How To Use the MITRE ATT&CK Framework

By Thomas Hazel, CTO & Founder, ChaosSearch

MITRE ATT&CK® is an invaluable resource for IT security teams, who can leverage the framework to enhance their cyber threat intelligence, improve threat detection capabilities, plan penetration testing scenarios, and assess cyber threat defenses for gaps in coverage.

In this week’s blog post, we’ll explain more about MITRE ATT&CK and how organizations can use the framework to support their security log analytics initiatives, enhance threat defenses and protect their infrastructure and data from cyber adversaries.

What is the MITRE ATT&CK Framework?

The MITRE ATT&CK framework derives its name from the MITRE Corporation that maintains it and the acronym ATT&CK, which stands for Adversarial Tactics, Techniques, and Common Knowledge. The framework is publicly accessible and serves as a knowledge base of techniques used by cyber adversaries to target enterprise IT systems.

Techniques are the building blocks of the MITRE ATT&CK framework. All techniques described in the framework have been used by cyber attackers and criminal organizations in the real world to infiltrate the networks of targeted organizations and steal their data. At the time of writing, the framework contains information on 178 different techniques.

For each technique, the framework includes:

  • A description of the technique.
  • A list of sub-techniques related to the technique.
  • A list of known mitigation methods for the technique.
  • A list of known detection methods for the technique.
  • Some metadata related to the technique.
  • References and additional resources related to the technique.

Active Scanning: Cyber Security Threat

Image Source: MITRE ATT&CK Framework – Active Scanning

The adversarial technique Active Scanning is described in the MITRE ATT&CK framework as probing the victim’s infrastructure via network traffic. The listed sub-techniques describe two ways adversaries can do this: by scanning IP blocks, or by scanning the target host for vulnerabilities to a known exploit. Active Scanning is categorized as a reconnaissance technique, meaning that it’s used to collect information from the target organization before escalating adversarial activities.

Techniques in the MITRE ATT&CK framework are categorized under 14 tactics that span the entire lifecycle of a cyber attack – from initial information-gathering, through to data exfiltration and additional impacts of the attack.

When cyber criminals target organizational IT, we know their ultimate goal is going to be data exfiltration.

How Cyber Criminals Take Data from Corporate Systems

We can predict what the adversary behavior will be:

  1. Get access to the network and avoid detection.
  2. Explore the network to discover valuable data assets.
  3. Secure the permissions needed to enable data exfiltration.
  4. Steal organizational data and damage network systems.

The 14 tactics described in the MITRE ATT&CK framework are an extension of this general pattern of action. They cover all of the short-term goals and objectives that cyber adversaries try to accomplish on their way to successfully stealing your data. Techniques are the specific methods used to accomplish these tactical objectives – that’s why each technique is listed according to the tactic it serves.

 

MITRE ATT&CK Tactics: 14 Ways Cyber Attacks Can Happen

The 14 tactics can be summarized as follows:

  1. Reconnaissance – Collecting information from the target organization to prepare future adversarial activities.
  2. Resource Development – Acquiring infrastructure and resources to support adversarial activities against the target organization.
  3. Initial Access – Gaining initial access to the target network.
  4. Execution – Techniques for running malicious code on the network, usually to explore or steal data.
  5. Persistence – Maintaining access to the target network over time by circumventing measures like credential changes or restarts that could interrupt access.
  6. Privilege Escalation – Gaining administrator or other high-level permissions on the target network.
  7. Defense Evasion – Avoiding detection by security software and IT security teams.
  8. Credential Access – Stealing account names and passwords, allowing the adversary to circumvent security measures by accessing the network with legitimate credentials.
  9. Discovery – Exploring the network and collecting information, such as which applications and services are running, what accounts exist, what resources are available, etc.
  10. Lateral Movement – Accessing and controlling remote services on the target network.
  11. Collection – Aggregating data from a variety of sources on the target network.
  12. Command and Control – Techniques for communicating with systems under the adversary’s control within the target network.
  13. Exfiltration – Techniques for stealing data from the target network and transferring it to an external server controlled by the adversary.
  14. Impact – Techniques for destroying data or disrupting the availability of applications, services, or the target network itself.

The MITRE ATT&CK framework also contains information about known cyber threat groups around the world.

For each known threat group, the framework describes what kinds of organizations they target, the techniques they’ve used in past attacks, and software programs they’ve used to attack target networks.

Finally, the framework includes a database of software programs that were used in malicious cyber attacks.

How to Use the MITRE ATT&CK Framework

If cyber security were an exam, the MITRE ATT&CK framework would be the cheat sheet.

The framework can tell your organization which cyber threat groups to watch out for, which specific techniques or software programs might be used to target your business, and how to detect and mitigate against the adversarial techniques described in the framework.

With high-quality information on adversary groups, the techniques they’re likely to use, and how they will behave once they access the target network, IT security teams can make targeted improvements to threat detection systems that increase the likelihood of containing and eradicating a threat before a data breach occurs.

4 MITRE ATT&CK Framework Use Cases – Enterprise Network Security

Cyber Threat Intelligence

Cyber threat intelligence is all about understanding the cyber threat groups that matter to your organization, including their motives, typical targets, behaviors, and preferred software/techniques. IT security teams can use the MITRE ATT&CK framework to access specific information on the behaviors of known threat groups, then identify strategies to detect and mitigate their preferred techniques.

IT analysts can leverage the framework to categorize and better understand network security events. When suspicious activity is detected on the network, analysts can investigate the behavior to determine:

  1. What was the overall goal or objective (tactic) of the behavior?
  2. What method was used (technique) to try and achieve the goal?

From there, security analysts can start correlating the suspicious activity to known threat groups or software programs and identifying ways to shut down the attack.

Ultimately, cyber threat intelligence should allow the organization to prioritize which techniques and tactics to defend against based on the perceived threat level from malicious groups.

Threat Detection & Analytics

Each technique in the MITRE ATT&CK framework includes a metadata field called “Data Sources”. This field lists specific types of data that organizations should collect to gain the visibility needed to detect that technique.

Common data sources include user authentication logs, file and registry monitoring, packet capture, process monitoring, Windows registry, Windows event logs, and process command-line parameters.

How IT SecOps Detect Active Scanning

Image Source: MITRE ATT&CK Framework – Active Scanning

The framework tells us that IT security teams can enhance their ability to detect Active Scanning by capturing, storing, and analyzing packets and network device logs.

To enable threat detection using log analytics, organizations must be able to capture log and event data from these sources and store the data in a centralized repository, such as an AWS data lake. From there, the data must be cleaned and indexed before it can be queried by the organization’s log analytics/SIEM tool.
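As an added illustration (not code from ChaosSearch or MITRE), the sketch below runs a sliding-window analytic for Active Scanning over network device logs. The log layout, the sample lines, and the thresholds are constructed assumptions; tune them against your own traffic baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (layout assumed): time action src dst dst_port
SAMPLE_LOG = """\
2024-05-01T10:00:01 DENY 203.0.113.7 192.0.2.10 22
2024-05-01T10:00:02 DENY 203.0.113.7 192.0.2.11 22
2024-05-01T10:00:03 DENY 203.0.113.7 192.0.2.12 22
2024-05-01T10:00:04 DENY 203.0.113.7 192.0.2.13 22
2024-05-01T10:00:05 ALLOW 203.0.113.7 192.0.2.14 22
2024-05-01T10:00:06 ALLOW 198.51.100.20 192.0.2.10 443
2024-05-01T10:05:00 ALLOW 198.51.100.20 192.0.2.11 443
2024-05-01T10:00:10 DENY 198.51.100.99 192.0.2.10 21
2024-05-01T10:00:11 DENY 198.51.100.99 192.0.2.10 23
2024-05-01T10:00:12 DENY 198.51.100.99 192.0.2.10 25
2024-05-01T10:00:13 DENY 198.51.100.99 192.0.2.10 3389
"""

WINDOW = timedelta(seconds=60)  # sliding window applied per source address
HOST_LIMIT = 5                  # distinct hosts in WINDOW -> sweep of an IP block
PORT_LIMIT = 4                  # distinct ports on one host in WINDOW -> port scan

def detect_scans(log_text):
    """Return {src_ip: reason} for sources that reach either limit in WINDOW."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                     # skip malformed lines
        ts, _action, src, dst, port = fields
        by_src[src].append((datetime.fromisoformat(ts), dst, int(port)))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end, (ts, _, _) in enumerate(events):
            while ts - events[start][0] > WINDOW:
                start += 1               # drop events older than the window
            window = events[start:end + 1]
            hosts = {dst for _, dst, _ in window}
            most_ports = max(len({p for _, d, p in window if d == h}) for h in hosts)
            if len(hosts) >= HOST_LIMIT:
                findings[src] = "ip-block-sweep"
                break
            if most_ports >= PORT_LIMIT:
                findings[src] = "port-scan"
                break
    return findings
```

The source that makes three connections spread over five minutes is not flagged, which is the false-positive case the window is there to suppress.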

Many organizations are using the ELK stack (Logstash + Elasticsearch + Kibana) to support their threat detection efforts, but there’s now an even better way: ChaosSearch streamlines the threat detection process by empowering organizations to analyze log files directly in Amazon S3 buckets with no data movement and no ETL process.

Listen as Stephen Salinas shares the two biggest benefits realized to date from the ChaosSearch deployment.

The sharply reduced costs and the freedom of unlimited data retention combine to make ChaosSearch a significantly better option for HubSpot than their previous ELK Stack.

Leveraging the Elastic API and an integrated Kibana dashboard, ChaosSearch allows IT security teams to index log files at scale for unlimited data retention, build queries and analytics to detect known cyber threat signatures, and utilize monitoring and alerts to notify IT personnel of suspicious behavior and streamline incident response.

Organizations can visit the MITRE Cyber Analytics Repository to access threat-detection analytics written by the global cybersecurity community.

Penetration Testing & Adversary Emulation

A third use case for the MITRE ATT&CK framework is penetration testing and cyber threat emulation. Once your security team writes an analytic or configures security monitoring to detect an adversarial technique, penetration testing or adversary emulation can be used to evaluate the effectiveness of the implemented threat detection measures. As a starting point, IT security teams can access Atomic Red Team, a collection of scripts used to simulate adversarial behaviors so organizations can test their threat detection capabilities and verify that monitoring/alerts are working as planned.

IT Security Teams Test Defenses

Image Source: Atomic Red Team

Atomic Red Team builds security tests that are mapped to specific techniques in the MITRE ATT&CK framework, allowing IT security teams to quickly and easily test their defenses against known adversarial techniques.

The process here is simple:

  1. Choose a technique from the ATT&CK framework and build analytics to detect it on your network.
  2. Choose a test for that technique from Atomic Red Team.
  3. Run the test and check whether your analytics/monitoring/alerting system detected the threat.
  4. Improve and refine your threat defenses to increase the detection rate and eliminate false positives.

Organizations with red team/blue team capabilities can construct more complex adversary emulation scenarios using the MITRE framework. Red teams can map their activities onto the framework, or build an emulation scenario that models adversarial behavior on the preferred techniques of a known threat group.

Once the scenario is finalized, the red team will stage an attack on the network while the blue team works to detect, investigate, and contain threats. Following the exercise, red and blue teams can work together to evaluate the effectiveness of threat detection systems and identify opportunities for improvement.

Threat Coverage Gap Assessment

A final use case for the MITRE ATT&CK framework is threat coverage gap assessment.

IT security teams can map existing threat detection capabilities onto the MITRE ATT&CK framework to identify gaps in their defenses. They can identify the cyber threat groups which are most likely to target them and compare their threat coverage to the preferred techniques used by those groups.

This process can help reveal the highest-priority areas where security teams should focus on implementing threat detection or mitigation solutions.
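The gap assessment described above can be scripted. This added example (not part of the original post) ranks undetected techniques by the weighted number of relevant groups that use them; the detection inventory, group names, and weights are constructed placeholders, while the technique IDs are real ATT&CK identifiers.

```python
from collections import defaultdict

# Constructed inventory: analytic name -> ATT&CK technique IDs it detects.
DETECTIONS = {
    "fw-scan-threshold": ["T1595.001"],   # Active Scanning: Scanning IP Blocks
    "ps-encoded-command": ["T1059"],      # Command and Scripting Interpreter
    "lsass-access": ["T1003"],            # OS Credential Dumping
}
# Constructed group profiles; group names and weights are placeholders.
GROUP_TECHNIQUES = {
    "GROUP-A": {"T1595", "T1566", "T1059", "T1078"},
    "GROUP-B": {"T1566", "T1078", "T1041"},
    "GROUP-C": {"T1595", "T1003", "T1041", "T1078"},
}
GROUP_WEIGHT = {"GROUP-A": 3, "GROUP-B": 1, "GROUP-C": 2}  # perceived threat level

def parent(technique_id):
    """Roll a sub-technique ID (T1595.001) up to its parent (T1595)."""
    return technique_id.split(".")[0]

def covered_techniques(detections):
    return {parent(t) for ids in detections.values() for t in ids}

def coverage_gaps(detections, group_techniques, weights):
    """Rank undetected techniques by the summed weight of the groups using them."""
    covered = covered_techniques(detections)
    score, users = defaultdict(int), defaultdict(list)
    for group, techniques in group_techniques.items():
        for t in {parent(x) for x in techniques} - covered:
            score[t] += weights.get(group, 1)
            users[t].append(group)
    return [(t, score[t], sorted(users[t]))
            for t in sorted(score, key=lambda t: (-score[t], t))]

def group_coverage(detections, group_techniques):
    """Fraction of each group's techniques that at least one analytic maps to."""
    covered = covered_techniques(detections)
    result = {}
    for group, techniques in group_techniques.items():
        parents = {parent(t) for t in techniques}
        result[group] = len(parents & covered) / max(len(parents), 1)
    return result
```

Rolling sub-techniques up to the parent overstates coverage, since one analytic for one sub-technique does not detect the others; treat a "covered" parent as a prompt to check the remaining sub-techniques.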

Strengthen Your Security Posture with Log Analytics and the MITRE ATT&CK Framework

The MITRE ATT&CK framework provides information, rooted in real-world observations, on the tactics, techniques, and software tools that cyber criminals use to infiltrate targeted networks and steal data.

Most importantly, the framework tells IT security teams how to detect each technique and which types of log data they’ll need to succeed.

Armed with this information, IT security teams can use log analytics software to collect log and event data from the necessary sources, build custom analytics and alerts to detect threats, and strengthen the organization’s overall security posture against cyber threat groups.
