What is MITRE ATT&CK Framework?
- Incident Response
- Cyber Threat Intelligence
Posted on: July 22, 2019
Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a globally accessible knowledge base of adversary tactics and techniques built from real-world observations of cyberattacks. MITRE introduced ATT&CK in 2013 as a means to outline and classify adversarial behaviors observed in the wild. The ATT&CK framework, also known as ATT&CK Navigator, is an organized list of known attacker behaviors that have been collated into tactics and techniques and expressed in several matrices and as STIX/TAXII content. Because this list is an extensive representation of the techniques attackers use when abusing networks, it is useful for a wide range of defensive measures, characterizations, and other mechanisms. One such critical defensive activity is incident response.
As attackers keep finding new tricks to avoid detection, security teams are changing the way they approach incident response. The ATT&CK framework lets security teams shift their focus from low-level indicators to the attackers' behaviors themselves. MITRE's ATT&CK Navigator is one of the tools that helps security teams keep pace with attackers and lets them delineate new techniques as they appear.
Three Different Flavors of ATT&CK
The ATT&CK framework has three different flavors:
- PRE-ATT&CK: Focuses on the tactics used by the attackers before they exploit their target.
- ATT&CK for Enterprise: Covers the tactics and techniques employed against Windows, Linux, or macOS targets.
- ATT&CK for Mobile: Underlines the attack tactics and techniques utilized for compromising mobile devices.
Why did MITRE develop ATT&CK?
MITRE began developing ATT&CK in 2013 as part of its research project called the Fort Meade eXperiment (FMX). The goal of FMX was to investigate and analyze endpoint telemetry data to improve the discovery of adversaries operating within enterprise networks after the initial compromise. ATT&CK was built to provide detailed documentation of the common tactics, techniques, and procedures (TTPs) used by advanced persistent threats (APTs) against Windows enterprise networks. Initially used as the foundation for testing the effectiveness of sensors and analytics under FMX, ATT&CK now serves as a common language, or framework, for both the defensive and offensive strategies of organizations.
What is PRE-ATT&CK?
The PRE-ATT&CK model defines the pre-compromise techniques used by attackers. It is intended to raise awareness among defenders of the actions that take place before a network intrusion occurs. It allows a comprehensive evaluation of computer network defense (CND) technologies, processes, data, and policies against a standard enterprise threat model.
What is ATT&CK for Enterprise?
ATT&CK for Enterprise is a framework and an adversary model that explains the actions a threat actor could take to compromise and operate within an enterprise network. The model is used to describe and characterize post-compromise adversary behavior. It broadens the knowledge base available to security experts and at the same time helps them prioritize network defenses. Moreover, the framework provides an in-depth understanding of the TTPs threat actors use to gain access to a network, which helps identify their objectives while they operate.
What is ATT&CK for Mobile?
The ATT&CK for Mobile model is a comprehensive list of threats against mobile devices and other parts of the mobile ecosystem. It is designed to support the development of mobile security capabilities, solutions, and best practices that defend organizations as they deploy mobile devices.
What are Tactics, Techniques, and Procedures (TTPs) and Common Knowledge (CK)?
In simple terms, the TTPs and CK in the ATT&CK framework describe the wide range of methods threat actors use, which lets defenders categorize attacks and evaluate organizational risk.
- The “tactics” explain the main aim or purpose of the adversary behind the attack and answer the ‘why’ of an ATT&CK technique. The objective of the adversary could be initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, and exfiltration.
- The “techniques” describe “how” an adversary succeeds in a tactical goal, detailing the attack method used by the adversary. For example, an adversary may send a spearphishing link via spam email, use process injection, credential dumping, unauthorized access, data theft, brute force attack, removable media, or other methods.
- The “procedures” are the exact ways a specific adversary or piece of software performs a technique, whereas CK is the documented use of techniques and tactics by adversaries. Essentially, CK is the documentation of procedures.
How can Security Teams Benefit from the MITRE ATT&CK Framework?
The MITRE ATT&CK framework is open source and hence easily accessible to any individual or organization. Its main goal is to bring security experts and organizations together to develop a more effective cybersecurity model. The knowledge base can serve as a foundation for more effective threat intelligence and security models, providing the actionable insights security teams need to proactively mitigate cyberattacks. Security teams can use ATT&CK to visualize their defensive coverage, plan red/blue team exercises, measure the rate of detected techniques, analyze threat intelligence, and support the overall incident response process. Basically, it is a tool for mapping controls, such as preventive controls, detective controls, or observed behaviors, against attacker techniques. Moreover, Navigator can be used online for quick mockups or scenarios, or it can be downloaded and installed internally as a more permanent solution.
In addition to using ATT&CK methodologies to build scenarios that test network defenses, security teams use ATT&CK to plan their cybersecurity roadmap. The framework helps teams build defenses that respond to known techniques and identify evidence of ATT&CK techniques in their network.
ATT&CK Navigator is a reference for incident response teams, who can use ATT&CK to learn the nature of the threats they encounter and the methods to mitigate them. By using ATT&CK as a reference for new threats, they can plan ahead, assess their overall cybersecurity strategy, and bridge the gaps they discover.
MITRE's ATT&CK Navigator tool can be used to extract all the controls for the techniques attackers deploy in the pre-attack and post-attack stages. Security teams can then compare that information with their implemented controls, or simply use it for educational or research purposes.
Role of ATT&CK Framework in Incident Response
Detection and Analysis
Security operations centers (SOCs) and incident response teams can refer to the ATT&CK tactics and techniques that were detected, and those that were missed. This helps in understanding defensive strengths and weaknesses, validating mitigation and detection controls, and identifying misconfigurations and related operational issues.
Containment
This stage is an effort to stop the threat from spreading further. Containment is an actionable phase in which security teams implement steps to reduce the adversary's entrenchment. ATT&CK helps security teams with updated malicious signatures, IOC identification, contextual analysis of SIEM logs, tactical insight on moving abused hosts to a controlled environment for further monitoring, and much more.
Eradication and Recovery
Here, security teams review the overall attack by aligning it to the ATT&CK framework in order to determine defensive countermeasures for every attack phase. Typically, these countermeasures include rectifying a misconfiguration, updating relevant signatures, ingesting the respective logs into a SIEM for correlation, or managing an internal workflow so that an alert is attended to significantly faster.
Post-Incident Activity
This process is often overlooked, but it is crucial. With the help of ATT&CK Navigator, security teams can easily summarize the incident and learn whether the deployed countermeasures will be effective in the long run.
MITRE ATT&CK Framework for Threat Intelligence
ATT&CK Navigator empowers organizations by helping them derive contextual threat intelligence. It provides a common, standardized framework that is globally accessible, allowing security teams to work together on data to compare and tackle threat groups. Because it offers a structured representation of adversary TTPs and the real-time behavior of cybercriminals, security teams can draw meaningful analogies between adversary groups.
Security analysts and defenders can organize their information using the ATT&CK matrices. The former can create and share threat intelligence about attacker behavior, while the latter can structure that intelligence to analyze the behaviors it describes and to prioritize risk in detection and mitigation. Together, they can create and share threat-based knowledge that closes the information gaps attackers abuse. Hence, ATT&CK Navigator supports quick decision making and incident response planning for every organization because of its value in deriving contextual threat intelligence.
Threat actors can also be tracked by connecting them to the ATT&CK techniques and tactics they have been using. This gives security teams a roadmap to apply to their operational controls and to understand their weaknesses and strengths against specific actors. Any threat intelligence platform that supports ATT&CK streamlines this process. Disseminating intelligence to the various levels of management is much easier when all parties communicate in the same language about adversarial behaviors. Therefore, standardizing on ATT&CK references in intelligence tools dramatically improves efficiency and ensures a shared understanding.
MITRE ATT&CK for Security Analysts
The MITRE ATT&CK framework allows security analysts to define adversarial behavior in a standard way. They can track the tactics and techniques associated with any threat actor in ATT&CK. Security experts can use this information to fix known bugs or vulnerabilities, or to prepare countermeasures for the methods used by threat actors. In addition, the ATT&CK framework can be used with STIX/TAXII 2.0 feeds, allowing organizations to leverage existing tools and investments in cyber threat intelligence.
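As an added example (not code from the original article or from MITRE), the Python below shows how the STIX 2.0 form of ATT&CK mentioned here can serve the coverage mapping and threat actor tracking described in the incident response and threat intelligence sections: it reads attack-pattern, intrusion-set, and "uses" relationship objects, works out which techniques one tracked group uses, compares them with the techniques the SOC already detects, and emits an ATT&CK Navigator layer that scores the gaps. The bundle is a constructed miniature (the group name and STIX ids are made up; the technique names and T-numbers are real ATT&CK entries), and the Navigator layer keys are assumed from the layer file format rather than taken from the page.

```python
"""Build an ATT&CK Navigator layer of detection gaps for one tracked group from
STIX 2.0 objects. The bundle is a constructed miniature: technique names and
T-numbers are real ATT&CK entries, the group and the STIX ids are made up."""
KC = "mitre-attack"  # kill-chain / source name used by ATT&CK STIX content
STIX_BUNDLE = {"type": "bundle", "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--ap1", "name": "Process Injection",
     "kill_chain_phases": [{"kill_chain_name": KC, "phase_name": "defense-evasion"},
                           {"kill_chain_name": KC, "phase_name": "privilege-escalation"}],
     "external_references": [{"source_name": KC, "external_id": "T1055"}]},
    {"type": "attack-pattern", "id": "attack-pattern--ap2", "name": "Credential Dumping",
     "kill_chain_phases": [{"kill_chain_name": KC, "phase_name": "credential-access"}],
     "external_references": [{"source_name": KC, "external_id": "T1003"}]},
    {"type": "attack-pattern", "id": "attack-pattern--ap3", "name": "Brute Force",
     "kill_chain_phases": [{"kill_chain_name": KC, "phase_name": "credential-access"}],
     "external_references": [{"source_name": KC, "external_id": "T1110"}]},
    {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "CONSTRUCTED GROUP"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--ap1"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--ap3"},
]}

def load_techniques(bundle):
    """STIX id -> (ATT&CK id, [tactics]) for each attack-pattern object."""
    out = {}
    for o in bundle["objects"]:
        if o["type"] != "attack-pattern":
            continue
        tid = next(r["external_id"] for r in o["external_references"] if r["source_name"] == KC)
        tactics = [p["phase_name"] for p in o["kill_chain_phases"] if p["kill_chain_name"] == KC]
        out[o["id"]] = (tid, tactics)
    return out

def group_techniques(bundle, group_name):
    """Set of ATT&CK ids the named intrusion-set 'uses' (via STIX relationships)."""
    techs = load_techniques(bundle)
    gid = next(o["id"] for o in bundle["objects"]
               if o["type"] == "intrusion-set" and o["name"] == group_name)
    return {techs[r["target_ref"]][0] for r in bundle["objects"]
            if r["type"] == "relationship" and r["relationship_type"] == "uses"
            and r["source_ref"] == gid and r["target_ref"] in techs}

def build_layer(bundle, group_name, detected):
    """Navigator layer: score 1 where a detection exists, 0 where the group has a gap.
    Only the core layer keys are emitted (key names assumed from the layer format)."""
    used = group_techniques(bundle, group_name)
    entries = [{"techniqueID": tid, "tactic": t, "score": int(tid in detected),
                "comment": "covered" if tid in detected else "gap"}
               for tid, tactics in load_techniques(bundle).values() if tid in used for t in tactics]
    return {"name": f"Coverage vs {group_name}", "domain": "mitre-enterprise", "techniques": entries}
```

Serializing `build_layer(STIX_BUNDLE, "CONSTRUCTED GROUP", {"T1055"})` with `json.dumps` gives a layer file; in the constructed data the group's use of Brute Force (T1110) shows up as the one scored gap. Against the real ATT&CK STIX collection the same functions work unchanged, only the bundle is larger.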