To thrive in today’s cybersecurity landscape, learning the art of defence is essential, and layering this approach with ATT&CK framework techniques has become a necessity. It means your organization needs a cybersecurity team that ensures every aspect of your infrastructure is secured through processes, technical controls, and people.
MITRE ATT&CK is helpful in more ways than just threat modelling or penetration testing exercises. The MITRE ATT&CK framework is an indispensable and globally accessible tool for any defensive security professional, enabling them to detect, prevent and protect their systems from adversaries.
In this article, we discuss what tactics- and techniques-based mitigation the MITRE ATT&CK framework provides across different technological verticals.
We will also discuss how the framework can help incident response teams develop threat models that best fit their IT needs. Lastly, we look at how the ATT&CK techniques knowledge base can help your cybersecurity team prepare for zero-day vulnerability management.
What is MITRE ATT&CK?
It is an in-depth knowledge-based framework that offers security experts an analytical model and methodologies that can be used to analyze and identify adversary activities within their systems. The framework discusses in detail what exactly these “adversarial tactics & techniques” are.
Launched in 2013, MITRE’s ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) project is an ongoing effort (updated bi-annually) to identify adversary behaviour during in-progress attacks by using data from real-world incident response investigations. The framework organizes both previously identified adversarial behaviours and patterns of attack techniques into “attack phases” that group related tactics together for analysis purposes.
What is the purpose of MITRE ATT&CK?
The goal of the MITRE ATT&CK Project is to provide organizations with a better understanding of their adversaries’ capabilities, intentions, and potential points of weakness to develop more effective defensive postures.
This explanation of the MITRE ATT&CK framework is built around equipping the reader with the basics, its importance and how it can be utilised within an organisation. The framework is based on real-world observations of cyber security threats, providing a solid understanding of adversaries and their tactics, techniques and procedures.
MITRE ATT&CK performs best when combined with other security tools that help defensive security teams maintain a detail-oriented perspective by using the ATT&CK techniques presented in the framework.
Understanding ATT&CK matrices
MITRE ATT&CK has three different matrices or iterations:
- ATT&CK for Enterprise
- ATT&CK for Mobile
- PRE-ATT&CK
Each of the above contains the tactics and techniques associated with its matrix. The Enterprise matrix has tactics and techniques mainly around Windows, Linux, macOS/*nix systems, Office 365, Azure AD, etc. The Mobile matrix revolves around tactics and techniques that apply to mobile devices. PRE-ATT&CK covers tactics and techniques related to what threat actors do before they compromise a system or network.
MITRE ATT&CK framework – Tactics and Techniques
MITRE’s approach is centred on the concept of adversary tactics and techniques. With this framework, security teams in your organisation can study ATT&CK techniques based on real cyber events, which helps them prepare for potential attacks and decide how to react in real-time situations. MITRE ATT&CK is a large knowledge base; however, the framework is structured as an easy-to-consume matrix.
A tactic is ‘what’ an attacker is trying to achieve. A technique is ‘how’ an attacker achieves unauthorised access to a system or a network. Let’s discuss this in a little more detail here.
What are the tactics of the ATT&CK framework?
Tactics are goals that the adversary (malicious actor/s) is trying to achieve when attacking an organization and/or entity. In the MITRE ATT&CK framework, tactics are presented as columns.
There are 14 tactics in total; brief notes on each are listed below:
- Reconnaissance: Obtaining information on a target organization to plan future adversary activities, i.e., data about the target organization.
- Resource Development: Creating operational resources is a necessary next step.
- Initial Access: Trying to get access to your network in some way.
- Execution: In this step, an adversary will be attempting to re-establish control over the victim.
- Persistence: Persistence refers to the techniques adversaries use to retain access to systems in the face of system restarts, updated credentials, and other disturbances that might result in the system terminating their access.
- Privilege Escalation: Trying to gain approvals at a higher level of authority to access more critical data.
- Defence Evasion: Attempting to escape detection by security monitoring.
- Credential Access: Technically, credential access refers to methods for accessing credentials such as account names and passwords. Two common approaches for getting credentials are keylogging and credential dumping.
- Discovery: Attempting to comprehend your environment.
- Lateral Movement: Traversing your environment.
- Collection: Collecting data that is relevant to the adversary’s objective.
- Command and Control: In command and control tactics, an adversary will be connecting with infected computers to exert influence over them.
- Exfiltration: Data theft from the victim’s systems.
- Impact: Manipulating, interfering with, or eradicating systems and data.
All of these tactics have different techniques used for them. MITRE’s framework can really help a red team build simulations to help you protect your environment.
What are the techniques of the ATT&CK framework?
A technique is an activity done to achieve the adversary’s tactic or goal. Techniques have further sub-techniques detailing low-level information.
Sub-techniques are more specific details of the behaviour used to achieve an objective. For example, a threat actor may dump credentials by accessing LSA secrets.
In the ATT&CK framework, a technique is the second most important component. Techniques appear as rows in the MITRE ATT&CK matrix; underneath each tactic, the number of techniques available for that particular tactic can be found.
There are 185 primary techniques and about 367 techniques, including sub-techniques under the Enterprise matrix.
An example of the ATT&CK technique
An example of an ATT&CK technique is T1595, named ‘Active Scanning’. The sub-techniques under this technique are:
- T1595.001 Scanning IP Blocks
- T1595.002 Vulnerability Scanning
By searching for techniques, security teams can map these techniques and sub-techniques with detection and mitigation measures.
In this instance, the mitigation is M1056 (Pre-compromise). Detection relies on monitoring suspicious network traffic and looking for patterns such as traffic originating from known adversary infrastructure or botnets.
In MITRE’s context, a procedure consists of the steps taken to implement a particular technique. An example of a procedure could be an attacker using PowerShell to dump credentials from LSASS memory on a target system.
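The tactic/technique/sub-technique/mitigation relationships described above are exactly what MITRE publishes in its STIX-format data (listed later under tools and resources). The following added example, which is not code from the original post or from MITRE, walks a small constructed bundle that copies the conventions of that data (attack-pattern and course-of-action objects, "mitre-attack" external IDs, "subtechnique-of" and "mitigates" relationships) and rebuilds the matrix view: tactics as columns, techniques as rows, plus the sub-techniques and mitigations for any technique. The STIX ids and the bundle contents are placeholders constructed for this example.

```python
"""Recover matrix structure (tactic -> technique -> sub-technique) and
technique -> mitigation links from an ATT&CK-style STIX 2.1 bundle.

SAMPLE_BUNDLE is a constructed miniature that mirrors the conventions of
MITRE's published STIX data; the STIX ids are placeholders, not the real
dataset's identifiers.
"""
from collections import defaultdict


def _pattern(stix_id, attack_id, name, tactic, subtechnique=False):
    # Build a constructed attack-pattern object in ATT&CK's STIX shape.
    return {
        "type": "attack-pattern",
        "id": stix_id,
        "name": name,
        "x_mitre_is_subtechnique": subtechnique,
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": tactic}],
        "external_references": [{"source_name": "mitre-attack", "external_id": attack_id}],
    }


def _rel(kind, source_ref, target_ref):
    return {"type": "relationship", "relationship_type": kind,
            "source_ref": source_ref, "target_ref": target_ref}


SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--sample",  # constructed placeholder id
    "objects": [
        _pattern("attack-pattern--t1595", "T1595", "Active Scanning", "reconnaissance"),
        _pattern("attack-pattern--t1595-001", "T1595.001", "Scanning IP Blocks", "reconnaissance", subtechnique=True),
        _pattern("attack-pattern--t1595-002", "T1595.002", "Vulnerability Scanning", "reconnaissance", subtechnique=True),
        _pattern("attack-pattern--t1003", "T1003", "OS Credential Dumping", "credential-access"),
        _pattern("attack-pattern--t1003-004", "T1003.004", "LSA Secrets", "credential-access", subtechnique=True),
        {"type": "course-of-action", "id": "course-of-action--m1056", "name": "Pre-compromise",
         "external_references": [{"source_name": "mitre-attack", "external_id": "M1056"}]},
        {"type": "course-of-action", "id": "course-of-action--m1043", "name": "Credential Access Protection",
         "external_references": [{"source_name": "mitre-attack", "external_id": "M1043"}]},
        _rel("subtechnique-of", "attack-pattern--t1595-001", "attack-pattern--t1595"),
        _rel("subtechnique-of", "attack-pattern--t1595-002", "attack-pattern--t1595"),
        _rel("subtechnique-of", "attack-pattern--t1003-004", "attack-pattern--t1003"),
        _rel("mitigates", "course-of-action--m1056", "attack-pattern--t1595"),
        _rel("mitigates", "course-of-action--m1056", "attack-pattern--t1595-001"),
        _rel("mitigates", "course-of-action--m1056", "attack-pattern--t1595-002"),
        _rel("mitigates", "course-of-action--m1043", "attack-pattern--t1003"),
    ],
}


def attack_id(obj):
    """Return the ATT&CK ID (T1595, T1595.001, M1056, ...) carried in an object's references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def _by_stix_id(bundle):
    return {o["id"]: o for o in bundle["objects"] if "id" in o}


def _relationships(bundle, kind):
    return [o for o in bundle["objects"]
            if o.get("type") == "relationship" and o.get("relationship_type") == kind]


def build_matrix(bundle):
    """Map each tactic (kill-chain phase) to its top-level technique IDs: columns -> rows."""
    matrix = defaultdict(list)
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern" or obj.get("x_mitre_is_subtechnique"):
            continue
        for phase in obj.get("kill_chain_phases", []):
            if phase["kill_chain_name"] == "mitre-attack":
                matrix[phase["phase_name"]].append(attack_id(obj))
    return {tactic: sorted(ids) for tactic, ids in matrix.items()}


def subtechniques_of(bundle, technique_id):
    objs = _by_stix_id(bundle)
    return sorted(attack_id(objs[r["source_ref"]]) for r in _relationships(bundle, "subtechnique-of")
                  if attack_id(objs[r["target_ref"]]) == technique_id)


def mitigations_for(bundle, technique_id):
    """(mitigation ID, name) pairs linked to a technique or sub-technique."""
    objs = _by_stix_id(bundle)
    return sorted((attack_id(objs[r["source_ref"]]), objs[r["source_ref"]]["name"])
                  for r in _relationships(bundle, "mitigates")
                  if attack_id(objs[r["target_ref"]]) == technique_id)


def describe_technique(bundle, technique_id):
    """One record combining tactic, sub-techniques and mitigations, or None if unknown."""
    for obj in bundle["objects"]:
        if obj.get("type") == "attack-pattern" and attack_id(obj) == technique_id:
            return {
                "id": technique_id,
                "name": obj["name"],
                "tactics": sorted(p["phase_name"] for p in obj.get("kill_chain_phases", [])),
                "subtechniques": subtechniques_of(bundle, technique_id),
                "mitigations": mitigations_for(bundle, technique_id),
            }
    return None


if __name__ == "__main__":
    print(build_matrix(SAMPLE_BUNDLE))
    print(describe_technique(SAMPLE_BUNDLE, "T1595"))
```

The same functions work unchanged against MITRE's real enterprise-attack bundle once it is loaded with `json.load`, because the lookups key only on object types, `external_id` values and relationship types rather than on the placeholder ids.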
Tactics and techniques: how it all comes together
The importance of the MITRE ATT&CK framework for detection and response operations for any security team becomes clear when all three of its basic principles are considered together.
Sometimes the tactics employed by certain adversaries are not yet included in the framework; these approaches are referred to as zero-day vulnerabilities since they have not yet been catalogued.
MITRE does consider such scenarios, which is why it persistently suggests that your organization’s cyber defensive team and red team brainstorm techniques based on the data they have observed across the different framework matrices, so that they are prepared to manage and mitigate zero-day vulnerabilities.
The cyber kill chain: a theoretical approach for an adversary defence
The cyber kill chain is a set of steps that track the stages of a cyberattack, beginning with reconnaissance and ending with data exfiltration. The cyber kill chain aids in our comprehension and defence against ransomware, security breaches, and advanced persistent threats (APTs).
Lockheed Martin drew the kill chain framework from a military concept – which was initially developed to identify, prepare for, engage, and destroy the target.
We have covered this topic in detail here:
Organizations have increasingly shifted their focus away from preventative methods towards detection and response solutions. MITRE’s ATT&CK Framework is a reaction to this resource reallocation. Unlike the theoretical cyber kill chain model, the ATT&CK Framework is built on real-world attack data from millions of incidents.
MITRE Att&ck cloud matrix
Cloud technology is complex due to virtualization, which makes it quite difficult to figure out how to maximise security when data is in transit.
MITRE ATT&CK has developed a sub-section for cloud security-related tactics and techniques based on real-world observations. For cloud security, different techniques are used as compared to on-prem infrastructure. This matrix covers information around Azure AD, Office 365, Google Workspace, SaaS, IaaS.
A total of 11 tactics and 46 techniques are presented in the ATT&CK cloud matrix. The important point is that the framework has different matrices for different technology platforms, such as the cloud matrix we discussed above.
Due to the differences in technological infrastructure, cyber attackers use different techniques to achieve their goals. These different matrices give a red team the right tools to build simulations.
Cloud matrix techniques and examples
In the cloud att&ck matrix, the following list of techniques is used by attackers to exploit different cloud platforms, which are quite clever in their execution.
Drive-by compromise
Adversaries may acquire access to a system through a user’s routine online browsing activity. While this approach is generally used to exploit the user’s web browser, adversaries may also utilize compromised websites for non-exploitation purposes, such as collecting Application Access Tokens (AATs).
Drive-by compromise is a technique that comes under the initial access tactic.
Implant internal image
Adversaries may implant malicious code into cloud or container images to establish persistence after obtaining access to an environment.
It is possible to implant or backdoor Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images, as well as popular container runtimes such as Docker.
Modify cloud computing infrastructure
An attacker may attempt to modify a cloud account’s compute service infrastructure to evade security measures.
A compute service architecture update may include the addition, deletion, or modification of one or more components, such as compute instances, virtual machines, or snapshots, as well as changes to the compute service architecture’s configuration.
Permissions obtained through the modification of infrastructure components may be used to circumvent current infrastructure access restrictions.
Additionally, altering infrastructure components may enable adversaries to escape detection and eliminate proof of their presence from threat intelligence teams.
In my opinion, this is perhaps one of the most complex techniques present in the cloud att&ck matrix.
MITRE ATT&CK mobile matrix
The mobile matrix of the MITRE ATT&CK framework contains 14 tactics and 118 techniques involving device access and network-based effects, supporting the Android and iOS platforms. When it comes to mobile devices, the specific techniques used by adversaries are slightly different due to the nature of the technology on which the attacks are carried out.
As an example, two of these mobile ATT&CK techniques are provided below:
Disguise root/jailbreak indicators
An attacker might utilize knowledge of how security software works to escape detection.
For instance, some mobile security programs detect compromised devices by looking for certain artefacts, such as an installed “su” binary. However, this check may be circumvented by simply renaming the binary.
Similarly, polymorphic coding methods might be employed to avoid discovery via signatures.
Access stored application data
Adversaries may get access to and acquire data stored on the device’s applications. Adversaries frequently target well-known programs like Facebook, WeChat, and Gmail.
This approach requires either elevated privileges or an insecure data storage method on the part of the targeted program (e.g., insecure file permissions or an insecure location such as an external storage directory).
Threat intelligence with MITRE ATT&CK
A major part of defensive security for organizations worldwide is threat analysis and threat impact, which commonly comes under threat intelligence. As we know, a threat is anything that poses a risk to an organization, and detecting such risk early on is important.
The MITRE ATT&CK framework is now being integrated into many SIEM (Security Information and Event Management) solutions to aid the process of threat hunting.
MITRE ATT&CK provides a threat intelligence framework that can and should be linked with a SIEM solution to assist threat analysts in detecting and identifying anomalies by evaluating the framework’s description of the tactic and technique used in such an attack.
This contributes to improving the effectiveness of threat detection and prevention activities.
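The kind of detection logic a SIEM integration runs is illustrated by the Active Scanning (T1595) example given earlier, where detection means watching network traffic for scan patterns and for sources on known adversary or botnet lists. The following is an added example, not code from the original post or from any SIEM vendor: it parses constructed firewall log lines (RFC 5737 documentation addresses, an assumed generic key=value format), buckets them per source into time windows, and emits alerts already tagged with the ATT&CK tactic and technique so an analyst can pivot straight to the framework entry. The thresholds and the mapping of a host sweep to T1595.001 and a port probe of one host to T1595.002 are this example's assumptions.

```python
"""Flag active-scanning behaviour (ATT&CK T1595) in firewall logs and emit
SIEM-style alerts tagged with the tactic and technique ID.

SAMPLE_LOGS and KNOWN_BAD_SOURCES are constructed; the log layout is an
assumed generic "key=value" format. Thresholds and the sub-technique mapping
are this example's assumptions, not MITRE's detection guidance verbatim.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOGS = """
2024-05-01T10:00:01Z DENY src=203.0.113.10 dst=10.0.0.1 dport=445 proto=tcp
2024-05-01T10:00:02Z DENY src=203.0.113.10 dst=10.0.0.2 dport=445 proto=tcp
2024-05-01T10:00:03Z DENY src=203.0.113.10 dst=10.0.0.3 dport=445 proto=tcp
2024-05-01T10:00:04Z DENY src=203.0.113.10 dst=10.0.0.4 dport=445 proto=tcp
2024-05-01T10:00:05Z DENY src=203.0.113.10 dst=10.0.0.5 dport=445 proto=tcp
2024-05-01T10:00:06Z DENY src=203.0.113.10 dst=10.0.0.6 dport=445 proto=tcp
2024-05-01T10:00:30Z DENY src=198.51.100.77 dst=10.0.0.5 dport=21 proto=tcp
2024-05-01T10:00:31Z DENY src=198.51.100.77 dst=10.0.0.5 dport=22 proto=tcp
2024-05-01T10:00:32Z ALLOW src=198.51.100.77 dst=10.0.0.5 dport=80 proto=tcp
2024-05-01T10:00:33Z ALLOW src=198.51.100.77 dst=10.0.0.5 dport=443 proto=tcp
2024-05-01T10:00:34Z DENY src=198.51.100.77 dst=10.0.0.5 dport=3389 proto=tcp
2024-05-01T10:00:35Z DENY src=198.51.100.77 dst=10.0.0.5 dport=8080 proto=tcp
2024-05-01T10:01:00Z ALLOW src=192.0.2.9 dst=10.0.0.5 dport=443 proto=tcp
2024-05-01T10:01:07Z ALLOW src=192.0.2.9 dst=10.0.0.5 dport=443 proto=tcp
malformed line that the parser must skip
""".strip().splitlines()

# Constructed threat-intelligence list of known scanner/botnet sources.
KNOWN_BAD_SOURCES = {"198.51.100.77"}

HOST_SWEEP_THRESHOLD = 5    # distinct destination hosts from one source per window
PORT_PROBE_THRESHOLD = 5    # distinct destination ports on one host per window
WINDOW = timedelta(minutes=5)

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def detect_scanning(lines, window=WINDOW):
    """Bucket events per source into fixed windows, score each bucket, return alerts."""
    buckets = defaultdict(list)   # (src, window slot) -> events
    epoch = None
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        epoch = epoch or ev["ts"]          # first timestamp anchors the windows
        slot = int((ev["ts"] - epoch) / window)
        buckets[(ev["src"], slot)].append(ev)

    alerts = []
    for (src, slot), evs in sorted(buckets.items()):
        ports_by_host = defaultdict(set)
        for ev in evs:
            ports_by_host[ev["dst"]].add(ev["dport"])
        findings = []
        # Many hosts touched from one source -> host sweep (T1595.001, assumption).
        if len(ports_by_host) >= HOST_SWEEP_THRESHOLD:
            findings.append(("T1595.001", f"{len(ports_by_host)} distinct hosts probed"))
        # Many ports on a single host -> service/vulnerability probe (T1595.002, assumption).
        host, ports = max(ports_by_host.items(), key=lambda kv: len(kv[1]))
        if len(ports) >= PORT_PROBE_THRESHOLD:
            findings.append(("T1595.002", f"{len(ports)} distinct ports probed on {host}"))
        for technique, evidence in findings:
            alerts.append({
                "source": src,
                "tactic": "reconnaissance",
                "technique": technique,
                "evidence": evidence,
                "known_bad_source": src in KNOWN_BAD_SOURCES,   # intel-list enrichment
                "window_start": (epoch + slot * window).strftime("%Y-%m-%dT%H:%M:%SZ"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_scanning(SAMPLE_LOGS):
        print(alert)
```

Tagging the alert with the technique ID rather than only a rule name is what makes the SIEM view line up with the matrix: the analyst reads the T1595 entry for context, and the coverage of the rule can be tracked against the framework.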
Red teaming using MITRE ATT&CK framework
To determine which scenarios are realistic for a company, we must first identify the potential techniques that would be used to provide access to the system. This is what threat intelligence is all about.
MITRE ATT&CK helps with the methodologies used to observe attackers who possess essential capabilities to attack designated assets containing critical data. MITRE does this by providing techniques based on real observations of events from the cyber threats occurring around the world. Some of this data can also be obtained through SIEM monitoring.
Mitigations made simple with MITRE ATT&CK
When examining attack techniques on any organization, MITRE ATT&CK can aid in the establishment of controls to address gaps in the investigation’s findings. MITRE ATT&CK provides several different mitigation methods, which is now common knowledge in cyber forensics.
There are several types of initiatives described and how they may be utilized to detect, prevent, or protect an organization from being attacked by such techniques.
In this way, we can do a future state analysis and assess the potential risk reduction associated with deploying suitable mitigation resources.
ATT&CK tools and resources
MITRE and third-party developers use this framework to help red and blue teams implement and boost their defensive controls. There are various related tools and resources available today; some of these are:
- ATT&CK Navigator helps you track ATT&CK status, providing basic navigation around the different matrices
- ATT&CK is available in STIX format to exchange cyber threat intelligence (CTI)
- Cyber Analytics Repository (CAR) from MITRE, based on the ATT&CK adversary model
- OilRig playbook from Palo Alto Networks
- Caldera is an attack technique emulation tool
- Red Team Automation (RTA) is an open-source framework of scripts to help blue teams test their detection capabilities
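Tracking status in ATT&CK Navigator is done by loading a layer file, a JSON document that assigns a score, colour and comment to each technique. The following added example, which is not code from the original post or from the Navigator project, builds such a layer from a constructed detection-coverage table so a blue team can see covered, partially covered and uncovered techniques on the matrix, and summarises the counts. The field names follow the Navigator layer format; the version strings in VERSIONS are assumptions to be set to the Navigator and ATT&CK release in use, and the colour scheme is this example's own.

```python
"""Build an ATT&CK Navigator layer that colours techniques by detection coverage.

Coverage data and colours are constructed for this example; VERSIONS is an
assumption that should match the installed Navigator and ATT&CK release.
"""
import json
import re

TECHNIQUE_ID_RE = re.compile(r"^T\d{4}(\.\d{3})?$")

# status -> (score, colour); constructed scheme for this example
STATUS_STYLE = {
    "none": (0, "#ff6666"),
    "partial": (1, "#ffe766"),
    "detected": (2, "#8ec843"),
}

VERSIONS = {"attack": "14", "navigator": "4.9.1", "layer": "4.5"}  # assumption

# Constructed coverage table: technique ID -> (status, analyst comment)
SAMPLE_COVERAGE = {
    "T1595": ("partial", "Perimeter only; internal scanning not covered"),
    "T1595.001": ("detected", "Port-sweep rule on perimeter firewall logs"),
    "T1595.002": ("partial", "Only the web tier is instrumented"),
    "T1003.004": ("none", "No LSA secrets access telemetry yet"),
    "T1059": ("detected", "Command-line auditing via EDR"),
}


def build_layer(name, coverage, domain="enterprise-attack"):
    """Return a Navigator layer dict; raises ValueError on bad IDs or statuses."""
    parents_with_subs = {tid.split(".")[0] for tid in coverage if "." in tid}
    techniques = []
    for technique_id, (status, comment) in sorted(coverage.items()):
        if not TECHNIQUE_ID_RE.match(technique_id):
            raise ValueError(f"not an ATT&CK technique ID: {technique_id!r}")
        if status not in STATUS_STYLE:
            raise ValueError(f"unknown coverage status {status!r} for {technique_id}")
        score, colour = STATUS_STYLE[status]
        techniques.append({
            "techniqueID": technique_id,
            "score": score,
            "color": colour,
            "comment": comment,
            "enabled": True,
            # expand a parent technique in the UI when any of its sub-techniques is listed
            "showSubtechniques": technique_id in parents_with_subs,
        })
    return {
        "name": name,
        "versions": dict(VERSIONS),
        "domain": domain,
        "description": "Detection coverage by technique (0 none, 1 partial, 2 detected)",
        "techniques": techniques,
        "gradient": {
            "colors": [colour for _, colour in STATUS_STYLE.values()],
            "minValue": 0,
            "maxValue": 2,
        },
        "legendItems": [{"label": status, "color": colour}
                        for status, (_, colour) in STATUS_STYLE.items()],
    }


def coverage_summary(layer):
    """Count techniques per status by reading the scores back out of a layer."""
    status_by_score = {score: status for status, (score, _) in STATUS_STYLE.items()}
    counts = {status: 0 for status in STATUS_STYLE}
    for entry in layer["techniques"]:
        counts[status_by_score[entry["score"]]] += 1
    return counts


def layer_json(layer):
    """Serialise the layer as the JSON text Navigator's 'Open Existing Layer' expects."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    layer = build_layer("Detection coverage", SAMPLE_COVERAGE)
    print(layer_json(layer))
    print(coverage_summary(layer))
```

Regenerating the layer from the coverage table after every detection change keeps the matrix view honest; the summary counts are the same numbers a team would report as coverage over time.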
MITRE ATT&CK FAQs
What does Mitre ATT&CK stand for?
The word “ATT&CK” stands for adversarial tactics, techniques, and common knowledge, whereas MITRE is the organisation’s name that created the knowledge base.
Is MITRE ATT&CK a threat model?
ATT&CK framework is designed to support security teams with real-world observations for various exercises such as threat modelling, penetration testing and defensive capabilities.
How many techniques are there in MITRE ATT&CK?
There are a total of 245 techniques in the Enterprise model.
How many tactics are there in MITRE ATT&CK?
There are 14 tactics covered under the ATT&CK enterprise matrix. These are:
- Reconnaissance
- Resource Development
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defence Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Command and Control
- Exfiltration
- Impact
What are the best practices for ATT&CK?
The following best practices are recommended for ATT&CK usage:
- Encourage vendors in pen testing and threat modelling exercises to add support where it is useful
- Leverage ATT&CK in toolsets used by the security team
- Share tactics and techniques of observed attack and attacker behaviours
- Follow industry standards around detection and mitigation techniques
What are the top 10 critical MITRE ATT&CK techniques?
The top 10 critical ATT&CK techniques are:
- T1055 Process Injection
- T1086 PowerShell
- T1003 Credential Dumping
- T1036 Masquerading
- T1059 Command-line Interface
- T1064 Scripting
- T1053 Scheduled Task
- T1060 Registry Run Keys / Startup Folder
- T1082 System Information Discovery
- T1564 Hidden Files and Directories
MITRE ATT&CK framework covers a lot of depth in defensive security, including threat hunting, red teams and their management, and cyber forensics. This blog was written to give the readers an idea regarding the framework basics and what resources are there for its implementation. There remains a vast ground to cover and for a more thorough reading on the framework, visit MITRE ATT&CK’s website to start getting your hands dirty and, as always, be an informed cyber warrior.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master’s degree in Information Security and an OSCP, and has a strong technical skillset in offensive security.