There is an old English proverb - “There is honor among thieves”. While one can doubt the validity of the proverb, it is a fact that threat actors often learn from each other to realize their ill motives.
In this challenging scenario, it is essential for security professionals to also work together in order to defend against the ever-improving threat actors. One of the ways to do this is to develop a shared knowledge base for the security community. The MITRE ATT&CK framework is a major step in this direction.
What is ATT&CK?
MITRE’s ATT&CK, which stands for Adversarial Tactics, Techniques, and Common Knowledge, is a repository for modeling the cybercriminals’ behavior and documenting the various components of a cyberattack and the various target platforms.
ATT&CK began as a project to specify the known tactics, techniques, and procedures (TTPs) of the cybercriminals, especially those targeting Windows systems. Presently, the project has expanded to include other target systems like Linux and MacOS, pre-attack tactics and techniques, and attacks targeting mobile devices.
The motivation behind ATT&CK & Origin of the project
Any major collaborative project arises out of a strong need for addressing critical concerns in a certain domain. The same is true for the MITRE ATT&CK framework.
It was created out of a need to incorporate a systematic understanding of adversary behavior in enterprise security operations. The initial efforts began in 2010 at MITRE’s Fort Meade Experiment (FMX) research lab where researchers studied the methods aimed at detecting advanced persistent threats (APTs) in a quick and efficient manner.
The researchers conducted various exercises to “improve post-compromise detection of threats penetrating enterprise networks through telemetry and behavioral analytics”.
As per the ATT&CK philosophy whitepaper, the primary metric for success was “How well are we doing at detecting documented adversary behavior?”. The researchers enriched the knowledge base by categorizing the observed behavior of real-world threat actor groups and conducting controlled experiments using that knowledge. Blake Storm, who is a MITRE ATT&CK lead, in his blog post, describes four main issues that the researchers aimed to address which include, focusing on adversary behaviors, creating lifecycle models suitable for mapping TTPs for new devices, maintaining applicability to real environments, and building a common taxonomy.
Components of ATT&CK
The ATT&CK consists of three core components - Tactics, Techniques, and observed adversary usage of techniques.
Tactics represent what tactical steps a threat actor takes during different their attack campaign. This can include different phases like initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, exfiltration, and command & control.
Techniques denote the methods used by the threat actors for executing the different tactics.
For example, an APT group can get Initial Access to their target device or network using different Techniques like Spearphishing Attachment or Drive-by Compromise.
Each Technique provides various details like the platforms it can be used to target, the permissions it requires, sources for data capture, detection of the technique, examples of the Technique usage from previous attacks along with detailed logs, and the mitigation steps required to protect against that Technique.
The complete behavioral profile of an attack campaign can be modeled by specifying the whole set of tactics and corresponding techniques used by the APT group. The ATT&CK framework also documents the observed usage of different techniques by relevant threat actors.
The first ATT&CK model released publicly in May 2015 contained 96 techniques categorized under 9 tactics. The initial focus of the model was on Windows enterprise systems, however, it now covers over 200 techniques across Windows, Linux, and Mac OS systems.
Currently, the model also features a separate knowledge base for documenting pre-compromise tactics and techniques which is known as PRE-ATT&CK and the main model is now referred to as the Enterprise ATT&CK. Furthermore, ATT&CK for Mobile was also created to focus on attacks targeting mobile devices.
The ATT&CK framework has helped address many of the issues the researchers had in mind when they first began working on it. However, the framework can only stay relevant and reliable if it evolves with the changing landscape of the cyberspace. The inclusion of newer attack vectors, techniques, and studying the activities of emerging threat actors is crucial for maintaining and improving the efficacy of the framework.