In the next series of blogs, we are going to discuss and analyze the famous MITRE ATT&CK Framework, which is used extensively in threat intelligence. We will begin by providing an overview of the framework and as we progress, we will elaborate on the framework’s matrices.

The best definition of what the framework is can be found on their homepage (where else?): “MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.”

The tactics and techniques are displayed in matrices that are arranged by attack stage, from initial system access to data theft or machine control. There are matrices for the common desktop platforms (Linux, macOS and Windows), for cloud platforms such as AWS, Google Cloud Platform, Office 365 and Microsoft Azure, and for the mobile platforms iOS and Android.

ATT&CK is an acronym and stands for Adversarial Tactics, Techniques, and Common Knowledge.

Tactics and techniques are a modern way of looking at cyberattacks. Rather than examining the results of an attack by focusing on known indicators of compromise, security analysts prefer to identify indicators of attack: the tactics and techniques that show an attack is in progress. Tactics are the objectives, the “why” behind an attack; techniques represent “how” an adversary operationalizes those tactical objectives.

Common knowledge is the documented procedures used by adversaries to implement their tactics and techniques. Another term widely used in cybersecurity to describe an adversary’s approach is “tactics, techniques, and procedures,” or TTP.

The ATT&CK framework was created back in 2013 by MITRE, a government-funded research organization that is an offshoot of MIT and has been involved in numerous top-secret projects for various agencies, including the development of the FAA air traffic control system and the AWACS airborne radar system. MITRE has a substantial cybersecurity practice funded by the National Institute of Standards and Technology (NIST).

ATT&CK was created out of a necessity to systematically categorize adversary behavior as part of conducting structured adversary emulation exercises within MITRE’s Fort Meade Experiment research environment. The goal is to create a comprehensive list of known adversary tactics and techniques used during a cyberattack. MITRE ATT&CK is intended to establish a standard taxonomy that makes communication between organizations more specific.

There are three implementations, or matrices, of the ATT&CK framework.

Enterprise ATT&CK: ATT&CK for Enterprise is an adversary model and framework for describing the actions an adversary may take to compromise and operate within an enterprise network. The model can be used to better characterize and describe post-compromise adversary behavior. It both expands the knowledge of network defenders and assists in prioritizing network defense by detailing the tactics, techniques, and procedures (TTPs) cyber adversaries use to gain access and execute their objectives while operating inside a network.

PRE-ATT&CK: Adversary pre-compromise activities are largely executed outside the enterprise’s field of view, making them more difficult to detect. Cyber adversaries target their victims using information available on the internet and take advantage of an enterprise’s third-party relationships to gain access to a target’s infrastructure. PRE-ATT&CK allows defenders to expand their ability to monitor and understand adversary actions outside the boundaries of their enterprise.

Mobile ATT&CK: This is a profile of ATT&CK for the mobile environment. ATT&CK for Mobile builds upon NIST’s Mobile Threat Catalogue, providing a model of adversarial tactics and techniques used to gain access to mobile devices as well as tactics and techniques to further take advantage of that access to accomplish adversarial objectives. ATT&CK for Mobile also depicts network-based effects, which are adversarial tactics and techniques that an adversary can employ without access to the mobile device itself. Each adversarial technique includes a technical description along with applicable mitigation/countermeasure approaches, applicable detection analytics, and examples of use.

Finally, in March 2020, MITRE released the ATT&CK for Industrial Control Systems (ICS) matrix, a curated knowledge base of cyber adversary behavior in the ICS technology domain. It reflects the various phases of an adversary’s attack life cycle and the assets and systems they are known to target. ATT&CK for ICS originated from MITRE internal research focused on applying the ATT&CK methodology to the ICS technology domain.

The MITRE ATT&CK matrix visually arranges all known tactics and techniques into an easy-to-understand format. Tactics are shown across the top, and the individual techniques that implement each tactic are listed down its column.

Figure 1: ATT&CK for Enterprise matrix.

An attack sequence involves at least one technique per tactic used, and a complete attack sequence is built by moving from left (Initial Access) to right (Impact). Multiple techniques may be used per tactic. On the other hand, an attacker doesn’t need to use all twelve tactics. As various cybersecurity reports have indicated (such as the Verizon DBIR), an attacker will use the minimum number of tactics needed to achieve their objective, as this is more efficient and offers less chance of discovery.

For example, let’s assume that an attacker is after sensitive corporate data stored in a SaaS platform. If they choose to launch a spear-phishing attack to steal privileged credentials, the Initial Access tactic is implemented via the spear-phishing link technique.

Figure 2: Example of using MITRE ATT&CK. Source.

Using the compromised credentials, the adversary can search for remote systems where corporate data is stored. Once they discover and gain access to the SaaS platform, the attacker can collect the data and save it on their own machine.

This simplified attack is described in the figure above, using tactics and techniques of the ATT&CK framework.

Organizations can benefit in various ways from using the MITRE ATT&CK framework. ATT&CK can be used to create adversary emulation scenarios to test and verify in-place cybersecurity controls against common adversary techniques. Campaigns based around ATT&CK can make it easier to track attacks, decipher patterns, and rate the effectiveness of defense tools already in place.

ATT&CK can also be used to construct and test behavioral analytics to detect insiders’ adversarial behavior and to assess tools, monitoring, and mitigations of existing defenses within an organization’s enterprise. The framework can be used as one measurement to determine how effective a SOC is at detecting, analyzing, and responding to intrusions. Finally, ATT&CK is useful for understanding and documenting adversary group profiles from a behavioral perspective that is agnostic of the tools the group may use.
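As an added illustration (not code from the original post, from MITRE, or from ITEGRITI), the Python below ties the two ideas together: it models the simplified SaaS data-theft sequence described above against the twelve Enterprise tactic columns, then runs a few behavioral detection rules over constructed audit events to produce the per-step and per-tactic coverage view that an adversary emulation exercise or a SOC measurement needs. The technique IDs are the ones ATT&CK for Enterprise assigns to these three techniques; the event fields, rule thresholds and sample events are assumptions made for the example. The discovery event is deliberately below the rule's threshold so that the report shows a tuning gap rather than a clean sweep.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set

# The twelve ATT&CK for Enterprise tactics in matrix order, left (Initial Access) to right (Impact).
TACTICS = (
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Command and Control", "Exfiltration", "Impact",
)


@dataclass(frozen=True)
class Technique:
    tid: str     # ATT&CK technique ID as published by MITRE
    name: str
    tactic: str  # the tactic column the technique sits in for this scenario


# The three techniques of the simplified SaaS data-theft scenario from the text.
SPEARPHISHING_LINK = Technique("T1566.002", "Phishing: Spearphishing Link", "Initial Access")
REMOTE_SYSTEM_DISCOVERY = Technique("T1018", "Remote System Discovery", "Discovery")
DATA_FROM_REPOSITORIES = Technique("T1213", "Data from Information Repositories", "Collection")

# The attack sequence as an ordered list of techniques: one technique per tactic used.
SAAS_DATA_THEFT: List[Technique] = [SPEARPHISHING_LINK, REMOTE_SYSTEM_DISCOVERY, DATA_FROM_REPOSITORIES]


def tactic_column(tactic: str) -> int:
    """Zero-based column of a tactic in the matrix."""
    return TACTICS.index(tactic)


def is_left_to_right(sequence: Iterable[Technique]) -> bool:
    """True when each step sits in the same column as, or to the right of, the previous step."""
    columns = [tactic_column(t.tactic) for t in sequence]
    return all(a <= b for a, b in zip(columns, columns[1:]))


def tactics_used(sequence: Iterable[Technique]) -> List[str]:
    """Distinct tactics touched by a sequence, in matrix order."""
    return sorted({t.tactic for t in sequence}, key=tactic_column)


# Constructed sample events (assumed field names, not real telemetry). The "list_sites"
# event is deliberately small so the discovery rule below does not fire.
EVENTS = [
    {"source": "email_gateway", "action": "url_click", "user": "alice", "url": "https://sso-login.invalid/"},
    {"source": "saas_audit", "action": "login", "user": "alice", "ip": "203.0.113.7", "new_location": True},
    {"source": "saas_audit", "action": "list_sites", "user": "alice", "count": 40},
    {"source": "saas_audit", "action": "download", "user": "alice", "files": 1500},
]

# Behavioral analytics, one per technique: a predicate over a single event (assumed rules).
RULES: Dict[Technique, Callable[[dict], bool]] = {
    SPEARPHISHING_LINK: lambda e: e["source"] == "email_gateway" and e["action"] == "url_click",
    REMOTE_SYSTEM_DISCOVERY: lambda e: e["action"] == "list_sites" and e.get("count", 0) >= 100,
    DATA_FROM_REPOSITORIES: lambda e: e["action"] == "download" and e.get("files", 0) >= 500,
}


def run_detections(events: Iterable[dict], rules: Dict[Technique, Callable[[dict], bool]]) -> Set[str]:
    """IDs of the techniques whose rule fired on at least one event."""
    events = list(events)
    return {t.tid for t, predicate in rules.items() if any(predicate(e) for e in events)}


def undetected_steps(sequence: Iterable[Technique], events: Iterable[dict],
                     rules: Dict[Technique, Callable[[dict], bool]]) -> List[str]:
    """Steps of the attack sequence that no rule caught: the emulation exercise's findings."""
    fired = run_detections(events, rules)
    return [t.tid for t in sequence if t.tid not in fired]


def matrix_gaps(rules: Dict[Technique, Callable[[dict], bool]]) -> List[str]:
    """Tactic columns for which the SOC has no analytic at all."""
    covered = {t.tactic for t in rules}
    return [tactic for tactic in TACTICS if tactic not in covered]


if __name__ == "__main__":
    print("left-to-right:", is_left_to_right(SAAS_DATA_THEFT))
    print("tactics used:", tactics_used(SAAS_DATA_THEFT))
    print("rules fired:", sorted(run_detections(EVENTS, RULES)))
    print("undetected steps:", undetected_steps(SAAS_DATA_THEFT, EVENTS, RULES))
    print("tactics without any rule:", matrix_gaps(RULES))
```

Run as a script, the report shows the sequence is a valid left-to-right path touching three of the twelve tactics, that the phishing and collection rules fired on the sample events while the discovery step went unseen (the rule exists but its threshold is too high for this activity), and that nine tactic columns have no analytic at all. Those three outputs are the three uses the text names: validating an emulation scenario, rating the effectiveness of in-place detections, and measuring SOC coverage against the matrix.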

ITEGRITI is a firm believer that cybersecurity programs must be based on informed decisions and assessments. If you want to learn how we leverage MITRE ATT&CK, you can visit us at itegriti.com.