What Is MITRE ATT&CK?
MITRE ATT&CK refers to a group of tactics organized in a matrix, outlining various techniques that threat hunters, defenders, and red teamers use to assess the risk to an organization and classify attacks. Threat hunters identify, assess, and address threats, and red teamers act like threat actors to challenge the IT security system.
The objective of the MITRE ATTACK framework is to strengthen the steps taken after an organization has been compromised. In this way, the cybersecurity team can answer important questions regarding how the attacker was able to penetrate the system and what they did once they got inside. As information is collected over time, a knowledge base is formed. This serves as an ever-expanding tool that teams can use to bolster their defenses. Using the reports generated by the MITRE ATT&CK, an organization can figure out where their security architecture has vulnerabilities and ascertain which ones to remedy first, according to the risk each presents.
For threat hunters, the MITRE ATT&CK framework presents an opportunity to analyze and evaluate the techniques attackers use. The framework is also a useful tool for assessing to what extent an IT team has achieved visibility across the network, specifically when it comes to cyber threats.
Origin of the ATT&CK Framework
Back in 2013, the MITRE Corporation started developing MITRE ATT&CK. But what does MITRE stand for? It means MIT Research Establishment. The term “ATT&CK” is an acronym for Adversarial Tactics, Techniques, and Common Knowledge. The framework was first presented to the public in May 2015, but it has been changed several times since then.
The MITRE Corporation is a nonprofit organization set up to support government agencies in the U.S. The MITRE ATT&CK framework was created to develop a straightforward, detailed, and replicable strategy for handling cyber threats. The underlying concept driving the framework is to use past experiences to inform future cyber threat detection and mitigation.
The Techniques and Tactics of the ATT&CK Framework
There are three different kinds of ATT&CK matrices: Enterprise ATT&CK, PRE-ATT&CK, and Mobile ATT&CK. Each individual matrix employs different techniques and tactics.
The Enterprise ATT&CK matrix consists of tactics and techniques that apply to Linux, Windows, and macOS systems. When one of these operating systems is penetrated, the Enterprise matrix helps identify the nature of the threat and outlines information that can be used to defend against it in the future. The Mobile ATT&CK matrix has the same objective, but it applies to mobile devices. The PRE-ATT&CK matrix focuses on techniques and tactics used by attackers before they attempt to penetrate a system or network.
The report generated by an ATT&CK matrix is separated into columns. Each column describes tactics, which are what the attacker aims to accomplish. The techniques are the methods they use to succeed in the tactics. This information can be used in an ATT&CK evaluation to gain insight into the attacker’s methodologies.
There are 11 different tactics in the matrix for an Enterprise ATT&CK:
- Initial access
- Privilege escalation
- Defense evasion
- Credential access
- Lateral movement
Each tactic is essentially a goal of the attacker. If cyber criminals are able to accomplish these individual goals, they are one step closer to their objective. In some cases, the attack will not seek to realize every tactic because some may go beyond what the attacker seeks to do. For example, an attacker may not want their attack to perform lateral movement if they simply want to steal information from a specific computer. In this case, the MITRE ATT&CK matrix may not have entries in the “Lateral Movement” section.
To illustrate how the techniques and tactics come to play in ATT&CK, suppose an attacker wants to access a network to install mining software. Their objective is to infect as many workstations as possible within the network, thereby increasing the yield of the mined cryptocurrencies. The end goal necessitates several smaller steps. Initially, the attacker has to get inside the network. They may use spear-phishing links, for example, that are sent to one or more users on the network. Then, to escalate their privileges, they may use process injection, which involves injecting code to get around defenses and elevate privileges. Once inside the network, the miner may try to infect other systems.
In this attack, the miner had to use a few different tactics. When they used spear phishing, they did so to attain Initial Access. This got them inside the network. Then, when they used process injection, they achieved the tactic of Privilege Execution. Further, as the miner infected other systems, they used the tactic of Lateral Execution. The ATT&CK report would outline how the miner accomplished each tactic and also the techniques used to get them done.
As security personnel analyze the results, they can ascertain not just the methods used but also why they were successful. For example, the phishing attack could only have been effective if someone clicked on a link. This raises important questions such as:
- Does all staff in the organization understand how to avoid phishing attacks?
- Are employees and management personnel educated regarding what a phishing attack looks like?
- Was there something about the target’s behavior, browsing habits, position, or personal network safety practices that made them a more likely target?
- What did the attack actually look like? How likely were other employees to have fallen for it?
- How can this information be used in future cybersecurity training?
How Does ATT&CK Help in Sharing Threat Intelligence?
Even though this framework is not new, it has become more and more popular as a tool for helping organizations, the government, and end-users combine efforts to combat cyber threats. Threat intelligence gives organizations, IT departments, and individual users an advantage when it comes to spotting and preventing cyber threats. Furthermore, with MITRE ATT&CK reports being generated on a consistent basis, the collection of threat profiles grows larger and more relevant. Over time, the portfolio of threats can help users prevent more types of attacks.
However, it is important to keep in mind that MITRE ATT&CK matrices are not a foolproof solution. While an attack may be well-described and the report contains a high level of detail, that does not mean that the same kind of attack cannot be accomplished using other techniques.
To again use the cryptomining example, the objective could have still been accomplished using whale phishing. While whale phishing merely goes after “bigger fish” in the organization, this may considerably change the nature of the attack. Specifically, the methods used to make the initial penetration successful may have taken more time to develop, perhaps incorporating social engineering or gathering personal data to help disguise the attacker’s approach. As a result, the MITRE ATT&CK report that began with a spear-phishing attack may have little relevance to one with the same objective but different initial steps.
To prevent succumbing to this vulnerability in the MITRE ATT&CK format, it is best to:
- Assume there are multiple ways to successfully execute ATT&CK techniques.
- Log the test results carefully so it can be easier to see the gaps attackers can use to their advantage, as well as specific techniques to accomplish tactics.
- Research the different methods attackers use and then test them against your current defenses, noting which protections work well and which fall short.
- Examine which tools do the best job of protecting your network, as well as where there are gaps that can threaten your system.
- Make sure you stay up to date with the most recent attack methods and continually test your strategies to defend against them.
It is also important to remember that not all attacks within one category behave the same and can be stopped using the same methods. For example, there are several different ways of getting ransomware into a network. An attacker can use drive-by downloading or it can be a more targeted assault, such as one that employs a Trojan horse.
How Fortinet Can Help?
Network Detection and Response (NDR) uses artificial intelligence and other analytics to identify suspicious network activity outside of the norm, which may be an indicator of a cyber attack in progress. FortiNDR enables full-lifecycle network protection, detection, and response. It covers both network traffic and file-based analysis, along with root-cause identification. New threats can be identified by FortiNDR so you can instantly adapt threat containment and protection to new attacks.