MITRE ATT&CK? An Interesting Guide For 2021

Introduction

Adversarial Tactics, Techniques & Common Knowledge- ATT&CK  was introduced by MITRE in 2013. MITRE ATT&CK uses real-world observations to categorize and describe adversarial behaviour. This structured list is used widely when representing or taking measures defensive and offensive of attacker behaviour used in network compromising. The TAXII/ STIX/ matrices also describe this behaviour as techniques and techniques of known-behaviour used by attackers.

In this article let us look at:

1. Understanding ATT&CK Matrices
2. Tactics and Techniques
3. Differences between PRE-ATT&CK and ATT&CK Enterprise
4. Best Practices for using MITRE ATT&CK
5. Challenges when leveraging ATT&CK
6. ATT&CK Tools and Resources

1. Understanding ATT&CK Matrices

MITRE ATT&CK uses the following MITRE framework matrices which have the techniques and tactics of adversarial-behavior associated with them-Mobile, PRE-ATT&CK and Enterprise Matrices. The mobile matrix applies to mobile devices, the Enterprise matrix applies to macOS systems Linux, and/or Windows and the PRE-ATT&CK matrix describes the techniques and tactics of pre-attack procedures used by attackers when targeting a system or network.

ATT&CK ’s defensive activities on the behaviour of attackers can greatly benefit from the taxonomy of ATT&CK applied to everyday settings. It is the cyber defender’s lexicon and is used by red teaming and penetration testing procedures of cybersecurity.

2. Tactics and Techniques

In the MITRE ATT&CK matrix, the titles of columns are known as tactics which are the various techniques categorized under them. Hence tactics are what describes the intent of the attackers whereas the techniques are about how to use the tactic to achieve the attack. Lateral Movement is a good example of MITRE ATT&CK use cases. The ATT&CK matrix defines in the column for Lateral Movement the various techniques or ways in which an attacker may use this tactic to compromise the system/ network.

A technique is thus a specific set of goal-achieving behavior using a particular tactic and typically lists all such activities employed by attackers in a single step generally. The technique also includes examples, descriptions, references, mitigation suggestions and detection of attacks using a particular tactic.

3. Differences between PRE-ATT&CK and ATT&CK Enterprise

ATT&CK and PRE-ATT&CK Enterprise together enumerate the complete tactics-list aligned approximately with a Cyber Kill Chain in the cyber kill chain vs MITRE ATT&CK war. PRE-ATT&CK deals with weapons, delivery and reconnaissance or the first 3-phases of the Enterprise kill chain and ATT&CK Enterprise is typically about the last 4-phases of the chain wherein installation, exploitation, control and command, and/or objective actions are dealt with.  

Some examples of ATT&CK Enterprise tactics to define adversarial in a MITRE ATT&CK framework are initial access, persistence, execution, defence evasion, privilege escalation, credential access, lateral movement, discover, ex-filtration, collection, command & control etc.

Some examples of PRE-ATT&CK Enterprise tactics are priority definition, information gathering, target selection, adversary OpSec, weakness identification, persona development, test, build and stage capabilities, establish & maintain infrastructure etc.

4. Best practices for using MITRE ATT&CK

Some of the MITRE ATT&CK best practices are

• Use techniques and tactics which are hard to pin down or ambiguous.

• Leverage via existing tools the ATT&CK integration. Sharing newer methods of mitigation and detection.

• Sharing the techniques and tactics of behavior used by observed attackers.

• Enroll service providers and vendor support.

• Check and research mitigations and detections better explained in the resources below.
  • JP-CERT Detecting Lateral Movement
  • Malware Archeology Windows Logging Cheat Sheets
  • JP-CERT Windows Commands Abused by Attackers.

5. Challenges when leveraging ATT&CK

Since security teams looking for MITRE ATT&CKs use the enterprise matrix to develop and prevent attacks using the listed techniques, there is no guarantee that attackers will not find newer tactics. Hence some caveats are required when ATT&CK nuances. Ex: If Mimikatz is detected by the antivirus,  it does not mean T1097-Pass the Ticket or T1075-Pass the Hash (T1075) are not present.

MITRE ATT&CK solutions should address challenges in the following manner.

• Watch for ATT&CK techniques that may have more than the described methods of attacking.

• Testing and research on the effectiveness of the visibility and tools used for specific techniques need to be done frequently.

• Always tabulate solutions to cover gaps in existing techniques and methods employed for mitigation.

• Log test results for technique gaps and methods to detect or prevent such gaps.

• List out the effective tools for specific detections and list out where the tools are insufficient in covering the gaps.

• Measure testing, coverage, environment performance, etc and be innovative in new techniques.

6. ATT&CK tools and resources

Several organizations use their internal purple team engagements or red teams to engage with MITRE ATT&CK techniques wherein the pen tests are used for developing a better understanding and control over such adversarial-behavior. Adversarial simulations mirror techniques and tools by specific actors and throw light on the behavior of adversaries in the control environment. Resources like Github, open-source suites, commercial suites like SafeBreach, Verodin and AttackIQ are aligned and can be used for ATT&CK adversarial simulation.

Testing MITRE ATT&CK techniques in its used environment can help

• Test efficacy and controls.
• Provide coverage against several employed techniques.
• Find gaps in protection visibility.
• Validate system and tools configuration.
• Demonstrate the environment to catch successful techniques and different actors.
• Prevent assumptions in mitigation methods using control measures.

Conclusion

MITRE ATT&CK is extremely useful in the detection and control of cyber threat intelligence and security of networks and systems from attackers compromising them. It gives a list of over 70 groups and actors including open-source reporting on use-based tools and techniques. One can use a variety of open-source and versions of MITRE ATT&CK like MITRE Caldera, feed on STIX/TAXII 2.0, Uber Metta, Red Canary Atomic Red Team, RTA–Endgame Red Team Automation etc.

So, have you made up your mind to make a career in Cyber Security? Visit our Master Certificate in Cyber Security (Red Team) for further help. It is the first program in offensive technologies in India and allows learners to practice in a real-time simulated ecosystem, that will give them an edge in this competitive world.

ALSO READ

• What Is IoC (Inversion of Control) Principle? A Basic Guide In 2021
• What Is Packet loss On Internet? An Important Overview (2021)