Introduction:
The MITRE ATT&CK framework is well known as the most comprehensive knowledge base of adversary tactics and techniques based on real-world observations, and for how accurately it projects the steps attackers are likely to take to accomplish their goals.
The framework is unique and robust because the cybersecurity community makes constant, active efforts to keep it relevant and up to date. It accumulates analysis and knowledge gathered over the years from cybersecurity incidents, researchers and other sources. This knowledge base never stops growing, and it is good to see that the people behind this powerful framework have stayed true to their vision of bringing communities together to deliver more effective cybersecurity.
What is MITRE ATT&CK Framework?
The MITRE ATT&CK framework is a comprehensive knowledge base for adversary behaviour, and it covers various phases of an adversary's attack lifecycle, tactics and techniques used to achieve the ultimate goal of the attacker.
MITRE ATT&CK® stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge.
In today's cybersecurity threat landscape, the variety of goals pursued by attackers is mind-baffling. This can be attributed to a growing base of adversaries, the need to specialise and make the most of an existing skill set, rivalry, and so on. For example, an Initial Access Broker (IAB) has the goal of gaining initial access to an environment and selling it to the highest bidder, often a ransomware group, which then moves further into the environment with the goal of exfiltrating data and deploying ransomware.
Framework Structure:
The MITRE ATT&CK framework employs a system of tactics and techniques that provides a universal view and taxonomy of adversary behaviour and of the tools used in an attack. This design can be understood by both offensive and defensive cybersecurity professionals.
Also, the framework evolved over the years and introduced additional knowledge base portions covering specific mitigations against the techniques, software used by the attackers etc.
Matrix Types:
Currently, the framework consists of three major matrix types, which can be subcategorised further into individual matrices based on the specific environment or domain being targeted by the adversary.
It is worth mentioning that each individual matrix has its own number of tactics and techniques, but all matrices follow the same logical structure of tactics, techniques and sub-techniques, and new entries are added following that same structure.
Please try to compare the Linux matrix vs Azure AD matrix and note the difference in the tactics and techniques.
Matrix Types:
- Enterprise
- Mobile
- Industrial Control Systems (ICS)
The biggest and most detailed is the Enterprise matrix, which defines the specific tactics and techniques attackers use to infiltrate different environments, including networks, operating systems like Windows, macOS and Linux, SaaS applications like Office 365 or Google Workspace, public cloud systems, and identity services like Azure AD.
The Mobile matrix describes tactics and techniques used to compromise iOS and Android mobile devices.
The ICS matrix covers industrial control systems (ICS) such as power grids, factories, manufacturing plants, and other organisations. These systems depend on interconnected machines, devices, sensors, and networks.
Matrix Components:
Each matrix has three major components: tactics, techniques, and sub-techniques, with every single component having its own unique ID.
The hierarchy in the framework follows a certain structure, which is illustrated with the example of the Spearphishing Attachment (T1566.001) sub-technique: the sub-technique belongs to the Phishing technique (T1566), which in turn belongs to the Initial Access tactic.
Tactics (Why):
A tactic is the reason behind the techniques or sub-techniques that an adversary chooses to use. This can be defined as why the adversary will use a particular technique in the attack lifecycle.
Techniques (How):
Techniques are the methods and tools adversaries use to achieve their tactic or goal. Techniques can be defined as how the adversary is going to achieve the tactic. Some techniques can have several sub-techniques.
The sheer number of techniques is a topic in its own right, and that number is actively growing.
Threat Hunting Perspective:
Looking from the threat hunting perspective, the MITRE ATT&CK framework has multiple use cases which could be useful to the threat hunting team:
- Raising hypotheses, which are crucial for starting the hunts.
- Building an adversary profile based on TTPs used.
- Establishing visibility blind spots, defensive coverage etc. (MITRE ATT&CK® Navigator)
- Response priority based on tactics.
The list of use cases is non-exhaustive and is usually unique to each organisation based on multiple factors.
It is common to start threat hunting hypotheses based on certain scenarios (IOCs, techniques, adversary groups etc.) and the MITRE ATT&CK framework provides an excellent base for this.
When modelling an active threat based on a pattern established through threat hunting, it is easier to defend against an attacker if you can associate the activity with a known group and reference the attack methods and software used by that group in the MITRE ATT&CK framework database.
MITRE ATT&CK® Navigator is a solid tool used by the SOC team to establish visibility coverage and for threat hunters to establish defensive measures in place.
In the ideal scenario, attackers should be found and stopped right after Initial Access, and this should be the aim of all security teams, because once attackers pivot into the environment and start moving through the tactics to the right of the matrix, it gets more difficult to find and eradicate them. More tools and techniques also become available to them from certain tactics (Defence Evasion, Persistence, Privilege Escalation etc.), which increases their capabilities. The MITRE ATT&CK framework helps quickly establish priority based on where the attackers are in the tactics chain, with higher priority given to activity towards the end of the chain.
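The two ideas above, the tactic > technique > sub-technique hierarchy (with its ID format) and the "further right in the tactics chain means higher response priority" heuristic, can be modelled in a few lines. The following Python is an added example, not code from the original post or from MITRE; the tactic ordering and the handful of technique-to-tactic mappings are a small subset I wrote out by hand from the public Enterprise matrix, and the detections fed into it are constructed sample data. The priority score is one possible way to express the heuristic, not a MITRE-defined metric.

```python
"""Toy model of the ATT&CK hierarchy plus a tactic-position priority score.

Added example: the tactic list and technique subset below are a hand-written
subset of the public Enterprise matrix, not the framework's full data set.
"""
import re

# Enterprise tactics in the left-to-right order the matrix displays them.
TACTIC_ORDER = [
    ("TA0043", "Reconnaissance"), ("TA0042", "Resource Development"),
    ("TA0001", "Initial Access"), ("TA0002", "Execution"),
    ("TA0003", "Persistence"), ("TA0004", "Privilege Escalation"),
    ("TA0005", "Defense Evasion"), ("TA0006", "Credential Access"),
    ("TA0007", "Discovery"), ("TA0008", "Lateral Movement"),
    ("TA0009", "Collection"), ("TA0011", "Command and Control"),
    ("TA0010", "Exfiltration"), ("TA0040", "Impact"),
]
TACTIC_INDEX = {tid: i for i, (tid, _) in enumerate(TACTIC_ORDER)}
TACTIC_NAME = dict(TACTIC_ORDER)

# Constructed subset: technique ID -> (name, tactic IDs in matrix order).
# A technique may serve several tactics (Valid Accounts is the classic case).
TECHNIQUES = {
    "T1566": ("Phishing", ["TA0001"]),
    "T1566.001": ("Spearphishing Attachment", ["TA0001"]),
    "T1078": ("Valid Accounts", ["TA0001", "TA0003", "TA0004", "TA0005"]),
    "T1059": ("Command and Scripting Interpreter", ["TA0002"]),
    "T1021": ("Remote Services", ["TA0008"]),
    "T1041": ("Exfiltration Over C2 Channel", ["TA0010"]),
    "T1486": ("Data Encrypted for Impact", ["TA0040"]),
}

# Technique IDs look like T1234; sub-techniques add a three-digit suffix, T1234.001.
ID_RE = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")


def is_technique_id(value):
    """True for a well-formed technique or sub-technique ID (not tactic IDs)."""
    return ID_RE.match(value) is not None


def parse_technique_id(tid):
    """Split an ID into (parent technique, sub-technique or None)."""
    m = ID_RE.match(tid)
    if not m:
        raise ValueError(f"not an ATT&CK technique ID: {tid!r}")
    return f"T{m.group(1)}", (tid if m.group(2) else None)


def tactics_for(tid):
    """Tactic IDs the technique belongs to. Modelling assumption: a sub-technique
    that is not listed separately falls back to its parent's tactics."""
    parent, _sub = parse_technique_id(tid)
    entry = TECHNIQUES.get(tid) or TECHNIQUES.get(parent)
    if entry is None:
        raise KeyError(f"technique {tid} is not in the constructed subset")
    return entry[1]


def priority(tid):
    """Score in [0, 1]: position of the right-most tactic the technique can serve.
    Exfiltration and Impact score highest, Initial Access low."""
    deepest = max(TACTIC_INDEX[t] for t in tactics_for(tid))
    return deepest / (len(TACTIC_ORDER) - 1)


def triage(detections):
    """Rank (host, technique_id) detections, highest priority first."""
    rows = []
    for host, tid in detections:
        deepest = max(tactics_for(tid), key=TACTIC_INDEX.get)
        rows.append({
            "host": host,
            "technique": tid,
            "tactic": TACTIC_NAME[deepest],
            "priority": round(priority(tid), 2),
        })
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


# Constructed sample detections, as a hunting team might receive them from a SIEM.
SAMPLE_DETECTIONS = [
    ("ws-17", "T1566.001"),    # phishing attachment opened on a workstation
    ("srv-db-02", "T1486"),    # files being encrypted on a database server
    ("jump-01", "T1021"),      # remote service use from a jump host
    ("ws-03", "T1078"),        # valid account used in an unusual way
]

if __name__ == "__main__":
    for row in triage(SAMPLE_DETECTIONS):
        print(f"{row['priority']:.2f}  {row['tactic']:<22} {row['technique']:<10} {row['host']}")
```

Running it puts the Impact detection on srv-db-02 first and the Initial Access phishing event last, which is the ordering the heuristic calls for. Valid Accounts (T1078) shows the caveat a hunter should keep in mind: a technique listed under several tactics is scored by its right-most tactic here, but in a real investigation the surrounding telemetry, not the ID alone, decides which tactic the adversary was actually pursuing.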
Conclusion:
The MITRE ATT&CK framework is a powerhouse, which is unrivalled in the number of techniques recorded and analysed. It has proven to be very versatile and benefits the blue, red and purple teams.
The strength of the MITRE ATT&CK framework comes from defining adversary techniques in great detail and providing countermeasures against those techniques. The adversaries today are very likely to follow the same path as the jobseeker, they might take dark web courses, do related exams, try to expand their knowledge and the skill set to get hired. The knowledge is being transferred amongst the adversaries, and that knowledge which adversaries are going to use (techniques) is already defined and described in great detail by the MITRE ATT&CK framework.
In simple terms, to break out of the tactics and techniques described in the MITRE ATT&CK framework, you have to do something completely different and unique, and this is usually within reach of only a very few talented and skilful individuals.
The value of the MITRE ATT&CK framework is immense, and integrating it into business defences will benefit all IT teams.
Image Credit: DALL E 2, "A renaissance painting of a cyber attack"