MITRE ATT&CK Framework: Everything You Need To KnowMay 27, 2020 | By Comodo
How prepared are you for security incidents?
Does your cyber defense system work effectively?
Do you have a well-crafted comprehensive incident response plan?
If you are shaking your head “no,” you need a proactive analysis of attacks and threats. And when our talk turns to the rigorous analysis of cyber theft and defense, we cannot fail to mention the MITRE ATT&CK model that is trusted by security professionals for organizing various sorts of threats or adversarial behaviors and testing the efficiency of your security defense system.
Apparently, MITRE ATT&CK is not just a red hot and trending ampersand-infused acronym because it holds the attention of cybersecurity pros. So what is it all about?
We shine a light on using the MITRE ATT&CK framework to identify and gather more information about critical gaps in visibility, augment threat detection, and test the accuracy of detection rules in your security strategy defense.
Originally developed to support MITRE’s cyber defense system, ATT&CK is a knowledge base of cyberattack technology and tactics used by threat hunters, red teamers, and defenders in assessing the risk of attacks and identification of holes in the defencing.
Therefore, this comprehensive matrix of tactics and techniques improves post-compromise detection of attacks in enterprises by detailing out the actions of the attacker, approach to get in, and move around the system. It also aims to contribute to the awareness of the organization’s security and incident response plan at the perimeter and beyond.
We know that all of this can be overwhelming for you, so we pioneer to solve the most critical problems of cybersecurity for you with the better classification of attacks and assessment of an organization’s risk. We lead the way with capabilities to keep pace with this rapidly changing world.
So adjust your reading glasses and learn everything about this MITRE ATT&CK Framework and its use in classifying adversarial behaviors and assessing risks.
What Is MITRE ATT&CK
MITRE, a government-funded organization, spun out of MIT, has worked to strengthen cyber defenses for the past forty years. It is associated with a lot of commercial and top-secret projects for many agencies.
It advocates for a threat-based defense solution with a balanced security posture and leveraging cyber threat intelligence for quick adoption of a cyber-attack responsive plan.
Cyber-attacks can pose a threat to your organization, and hence comprehensive threat detection is important, which has three key elements:
- Understanding common adversary techniques
- Detecting actual threats to your organization
- Mitigating the attacks.
That said, it is unlikely for an organization to analyze every single attack owing to the volume and breadth of attack tactics. This is why MITRE developed the ATT&CK framework as a knowledge base that is acronymic for Adversarial Tactics, Techniques, and Common Knowledge.
We will take up the details of each word later in the following sections.
How Organizations can Use MITRE ATT&CK?
Red teaming: ATT&CK can be utilized for planning, reporting, and execution of the red group to maintain a strategic distance from certain cautious measures that might be set up inside a network.
SOC Maturity Assessment: The Security Operations Center (SOC) and occurrence reaction group can reference ATT&CK strategies that have been distinguished or revealed. It helps as one measurement to establish how effective a SOC is at analyzing, detecting, and responding to intrusions.
Assessing Defensive controls: Organizations can use ATT&CK to assess tools, supervising, and mitigations of current defenses in the enterprise.
Cyber Security Strategy: Organizations can use ATT&CK to plan their strategy for cybersecurity. It can help you build your defense to counter the known strategies and prepare your monitoring to recognize proof of ATT&CK procedures in your network. By assessing the overall strategy of cybersecurity, ATT&CK help you fill any gaps that you might find.
Nature of threats: Using ATT&CK, your team can determine the nature of threats you are facing. It also helps in mitigating the threats. It can also be used as a reference for the latest cybersecurity threats.
Understanding ATT&CK Matrices
MITRE ATT&CK is a matrix of hacking techniques sorted by tactics. It has three flavors or popular matrices that we will highlight herein:
Enterprise ATT&CK Matrix: There are four display platforms for desktop and mobile— Windows, Mac OS, Linux, and mobile — each have their specific matrix.
The first three or desktop platform matrices resonate horizontally with the enterprise matrix. Hence, Enterprise ATT&CK matrix is a superset for desktop platforms, which are as follows:
- Windows matrix: this includes tools and techniques that are used to hack the Windows platform
- Linux: likewise, it includes techniques used to attack Linux flavors.
- macOS: includes the same for hacking macOS.
PRE-ATT&CK: It covers tactics and techniques that attackers use before exploiting a target network. These are implemented for reconnaissance, identification of the target, and attacking plan.
Mobile ATT&CK matrix: It is a model of adversarial tactics and techniques used to gain access over mobile devices by hackers and security researchers.
The Nuts and Bolts of ATT&CK: Tactics and Techniques
- Initial Access: The cyber attacker is trying to enter your network.
- Execution: The attacker is trying to execute malicious code.
- Persistence: The attacker is attempting to keep up their foothold.
- Privilege Escalation: The cyber attacker is attempting to increase more significant level authorizations.
- Defense Evasion: The attacker is attempting to abstain from being identified.
- Credential Access: The attacker is attempting to steal names and passwords of accounts.
- Discovery: The cyber attacker is attempting to make sense of your environment.
- Lateral Movement: The attacker is attempting to travel through your environment.
- Collection: The attacker is attempting to assemble information important to their objective.
- Command And Control: The cyber attacker is attempting to communicate with compromised frameworks to control them.
- Exfiltration: The attacker is attempting to steal information.
- Impact: The cyber attacker is attempting to control, intrude, or obliterate your frameworks and information.
Adversarial techniques answer “how” an adversary attains a tactical objective, and the course of action they take to get what they seek.
Many techniques contain contextual information. It includes the required permissions, the platform, the method commonly seen, and how to detect the commands and the processes used in it.
When aligning a defensive program on ATT&CK, this can be somewhat overwhelming as more than 291 techniques are identified until today. And enlisting all of these is beyond the scope of the article. Though, organizations can then leverage this information from other hubs to ensure that their security programs cover the most common techniques used to target the peer organizations.
And while a security program that deals only with these techniques will be feeble, a robust security program, like MITRE security will make sure that these techniques are addressed as a broader and more comprehensive approach to securing organizational assets.
To detail out a few of the techniques and its associated tactics in all industries for a brief exposure.
TACTIC-Execution: Command-line interfaces provide a means of interacting with computer systems and are a common feature of many types of operating system platforms. For this execution, command-line interfaces can interact locally or remotely via a remote desktop application, reverse shell session, etc.
TACTIC- Discovery: Cyber hackers can attempt to obtain information about the execution of processes on a system. The information obtained could be used to gain an understanding of common software running on network systems. Opponents can use information from process discovery during automated discovery to shape follow-up behaviors, including if the adversary completely hacks the target and/or attempts specific actions.
The Differences between PRE-ATT&CK and ATT&CK Enterprise
PRE-ATT&CK and ATT&CK Enterprise consolidate to shape the full rundown of strategies that happen to generally line up with the Cyber Kill Chain. PRE-ATT&CK, for the most part, lines up with the initial three phases of the kill chain. It primarily includes reconnaissance, weaponization, and delivery.
ATT&CK Enterprise adjusts well to the last four periods of the kill chain. It mainly includes exploitation, installation, command & control, and actions on objectives.
The tactics of PRE-ATT&CK are Priority Definition, Target Selection, Information Gathering, Weakness Identification, Adversary OpSec, Establish & Maintain Infrastructure, Persona Development, Build Capabilities, Test Capabilities, and Stage Capabilities.
On the other hand, ATT&CK Enterprise Tactics are Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command, and Control.
What is the MITRE ATT&CK Framework?
MITRE ATT&CK framework is a globally accessible model to document and track, index, and breaks down into details of each stage that attackers use to infiltrate network and exfiltration of data. These adversary techniques are based on real-world observations of methods used by hackers in cyberattacks.
Hence, this framework is a matrix of cyberattack techniques with sorted tactics based on attack stages, from initial system access to data theft. There are different matrices display for desktop platforms like Windows, Linux, Mac, and mobile platforms.
Furthermore, we breakdown the elements of ATT&CK:
Adversarial tactics and techniques: It is a modern approach to understanding cyberattacks. While assessing the methodology used by hackers, cybersecurity analyst identifies the whys or the tactics of attack and also the hows or the adversary techniques used to attain the tactical aim.
Common knowledge: It is the knowledge base or documented use of tactics and techniques that serve as a foundation to develop various threat models and methodologies. TTP is often used in cybersecurity products, which means tactics, techniques, and procedures.
These “procedures” of TTP are documented form of a common knowledge base.
When Was The ATT&CK Framework Created?
The non-profit corporation, MITRE, collaborated with the federal government to create ATT&CK to fulfill its mission to solve problems of cyber attacking and develop more efficacious cybersecurity solutions. The MITRE ATT&CK Framework is available to any person at no-charge and was created by MITRE in 2013 but was officially released in May 2015.
Since its inception, it is continuously evolving and updates quarterly (usually). It is the most respected knowledge base and model that documents tactics and techniques used by the attacker and, at the same time, to defend the organization from cybersecurity threats that build better security.
How Does ATT&CK Help In Sharing Threat Intelligence?
The ATT&CK framework helps all technical and corporate organizations, end-users, and governing institutions by sharing threat intelligence. Apart from books that share threat intelligence, ATT&CK provides a common language that is standardized and globally accessible.
It is possible for analysts and defenders to work together with data to compare and contrast cyber threat groups. It gives a structured description of adversary tactics, techniques, and procedures and the real-time behavior of hackers. And hence we can draw significant comparisons amongst the adversary groups.
Security analysts and defender both can structure their information through ATT&CK matrices. The former can create and share intelligence about the behavior of cyber attackers, while the latter can structure gen for behavior used in detection and mitigation by prioritizing risk.
Together, they create and share a threat-based awareness by filling in the information voids or gaps that attackers were exploiting. So the MITRE ATT&CK framework is beneficial in rapid decision making and incident responsive plans for all organizations.
Who does the ATT&CK Framework benefit?
ATT&CK can help both red teams and blue teams in the same way. Red teams can pursue emulation plans of MITRE’s adversaries to test their systems and defenses by demonstrating off adversary conduct characterized by ATT&CK. Campaigns that are based around ATT&CK can make it simpler and easier to interpret patterns, track attacks, and rate the adequacy of tools for a defense that is already in place.
Blue teams can use the ATT&CK system to show signs of improvement, keeping an eye on what enemies are doing, and organizing threats by prioritizing them.
Understand, Deploy, and Hunt cyber-attacks with MITRE ATT&CK Framework
There is no silver bullet that can stop or dodge rapidly evolving cyber-attacks. However, being prepared to respond to such security incidents will limit damage and reduce recovery time and costs
MITRE ATT&CK evaluation is one of the most comprehensive and conclusive resources of hacker tactics and techniques available until date. Cyber professionals and security analysts are increasingly concerned about cyberattack techniques in the ATT&CK matrix, and they are building defense solutions and software based on the MITRE ATT&CK navigator.
There is a demand for this fast-changing world to get more gen about the use of the elements in penetrating targets’ defense. The MITRE security model satisfies the needs as it can apply technical and corporate organizations to leverage cyber threat intelligence, which responds and adapts quickly to a cyber-attack. To accomplish this, we need to encourage the promotion of sharing cyber threat information and its effective tools. This strategy thrives on a foundation of unrelenting innovation and operational databases.