Effective and comprehensive threat detection requires understanding the adversary techniques that may pose a threat to your organization, and how to detect and mitigate them. However, the growing volume and breadth of attack techniques make it nearly impossible for any organization to monitor every type of attack. Organizations therefore need tools that help them understand their security readiness and uncover gaps in their defenses, organized around the attacker's own models and methodologies.
For these reasons, MITRE developed the ATT&CK framework. MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base of adversary tactics and techniques based on real-world observations. Its entries are indexed and describe the methods adversaries have actually been seen using, which makes it straightforward for security teams to understand the actions an attacker can take against a particular platform.
MITRE ATT&CK aims to provide a common language for describing adversary behavior and serve as a foundation for developing specific threat models and methodologies. Read on for more about this important security tool.
What is the MITRE ATT&CK Framework
The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a curated knowledge base of adversary behavior observed across the attack lifecycle, organized by the platforms threat actors normally target. It is not only a collection of data; it is meant to be applied to strengthen an organization's security posture.
The framework is designed for defenders at all organizational levels, from analysts to executives. Threat hunters and detection engineers can use MITRE ATT&CK to inform decisions about detection, prevention, and response strategies. It can also be used to benchmark an organization's security posture against specific adversaries, assess gaps in defenses, and measure the effectiveness of security controls.
History of MITRE ATT&CK Framework
MITRE is a nonprofit organization created to provide engineering and technical guidance to the US federal government. In 2013 it began developing the framework as part of an internal research project and named it for the data it collects: ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge). The framework was created to document the tactics, techniques, and procedures that threat actors use against enterprise networks.
In 2015, MITRE ATT&CK was released to the public free of charge, and today it helps security teams in all sectors defend against known and emerging threats. ATT&CK originally focused on threats against enterprise Windows systems, but it now also covers macOS, Linux, mobile, cloud, network infrastructure, and Industrial Control Systems (ICS).
The MITRE ATT&CK Framework Matrix
Specific adversaries favor specific techniques. The MITRE ATT&CK Framework therefore records which adversary groups, and which malware and tools, have been observed using each technique, so a group's known behavior can be laid over the matrix. This lets security teams better understand the adversaries they are dealing with, evaluate their defenses against those adversaries, and strengthen security where it is needed most.
In the ATT&CK matrix, the column headers are the tactics, the phases of the attack chain from Reconnaissance to Impact, and the cells below each header list the techniques that serve that tactic. Users can drill into any technique to see the tactics it supports, the platforms it applies to, procedure examples, detection guidance, and mitigations.
MITRE ATT&CK Tactics
Tactics are the "why" of an attack technique: the adversary's tactical objective, the reason for performing an action. Rather than describing an attack only by its outcome, ATT&CK breaks it into the objectives an adversary pursues while the attack is in progress, which is what a defender can actually observe and detect.
There are 14 adversary tactics cataloged in the Enterprise ATT&CK Matrix:
1. Reconnaissance: gathering information about the target organization to plan future operations.
2. Resource Development: establishing resources (infrastructure, accounts, capabilities) to support operations.
3. Initial Access: getting into your network, for example via spear phishing.
4. Execution: running malicious code, for example launching a remote access tool.
5. Persistence: maintaining a foothold, for example by changing configurations so that access survives reboots or credential changes.
6. Privilege Escalation: gaining higher-level permissions, for example by exploiting a vulnerability to elevate access.
7. Defense Evasion: avoiding detection, for example by abusing trusted processes to hide malware.
8. Credential Access: stealing account names and passwords.
9. Discovery: figuring out the environment and what the adversary can control.
10. Lateral Movement: moving through the environment, for example by using legitimate credentials to pivot across several systems.
11. Collection: gathering data of interest to the adversary's goal, for example from cloud storage.
12. Command and Control: communicating with compromised systems to control them, for example by mimicking normal web traffic.
13. Exfiltration: stealing data, for example by transferring it to a cloud account.
14. Impact: manipulating, interrupting, or destroying systems and data.
MITRE ATT&CK Techniques
A technique describes how an adversary achieves a tactical objective. Each tactic contains many techniques, because adversaries choose among them depending on factors like the target's system configuration, their own skill sets, and the availability of suitable tools. Many techniques are further divided into sub-techniques that describe a more specific behavior; for example, Phishing (T1566) has the sub-technique Spearphishing Attachment (T1566.001).
Each technique entry records how threat actors use it: the platforms the technique applies to, the privileges it requires, the data sources that can reveal it, the adversary groups and software known to use it, ways to mitigate and detect the activity, and references to its use in the real world.
MITRE ATT&CK Common Knowledge or Procedures
The "Common Knowledge" (CK) in the name is the documented use of tactics and techniques by real adversaries. In practice this is the procedure level of TTPs: the specific way a particular group or malware family implemented a technique, recorded as procedure examples on each technique page.
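The matrix structure and the group-to-technique mapping described above are both encoded in the STIX 2.1 bundles MITRE publishes for ATT&CK. The following is an added example, not code from the original article or from MITRE: it builds the tactic-to-technique matrix from attack-pattern objects and lays a group's "uses" relationships onto it. The bundle is a small constructed sample that follows the public bundle's object shapes; the technique IDs and names are real ATT&CK entries, but the STIX ids, the group "Example Group" and its technique list are placeholders.

```python
"""Build an ATT&CK matrix and a group-to-technique map from STIX 2.1 objects.

Added example, not code from the original article or from MITRE. The object
shapes follow the public ATT&CK STIX bundles (github.com/mitre/cti); the bundle
below is a small constructed sample so the script runs offline.
"""
from collections import defaultdict


def _ap(stix_id, ext_id, name, phases, **extra):
    """Minimal attack-pattern object in the shape ATT&CK publishes."""
    obj = {
        "type": "attack-pattern", "id": stix_id, "name": name,
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p} for p in phases],
        "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
    }
    obj.update(extra)
    return obj


# Constructed sample. Technique IDs and names are real ATT&CK entries; the STIX
# ids, the group and its technique list are placeholders, not real ATT&CK data.
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--sample",
    "objects": [
        _ap("attack-pattern--1", "T1566", "Phishing", ["initial-access"]),
        _ap("attack-pattern--2", "T1566.001", "Spearphishing Attachment", ["initial-access"],
            x_mitre_is_subtechnique=True),
        _ap("attack-pattern--3", "T1078", "Valid Accounts",
            ["initial-access", "persistence", "privilege-escalation", "defense-evasion"]),
        _ap("attack-pattern--4", "T1003", "OS Credential Dumping", ["credential-access"]),
        _ap("attack-pattern--5", "T1059.001", "PowerShell", ["execution"], x_mitre_is_subtechnique=True),
        # T1086 was revoked and replaced by T1059.001; revoked objects stay in the real bundle.
        _ap("attack-pattern--6", "T1086", "PowerShell", ["execution"], revoked=True),
        {"type": "intrusion-set", "id": "intrusion-set--1", "name": "Example Group"},
        {"type": "relationship", "id": "relationship--1", "relationship_type": "uses",
         "source_ref": "intrusion-set--1", "target_ref": "attack-pattern--2"},
        {"type": "relationship", "id": "relationship--2", "relationship_type": "uses",
         "source_ref": "intrusion-set--1", "target_ref": "attack-pattern--4"},
        {"type": "relationship", "id": "relationship--3", "relationship_type": "uses",
         "source_ref": "intrusion-set--1", "target_ref": "attack-pattern--6"},
        {"type": "relationship", "id": "relationship--4", "relationship_type": "revoked-by",
         "source_ref": "attack-pattern--6", "target_ref": "attack-pattern--5"},
    ],
}


def attack_id(obj):
    """Return the ATT&CK external ID (e.g. T1566.001) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def live_techniques(bundle):
    """Map STIX id -> technique record, skipping revoked and deprecated objects."""
    out = {}
    for obj in bundle["objects"]:
        if obj["type"] != "attack-pattern" or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        # Mobile and ICS use other kill-chain names; keep only the Enterprise phases.
        tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                   if p["kill_chain_name"] == "mitre-attack"]
        out[obj["id"]] = {"id": attack_id(obj), "name": obj["name"], "tactics": tactics,
                          "subtechnique": bool(obj.get("x_mitre_is_subtechnique"))}
    return out


def build_matrix(bundle):
    """tactic -> sorted technique IDs; a multi-tactic technique appears under each tactic."""
    matrix = defaultdict(list)
    for tech in live_techniques(bundle).values():
        for tactic in tech["tactics"]:
            matrix[tactic].append(tech["id"])
    return {t: sorted(ids) for t, ids in matrix.items()}


def group_techniques(bundle, group_name):
    """Technique IDs a named group 'uses', following revoked-by to the replacement."""
    groups = {o["id"] for o in bundle["objects"]
              if o["type"] == "intrusion-set" and o["name"] == group_name}
    revoked_by = {o["source_ref"]: o["target_ref"] for o in bundle["objects"]
                  if o["type"] == "relationship" and o["relationship_type"] == "revoked-by"}
    techs = live_techniques(bundle)
    used = set()
    for rel in bundle["objects"]:
        if rel["type"] == "relationship" and rel["relationship_type"] == "uses" \
                and rel["source_ref"] in groups:
            target = revoked_by.get(rel["target_ref"], rel["target_ref"])
            if target in techs:
                used.add(techs[target]["id"])
    return used


def group_by_tactic(bundle, group_name):
    """Lay a group's techniques onto the matrix: tactic -> sorted technique IDs."""
    used = group_techniques(bundle, group_name)
    return {t: [i for i in ids if i in used] for t, ids in build_matrix(bundle).items()
            if any(i in used for i in ids)}


if __name__ == "__main__":
    for tactic, ids in build_matrix(SAMPLE_BUNDLE).items():
        print(f"{tactic:22s} {', '.join(ids)}")
    print("Example Group:", group_by_tactic(SAMPLE_BUNDLE, "Example Group"))
```

Two details matter when doing this against the real bundle: revoked and deprecated objects are still present and must be filtered out (here the revoked T1086 is resolved to its replacement T1059.001 through the revoked-by relationship), and the Mobile and ICS matrices use different kill_chain_name values, so the filter on "mitre-attack" is what keeps the Enterprise matrix clean.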
Types of MITRE ATT&CK Matrices
The framework is split into separate matrices by domain (today: Enterprise, Mobile, and ICS). The matrices described here are:
1. Enterprise ATT&CK
This is an adversary model that describes the actions an attacker can take to operate inside an enterprise network. It mainly focuses on post-compromise behavior. This matrix helps organizations prioritize their network defenses around the behaviors that present the greatest risk to their specific enterprise. It also describes the tactics, techniques, and procedures (TTPs) attackers use once they have access to the network.
2. PRE-ATT&CK
This ATT&CK matrix focuses on activities performed before a network is compromised, which normally happen outside the organization's view. It helps security teams understand how attackers perform reconnaissance and select their point of entry, making it possible to monitor and identify attacker activity beyond the corporate network's boundaries. PRE-ATT&CK was retired as a separate matrix in October 2020; its content was folded into the Enterprise matrix as the Reconnaissance and Resource Development tactics listed above.
3. Mobile ATT&CK
The Mobile ATT&CK matrix describes the tactics and techniques attackers can use to compromise iOS and Android devices. It is based on NIST's Mobile Threat Catalogue and includes network-based effects: tactics and techniques that can be used without direct access to the device.
Uses of MITRE ATT&CK Framework
The ATT&CK Framework is widely acknowledged as an authority on understanding the tactics and techniques that attackers use against organizations. It provides a common vocabulary for industry professionals to discuss and collaborate on fighting adversary methods, and it also has practical applications for security teams.
ATT&CK can be used in various ways to support threat intelligence, security operations, and security architecture. Some of the primary use cases are:
i) Adversary Emulation
Adversary emulation assesses security by applying knowledge of a specific adversary and how they operate to emulate that threat. ATT&CK can be used to build adversary emulation scenarios that test and verify defenses against the techniques that adversary is known to use.
ii) Red Teaming
MITRE ATT&CK can be used to create red team plans and organize operations that avoid the defensive measures in place within a network. The red team acts as an adversary to demonstrate the impact of a breach.
iii) Behavioral Analytics Development
MITRE ATT&CK can be used to construct and test behavioral analytics to detect malicious activity within an environment.
iv) Defensive Gap Assessment
MITRE ATT&CK can be used as a common, behavior-focused adversary model to assess existing tools or test new ones, determine security coverage, and prioritize investment. It shows which parts of the enterprise lack defenses and visibility.
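The two use cases above, building analytics and measuring gaps, fit together: each analytic is tagged with the technique it detects and the telemetry it needs, so running the analytics validates them and comparing their technique set against an adversary's known techniques reveals where coverage is missing. The following is an added example, not code from the original article or from MITRE. The process-creation events, the analytics, the adversary profile and the telemetry inventory are all constructed here; only the technique IDs are real ATT&CK IDs.

```python
"""Tag detections with ATT&CK technique IDs and measure coverage against a group.

Added example, not from the original article or from MITRE. Events, analytics,
the adversary profile and the telemetry inventory are constructed so the script
runs offline; the technique IDs are real ATT&CK IDs, everything else is made up.
"""
import re

# Constructed Sysmon-style process-creation events (Event ID 1 shape, simplified).
EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAoAE4A"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -c Get-Date"},
    {"image": r"C:\Tools\procdump64.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "procdump64.exe -accepteula -ma lsass.exe lsass.dmp"},
]

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
SHELLS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")


def _base(path):
    """File name of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


# Each analytic carries the technique it detects and the telemetry it needs, so
# a hit or a gap can be placed on the matrix. Constructed, Sigma-style logic.
ANALYTICS = [
    {"technique": "T1059.001", "tactic": "execution", "data_source": "process_creation",
     "name": "PowerShell with encoded command",
     "match": lambda e: (_base(e["image"]) == "powershell.exe"
                         and re.search(r"(?i)\s-(e|ec|enc|encodedcommand)\s", e["cmdline"]))},
    {"technique": "T1204.002", "tactic": "execution", "data_source": "process_creation",
     "name": "Office application spawning a shell",
     "match": lambda e: _base(e["parent"]) in OFFICE_APPS and _base(e["image"]) in SHELLS},
    {"technique": "T1003", "tactic": "credential-access", "data_source": "process_creation",
     "name": "procdump targeting LSASS",
     "match": lambda e: _base(e["image"]).startswith("procdump") and "lsass" in e["cmdline"].lower()},
]

# Constructed adversary profile: technique -> (tactic, telemetry it would appear in).
# In practice this comes from the ATT&CK group page or the STIX 'uses' relationships.
GROUP_PROFILE = {
    "T1566.001": ("initial-access", "email_gateway"),
    "T1204.002": ("execution", "process_creation"),
    "T1059.001": ("execution", "process_creation"),
    "T1003": ("credential-access", "process_creation"),
    "T1021.002": ("lateral-movement", "network_share"),
    "T1071.001": ("command-and-control", "network_traffic"),
}
# Constructed telemetry inventory for the environment being assessed.
COLLECTED = {"process_creation", "network_share"}


def run_analytics(events, analytics=ANALYTICS):
    """Return (event_index, technique, analytic name) for every analytic that fires."""
    hits = []
    for i, ev in enumerate(events):
        for a in analytics:
            if a["match"](ev):
                hits.append((i, a["technique"], a["name"]))
    return hits


def assess_coverage(profile, analytics=ANALYTICS, collected=COLLECTED):
    """Classify each technique the adversary uses:
    'covered' - an analytic exists for it,
    'visible' - the telemetry is collected but no analytic looks at it,
    'blind'   - the telemetry it would appear in is not collected at all."""
    have = {a["technique"] for a in analytics}
    report = {}
    for tech, (tactic, source) in profile.items():
        if tech in have:
            status = "covered"
        elif source in collected:
            status = "visible"
        else:
            status = "blind"
        report[tech] = (tactic, status)
    return report


def gaps_by_tactic(report):
    """Group uncovered techniques by tactic so investment can be prioritized."""
    out = {}
    for tech, (tactic, status) in sorted(report.items()):
        if status != "covered":
            out.setdefault(tactic, []).append((tech, status))
    return out


if __name__ == "__main__":
    for idx, tech, name in run_analytics(EVENTS):
        print(f"event {idx}: {tech} {name}")
    print(gaps_by_tactic(assess_coverage(GROUP_PROFILE)))
```

The distinction between "visible" and "blind" is the useful output: a visible gap can be closed by writing an analytic against telemetry you already have, while a blind gap first needs a new data source, which is a different and usually larger investment.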
v) SOC Maturity Assessment
MITRE ATT&CK can be used as one measurement to determine how effective a SOC (Security Operations Center) is at detecting, analyzing, and responding to intrusions.
vi) Cyber Threat Intelligence Enrichment
ATT&CK enables a shared understanding of threats and threat actors. It lets the security team assess whether they can protect against specific APTs (Advanced Persistent Threats) and against the behaviors that are common across several threat actors.
Benefits of Using MITRE ATT&CK
The primary benefit of the ATT&CK framework is that it enables organizations to understand how adversaries operate and the steps they take to gain initial access, discover the environment, move laterally, and exfiltrate data. This lets security teams view activity from the attacker's perspective, leading to a richer understanding of adversary incentives and tactics.
In turn, organizations can use that knowledge to identify gaps in their security posture and improve threat detection and response, because teams can anticipate an attacker's next moves and remediate quickly. In cybersecurity, understanding what the attacker is deploying greatly assists the defense of devices, networks, and users.
Additionally, in a field with a severe cybersecurity skills shortage, the framework helps newly hired security staff by giving them the knowledge and research tools needed to come up to speed on any threat quickly. They can draw on the collective knowledge of the experienced security practitioners who have contributed to the MITRE ATT&CK matrices.
Conclusion on MITRE ATT&CK
MITRE ATT&CK provides a common taxonomy of individual adversary actions understood by cybersecurity’s defensive and offensive sides. It includes a comprehensive matrix of techniques and tactics used by attackers and the corresponding detections and mitigations. By using MITRE ATT&CK, your organization’s IT and security teams can develop threat models, prioritize security investments, develop detection strategies, and evaluate security tool efficacy. Also, you can use it to share threat and defense information between companies.