Providers (IdPs) to support policy-based conditional access controls. Conditional access lets you tightly control which specific users can access which specific applications from TalonWork. You can also use conditional access to prevent users from accessing certain applications from browsers other than TalonWork.

You can configure TalonWork to allow users to install only specific extensions, or to prevent users from installing any or only specific extensions. You can also prevent extensions from accessing specific websites, and prevent extensions from accessing cookies and other authentication tokens from web requests. In addition, you can use TalonWork to identify and prevent the installation of malicious extensions that may steal data, tokens, or credentials; or may surreptitiously perform illicit actions on behalf of users in either enterprise applications (e.g., deleting records from an internal app) or external applications (e.g., posting to Facebook).

Privilege Escalation

TalonWork protects against infostealers, man-in-the-browser (MitB) attacks, and malware already installed on a given device. Infostealers, MitB attacks, and malware can interact with browsers to steal access tokens, cookies, or credentials – either from disk, or directly from the browser memory.

TalonWork secures access to corporate apps and continuously authorizes users in accordance with zero-trust principles to prevent unauthorized privileged access.Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

TalonWork protects against infostealers, man-in-the-browser (MitB) attacks, and malware already installed on a given device. Infostealers, MitB attacks, and malware can interact with browsers to steal access tokens, cookies, or credentials – either from disk, or directly from the browser memory.Adversaries may duplicate then impersonate another user’s token to escalate privileges and bypass access controls.

Privilege Escalation (13 – 14)
Reconnaissance
Resource Development

Learn how Talon’s Enterprise Browser maps to the MITRE ATT&CK framework.

Download Whitepaper

Talon has joined forces with Palo Alto Networks to secure all users and devices

Learn more