Every day, it feels like cybercriminals have deployed a new ransomware strain. They seem able to create new attacks in a matter of moments, often exploiting new vulnerabilities before companies can apply security updates. More often than not, though, threat actors do not create entirely new attack paths; they simply reorganize their steps to evade detection. To think like a malicious actor, organizations can use the MITRE ATT&CK framework to move toward a proactive cybersecurity posture.
Who is MITRE?
MITRE is a non-profit research and development organization that works across industry verticals, academia, and federal, state, and local governments. In 2013, the organization set out to document common tactics, techniques, and procedures (TTPs) as part of one of its research projects.
What is MITRE ATT&CK?
MITRE ATT&CK is an open-source framework that builds on the TTP knowledge base so that cybersecurity teams can identify risks and prioritize mitigation activities. MITRE ATT&CK offers a matrix for tactics and techniques across:
- Industrial control systems
This post will focus on the Enterprise matrix.
Tactics are the reason that an adversary wants to take a specific action.
As malicious actors try to attack organizations, MITRE ATT&CK outlines the following tactics under its Enterprise section:
- Reconnaissance: gathering information
- Resource Development: establishing resources to support operations
- Initial Access: getting into networks
- Execution: running malicious code
- Persistence: maintaining the foothold
- Privilege Escalation: gaining more access with higher-level permissions
- Defense Evasion: hiding in the system to avoid detection
- Credential Access: stealing account names and passwords
- Discovery: learning more about the environment
- Lateral Movement: moving through the environment
- Collection: gathering data that helps achieve the end goal
- Command and Control: communicating with compromised systems to control them
- Exfiltration: stealing data
- Impact: manipulating, interrupting, or destroying systems and data
While these may look like actions, they are really the outcomes of the various techniques that threat actors use.
MITRE ATT&CK techniques
The techniques are the technical actions that threat actors use to achieve their desired outcomes. In other words, while tactics are the why, techniques are the how.
ATT&CK outlines 188 techniques and 379 sub-techniques, all aligned to different tactics.
For example, under the Enterprise tactic Reconnaissance, ATT&CK lists the following ten techniques:
- Active Scanning: probing infrastructure via network traffic
- Gather Victim Host Information: learning about hosts to gain details like administrative data or configuration information
- Gather Victim Identity Information: learning about identities like email addresses or credentials
- Gather Victim Network Information: obtaining information about networks like administrative data, topology, or operations
- Gather Victim Org Information: finding out information about details like division or department names, business operations, or key employee roles and responsibilities
- Phishing for Information: tricking targets into providing information, like credentials
- Search Closed Sources: using information from paid or unpaid threat intelligence sources including databases, the dark web, or cybercrime black markets
- Search Open Technical Databases: obtaining information from online databases and repositories, like domain or certificate registrations
- Search Open Websites/Domains: locating information online, like with social media, news sites, or hiring/contract sites
- Search Victim-Owned Websites: gaining information about organizational structures through the company’s website
MITRE ATT&CK Mitigations
Finally, ATT&CK suggests preventive security strategies and types of tools that can help prevent a technique or sub-technique from successfully achieving the goal. It provides forty-three Enterprise Mitigations and thirteen Mobile Mitigations.
Under each primary technique, ATT&CK lists a series of sub-techniques that describe the specific tools or strategies threat actors use as part of their attacks. For example, Account Use Policies can be used to mitigate the following sub-techniques that fall under the Brute Force technique (T1110):
- Password Guessing
- Password Spraying
- Credential Stuffing
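As an added example (not from the original post or from MITRE), the sketch below tags bursts of failed logons with T1110 sub-technique IDs and shows which accounts a per-account lockout, one kind of account use policy, would lock. The events, thresholds and function names are assumptions constructed for illustration; T1110.001, T1110.003 and T1110.004 are ATT&CK's IDs for the three sub-techniques listed above.

```python
from collections import defaultdict

# Constructed logon events: (source_ip, account, outcome).
# Addresses come from documentation ranges; nothing here is real log data.
SAMPLE_EVENTS = (
    [("198.51.100.7", "alice", "fail")] * 12
    + [("203.0.113.9", f"user{i:02d}", "fail") for i in range(15)]
    + [("192.0.2.44", "bob", "fail")] * 2
    + [("192.0.2.44", "bob", "success")]
)

# Thresholds are assumptions for this example; tune them to your own baseline.
GUESS_MIN_FAILS_PER_ACCOUNT = 10
SPRAY_MIN_ACCOUNTS = 10
SPRAY_MAX_FAILS_PER_ACCOUNT = 3


def classify_sources(events):
    """Map each source IP to a T1110 sub-technique label, or None."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> account -> failures
    for src, account, outcome in events:
        if outcome == "fail":
            fails[src][account] += 1
    findings = {}
    for src, per_account in fails.items():
        most = max(per_account.values())
        if len(per_account) >= SPRAY_MIN_ACCOUNTS and most <= SPRAY_MAX_FAILS_PER_ACCOUNT:
            # Many accounts, few tries each. Logon events alone cannot tell
            # Password Spraying (T1110.003) from Credential Stuffing (T1110.004).
            findings[src] = "T1110.003/T1110.004"
        elif most >= GUESS_MIN_FAILS_PER_ACCOUNT:
            findings[src] = "T1110.001"  # Password Guessing: one account hammered
        else:
            findings[src] = None  # within ordinary mistyped-password noise
    return findings


def accounts_locked(events, lockout_threshold=5):
    """Accounts a per-account lockout would lock (simplified: no reset window)."""
    totals = defaultdict(int)
    for _src, account, outcome in events:
        if outcome == "fail":
            totals[account] += 1
    return {a for a, n in totals.items() if n >= lockout_threshold}


if __name__ == "__main__":
    for src, label in classify_sources(SAMPLE_EVENTS).items():
        print(src, label or "no finding")
    print("locked:", sorted(accounts_locked(SAMPLE_EVENTS)))
```

On the constructed data only the guessed account reaches the lockout threshold, so the many-accounts pattern has to be caught by counting distinct accounts per source rather than by lockout alone.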
MITRE ATT&CK Pre-compromise Mitigations
This category applies specifically to the Reconnaissance and Resource Development techniques. Since threat actors use these techniques prior to gaining access, they are more difficult to prevent. Detection capabilities focus on understanding “normal,” or baseline, behaviors within an environment and looking for abnormal activities.
Since the Reconnaissance and Resource Development tactics rarely engage actively with an organization’s environment, putting mitigations in place is more difficult.
For example, to mitigate the risks associated with Active Scanning, MITRE ATT&CK notes that efforts should focus on minimizing the amount and sensitivity of data available to external parties.
What is MITRE ATT&CK mapping?
ATT&CK offers several different matrices that can help an organization map its security controls to the different tactics and techniques.
The ATT&CK matrices outline the different techniques and sub-techniques, organized by technology type. For example, under the Execution tactic, it lists Command and Scripting Interpreter sub-techniques unique to Windows, macOS, and Linux.
How is MITRE ATT&CK useful?
As organizations look to uplevel their proactive threat mitigation strategies, MITRE ATT&CK helps them view their environments from a threat actor’s perspective. This makes it a flexible framework for various use cases.
Threat hunters use ATT&CK to act like malicious actors when trying to find exploitable gaps in an organization’s defenses. They can align their plans to achieve specific goals, then follow the ATT&CK mapping of techniques to try to achieve them.
Some threat actors have “signatures,” a specific set of TTPs used as part of their attacks. If organizations are aligning their threat hunting capabilities to ATT&CK, they can also use the matrices to help test against known Indicators of Compromise (IoC) and reduce weaknesses in their defensive controls.
Security Tool Optimization
Organizations that run Red Team or Purple Team exercises can use the ATT&CK matrices to understand how well their security tools detect abnormal activity. This allows them to fine-tune their tools for better alerting and more robust security.
Detection and Investigation
Security operations centers (SOCs) and incident response teams use the ATT&CK mapping as a way to investigate incidents more rapidly. A detection can tell them what activity occurred. By following the series of steps set out in the ATT&CK mappings, they can more rapidly investigate the incident, reducing key metrics like Mean Time to Respond (MTTR) and Mean Time to Contain (MTTC).
Alert Logic: Managed Detection and Response (MDR) Mapped to MITRE ATT&CK
Alert Logic’s MDR solution rapidly detects and responds to threats both left and right of boom. Our comprehensive coverage ingests data from on-premises, multi-cloud, and hybrid environments. We use MITRE ATT&CK across our analytics, incident classification, dashboards, and reporting, providing a familiar taxonomy that helps security teams make decisions regarding threat management.
Our global 24/7 security operations team uses the same content to help customers mitigate risks and suggest additional security controls that protect networks, systems, endpoints, users, and data.