PRIMER ON MITRE ATT&CK 101

PRIMER ON MITRE ATT&CK 101

I am here with a blog on the MITRE ATT&CK because it has gained a lot of attention and popularity in recent years.

ATT&CK is a framework developed by MITRE. It is globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge.

It is a way of telling a story, a story about how an attacker is going to progress through their mission, what steps they are going to take or what steps are possible for them to take in order to execute a successful attack.

It does 2 things:

  1. It narrow downs your search by giving you all the possibilities of different techniques.
  2. They have been collecting the data on well-known attackers and mapping that to their framework constantly, which makes them unique.

Because, it is based on real-world observations of past attacks, it gives us detailed insights on what adversaries have done in past to conduct attack, and on what adversaries are likely doing pre and post attack.

 

Why ATT&CK was created:

It is like an encyclopedia which has all the information’s about different activities of attackers.

ATT&CK is open and available to any person or organization for use at no charge.

The main reason why ATT&CK was created and it became so popular in short time in the industry is that it provides same language for all the teams of an organization. It’s also a great starting point to get multiple people and teams on the same page, using the same terminology for security testing and mitigation as it provides specific name and numbers for different attack techniques.

 

MITRE ATT&CK can help us achieve Difficult task of detecting TTPs:

ATT&CK focuses on TTPs: Tactics, Techniques, and procedures

Let’s understand why it focuses on TTPs using pyramid of pain shown below:

The point of detecting this indicator is to respond to them by analyzing it and stopping adversaries at that level. It depends on how quickly we can deny adversaries using one of those indicators when they are trying to attack us.

It shows 6 different indicators. The point of detecting this indicator is to respond to them by analyzing it and stopping adversaries at that level. It depends on how quickly we can deny adversaries using one of those indicators when they are trying to attack us.

This pyramid shows what is easy for adversaries to do and what is most difficult for adversaries to do. So here at the apex we can see

TTPs : Tactics, Techniques and procedures

 When we detect and respond at this level, we are operating directly on adversary behaviors. It is the most difficult thing for an adversary to change in their behaviors and pattern of carrying an attack. So instead of figuring out which tool they are using, first if we can get to know their TTPs, we can secure our systems far better and if we are already under attack, we can detect it in early stage and mitigate those.

MITRE ATT&CK Framework can help us figure out those TTPs very quickly and with that,

If we can respond to adversary TTPs quickly enough, we force them to do the most difficult and time-consuming thing to do which is learning new behaviors.

 

MITRE ATT&CK Matrices:

It is Free, Open, globally accessed tool. You can access it on: https://attack.mitre.org/

It contains 3 Matrix:

  1. Enterprise
  2. Mobile
  3. ICS (Industrial Control Systems)

Enterprise it the most popular one. The Matrix contains information for the following platforms: Windows, macOS, Linux, PRE, Azure AD, Office 365, Google Workspace, SaaS, IaaS, Network, Containers.

They are displayed in matrices that are arranged by attack stages, from Reconnaissance and initial system access to Privilege escalation, Command and Control to the Impact of the attack.

It is constantly being updated but at the time of writing this blog it has:

Enterprise Tactics: 14

Enterprise Techniques: 185

Enterprise Sub-techniques: 367

Tactics and techniques is a way of analyzing real-world cyberattacks.

Top Row is Tactics                           : Adversaries Technical goals
Under each of those Techniques : How the adversary achieve their goal

Here the techniques are most important because it is a specific single step taken by attacker to exploit any system. And if we can detect it early enough, we can prevent future attacks or stop the one which is currently happening. For that ATT&CK provides many details about each technique including a description, examples, references, and suggestions for mitigation and detection.

 

MITRE ATT&CK VS Lockheed Martin’s Cyber Kill Chain:

After looking at the Matrix, some of us might remember Lockheed Martin’s Cyber Kill Chain. They both resemble each other because they define the steps an attacker uses to achieve their goal. So let’s compare them:

As we can see, both follow the same pattern, but ATT&CK provides us with more detailed techniques and sub-techniques.

We can say that they are complementary. ATT&CK sits at a lower level of definition to describe adversary behavior than the Cyber Kill Chain. ATT&CK Tactics may not be followed by adversary in the same order, because the goal of an adversary changes throughout an operation and also based on type of attack, whereas the Cyber Kill Chain have all the phases are in ordered manner to describe high-level adversary objectives.

But the Cyber Kill Chain does not go deep into what to do after an attacker has broken into your network successfully, and all those different techniques which ATT&CK Matrix has.

So, we can say that Cyber kill chain has several security gaps because it has not been modified since its created, but MITRE ATT&CK Framework has filled in all of those gapes and the main advantage is, it’s constantly being updated and expanded by the community.

 

Different Enterprise ATT&CK Tactics:

  1. Reconnaissance: Techniques an adversary uses to do active or passive information gathering. Which can be used to plan out the roadmap of an attack. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle.
  2. Recourse development: Techniques an adversary uses when he is trying to establish resources which they can use to later to support different stages of their operations. These resources can be leveraged by the adversary to use in other phases of the adversary lifecycle, such as using purchased domains to support Command and Control, email accounts for phishing as a part of Initial Access, or stealing code signing certificates to help with Defense Evasion.
  3. Initial access: Techniques an adversary uses when he is trying to get into your network to establish that initial foothold within the network. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords. It can be gained by Exploiting public facing application, Phishing/Spear phishing etc.
  4. Execution: Techniques where an adversary is trying to run an adversary-controlled malicious code on a local or remote system. An adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery, or it can abuse windows command shell, python scripts or java scripts.
  5. Persistence: Techniques used by an adversary to maintain persistent access of a compromised system. They make sure that restarts, changed credentials, and other interruptions that could cut off their access. It can be achieved by Adding Office 365 Global Administrator Role, Boot or Logon AutoStart Execution
  6. Privilege escalation: Techniques used by an adversary to gain higher-level privileges on a system or network. Adversaries start with entering and exploring a network with unprivileged access, but it requires elevated permissions to gain sensitive information and complete the attack. It is achieved by taking an advantage of system weaknesses, misconfigurations, and vulnerabilities.
  7. Defense evasion: Techniques where the adversary is trying to avoid being detected through the whole attack. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. He may Bypass User Account Control (UAC) mechanisms to elevate process privileges on system.
  8. Credential access: Techniques for stealing credentials such as account names and passwords. He can use Techniques like keylogging or credential dumping, brute force attack, Forced Authentication, etc.
  9. Discovery: Techniques where the adversary is trying to figure out your environment and gain knowledge about the system and internal network. So, he can observe the environment and prepare himself before deciding how to act.
  10. Lateral movement: Techniques used by adversary when he is trying to move through our environment after compromising it. Adversary typically have to pivot through multiple systems and accounts to find the weakest link in the chain of machines, to ultimately reach their end objective. They might install their own remote access tools to do this. He can also use techniques like Remote service session hijacking, pass the hash etc.
  11. Collection: Techniques used by adversary when he is trying to gather relevant data which will help them with their end goal. They can use Input capture, Audio capture, Man-in-the-Middle etc.
  12. Command & Control:Techniques used by adversary to communicate with compromised systems to control them. This type of the channel provides attackers with direct remote access to the compromised system in the target environment. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses.
  13. Exfiltration: Techniques used by adversary to steal data from our network. Most of the times adversaries package collected data to avoid detection while removing it. Compression and encryption can be used for that. For getting data out of a victim’s network, adversary typically transfers it over their command-and-control channel or an alternate channel. It can be also done over physical medium or through web services.
  14. Impact: Techniques used by adversary to disrupt availability or compromise integrity by manipulating, interrupting, or destroying victim’s system and data or using Denial of Service. Techniques used for impact can include Account access removal, destroying or tampering with data or Endpoint Denial of Service. In some cases, business processes can look fine, but it may have been altered by adversaries to achieve their goals.

Now that we’ve covered the basics of ATT&CK framework you can look forward to future blog post where I will write about how you can start using ATT&CK for Cyber Threat Intelligence (CTI).

Thanks for reading.

Copyright © 2023 Clear Infosec. All Rights Reserved.