Suppose a massive supply chain attack targeting organizations worldwide is underway. The attackers behind the campaign are tampering with the development lifecycle by manipulating code and exploiting vulnerabilities in third-party software. If these malicious changes go unnoticed, they can cost companies millions of dollars in both repair costs and reputational damage. Furthermore, once the attackers gain unauthorized access to an internal network, they can maintain persistence and launch further malicious activity that leads to data breaches or malware infection. Organizations may have deployed security tools such as firewalls and antivirus to maintain basic cybersecurity, but these are not enough to protect against such attacks.
To protect against supply chain attacks, security teams need to go beyond traditional cybersecurity measures, and this is only possible if they have complete visibility into the attackers' patterns, objectives, and motives. By gaining insight into an adversary's tactics, techniques, and procedures (TTPs) and intentions, security teams can answer the 'how' and 'why' of an attack campaign and improve their detection and analysis process to derive contextual, high-fidelity intelligence.
This is where the MITRE ATT&CK framework comes into the picture. It provides a comprehensive knowledge base of the tactics and techniques that reflect an adversary's behavior when operating within an organization's network. It expands the knowledge of security teams, defenders, and threat hunters and helps prioritize network defense by documenting the pre- and post-compromise tactics, techniques, and procedures executed by attackers. Using the ATT&CK framework, organizations can evaluate their current defenses, make necessary improvements, and take immediate action to thwart impending cyber threats. It also helps organizations build a holistic defense approach that protects their businesses in the long run.
Beyond the Cyber Kill Chain
Prior to the release of the MITRE ATT&CK framework, there was no single, comprehensive repository of adversary TTPs (tactics, techniques, and procedures). As a result, security teams largely focused on forensic and historical attributes of adversary intrusions, stored in an unstructured manner, which made information sharing difficult.
This eventually led to the birth of the 'Cyber Kill Chain' or 'Kill Chain Framework' in 2011. Lockheed Martin derived the framework from a military model that represents the phases of a cyberattack, starting from early reconnaissance, through the deployment of weapons and the execution of command and control, to the attackers' objective. However, the framework did not provide granular details of attack techniques and adversary behaviors. Moreover, because the Cyber Kill Chain uses ordered phases to describe high-level adversary objectives, it could not describe cyberattacks in which multiple intrusions occurred throughout the infection process as adversaries changed their tactical goals.
These limitations were addressed in the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework, which was developed in 2013 by the MITRE Corporation and released to the public in 2015. The framework goes a step further than the Cyber Kill Chain and expands on the attackers' high-level goals by collating their tactics and techniques and articulating them in various matrices and in STIX/TAXII format. It leverages publicly available information from real-world observations to create an organized list of known attacker behaviors that can be used to classify attacks, identify attribution and objectives, and assess organizations' risks. Unlike other frameworks, it offers more detailed insight into attackers' behaviors by elaborating on the techniques used, known practices, their characteristics, the tools used in attacks, and specific attributions. In addition, the framework provides detection and mitigation suggestions that organizations can leverage to protect themselves better.
What is PRE-ATT&CK?
PRE-ATT&CK defines the pre-compromise techniques used by attackers. It provides knowledge of the preparatory tactics and techniques that bad actors use to exploit and compromise a particular target network or system. It covers how attackers perform reconnaissance and select their point of entry.
What is ATT&CK?
ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It consists of three components: tactics, techniques, and documented usage of those techniques together with other metadata. The complete behavior of an attack campaign can be modeled by combining these components, which are associated with the APT groups that use them.
What are the Different Matrices of MITRE ATT&CK?
Depending on the adversaries' behavior against their targets, the MITRE ATT&CK framework is divided into three matrices.
Enterprise Matrix: This matrix includes tactics and techniques for gaining access to the software and devices used in enterprises. It covers a broad range of platforms such as Windows, macOS, Linux, Azure AD, Office 365, Google Workspace, SaaS, IaaS, Network, and Containers.
Current versions of MITRE ATT&CK fold the PRE-ATT&CK scope, previously a separate matrix, into the Enterprise matrix.
Mobile Matrix: This describes the tactics and techniques used to compromise iOS and Android mobile devices.
ICS Matrix: This matrix is similar to the Enterprise matrix except that it focuses specifically on industrial control systems (ICS) such as power grids, interconnected machinery, and sensors.
According to MITRE, the latest version of the Enterprise ATT&CK matrix (Version 12, released in October 2022) includes 14 tactics. These are:
- Reconnaissance: gathering information about the target before executing future operations.
- Resource Development: acquiring the resources required to support an operation or attack.
- Initial Access: techniques attackers use to gain an initial foothold within a victim's network.
- Execution: techniques used to run malicious code on compromised systems or networks.
- Persistence: techniques used to maintain a foothold on remote systems, devices, and other assets across configuration changes, reboots, and similar interruptions.
- Privilege Escalation: techniques attackers use to gain higher levels of permission on a system or network.
- Defense Evasion: techniques adversaries use to avoid defenses throughout the campaign, for example by disabling security software or masquerading malware as approved operations.
- Credential Access: techniques attackers use to steal users' account names and passwords.
- Discovery: techniques adversaries use to learn about internal networks and systems; this knowledge drives their next steps in target selection and lateral movement.
- Lateral Movement: techniques attackers use to move through a remote network after gaining access, for example with legitimate credentials or remote access tools (RATs).
- Collection: techniques attackers use to gather the data of interest to their goals.
- Command & Control: techniques attackers use to communicate with compromised devices and systems in order to control them.
- Exfiltration: techniques adversaries use to steal data from a target network.
- Impact: techniques adversaries use to manipulate, interrupt, or destroy systems and data, compromising their integrity.
Although these 14 tactics cover the possible phases of most enterprise cyberattacks, they need not occur in this order, and not every attack involves all of them.
This version of ATT&CK for Enterprise contains 14 tactics, 193 techniques, 401 sub-techniques, 135 groups, 14 campaigns, and 718 pieces of software. Techniques and sub-techniques are the means by which attackers and groups achieve each tactic.
What is MITRE ATT&CK Navigator?
The MITRE ATT&CK Navigator is one of the key tools that let security teams navigate the MITRE ATT&CK matrices easily. It improves security teams' action plans by helping them map defensive approaches against ATT&CK techniques. It provides easy navigation and annotation of the ATT&CK matrices, removing the need for spreadsheets or other tools to analyze threats, evaluate current defenses, identify security gaps, and plan attack simulations. With ATT&CK Navigator, security teams can visualize the tactics and techniques specific to an adversary and, if needed, compare them with the TTPs of other adversaries.
MITRE ATT&CK Use Cases
Understanding of APT Behavior
Many threat intel reports focus on malware engineering techniques, the initial compromise, or an explanation of command and control (C2). Understanding these individual tactics and techniques is not enough to fully characterize an attack campaign or incident. When they are chained together into a picture of an adversary's behavior, security teams can generate a well-informed action plan to emulate those APTs. The MITRE ATT&CK framework helps address this by presenting a methodology for understanding both known and suspected groups, along with their histories, habits, capabilities, and observed malicious behavior. Security teams can use this publicly documented analysis of tools, routines, and APT behavior to stay current with the cybersecurity landscape, enhance threat hunting operations, and gain visibility into targeted attacks.
Security Defense Evaluation
Apart from threat hunting, the ATT&CK framework also enables red, blue, and purple teams to evaluate the security posture of an organization by validating security controls, identifying security gaps, and initiating the appropriate response and recovery processes.
Heat Map Creation
The ATT&CK framework is useful for creating 'heat maps' of frequently used adversarial tactics, techniques, and procedures. This lets security teams audit and analyze systems, tools, controls, and policies against the behaviors they are most likely to face. While ATT&CK describes the characteristics and behavior of an adversary, MITRE's Cyber Analytics Repository (CAR) provides a means to identify and detect an adversary's techniques. CAR provides dozens of analytic categories, such as user login activity monitoring and remote registry, with associated techniques, implementations, and applicable platform information that facilitate attack detection and identification.
MITRE ATT&CK Benefits
Improved SOC Operation
The MITRE ATT&CK framework is a powerful tool for improving the effectiveness of a Security Operations Center (SOC). It enables security teams to connect the stages of an attack and understand its flow, and to identify security gaps and faults, so that they can prioritize their response activities. It also improves awareness and collaboration among cyber defenders by helping them understand and exchange information about adversary behavior.
MITRE ATT&CK helps security teams map out the detection capabilities they need to prioritize. By understanding the modus operandi of known attackers and their common tactics and techniques, security teams can improve their detection and analysis capabilities.
With MITRE ATT&CK's standard format for the TTPs that threat actors employ, security analysts can examine threat actor movements across their networks and find defense gaps. The framework allows security teams to gather the evidence required to analyze a cyberattack, improving visibility into the threats that matter most to their organizations.
Reduced MTTD and MTTR
Security teams can calibrate their detection operations to the most prevalent intrusion scenarios and the related tactics and techniques documented in the MITRE ATT&CK framework. This saves a great deal of time in detecting incidents. Using the framework, security teams can also deploy the required course of action to protect systems and assets. Overall, this reduces the Mean Time To Detect (MTTD) and Mean Time To Respond (MTTR) for an incident or attack.
How Does MITRE ATT&CK Assist in Cyber Incident Response?
With 14 tactical categories that are further divided into techniques and sub-techniques, the ATT&CK framework can be used to expedite an organization's incident response process. It allows incident response teams to shift their focus from low-level Indicators of Compromise (IOCs) to threat actors' TTPs in order to understand their behavior. Moreover, the ATT&CK Navigator streamlines the incident response process by letting the team map the flow of an incident onto the available techniques and sub-techniques and anticipate the response actions required.
From consulting ATT&CK tactics and techniques during detection and analysis, to identifying IOCs and malicious signatures during containment, incident response teams can leverage the framework to understand the nature of the threat and take steps to minimize the adversary's entrenchment. The team can also mitigate the impact of the attack by mapping it to the ATT&CK framework to identify defensive countermeasures for each attack phase. These countermeasures include, but are not limited to, resolving misconfigurations, updating the relevant detection signatures, ingesting logs into a SIEM for correlation, and remediating any compromised systems.
How Does MITRE ATT&CK Enhance Cyber Threat Intelligence?
The MITRE ATT&CK framework supports cyber threat intelligence by giving security analysts a common language to structure, compare, and analyze adversarial behavior. It provides a structured approach to analyzing cyberattacks by cataloging threat actor TTPs in a matrix. Once threat actors are tracked with their associated tactics and techniques, the ATT&CK framework provides a roadmap for tackling the threat by helping security teams evaluate the strengths and weaknesses of the organization's infrastructure.
Organizations can use ATT&CK Navigator to get a good visual of TTPs used by specific threat actors and assess the environment’s performance against those actors or groups.
How Do Threat Intelligence Platforms (TIPs) Leverage MITRE ATT&CK?
The MITRE ATT&CK matrices are valuable resources for understanding adversarial behavior. By leveraging this library of structured information on the TTPs employed across sophisticated attack campaigns, Threat Intelligence Platforms (TIPs) can simplify the detection process, since the library helps security teams map an observed attack pattern to specific threat actor(s). With this information, security analysts can analyze relevant threats and derive contextual intelligence. For every attack technique, analysts can gain insight into the affected data sources and platforms, related malware, the defenses it can evade, and the required mitigation steps. By working through the ATT&CK Navigator within an advanced Threat Intelligence Platform, security teams can track the threats that matter most to their organizations. They can build custom layers with selected techniques, sub-techniques, and other attributes to examine the impact on the organization. A Threat Intelligence Platform integrated with ATT&CK Navigator helps visualize defensive coverage and optimizes the response by narrowing the attribution of an attack down to a set of TTPs. Moreover, security analysts can switch between the Enterprise and Mobile ATT&CK matrices to examine the different sets of TTPs that affect the corresponding assets and view a color-coded representation of critical TTPs.
The ever-expanding threat landscape requires organizations to stay alert. To tackle the challenges posed by threat actors, organizations and security experts need to leverage MITRE ATT&CK, which paints a clear picture of the gaps in their cybersecurity posture and thereby enhances their threat detection and response capabilities.
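The following Python script is an added example, not code from the original post, from MITRE, or from any TIP vendor, showing what the heat map described under Heat Map Creation and the custom Navigator layer described above look like in practice: it counts technique observations from a constructed set of detection events, rolls them up to ATT&CK tactics, and emits an ATT&CK Navigator layer whose scores drive the color gradient. The technique IDs are real ATT&CK identifiers, but the events, hostnames, and the technique-to-tactic table are constructed for the example, and the layer field names (`versions`, `domain`, `techniques[].techniqueID`, `techniques[].score`, `gradient`) are assumed to match the Navigator layer file format; verify them against the Navigator version you run.

```python
"""Build an ATT&CK Navigator heat-map layer from observed technique IDs.

Added example; assumptions are noted in comments.
"""
import json
import re
from collections import Counter

# ATT&CK technique IDs look like Txxxx (technique) or Txxxx.yyy (sub-technique).
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Constructed sample detections, each already tagged with the ATT&CK technique
# it maps to. The IDs are real ATT&CK identifiers; the events are made up.
SAMPLE_EVENTS = [
    {"host": "ws-017", "technique": "T1566.001", "source": "email-gw"},   # Spearphishing Attachment
    {"host": "ws-017", "technique": "T1059.001", "source": "edr"},        # PowerShell
    {"host": "ws-017", "technique": "T1059.001", "source": "edr"},
    {"host": "ws-017", "technique": "T1003.001", "source": "edr"},        # LSASS Memory
    {"host": "srv-db1", "technique": "T1021.001", "source": "winlog"},    # Remote Desktop Protocol
    {"host": "srv-db1", "technique": "T1078", "source": "winlog"},        # Valid Accounts
    {"host": "srv-db1", "technique": "T1071.001", "source": "proxy"},     # Web Protocols
    {"host": "srv-db1", "technique": "T1071.001", "source": "proxy"},
    {"host": "srv-db1", "technique": "T1071.001", "source": "proxy"},
    {"host": "bad-row", "technique": "not-a-technique", "source": "csv"}, # deliberately malformed
]

# Tactic(s) each sample technique belongs to (a technique can serve several
# tactics). Constructed subset for the example; a real tool would load the full
# mapping from the ATT&CK STIX bundle rather than hard-code it.
TACTICS_OF = {
    "T1566.001": ["initial-access"],
    "T1059.001": ["execution"],
    "T1003.001": ["credential-access"],
    "T1021.001": ["lateral-movement"],
    "T1078": ["defense-evasion", "persistence", "privilege-escalation", "initial-access"],
    "T1071.001": ["command-and-control"],
}


def count_techniques(events):
    """Return (Counter of technique ID -> observations, list of rejected IDs).

    Malformed IDs are reported instead of silently polluting the layer.
    """
    counts, rejected = Counter(), []
    for ev in events:
        tid = ev.get("technique", "")
        if TECHNIQUE_ID.match(tid):
            counts[tid] += 1
        else:
            rejected.append(tid)
    return counts, rejected


def tactic_coverage(counts, tactics_of=TACTICS_OF):
    """Roll technique observations up to tactics to show which attack phases were seen."""
    per_tactic = Counter()
    for tid, n in counts.items():
        for tactic in tactics_of.get(tid, ["unknown"]):
            per_tactic[tactic] += n
    return per_tactic


def build_layer(counts, name="Observed TTP heat map", attack_version="12"):
    """Produce a dict in (assumed) ATT&CK Navigator layer format; score = hit count."""
    techniques = [
        {"techniqueID": tid, "score": n, "comment": f"{n} observation(s)", "enabled": True}
        for tid, n in sorted(counts.items())
    ]
    max_score = max(counts.values()) if counts else 1
    return {
        "name": name,
        "versions": {"attack": attack_version, "navigator": "4.8.0", "layer": "4.4"},
        "domain": "enterprise-attack",
        "description": "Techniques observed in detections; darker cells were seen more often",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": max_score},
    }


def top_techniques(counts, k=3):
    """The k most frequently observed techniques, highest first."""
    return [tid for tid, _ in counts.most_common(k)]


if __name__ == "__main__":
    counts, rejected = count_techniques(SAMPLE_EVENTS)
    print(json.dumps(build_layer(counts), indent=2))   # save as layer.json, open in Navigator
    print("tactics seen:", dict(tactic_coverage(counts)))
    if rejected:
        print("skipped malformed technique IDs:", rejected)
```

Saving the printed JSON to a file and opening it with Navigator's "Open Existing Layer" renders the heat map; the same counts, fed through a TIP's Navigator integration, become the color-coded layer of critical TTPs described above. Rejecting malformed IDs up front matters because a single bad row would otherwise produce a layer Navigator cannot place on the matrix.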