MITRE ATT&CK is a popular knowledge base that categorizes the Tactics, Techniques and Procedures (TTPs) used by adversaries in cyberattacks. Created by the nonprofit organization MITRE, ATT&CK gives security professionals a shared vocabulary for understanding, detecting and countering cyber threats. In this blog post, we dive into the framework, explore several use cases for it and discuss cross-community collaboration.
This blog post is based on episode 12 of Cato’s Cyber Security Masterclass, which you can watch here. The masterclass is led by Etay Maor, Sr. Director of Security Strategy at Cato. This episode hosted guests Bill Carter, system engineer at Cato, and Ross Weisman, innovation lead at MITRE CTID.
Security Frameworks: A Short Intro
MITRE ATT&CK is one of the most detailed security frameworks in use, but it is not the only one. Other widely used frameworks include:
The Lockheed Martin Cyber Kill Chain
One of the most foundational and venerable frameworks is the Lockheed Martin Cyber Kill Chain. The kill chain includes seven different stages spanning three category buckets. They are:
- Preparation – Reconnaissance, Weaponization
- Intrusion – Delivery, Exploitation, Installation
- Breach – Command & Control (C&C), Actions on Objectives
This kill chain is widely used across organizations because of its easy-to-understand, high-level approach.
The Diamond Model
Another popular model is the Diamond Model. The Diamond Model connects four aspects of an intrusion event:
- Adversary (a person or group)
- Capability (malware, exploits)
- Infrastructure (IP, domains)
- Victim (person, network)
The advantage of the Diamond Model is that it captures the complexity and dimensionality of attacks, rather than forcing them into the kill chain’s linear form.
By combining the Diamond Model with the Lockheed Martin kill chain, security researchers can build an attack flow chain or activity graph:
The MITRE ATT&CK Framework
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a widely used knowledge base that describes and categorizes the tactics, techniques, and procedures (TTPs) employed by adversaries during cyberattacks. The framework was developed by MITRE, a nonprofit organization, and is used by security professionals to understand, detect, and respond to cyber threats.
The framework covers a wide range of techniques, sub-techniques and tactics that are organized in a matrix. In the Enterprise matrix the tactics (the adversary’s “why”) are Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact; the techniques and sub-techniques under each tactic describe the “how”.
MITRE ATT&CK Framework Biases
The information in the MITRE ATT&CK framework is accumulated from real-world observed behaviors, as published in public threat reports. Therefore, when using the framework it’s important to acknowledge the biases that come with that reporting:
- Novelty Bias – New and interesting techniques, or existing techniques used by new actors, get reported, while run-of-the-mill techniques that are used over and over again do not.
- Visibility Bias – Organizations publishing intel reports have visibility of certain techniques and not others, depending on how they collect data. In addition, techniques are observed differently during an incident than after it.
- Producer Bias – Some organizations publish more reports than others, and the types of customers or visibility they have may not reflect the broader industry.
- Victim Bias – Certain types of victim organizations may be more likely to report, or be reported on, than others.
- Availability Bias – Techniques that easily come to mind are more likely to be reported on as report authors will include them more often.
The Pyramid of Pain
The knowledge provided by the ATT&CK framework enables researchers to identify behaviors that could be indicative of an attack. This increases their chances of mitigating attacks, since behaviors are the costliest thing for an attacker to change. To explain this statement, let’s look at the Pyramid of Pain.
The Pyramid of Pain is a model introduced by David Bianco for understanding and prioritizing indicators of compromise (IOCs). The pyramid illustrates the relative value of different types of IOCs based on how difficult they are for an adversary to change or obfuscate. Security professionals can use the Pyramid of Pain to decide which indicators to invest detection effort in: the higher up the pyramid a detection sits, the more it costs the adversary to evade it.
Each pyramid layer represents a different type of IOC:
1. Indicators at the bottom layers are easy, and even trivial, for adversaries to modify or evade. These include atomic indicators such as file hashes, IP addresses and domain names. While these indicators can help detect attacks, they are not robust, since adversaries can change them at almost no cost (recompiling a binary changes its hash; a new VPS changes its IP).
2. Moving up the pyramid, the middle layers include network and host artifacts that are harder for adversaries to modify, such as mutexes, file names, registry keys and URI patterns. Changing these usually requires modifying the adversary’s tools, which is time-consuming and risky for them.
3. At the top of the pyramid are the indicators most difficult for adversaries to change: their tools and, above all, their behavior (TTPs). These are highly valuable for defenders, since altering behavior requires significant effort and retraining on the adversary’s side, making behavioral detections more reliable and persistent. These are also the types of IOCs the MITRE ATT&CK framework focuses on.
How Defenders Can Use MITRE ATT&CK
With the MITRE ATT&CK framework, security researchers can delve into individual procedures, analyze them and extract the information they need. The framework’s matrix structure lets researchers choose the level of depth they want, from tactic down to sub-technique and procedure. A helpful tool for working with the framework is the MITRE ATT&CK Navigator. With the Navigator, researchers can explore and visualize defensive coverage, security planning, technique frequency, and more, by coloring and scoring cells of the matrix in a “layer”.
The MITRE ATT&CK framework can be used by security professionals for a variety of use cases. These include threat intelligence, detection and analytics, adversary emulation and simulation, and assessment and engineering. In addition, the framework can help security professionals start an internal discussion about the organization’s detection and mitigation capabilities.
Here are a few examples of potential use cases.
Threat Actor Analysis
Security professionals can use the framework to gather and communicate information about threat actors. For example, if a C-level manager asks about a breach or a threat actor, researchers can pull the relevant high-level information about that actor’s tactics and techniques from the framework.
At a deeper level, if a researcher needs to understand how to protect against a certain threat actor, or wants to learn which threat actors use a certain technique, they can drill down into the matrix. The information provided helps them learn how the technique is executed, which tools are employed, and which detections and mitigations apply. This expands the researcher’s knowledge by introducing them to additional operational modes of attackers.
Multiple Threat Actor Analysis
In addition to researching specific actors, the MITRE ATT&CK framework can be used for analyzing multiple threat actors. For example, during times of geo-political crisis, the framework can be used to identify common tactics used by nation-state actors.
Here’s what a visualized multiple threat actor analysis could look like, showing the techniques used by different actors in red and yellow, and overlaps in green.
Another use case is analyzing existing gaps in defenses. By overlaying the organization’s detection and mitigation coverage on the techniques relevant actors use, defenders can identify, visualize and rank the techniques the organization is most exposed to.
This is what it could look like, with colors used to indicate priority.
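The two visualizations described above (multi-actor overlap in red/yellow/green, and coverage gaps ranked by priority) are both produced by scoring and coloring techniques in an ATT&CK Navigator layer. The following Python is an added example, not code from the masterclass, Cato or MITRE: it takes two constructed actor profiles and a constructed list of techniques the SOC already detects, and emits a Navigator layer JSON in which shared techniques are green and every technique is scored so that shared, undetected techniques rank highest. The actor names, the detection inventory and the `versions` strings are assumptions; only the technique IDs are real ATT&CK Enterprise IDs.

```python
"""Added example: build an ATT&CK Navigator layer that highlights which techniques
two actors share and which of those the organization has no detection for.
Actor profiles and the detection inventory are constructed for illustration and do not
describe any real actor or organization; technique IDs are real ATT&CK Enterprise IDs."""
import json

# Constructed sample data (hypothetical actors, not real intelligence).
ACTOR_TECHNIQUES = {
    "Actor A": {"T1566", "T1059", "T1003", "T1021", "T1486"},
    "Actor B": {"T1566", "T1059", "T1078", "T1071", "T1041"},
}
# Techniques the (hypothetical) SOC already has detection analytics for.
DETECTED = {"T1566", "T1003", "T1078"}

COLORS = {
    "Actor A": "#ff6666",   # red: used only by Actor A
    "Actor B": "#ffe766",   # yellow: used only by Actor B
    "overlap": "#8ec843",   # green: used by both actors
}


def technique_users(actor_techniques):
    """Map each technique ID to the set of actors observed using it."""
    users = {}
    for actor, techs in actor_techniques.items():
        for tech in techs:
            users.setdefault(tech, set()).add(actor)
    return users


def build_layer(actor_techniques, detected, name="Multi-actor overlap and gaps"):
    """Return a dict in the Navigator layer format: one entry per technique,
    colored by who uses it and scored higher when shared and undetected."""
    users = technique_users(actor_techniques)
    techniques = []
    for tech_id in sorted(users):
        actors = users[tech_id]
        key = "overlap" if len(actors) > 1 else next(iter(actors))
        gap = tech_id not in detected
        techniques.append({
            "techniqueID": tech_id,
            "color": COLORS[key],
            # priority score: number of actors, doubled when no detection exists
            "score": len(actors) * (2 if gap else 1),
            "comment": "used by " + ", ".join(sorted(actors))
                       + ("; NO detection coverage" if gap else "; detection exists"),
            "enabled": True,
        })
    return {
        "name": name,
        # version strings are assumptions; set them to match your Navigator instance
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Constructed example: red/yellow = single actor, green = shared",
        "techniques": techniques,
    }


def prioritized_gaps(actor_techniques, detected):
    """Undetected techniques, ordered by how many actors use them (most first)."""
    users = technique_users(actor_techniques)
    gaps = [t for t in users if t not in detected]
    return sorted(gaps, key=lambda t: (-len(users[t]), t))


if __name__ == "__main__":
    layer = build_layer(ACTOR_TECHNIQUES, DETECTED)
    print(json.dumps(layer, indent=2))          # paste into Navigator: Open Existing Layer
    print("Priority gaps:", prioritized_gaps(ACTOR_TECHNIQUES, DETECTED))
```

Loading the JSON in the Navigator (“Open Existing Layer”, upload from local) shows the overlap view from the first screenshot; switching the layer to score-based coloring gives the priority view from the second, with T1059 (shared by both actors and undetected) at the top of the list.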
The framework can also be used for testing. Atomic Red Team is an open source library of small, scripted tests, each mapped to a MITRE ATT&CK technique. Running these tests against your own environment shows which techniques your detections actually fire on, which helps identify and close coverage gaps.
Looking Forward Together: The MITRE CTID (Center for Threat-Informed Defense)
The MITRE CTID (Center for Threat-Informed Defense) is a privately funded R&D center that collaborates with private sector organizations and nonprofits. Its goal is to change the game by pooling resources so that defenders spend more time on threat-informed defense and less time reacting to incidents one at a time. This mission is based on John Lambert’s observation that defenders think in lists while attackers think in graphs, and that as long as this is true, attackers win.
One of the key projects in this effort is “Attack Flow”. Attack Flow addresses the problem that adversary behaviors are usually traced atomically, one technique at a time, which makes it harder to understand how an attack actually unfolds and to build effective defenses against it.
Attack Flow provides a language and associated tools for describing flows of ATT&CK techniques and combining those flows into patterns of behavior. As a result, defenders and leaders can better understand how adversaries operate. They can then compose atomic techniques into whole attacks and evaluate their defensive posture against those sequences rather than against isolated techniques.
Here’s what it looks like:
Based on such attack flows, defenders can answer questions like:
- What have adversaries been doing?
- How are adversaries changing?
Then, they can capture, share and analyze patterns of attack.
Ultimately, they will be able to answer the million-dollar questions:
- What is the next most likely thing they will do?
- What have we missed?
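To make the “lists versus graphs” point concrete, here is an added Python example (not the Attack Flow project’s schema or tooling, and not code from the masterclass). It represents each incident as an ordered flow of ATT&CK techniques, counts the transitions between techniques across all flows, and uses those counts to answer the two questions above: the most likely next technique after a given one, and which observed flows would pass entirely unseen by the current detections. The four flows and the detection sets are constructed for illustration; only the technique IDs are real ATT&CK Enterprise IDs.

```python
"""Added example: treat incident reports as flows (graphs) of ATT&CK techniques
rather than flat lists, then ask "what comes next?" and "what have we missed?".
The flows below are constructed and fictional; this is a simplified representation,
not the Attack Flow project's STIX-based format. Technique IDs are real ATT&CK IDs."""
from collections import Counter, defaultdict

# Constructed sample flows: the ordered technique sequence of four fictional incidents.
FLOWS = [
    ["T1566", "T1059", "T1003", "T1021", "T1486"],   # phish -> script -> creds -> lateral -> ransom
    ["T1566", "T1059", "T1003", "T1021", "T1041"],   # same path, ends in exfiltration
    ["T1078", "T1021", "T1003", "T1021", "T1486"],   # valid account, no phishing at all
    ["T1566", "T1204", "T1059", "T1021", "T1041"],   # phish -> user execution -> script
]


def transitions(flows):
    """Count how often technique a is directly followed by technique b across all flows.
    This is the edge list of the behavior graph."""
    counts = defaultdict(Counter)
    for flow in flows:
        for a, b in zip(flow, flow[1:]):
            counts[a][b] += 1
    return counts


def next_most_likely(flows, technique):
    """Return (next_technique, probability) for the most frequent successor,
    or None when the technique was never observed being followed by anything."""
    successors = transitions(flows).get(technique)
    if not successors:
        return None
    total = sum(successors.values())
    tech, n = successors.most_common(1)[0]
    return tech, n / total


def undetected_flows(flows, detected):
    """Flows that would pass completely unseen: none of their techniques is detected.
    A list-based view (one technique at a time) cannot answer this question."""
    return [flow for flow in flows if not any(t in detected for t in flow)]


def chokepoints(flows):
    """Techniques present in every observed flow: detecting one of these
    covers the whole observed set, however the attacks begin."""
    common = set(flows[0])
    for flow in flows[1:]:
        common &= set(flow)
    return sorted(common)


if __name__ == "__main__":
    print("after T1003 expect:", next_most_likely(FLOWS, "T1003"))
    print("after T1566 expect:", next_most_likely(FLOWS, "T1566"))
    print("missed with phishing-only detection:", undetected_flows(FLOWS, {"T1566"}))
    print("chokepoints:", chokepoints(FLOWS))
```

With only a phishing detection in place, the third flow (initial access via a valid account) is invisible end to end, which is exactly the “what have we missed” answer; the chokepoint analysis shows that a detection on T1021 (Remote Services) would have caught every one of the observed flows. The transition counts are the graph Lambert describes: the same data, read as lists of indicators, would not reveal either answer.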
The community is invited to participate in CTID activities and contribute to the shared knowledge. You can contact them on LinkedIn or walk up to their booth at conferences, like at RSA.
To watch the entire masterclass and see how the MITRE ATT&CK framework is incorporated into Cato’s solution, click here.