What is the MITRE ATT&CK Framework?

What is MITRE ATT&CK?

The MITRE ATT&CK framework is a knowledge base of adversary behaviour. It gives the cybersecurity community structured information on more than 100 threat actor groups, the software they use, and the platforms they target.

The data within the framework comes from publicly available cyber threat intelligence and incident reports, as well as contributions from security teams and threat researchers. ATT&CK is available for free to anyone who wants to use it.

It is more than a repository of information: private and public sector organisations use the framework to improve their security posture, build threat models and methodologies, and speed up detection.

Detection, investigation, and response platforms like SenseOn that map detection signals to the ATT&CK framework can help analysts better and more quickly identify adversary behaviour and mitigation steps. This can significantly improve threat detection and response times. 

History of the MITRE ATT&CK Framework

The ATT&CK (short for Adversarial Tactics, Techniques, and Common Knowledge) framework was created by the MITRE Corporation, a non-profit organisation that provides research and development, systems engineering, and information support to the US federal government.

Developed in 2013 for an internal research project, FMX, the framework, which takes an attacker’s point of view, was made available to the public in 2015. The knowledge base has been revised regularly since then. For instance, the April 2021 release added 13 new techniques and 20 new sub-techniques to the Enterprise matrix.

Benefits of the MITRE ATT&CK Framework for Organisations

There are many advantages to using the MITRE ATT&CK framework. Here are some of the more popular use cases: 

  • Simulate real-world attacks. Red teams can mimic the behaviour of real-life threat groups with adversary emulation scenarios. In this way, they can test an organisation’s blue team and defences and gauge the potential impact of a breach. 

  • Design defences. Organisations can more easily understand how cybercriminals specifically target their industry and prioritise detection capabilities based on real-world observations. For example, if you work in the financial sector, you may want to pay attention to the threat group Deep Panda and the techniques and software that it is known to use.

  • Quantify vendor efficacy. Security buyers can measure security providers’ capabilities and effectiveness through ATT&CK evaluations.

  • Improve alert triage process. Analysts can more efficiently gather context around alerts, speeding up alert triage and investigation. 

  • Exchange knowledge. Stakeholders, security professionals, and vendors can communicate using a common lexicon.

  • Remediate infections. Incident response teams can quickly figure out what needs to be done to stop an attack in progress.

  • Eliminate weaknesses. Defenders can better understand the defensive strengths and weaknesses of their security operations centre (SOC) and validate system and tool configurations.

  • Track adversaries. Incident response teams can track how the techniques of particular attacker groups evolve and plan for them ahead of time.

ATT&CK Matrices

Because attackers tailor their tactics and techniques to their target’s environment, ATT&CK is broken down into three different matrices or “technology domains.” 

Enterprise 

The Enterprise matrix focuses on threat actors’ behaviour in Windows, macOS, Linux, SaaS, IaaS, Azure AD, PRE, Google Workspace, Office 365, Network, and Containers.

Mobile 

The Mobile matrix focuses on threat actors’ behaviour on mobile devices (Android and iOS). 

Industrial Control Systems (ICS)

The ICS matrix focuses on threat actors’ behaviour within an ICS network.

The MITRE ATT&CK Matrix

Siloed security tools and out-of-context alerts are significant problems for most modern security operations centres (SOCs). A security team at an organisation with 1,000+ employees is likely to see at least 1,000 alerts per day, many of them false positives. Unsurprisingly, many security professionals report experiencing “alert fatigue.”

Each false-positive alert takes around 32 minutes to resolve. Most organisations never clear all alerts on the day they are raised and rarely get to the root cause of threats. As a result, both productivity and security suffer.

When security professionals are stuck chasing false positives, they have less time to spend on critical tasks like endpoint hardening, proactive security, or threat investigation. Overwhelmed security professionals have also admitted to ignoring alerts when an alert queue is full. Predictably, the time it takes to identify and contain a breach is increasing. It now takes an organisation an average of 326 days to identify and stop a ransomware breach. In contrast, it only takes cybercriminals around two days to penetrate a business’ internal network.   

Each ATT&CK matrix visually lays out tactics and techniques used by adversaries.

Tactics are displayed as column headings along the top, with the techniques that serve each tactic listed underneath. Each technique also has its own page with additional information, including mitigation and detection guidance.

Here, we look at the MITRE ATT&CK enterprise matrix specifically.

1. Tactics

The top-level category of ATT&CK, tactics describe threat actors’ objectives, i.e., the “why” behind a technique: what the adversary is trying to achieve at that stage of an attack.

Currently, the enterprise matrix outlines 14 tactics:

  • Reconnaissance. Discovering and collecting information about targets for future operations. 

  • Resource development. Developing, purchasing, stealing, or compromising resources to support operations. 

  • Initial access. Gaining the initial foothold in a network.

  • Execution. Executing malicious code.

  • Persistence. Maintaining access to systems even in the event of disruptions, e.g., credential changes or restarts.

  • Privilege escalation. Increasing privileges.

  • Defence evasion. Avoiding detection by defensive tools. 

  • Credential access. Stealing credentials.

  • Discovery. Gaining an understanding of the target’s environment.

  • Lateral movement. Moving through the rest of the network.

  • Collection. Collecting useful data.

  • Command and control. Communicating with and controlling compromised systems.

  • Exfiltration. Stealing data. 

  • Impact. Compromising, disrupting, or destroying the target’s systems and data.

It’s important to note that a threat actor won’t necessarily always move through the different tactics linearly (i.e., from left to right). For instance, after Initial Access, a cybercriminal may move on straight to Exfiltration and only then carry out techniques that let them maintain a foothold on systems (Persistence). 

Adversaries also don’t need to use all the ATT&CK tactics to accomplish their goals. If threat actors can achieve their objective in fewer steps, they will do so, because it is more efficient and reduces the likelihood of discovery by the target.

2. Techniques

Techniques are the methods adversaries use to achieve a tactical objective, i.e., the “how.”

Each tactic has a number of techniques. Different threat actors will use different techniques to reach their goals. The technique chosen can depend on several factors, including the target’s environment and the actor’s skill level.

For example, to steal credentials (i.e., Credential Access), cybercriminals might use techniques like Brute Force, Network Sniffing, etc.

Adversaries can use one technique to accomplish several objectives, so a single technique can be listed under several tactics. Abuse Elevation Control Mechanism, for example, appears under both Privilege Escalation and Defence Evasion.

At the moment, there are 191 identified techniques. Each technique includes:

  • Sub-techniques

  • Metadata

  • Description

  • Procedure examples

  • Tips for mitigation and detection.

2.1 Sub-techniques

Sub-techniques are more specific descriptions of a technique. Whereas a technique describes the general action an adversary might take, a sub-technique describes a particular way of carrying it out.

For example, there are four sub-techniques under the Brute Force technique: Password Guessing, Password Cracking, Password Spraying, and Credential Stuffing.  

Adversaries can also combine several sub-techniques of one technique. In a phishing campaign, cybercriminals may use both a Spearphishing Attachment and a Spearphishing Link (both sub-techniques of Phishing) to increase their chance of success.

2.2 Metadata

The metadata part of each technique/sub-technique includes things like:

  • The tactic(s) the technique belongs to.

  • The platforms impacted (like Windows).

  • Permissions required.

  • Defence bypassed (for example, file system access controls, Windows User Account Control, system access controls).

  • Etc. 

2.3 Description

The description part of each technique/sub-technique describes how the technique is commonly used by threat actors.

For example, under Phishing, we are told that cybercriminals use phishing to access victims’ systems and that they may use targeted (spearphishing) and non-targeted phishing. It also warns that phishing can be conducted through third-party services like social media platforms.

2.4 Procedure examples

Procedures describe how a particular technique or sub-technique has been used in the wild. 

For example, under Password Guessing, you can see that the malware Emotet has been observed brute forcing user accounts with a hardcoded list of passwords, while the malware family Xbash brute forces user accounts with a list of weak credentials fetched from a C2 server.

2.5 Mitigations

Mitigations outline how to defend against threat actors’ techniques. A single mitigation can address multiple techniques across several tactics.

For example, the Data Backup mitigation addresses techniques such as Data Encrypted for Impact and Data Destruction.

2.6 Detections

For each technique, MITRE lists the data sources and data components that can reveal it, together with notes on what to look for.

For example, under Brute Force, MITRE suggests that organisations monitor the following to detect an in-progress brute force attack:

  • Application log content, i.e., authentication failures recorded by systems and applications.

  • Executed commands and arguments that attempt to brute force or spray credentials.

  • User account authentication events, looking for repeated failures against one account (guessing) or across many accounts (spraying), for example Windows Event ID 4625 for failed logons.
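The following Python script is an added example, not from the original page or from MITRE, tying the Brute Force sub-techniques above to the detection data sources just listed. It parses constructed OpenSSH-style auth log lines (the log, the source addresses, and the thresholds are all assumptions for the example) and labels each source address with the sub-technique its failure pattern matches: many failures against one account as T1110.001 Password Guessing, one or two attempts against many accounts as T1110.003 Password Spraying. It also records accounts that logged in successfully from the same source after the failures, which is the case an analyst most needs to triage first.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not real data), in OpenSSH auth-log style.
# 203.0.113.5 hammers one account and then gets in (guessing),
# 198.51.100.9 tries each of ten accounts once (spraying),
# 192.0.2.44 is a user mistyping a password once (benign).
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T08:00:{i:02d}Z host sshd[101]: Failed password for alice "
     f"from 203.0.113.5 port 5{i:04d} ssh2" for i in range(12)]
    + ["2024-05-01T08:00:13Z host sshd[101]: Accepted password for alice "
       "from 203.0.113.5 port 50013 ssh2"]
    + [f"2024-05-01T09:00:{i:02d}Z host sshd[102]: Failed password for invalid user {u} "
       f"from 198.51.100.9 port 40001 ssh2"
       for i, u in enumerate(["bob", "carol", "dave", "erin", "frank",
                              "grace", "heidi", "ivan", "judy", "mallory"])]
    + ["2024-05-01T10:00:00Z host sshd[103]: Failed password for bob "
       "from 192.0.2.44 port 30001 ssh2",
       "2024-05-01T10:00:05Z host sshd[103]: Accepted password for bob "
       "from 192.0.2.44 port 30001 ssh2"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)


@dataclass
class Finding:
    source_ip: str
    technique_id: str      # ATT&CK sub-technique ID
    technique_name: str
    failures: int
    distinct_users: int
    # accounts that logged in successfully from this source after failures
    succeeded_after_failures: list = field(default_factory=list)


def parse_auth_log(text):
    """Return (timestamp, result, user, source_ip) for each recognised line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ts"], m["result"], m["user"], m["src"]))
    return events


def classify(events, min_failures=10, spray_min_users=5, spray_max_per_user=3):
    """Label each source IP that exceeds the failure threshold.

    Thresholds are illustrative assumptions, not ATT&CK guidance:
      - few accounts, many failures each  -> T1110.001 Password Guessing
      - many accounts, few failures each  -> T1110.003 Password Spraying
    """
    per_src = defaultdict(lambda: {"fail": defaultdict(int), "ok": set()})
    for _, result, user, src in events:
        if result == "Failed":
            per_src[src]["fail"][user] += 1
        else:
            per_src[src]["ok"].add(user)

    findings = []
    for src, d in sorted(per_src.items()):
        fails = d["fail"]
        total = sum(fails.values())
        if total < min_failures:
            continue  # below threshold: most likely a mistyped password
        if len(fails) >= spray_min_users and max(fails.values()) <= spray_max_per_user:
            tid, name = "T1110.003", "Password Spraying"
        else:
            tid, name = "T1110.001", "Password Guessing"
        findings.append(Finding(src, tid, name, total, len(fails),
                                sorted(set(fails) & d["ok"])))
    return findings


if __name__ == "__main__":
    for f in classify(parse_auth_log(SAMPLE_LOG)):
        print(f"{f.source_ip}: {f.technique_id} {f.technique_name}, "
              f"{f.failures} failures across {f.distinct_users} account(s); "
              f"later success for {f.succeeded_after_failures or 'none'}")
```

In production the thresholds would be tuned per environment and the window bounded by time; the point of the example is that the same authentication-failure data source supports more than one sub-technique, and the per-source account spread is what distinguishes them.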

3. Groups

Groups are attacker groups, activity groups, threat actors, intrusion sets, and campaigns. 

Each group entry contains information on the group, associated group descriptions, and the techniques and software used. 

For example, Wizard Spider, a Russia-based threat group, is linked to 37 enterprise techniques and 16 pieces of software, including Ryuk and Emotet. The group is also known as UNC1878, TEMP.MixMaster, and Grim Spider.

The ATT&CK Navigator visualises which techniques a group is known to use, highlighted on the matrix by tactic, and can be used in the same way to map an organisation’s own detections or coverage.
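As an added example, not from the original page or from MITRE, the script below turns a list of ATT&CK technique IDs attached to alerts into an ATT&CK Navigator layer file, scoring each technique by how many alerts mapped to it so the Navigator renders a heat map. The alert list is constructed; the technique IDs are real Enterprise techniques, but the `versions` strings are assumptions that must match the Navigator build the file is loaded into.

```python
import json
from collections import Counter

# Constructed sample: ATT&CK technique IDs attached to a week of alerts
# (not real detections; the IDs are real Enterprise techniques).
OBSERVED_TECHNIQUES = [
    "T1566.001",                            # Phishing: Spearphishing Attachment
    "T1059.001", "T1059.001", "T1059.001",  # Command and Scripting Interpreter: PowerShell
    "T1110.003", "T1110.003",               # Brute Force: Password Spraying
    "T1021.002",                            # Remote Services: SMB/Windows Admin Shares
]


def build_layer(technique_ids, name="Observed techniques", attack_version="14"):
    """Build an ATT&CK Navigator layer scoring each technique by alert count.

    The version strings are assumptions for this example; set them to the
    ATT&CK and Navigator versions you actually use.
    """
    counts = Counter(technique_ids)
    techniques = [
        {"techniqueID": tid, "score": n, "comment": f"{n} alert(s)",
         "enabled": True, "showSubtechniques": True}
        for tid, n in sorted(counts.items())
    ]
    return {
        "name": name,
        "versions": {"attack": attack_version, "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Technique heat map generated from alerts mapped to ATT&CK",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"],
                     "minValue": 0,
                     "maxValue": max(counts.values(), default=1)},
    }


def layer_to_json(layer):
    """Serialise the layer in the JSON form the Navigator imports."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    print(layer_to_json(build_layer(OBSERVED_TECHNIQUES)))
```

Loading the resulting JSON into the Navigator (Open Existing Layer) colours the scored cells; scoring by alert count shows where detections cluster, while scoring by 0 or 1 gives a simple coverage map of which techniques the SOC can see at all.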

4. Software

Software refers to open-source software, commercial and custom code, operating system utilities, and other tools used to carry out the behaviours described by the framework. ATT&CK divides software into two categories:

  • Tools. These are open-source, commercial, publicly available, or built-in tools used by adversaries, defenders, pen testers, and red teamers. This category includes both software found on an enterprise system (like Tasklist) and software not found on an enterprise system (like Mimikatz). 

  • Malware. This is open-source, commercial, or custom closed-source software adversaries use for malicious purposes.

5. Data sources

Data sources are the categories of raw logs or events generated by systems such as endpoints, network devices, and cloud services.

In each technique, under “Detection,” organisations can see the types of data they need to collect to detect that specific technique. 

How Does the MITRE ATT&CK Compare to the Cyber Kill Chain?

Both the MITRE ATT&CK and the Cyber Kill Chain are cybersecurity frameworks used by organisations to assist in threat hunting and detection. 

The Cyber Kill Chain was developed by the global security and aerospace company Lockheed Martin. Adapted from the US military’s “kill chain” concept, it is a popular framework that describes the sequence of stages in an attack on an organisation’s environment.

The Cyber Kill Chain consists of the following steps:

  • Reconnaissance 

  • Weaponisation

  • Delivery

  • Exploitation

  • Installation

  • Command & Control

  • Actions on Objectives

Whereas the ATT&CK is a “mid-level adversary model” (i.e., it looks at each attack stage in great detail through its techniques and sub-techniques), the Cyber Kill Chain is a high-level model (i.e., it notes attacker goals but doesn’t describe how they’re achieved in detail).

Also, while the Cyber Kill Chain is sequential (i.e., it begins with reconnaissance and ends with actions and objectives), the ATT&CK framework is not chronological. It expects threat actors to change their tactics and techniques during an attack. 

MITRE ATT&CK in Detection and Response

Effective threat detection and response necessitates a deep understanding of adversary techniques and mitigation actions. 

By providing context, the MITRE ATT&CK framework allows analysts to figure out quickly:

  • Whether an alert is genuine.

  • If any of the flagged behaviours are connected.

  • If an attack is in progress. 

  • The severity of an attack.

  • What steps to take to stop an attack. 

Increasing the speed with which analysts can triage and investigate incidents means that organisations can get through more alerts more quickly. 

Because a high percentage of all alerts are false positives, this is an important capability. Recent research shows SOCs waste about 10,000 hours and $500,000 (around £406,000) every year to verify unreliable and incorrect alerts.

Unfortunately, analysts frequently suffer from “alert fatigue,” a phenomenon where an overwhelming number of alerts numb analysts tasked with responding to them and can lead to missed attacks.

Challenges with MITRE ATT&CK

The MITRE ATT&CK framework is not without its challenges. Some of the more important drawbacks of ATT&CK include:

  • Bias. MITRE itself makes it clear that the ATT&CK framework can be subject to several biases. These include novelty bias (where new techniques or existing techniques by new groups are reported more frequently than techniques used most commonly) and visibility bias (organisations that share information may have visibility into some techniques but not others). 

  • Not all techniques within ATT&CK are malicious. For instance, file deletion is listed as a technique under Defence Evasion, but it is also harmless in most cases, e.g., when an employee deletes a file for a legitimate purpose. Many techniques in the framework cover legitimate system functions that cybercriminals abuse (known as “living off the land”).

  • Some ATT&CK techniques are difficult to detect. Some malicious techniques may also be easier to spot (for example, credential stuffing) than others (for example, exfiltration over Alternative Protocol). 

The MITRE ATT&CK Framework and SenseOn

To help organisations detect and understand threats as early as possible, SenseOn has integrated the MITRE ATT&CK framework directly into its automated threat detection, investigation, and response solution. 

For every security observation that SenseOn makes, it maps it to the MITRE ATT&CK framework in real time. 

Only behaviours that are actually malicious are flagged. To do this, SenseOn models the behaviour of individuals, groups of users, and entire organisations to build a baseline of normal activity. When a behaviour that differs from the baseline is noted, SenseOn logs it as an “Observation.” It doesn’t immediately raise an alert, although analysts can view these Observations at any point via the SenseOn dashboard.

Instead, SenseOn uses its “Universal Sensor” to collect and correlate data across the various layers of an organisation’s IT infrastructure (endpoint devices, cloud infrastructure, the network, and investigator microservices). When other behaviour related to the Observation is discovered, SenseOn creates a threat “Case.”

Cases are mapped visually. The sequence of events is laid out in chronological order, the relationship between affected devices is displayed clearly, and each observed behaviour is labelled with the corresponding ATT&CK technique. We also include a link to that technique on the MITRE ATT&CK website for analysts’ convenience.

Analysts can, therefore, immediately know what type of attack is in progress, who is likely targeting them, and what they should do to stop the attack. 

Through automation of threat detection, investigation, and response, SenseOn helps defenders prevent, detect, and respond to attacks quickly and before substantial damage is done.

Try a demo of SenseOn today.
