MITRE ATT&CK

There are three different kinds of ATT&CK matrices: Enterprise ATT&CK, PRE-ATT&CK, and Mobile ATT&CK. Each individual matrix employs different techniques and tactics.

The Enterprise ATT&CK matrix consists of tactics and techniques that apply to Linux, Windows, and macOS systems. When one of these operating systems is penetrated, the Enterprise matrix helps identify the nature of the threat and outlines information that can be used to defend against it in the future. The Mobile ATT&CK matrix has the same objective, but it applies to mobile devices. The PRE-ATT&CK matrix focuses on techniques and tactics used by attackers before they attempt to penetrate a system or network.

The report generated by an ATT&CK matrix is separated into columns. Each column describes tactics, which are what the attacker aims to accomplish. The techniques are the methods they use to succeed in the tactics. This information can be used in an ATT&CK evaluation to gain insight into the attacker’s methodologies.

There are 11 different tactics in the matrix for an Enterprise ATT&CK:

1. Initial access
2. Execution
3. Persistence
4. Privilege escalation
5. Defense evasion
6. Credential access
7. Discovery
8. Lateral movement
9. Collection
10. Exfiltration
11. Impact

Each tactic is essentially a goal of the attacker. If cyber criminals are able to accomplish these individual goals, they are one step closer to their objective. In some cases, the attack will not seek to realize every tactic because some may go beyond what the attacker seeks to do. For example, an attacker may not want their attack to perform lateral movement if they simply want to steal information from a specific computer. In this case, the MITRE ATT&CK matrix may not have entries in the “Lateral Movement” section.

To illustrate how the techniques and tactics come to play in ATT&CK, suppose an attacker wants to access a network to install mining software. Their objective is to infect as many workstations as possible within the network, thereby increasing the yield of the mined cryptocurrencies. The end goal necessitates several smaller steps. Initially, the attacker has to get inside the network. They may use spear-phishing links, for example, that are sent to one or more users on the network. Then, to escalate their privileges, they may use process injection, which involves injecting code to get around defenses and elevate privileges. Once inside the network, the miner may try to infect other systems.

In this attack, the miner had to use a few different tactics. When they used spear phishing, they did so to attain Initial Access. This got them inside the network. Then, when they used process injection, they achieved the tactic of Privilege Execution. Further, as the miner infected other systems, they used the tactic of Lateral Execution. The ATT&CK report would outline how the miner accomplished each tactic and also the techniques used to get them done.

As security personnel analyze the results, they can ascertain not just the methods used but also why they were successful. For example, the phishing attack could only have been effective if someone clicked on a link. This raises important questions such as:

1. Does all staff in the organization understand how to avoid phishing attacks?
2. Are employees and management personnel educated regarding what a phishing attack looks like?
3. Was there something about the target’s behavior, browsing habits, position, or personal network safety practices that made them a more likely target?
4. What did the attack actually look like? How likely were other employees to have fallen for it?
5. How can this information be used in future cybersecurity training?

MITRE formalizes the process of categorizing attacks and allows for a common language when different security teams have to communicate with each other. MITRE provides you with a system you can use to consistently address threats.

However, MITRE also presents challenges because it’s only a security framework, which means it may or may not work in a real-life scenario. For instance, if one company decides that the cyber risk associated with a threat is higher than that of another, the steps MITRE requires may end up being applied differently—even though both are facing the same threat.

Even though this framework is not new, it has become more and more popular as a tool for helping organizations, the government, and end-users combine efforts to combat cyber threats. Threat intelligence gives organizations, IT departments, and individual users an advantage when it comes to spotting and preventing cyber threats. Furthermore, with MITRE ATT&CK reports being generated on a consistent basis, the collection of threat profiles grows larger and more relevant. Over time, the portfolio of threats can help users prevent more types of attacks.

However, it is important to keep in mind that MITRE ATT&CK matrices are not a foolproof solution. While an attack may be well-described and the report contains a high level of detail, that does not mean that the same kind of attack cannot be accomplished using other techniques. 

To again use the cryptomining example, the objective could have still been accomplished using whale phishing. While whale phishing merely goes after “bigger fish” in the organization, this may considerably change the nature of the attack. Specifically, the methods used to make the initial penetration successful may have taken more time to develop, perhaps incorporating social engineering or gathering personal data to help disguise the attacker’s approach. As a result, the MITRE ATT&CK report that began with a spear-phishing attack may have little relevance to one with the same objective but different initial steps.

To prevent succumbing to this vulnerability in the MITRE ATT&CK format, it is best to:

1. Assume there are multiple ways to successfully execute ATT&CK techniques.
2. Log the test results carefully so it can be easier to see the gaps attackers can use to their advantage, as well as specific techniques to accomplish tactics.
3. Research the different methods attackers use and then test them against your current defenses, noting which protections work well and which fall short.
4. Examine which tools do the best job of protecting your network, as well as where there are gaps that can threaten your system.
5. Make sure you stay up to date with the most recent attack methods and continually test your strategies to defend against them. 

It is also important to remember that not all attacks within one category behave the same and can be stopped using the same methods. For example, there are several different ways of getting ransomware into a network. An attacker can use drive-by downloading or it can be a more targeted assault, such as one that employs a Trojan horse.

Here are five different ways enterprises can use MITRE:

1. Sharing information between organizations regarding how threats behave
2. Keeping track of the techniques, tactics, and procedures (TTP) threat actors use over time
3.  Emulating the behavior and tactics of different types of hackers for internal training purposes
4. Mapping out the connections between the tactics malicious actors use and the kinds of data they are after
5. Figuring out which tactics are used the most frequently so cyber defense teams can keep an eye out for them

MITRE removes ambiguity and provides a common vocabulary for IT teams to collaborate as they fight threats. This is because, with the ATT&CK framework, the techniques hackers use are broken down, step-by-step. As a result, cybersecurity teams can communicate more clearly about MITRE ATT&CK techniques.

The MITRE ATT&CK framework is designed to address a broad range of attacks that could impact many different types of organizations. The Cyber Kill Chain, on the other hand, was developed by Lockheed Martin for the military, and it segments an intrusion into seven specific phases: reconnaissance, weaponizing, attack delivery, exploitation of the target, installation of malicious software, command and control (C2), and actions taken on objectives.