The MITRE ATT&CK Model: A More Effective Way to Detect and Block Cyber Attacks


There have been a variety of models used to define different attack methodologies. Perhaps the most common is Lockheed Martin’s Cyber Kill Chain, which identifies the individual phases of a malware attack. Defining the phases enables you to better understand how to anticipate, prevent, detect, and respond.

Lockheed derived the name from the military term “kill chain” used to define the traditional attack phases from the identification to the destruction of a target. The guiding principle is that when you understand how an adversary operates, you can determine the best opportunity to stop the attack before it’s launched. 

Similarly, the Cyber Kill Chain focuses on malware-based attacks. Although the Cyber Kill Chain of an individual attack can be generalized to describe other cyber attacks, sharing that information is difficult. Enter MITRE ATT&CK.

A New Approach

MITRE ATT&CK intends to be a knowledge base of adversary tactics and techniques. Its organization of tactics and techniques provides a framework for threat modeling. This is a much more comprehensive approach to identifying and thwarting cyber attacks than focusing only on the malware. It also recognizes the fact that attackers may not follow every phase of the defined methodology.

Attackers might not be as organized as you believe. At the same time, some attacks might not require technology, and therefore do not have to go through all of the phases of a traditional attack. For example, an insider might already have access to internal information and only needs to walk out of the door with it.

Source: Andy Applebaum, MITRE ATT&CK™

There are a variety of uses for this knowledge base, including identifying and prioritizing security countermeasures, analyzing attacks in progress, and performing red teaming.

For example, if you are in the healthcare space you can see which threat actors are targeting your industry and the techniques and tools they tend to leverage. This will allow your blue team to practice threat hunting aimed at detecting those TTPs (tactics, techniques, and procedures), and ensure you prioritize your security investments appropriately.

An Attack Hits – What’s Next?

When you detect an attack, the first step is to use the model to help you determine all possible points where you may have been compromised, and analyze the extent of the damage. 

For example, if you detect malware on your systems, you would investigate how the malware might have gotten onto the systems, and search for other possible compromises. Or if you detect spyware, you can more easily determine how the data is being exfiltrated. This will enable you to stop future attacks, or if you caught the attack in time, prevent data exposure or theft altogether.
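The two uses described above (prioritizing detection coverage by the techniques that groups targeting your sector actually use, and pivoting from one detected technique to the earlier and later techniques those same groups are known for) can be scripted against the ATT&CK knowledge base. The following is an added example, not code from the original article or from MITRE: the technique IDs and names are real ATT&CK entries, but the group names, their sector targeting and their technique lists are constructed sample data standing in for what you would pull from the real knowledge base. The phase ordering is only an investigation heuristic; as the article notes, attackers need not follow every phase.

```python
from collections import Counter

# Simplified left-to-right phase order of the ATT&CK Enterprise matrix.
# Used only to decide what to look for "before" and "after" an observed technique.
TACTIC_ORDER = [
    "initial-access", "execution", "persistence", "credential-access",
    "lateral-movement", "exfiltration", "impact",
]

# Real ATT&CK technique IDs and names, mapped to one tactic each for this example.
TECHNIQUES = {
    "T1566": ("Phishing", "initial-access"),
    "T1078": ("Valid Accounts", "initial-access"),
    "T1059": ("Command and Scripting Interpreter", "execution"),
    "T1547": ("Boot or Logon Autostart Execution", "persistence"),
    "T1003": ("OS Credential Dumping", "credential-access"),
    "T1021": ("Remote Services", "lateral-movement"),
    "T1041": ("Exfiltration Over C2 Channel", "exfiltration"),
    "T1486": ("Data Encrypted for Impact", "impact"),
}

# CONSTRUCTED sample groups. Names, sectors and technique sets are placeholders,
# not real ATT&CK group entries.
GROUPS = [
    {"name": "GROUP-A", "sectors": {"healthcare", "finance"},
     "techniques": {"T1566", "T1059", "T1003", "T1021", "T1041"}},
    {"name": "GROUP-B", "sectors": {"healthcare"},
     "techniques": {"T1566", "T1059", "T1547", "T1486"}},
    {"name": "GROUP-C", "sectors": {"energy"},
     "techniques": {"T1078", "T1021", "T1041"}},
    {"name": "GROUP-D", "sectors": {"healthcare", "retail"},
     "techniques": {"T1078", "T1059", "T1003", "T1486"}},
]


def _rank(counter):
    """Order (technique, count) pairs: most-used first, then by phase, then by ID."""
    return sorted(
        counter.items(),
        key=lambda kv: (-kv[1], TACTIC_ORDER.index(TECHNIQUES[kv[0]][1]), kv[0]),
    )


def prioritize_for_sector(sector, covered=frozenset()):
    """Techniques used by groups targeting `sector`, ranked by how many groups
    use each one. Techniques already in `covered` (existing detections) are dropped,
    so what remains is the coverage gap to invest in first."""
    counts = Counter()
    for group in GROUPS:
        if sector in group["sectors"]:
            counts.update(t for t in group["techniques"] if t not in covered)
    return _rank(counts)


def pivot_from_observed(technique_id, sector=None):
    """Given one detected technique, list the groups known to use it and the
    techniques those groups use in earlier phases (how they may have gotten in)
    and later phases (what to hunt for or block next)."""
    observed_idx = TACTIC_ORDER.index(TECHNIQUES[technique_id][1])
    suspects = [
        g for g in GROUPS
        if technique_id in g["techniques"] and (sector is None or sector in g["sectors"])
    ]
    earlier, later = Counter(), Counter()
    for group in suspects:
        for tech in group["techniques"]:
            if tech == technique_id:
                continue
            idx = TACTIC_ORDER.index(TECHNIQUES[tech][1])
            (earlier if idx < observed_idx else later)[tech] += 1
    return {
        "suspects": [g["name"] for g in suspects],
        "earlier": _rank(earlier),
        "later": _rank(later),
    }


if __name__ == "__main__":
    print("Healthcare detection priorities:")
    for tech, n in prioritize_for_sector("healthcare"):
        print(f"  {tech} {TECHNIQUES[tech][0]:<36} used by {n} group(s)")
    pivot = pivot_from_observed("T1003", sector="healthcare")
    print(f"\nObserved T1003; candidate groups: {pivot['suspects']}")
    print("  look back for:", [t for t, _ in pivot["earlier"]])
    print("  hunt ahead for:", [t for t, _ in pivot["later"]])
```

With real data you would replace `GROUPS` with group objects pulled from the ATT&CK STIX bundle and feed `covered` from your detection inventory; the ranking then tells you which uncovered techniques the most groups in your sector rely on, and a single alert on a credential-dumping technique yields a concrete list of initial-access and lateral-movement techniques to check next.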

At the same time, MITRE ATT&CK can serve as a red team playbook. It allows penetration testers to create realistic attack scenarios and provides technical guidance on how to implement them. 

The ATT&CK knowledge base is so information-rich that it behooves any security professional to at least become familiar with it at a high level. We all have different levels of involvement with cyber attacks, and we should be proactive in knowing where to access relevant information before an attack hits.

Rene Kolga is Senior Director of Product and Marketing at Nyotron, the developer of PARANOID, the industry’s first OS-Centric Positive Security solution to strengthen your AV or NGAV protection. By mapping legitimate operating system behavior, PARANOID understands all the normative ways that may lead to damage and is completely agnostic to threats and attack vectors. When an attack attempts to delete, exfiltrate or encrypt files (among other things), PARANOID blocks them in real-time.