Learn about the MITRE ATT&CK Framework, how it can be used to classify adversary behaviors, and assess an organization's risk in this week's Data Protection 101.
A Definition of the MITRE ATT&CK Framework
The MITRE ATT&CK™ framework is a comprehensive matrix of tactics and techniques used by threat hunters, red teamers, and defenders to better classify attacks and assess an organization's risk.
The aim of the framework is to improve post-compromise detection of adversaries in enterprises by illustrating the actions an attacker may have taken. How did the attacker get in? How are they moving around? The knowledge base is designed to help answer those questions that while contributing to the awareness of an organization’s security posture at the perimeter and beyond. Organizations can use the framework to identify holes in defenses, and prioritize them based on risk.
Threat hunters can leverage the ATT&CK framework to look for specific techniques adversaries may use in conjunction with others. As Tim Bandos, Digital Guardian's VP of Cybersecurity, points out, the framework can be extremely useful for gauging an environment’s level of visibility against targeted attacks with the existing tools deployed across an organization's endpoints and perimeter.
There are technically three "flavors" or matrices of ATT&CK. There’s the most popular and the one we’ll be discussing here:
- Enterprise ATT&CK
- PRE-ATT&CK - which covers tactics and techniques pre-compromise, what attackers before before exploiting a target network, and
- Mobile ATT&CK - a model of adversarial tactics and techniques used to gain access to mobile devices.
When was the ATT&CK Framework Created?
The MITRE Corporation, a not-for-profit that supports several U.S. government agencies, began developing ATT&CK in 2013. The framework, which stands for Adversarial Tactics, Techniques, and Common Knowledge, was officially released in May 2015 but has undergone several updates, usually quarterly, since.
According to Blake Strom, a MITRE ATT&CK Lead, the framework was created to better document adversary behaviors within an internal research project, FMX. In addition to behaviors, the group wanted a way to classify how attackers interacted with systems, across all groups, all while being based on real-time activity.
What are the Tactics of the ATT&CK Framework?
The Enterprise ATT&CK framework consists of 11 tactics. Consider tactics the "why" part of the ATT&CK equation. What objective did the attacker want to achieve with the compromise?
• Initial Access
• Privilege Escalation
• Defense Evasion
• Credential Access
• Lateral Movement
What are the Techniques of the ATT&CK Framework?
Each tactic contains an array of techniques that have been observed being used in the wild by malware or threat actor groups in compromises. Tactics are thought of the “how” part of ATT&CK: How are attackers escalating privileges? How are adversaries exfiltrating data?
While there are only 11 tactics in the Enterprise ATT&CK framework, there are scores of techniques, too many to list here; 291 at the time of writing this. They're perhaps best visualized via MITRE's ATT&CK Navigator, a nifty open source web app that allows for basic navigation and annotation of all of the framework's matrices. Techniques are referenced in ATT&CK as Txxxx; Spearphishing link is T1192, Remote Access Tools is T1219, so on and so forth.
Each technique contains contextual information, like the permissions required, what platform the technique is commonly seen on, and how to detect commands and processes they’re used in.
Here’s an example: It's not uncommon for attackers to move laterally through networks with legitimate Windows tools like Windows Management Instrumentation (WMI). A strain of the ransomware Petya leveraged WMI (along with PsExec, EternalBlue, and EternalRomance) to spread laterally in 2017. A threat hunter could use ATT&CK to look at relationships between techniques like WMI and others that can be used to gather data for the discovery and execution of files through lateral movement.
By skimming down to the "Detection" section of the technique, a threat hunter can learn they could monitor network traffic for WMI connections, look for WMI usage in environments that don't typically use it, and perform process monitoring to capture command-line arguments of "wmic," to identify the technique.
What are the Procedures of the ATT&CK Framework?
As far as ATT&CK is concerned, a procedure describes the way adversaries or software implements a technique.
Keeping the WMI example in mind – by navigating to the WMI technique listing anyone can see that the popular Russian hacker group APT29 uses WMI to steal credentials and execute backdoors at a future time. BlackEnergy, an APT group linked to attacks on Ukrainian energy companies in 2015, meanwhile uses WMI to gather victim host details.
“The procedure is a particular instance of use and can be very useful for understanding exactly how the technique is used and for replication of an incident with adversary emulation and for specifics on how to detect that instance in use,” MITRE's Strom, wrote earlier this year.
How Does ATT&CK Help in Sharing Threat Intelligence?
While the framework has been around for years, it's especially caught on of late as a way to help organizations, end users, and the government share threat intelligence. While there are certainly other ways on the books to share threat intel, ATT&CK provides a common language that’s standardized and globally accessible.
As Katie Nickels, ATT&CK Threat Intelligence Lead for MITRE, points out, analysts and defenders can work together with data to compare and contrast threat groups. Analysts can structure intelligence around behavior while defenders can structure information around behavior they can detect and mitigate. Nickels gives a good example, comparing and contrasting techniques used by the APT3 and APT29 groups, on MITRE's blog. By identifying the highest priority techniques an organization can better determine how to mitigate and detect them.
The fact the knowledge base is community-driven and widely accepted for sharing structured information has afforded it a great deal of momentum as well.
Who does the ATT&CK Framework Benefit?
ATT&CK can aid red teams and blue teams alike. Red teams can follow MITRE's adversarial emulation plans to test their networks and defenses by modeling off of adversary behavior classified by ATT&CK. Campaigns based around ATT&CK can make it easier to track attacks, decipher patterns, and rate the effectiveness of defense tools already in place.
Blue teams can leverage the ATT&CK framework to get a better grip on what adversaries are doing, prioritize threats, and to ensure the right mitigations are in place.
- The MITRE ATT&CK Enterprise Matrix
- Using ATT&CK to Advance Cyber Threat Intelligence – Part 1 (Blog)
- The Philosophy of ATT&CK (Blog)
- Videos from ATT&CKcon, a conference based around the framework held by MITRE in Virginia in October
- Threat Hunting with MITRE's ATT&CK Framework
- Webinar: Understand, Deploy, and Hunt with MITRE’s ATT&CK Framework: The Blueprint for Repeatable Threat Hunting Success