By Thomas Hazel, CTO & Founder, ChaosSearch
MITRE ATT&CK® is an invaluable resource for IT security teams, who can leverage the framework to enhance their cyber threat intelligence, improve threat detection capabilities, plan penetration testing scenarios, and assess cyber threat defenses for gaps in coverage.
In this week’s blog post, we’ll explain more about MITRE ATT&CK and how organizations can use the framework to support their security log analytics initiatives, enhance threat defenses and protect their infrastructure and data from cyber adversaries.
What is the MITRE ATT&CK Framework?
The MITRE ATT&CK framework derives its name from the MITRE Corporation that maintains it and the acronym ATT&CK, which stands for Adversarial Tactics, Techniques, and Common Knowledge. The framework is publicly accessible and serves as a knowledge base of techniques used by cyber adversaries to target enterprise IT systems.
Techniques are the building blocks of the MITRE ATT&CK framework. All techniques described in the framework have been used by cyber attackers and criminal organizations in the real world to infiltrate the networks of targeted organizations and steal their data. At the time of writing, the framework contains information on 178 different techniques.
For each technique, the framework includes:
- A description of the technique.
- A list of sub-techniques related to the technique.
- A list of known mitigation methods for the technique.
- A list of known detection methods for the technique.
- Some metadata related to the technique.
- References and additional resources related to the technique.
Image Source: MITRE ATT&CK Framework – Active Scanning
The adversarial technique Active Scanning is described in the MITRE ATT&CK framework as the adversary probing the victim's infrastructure via network traffic. Its sub-techniques describe two ways adversaries do this: scanning IP blocks to find live hosts and open services, or scanning target hosts for vulnerabilities that a known exploit could abuse. Active Scanning is categorized as a reconnaissance technique, meaning it is used to collect information about the target organization before adversarial activity escalates.
Techniques in the MITRE ATT&CK framework are categorized under 14 tactics that span the entire lifecycle of a cyber attack – from initial information-gathering, through to data exfiltration and additional impacts of the attack.
When cyber criminals target organizational IT, their ultimate goal is usually data theft; where the goal is destruction or disruption instead, the framework covers it under the Impact tactic described below.
How Cyber Criminals Take Data from Corporate Systems
We can predict what the adversary behavior will be:
- Get access to the network and avoid detection.
- Explore the network to discover valuable data assets.
- Secure the permissions needed to enable data exfiltration.
- Steal organizational data and damage network systems.
The 14 tactics described in the MITRE ATT&CK framework are an extension of this general pattern of action. They cover the short-term goals and objectives that cyber adversaries try to accomplish on their way to stealing your data. Techniques are the specific methods used to accomplish these tactical objectives, which is why each technique is listed under the tactic it serves. A technique that serves more than one goal is listed under each of those tactics: Valid Accounts, for example, appears under Initial Access, Persistence, Privilege Escalation and Defense Evasion.
MITRE ATT&CK Tactics: 14 Ways Cyber Attacks Can Happen
The 14 tactics can be summarized as follows:
- Reconnaissance – Collecting information from the target organization to prepare future adversarial activities.
- Resource Development – Acquiring infrastructure and resources to support adversarial activities against the target organization.
- Initial Access – Gaining initial access to the target network.
- Execution – Techniques for running adversary-controlled code on a local or remote system, usually paired with techniques from other tactics such as Discovery or Collection.
- Persistence – Maintaining access to the target network over time by circumventing measures like credential changes or restarts that could interrupt access.
- Privilege Escalation – Gaining administrator or other high-level permissions on the target network.
- Defense Evasion – Avoiding detection by security software and IT security teams.
- Credential Access – Stealing account names and passwords, allowing the adversary to circumvent security measures by accessing the network with legitimate credentials.
- Discovery – Exploring the network and collecting information, such as which applications and services are running, what accounts exist, what resources are available, etc.
- Lateral Movement – Moving between systems on the target network, typically by accessing and controlling remote systems through legitimate remote services.
- Collection – Aggregating data from a variety of sources on the target network.
- Command and Control – Techniques for communicating with systems under the adversary’s control within the target network.
- Exfiltration – Techniques for stealing data from the target network and transferring it to an external server controlled by the adversary.
- Impact – Techniques for destroying data or disrupting the availability of applications, services, or the target network itself.
The MITRE ATT&CK framework also contains information about known cyber threat groups around the world.
For each known threat group, the framework describes what kinds of organizations they target, the techniques they’ve used in past attacks, and software programs they’ve used to attack target networks.
Finally, the framework includes a catalogue of software, both malware and legitimate tools, observed in real attacks, with each entry mapped to the techniques that software implements.
How to Use the MITRE ATT&CK Framework
If cyber security were an exam, the MITRE ATT&CK framework would be the cheat sheet.
The framework can tell your organization which cyber threat groups to watch out for, which specific techniques or software might be used to target your business, and how to detect and mitigate the adversarial techniques it describes.
With high-quality information on adversary groups, the techniques they’re likely to use, and how they will behave once they access the target network, IT security teams can make targeted improvements to threat detection systems that increase the likelihood of containing and eradicating a threat before a data breach occurs.
4 MITRE ATT&CK Framework Use Cases – Enterprise Network Security
Cyber Threat Intelligence
Cyber threat intelligence is all about understanding the cyber threat groups that matter to your organization, including their motives, typical targets, behaviors, and preferred software/techniques. IT security teams can use the MITRE ATT&CK framework to access specific information on the behaviors of known threat groups, then identify strategies to detect and mitigate their preferred techniques.
IT analysts can leverage the framework to categorize and better understand network security events. When suspicious activity is detected on the network, analysts can investigate the behavior to determine:
- What was the overall goal or objective (tactic) of the behavior?
- What method was used (technique) to try and achieve the goal?
From there, security analysts can start correlating the suspicious activity to known threat groups or software programs and identifying ways to shut down the attack.
Ultimately, cyber threat intelligence should allow the organization to prioritize which techniques and tactics to defend against based on the perceived threat level from malicious groups.
Threat Detection & Analytics
Each technique in the MITRE ATT&CK framework includes a metadata field called “Data Sources”. This field lists specific types of data that organizations should collect to gain the visibility needed to detect that technique.
Common data sources include user authentication logs, file and registry monitoring, packet capture, process monitoring, Windows registry, Windows event logs, and process command-line parameters. Newer releases of the framework name these as data source and data component pairs, such as "Network Traffic: Network Traffic Flow", and the same names appear in the machine-readable STIX bundle MITRE publishes.
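The technique record described earlier (ID, sub-technique flag, tactics, data sources) and the "Data Sources" field discussed here are easiest to work with from the STIX JSON bundle MITRE publishes alongside the website. The following is an added example, not code from the blog post or from MITRE: it indexes techniques by tactic, showing a multi-tactic technique appearing under each tactic it serves, and then lists which techniques have at least one data source your platform already collects and which are blind spots. The bundle embedded below is a constructed miniature in the shape of the real enterprise-attack.json, with only a handful of objects and fields kept; the real bundle is the source of truth for any technique's actual contents. The set of collected data sources is an assumed input.

```python
import json
from collections import defaultdict

# Constructed miniature of an ATT&CK STIX 2.x bundle: same object shape as the real
# enterprise-attack.json, trimmed to a few objects and only the fields used below.
ATTACK_BUNDLE_JSON = r'''
{"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000", "objects": [
  {"type": "x-mitre-tactic", "name": "Reconnaissance", "x_mitre_shortname": "reconnaissance"},
  {"type": "attack-pattern", "name": "Active Scanning", "x_mitre_is_subtechnique": false,
   "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "reconnaissance"}],
   "external_references": [{"source_name": "mitre-attack", "external_id": "T1595"}],
   "x_mitre_data_sources": ["Network Traffic: Network Traffic Flow",
                            "Network Traffic: Network Traffic Content"]},
  {"type": "attack-pattern", "name": "Active Scanning: Scanning IP Blocks", "x_mitre_is_subtechnique": true,
   "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "reconnaissance"}],
   "external_references": [{"source_name": "mitre-attack", "external_id": "T1595.001"}],
   "x_mitre_data_sources": ["Network Traffic: Network Traffic Flow"]},
  {"type": "attack-pattern", "name": "Valid Accounts", "x_mitre_is_subtechnique": false,
   "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"},
                         {"kill_chain_name": "mitre-attack", "phase_name": "persistence"},
                         {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"},
                         {"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"}],
   "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}],
   "x_mitre_data_sources": ["Logon Session: Logon Session Creation",
                            "User Account: User Account Authentication"]},
  {"type": "attack-pattern", "name": "Process Injection", "x_mitre_is_subtechnique": false,
   "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"},
                         {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"}],
   "external_references": [{"source_name": "mitre-attack", "external_id": "T1055"}],
   "x_mitre_data_sources": ["Process: OS API Execution", "Process: Process Access"]},
  {"type": "attack-pattern", "name": "Scripting", "revoked": true,
   "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
   "external_references": [{"source_name": "mitre-attack", "external_id": "T1064"}],
   "x_mitre_data_sources": []}
]}
'''


def attack_id(obj):
    """Return the ATT&CK ID (e.g. T1595.001) carried in an object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def load_techniques(bundle_json):
    """Index live techniques by ATT&CK ID, keeping the fields the post describes."""
    techniques = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern":
            continue                      # tactics, groups, software, relationships: skip
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue                      # retired entries stay in the bundle; ignore them
        tid = attack_id(obj)
        if tid is None:
            continue
        techniques[tid] = {
            "name": obj["name"],
            "is_subtechnique": bool(obj.get("x_mitre_is_subtechnique", False)),
            "tactics": [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                        if p.get("kill_chain_name") == "mitre-attack"],
            "data_sources": list(obj.get("x_mitre_data_sources", [])),
        }
    return techniques


def index_by_tactic(techniques):
    """Tactic -> sorted technique IDs; a multi-tactic technique appears under each tactic."""
    by_tactic = defaultdict(list)
    for tid, tech in techniques.items():
        for tactic in tech["tactics"]:
            by_tactic[tactic].append(tid)
    return {tactic: sorted(ids) for tactic, ids in by_tactic.items()}


def coverage_gaps(techniques, collected_sources):
    """Split techniques by whether at least one of their data sources is collected.

    collected_sources holds data source names (the part before the colon, e.g.
    "Network Traffic") that the organization actually ingests; this is an assumed input.
    """
    covered, uncovered = [], []
    for tid, tech in sorted(techniques.items()):
        sources = {ds.split(":", 1)[0].strip() for ds in tech["data_sources"]}
        (covered if sources & set(collected_sources) else uncovered).append(tid)
    return {"covered": covered, "uncovered": uncovered}


if __name__ == "__main__":
    techs = load_techniques(ATTACK_BUNDLE_JSON)
    for tactic, ids in sorted(index_by_tactic(techs).items()):
        print(f"{tactic:22s} {', '.join(ids)}")
    gaps = coverage_gaps(techs, {"Network Traffic", "Logon Session"})
    print("detectable with current telemetry:", gaps["covered"])
    print("blind spots:", gaps["uncovered"])
```

Run against the real bundle, the same three functions give you a per-tactic technique list and a first-cut coverage map of your log pipeline; a technique landing in the blind-spot list is a concrete argument for onboarding the missing data source before writing detections for it.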
Image Source: MITRE ATT&CK Framework – Active Scanning
The framework tells us that IT security teams can improve their ability to detect Active Scanning by capturing, storing, and analyzing network traffic, both flow records (who talked to whom, on which port, and when) and packet content, from packet capture and network device logs.
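As an added example of turning that data source into a detection (this is not code from the blog post or from MITRE), the block below runs a fan-out heuristic over flow records of the kind a network device or flow collector exports: a source that touches many distinct ports on one host inside a trailing window is flagged as port scanning under Active Scanning (T1595), and one that touches many distinct hosts is flagged as Scanning IP Blocks (T1595.001). The flow records, the tab-separated layout, the thresholds and the window length are all constructed for the example and would be tuned to your own network.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60        # trailing window per source address (assumed tuning value)
PORT_SCAN_THRESHOLD = 20   # distinct destination ports on one host (assumed tuning value)
IP_SWEEP_THRESHOLD = 30    # distinct destination hosts (assumed tuning value)


def parse_flow(line):
    """Parse one flow record laid out as ts<TAB>src_ip<TAB>dst_ip<TAB>dst_port<TAB>proto."""
    ts, src, dst, port, proto = line.rstrip("\n").split("\t")
    return {"ts": float(ts), "src": src, "dst": dst, "port": int(port), "proto": proto}


def detect_active_scanning(lines):
    """Flag sources whose trailing-window fan-out looks like port scanning or an IP sweep.

    Emits one alert per (pattern, source, target) the first time a threshold is crossed,
    tagged with the ATT&CK technique it maps to. Records are processed in time order.
    """
    records = sorted((parse_flow(l) for l in lines if l.strip() and not l.startswith("#")),
                     key=lambda r: r["ts"])
    recent = defaultdict(deque)      # src -> records still inside the trailing window
    alerts, fired = [], set()
    for rec in records:
        q = recent[rec["src"]]
        q.append(rec)
        while q[0]["ts"] < rec["ts"] - WINDOW_SECONDS:
            q.popleft()              # evict records older than the window
        ports_on_target = {r["port"] for r in q if r["dst"] == rec["dst"]}
        hosts = {r["dst"] for r in q}
        if len(ports_on_target) >= PORT_SCAN_THRESHOLD:
            key = ("port-scan", rec["src"], rec["dst"])
            if key not in fired:
                fired.add(key)
                alerts.append({"technique": "T1595", "pattern": "port-scan", "src": rec["src"],
                               "target": rec["dst"], "count": len(ports_on_target), "ts": rec["ts"]})
        if len(hosts) >= IP_SWEEP_THRESHOLD:
            key = ("ip-sweep", rec["src"], None)
            if key not in fired:
                fired.add(key)
                alerts.append({"technique": "T1595.001", "pattern": "ip-sweep", "src": rec["src"],
                               "target": "multiple hosts", "count": len(hosts), "ts": rec["ts"]})
    return alerts


def constructed_flow_log():
    """Constructed flow records (not a real capture): benign traffic plus one scanner."""
    base = 1_700_000_040
    lines = ["#ts\tsrc_ip\tdst_ip\tdst_port\tproto"]
    # A workstation reaching one HTTPS service once a second: many flows, no fan-out.
    lines += [f"{base + i}\t10.0.0.20\t10.0.0.5\t443\ttcp" for i in range(40)]
    # The scanner probes 25 ports on one host...
    lines += [f"{base + 10 + i}\t203.0.113.7\t10.0.0.5\t{20 + i}\ttcp" for i in range(25)]
    # ...then walks 60 addresses on port 445 in under 20 seconds.
    lines += [f"{base + 30 + i * 0.3:.1f}\t203.0.113.7\t10.0.0.{i}\t445\ttcp" for i in range(1, 61)]
    return lines


if __name__ == "__main__":
    for alert in detect_active_scanning(constructed_flow_log()):
        print(alert)
```

Two caveats a practitioner would apply before deploying this: the second sub-technique, vulnerability scanning, usually cannot be told apart from an ordinary port scan in flow records alone and needs packet or application content (request paths, user agents) as the framework's Network Traffic Content data source indicates; and your own vulnerability scanners and monitoring probes will trip the same thresholds, so they belong on an allowlist rather than in the alert queue.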
To enable threat detection using log analytics, organizations must be able to capture log and event data from these sources and store it in a centralized repository, such as a data lake built on Amazon S3. From there, the data must be cleaned and indexed before it can be queried by the organization's log analytics or SIEM tool.
Many organizations are using the ELK stack (Elasticsearch, Logstash and Kibana) to support their threat detection efforts, but there's now an even better way: ChaosSearch streamlines the threat detection process by empowering organizations to analyze log files directly in Amazon S3 buckets with no data movement and no ETL process.