Most companies secure their enterprise against cyber adversaries by using perimeter defenses and blocking known indicators of compromise (IOC). However, relying heavily on blacklisting using IOCs (e.g., IP addresses, domains, malware hashes) to detect and block attackers provides only limited protection. Cyber attackers always try to find the quickest path to breaching your defenses and might fly below the radar. As a result, a robust security plan should not begin or end at the perimeter, but instead it should leverage an understanding of a cyber-attack lifecycle.

Adversary preparatory activities are largely executed outside the enterprise perimeter, making them more difficult to detect. Cyber attackers target their victims using the wealth of information available on the internet and take advantage of an enterprise’s third-party relationships to gain access to a target’s infrastructure. It is therefore important and critical for the defenders to expand their ability to monitor and understand the attackers’ actions before they even reach the corporate boundaries. This is where the PRE-ATT&CK framework comes in handy.

Building on the MITRE ATT&CK framework, PRE-ATT&CK provides organizations with the knowledge to prevent an attack based on certain indicators of attack. The framework analyzes the tactics, techniques, and procedures (TTPs) adversaries use to select a target, obtain information, and launch a campaign. The biggest benefit of the PRE-ATT&CK framework is that it arms organizations with a broader understanding of how cybercriminals act. This understanding can then be used to develop and implement technical or policy-based mitigations and evaluate the quality of cyber threat intelligence data sources.

The objective of PRE-ATT&CK is to answer these three questions:

  • What are the signs that an adversary might be targeting an organization?
  • What are the common techniques adversaries use?
  • How should organizations prioritize cyber threat intelligence to gain valuable early warning insights?

PRE-ATT&CK adopts the same approach as ATT&CK, focusing on pre-attack actions. However, these two frameworks have several fundamental differences, including:

  • ATT&CK is focused on a specific enterprise network while PRE-ATT&CK is network agnostic because the attacker can operate across any environment for their preparation activities.
  • The mitigations in ATT&CK can be very specific and effective. Alternately, PRE-ATT&CK mitigations might not be as precise or comprehensive considering the inability to fully discover all adversary activities.
  • While many of the ATT&CK mitigations require increased end-point monitoring, PRE-ATT&CK largely requires additional data sources to obtain actionable intelligence about adversarial objectives and activities.

The actions adversaries perform prior to launching their attacks are described in the 15 PRE-ATT&CK tactics.

  1. Priority Definition Planning: based on defined key strategic, operational, and tactical goals.
  2. Priority Definition Direction: requirements for meeting Key Intelligence Topics (KIT) and Key Intelligence Questions (KIQ).
  3. Target Selection: targets are determined by first beginning at the strategic level and then narrowing down operationally and tactically until a specific target is chosen.
  4. Technical Information Gathering: Identify critical technical elements an adversary will need about a target to best attack.  Technical intelligence gathering includes understanding the target’s network architecture, IP space, network services, email format, and security procedures.
  5. People Information Gathering: focuses on identifying key individuals with critical accesses to best approach a target for attack. It may involve social engineering, elicitation, and mining social media sources.
  6. Organizational Information Gathering: Organizational intelligence-gathering focuses on understanding the operational tempo of an organization and gathering a deep understanding of the organization and how it operates to best develop a strategy to target it.
  7. Technical Weakness Identification: Identify and analyze weaknesses and vulnerabilities collected during the intelligence phase to determine the best approach based on technical complexity and adversary priorities.
  8. People Weakness Identification: Identify and analyze weaknesses and vulnerabilities from the respective intelligence phase which can be leveraged to gain access to the target.
  9. Organizational Weakness Identification: Identify and analyze weaknesses and vulnerabilities from the intelligence gathering phases which can be leveraged to gain access to the target.
  10. Adversary OPSEC: Involves the use of various technologies to obfuscate, hide, or blend in with legitimate network traffic or system behavior. The adversary may use these techniques to evade defenses, reduce attribution, and minimize discovery.
  11. Establish & Maintain Infrastructure: This phase involves building and maintaining systems and services used to conduct cyber operations.
  12. Persona Development: Develop presence and appropriate affiliations to be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona.
  13. Build Capabilities: Identify requirements and implement solutions such as malware, delivery mechanisms, and cryptographic protections.
  14. Test Capabilities: Refine goals and criteria to ensure success during an operation.
  15. Stage Capabilities: Prepare operational environment required to conduct the operation. This includes activities such as deploying software, uploading data, enabling command and control infrastructure.

PRE-ATT&CK frameworks consists of 174 techniques spread throughout the 15 tactics that are used to execute an attack successfully.

As the Verizon DBIR 2020 report has highlighted, the majority of cyber incidents are launched quickly. Knowing the actions attackers take before breaching your defenses gives organizations an advantage because they can choose where to intercept them. With a more granular understanding of adversary activities, defenders can make more informed decisions about the potential technical and policy-based mitigations they can adopt to reduce adversary success. PRE-ATT&CK provides the structure and breadth required for defenders to track adversary behaviors and assess data sets that will increase their insight into adversary activity.

Cybersecurity risk is real. What organizations need is cybersecurity programs and technology investments informed by security and vulnerability assessments. ITEGRITI can help you identify not only indications of compromise but indicators of attacks and apply the security controls required to minimize adversary success. Learn how on our website.