If you’re an information security professional, there’s a good chance you’ve already heard about the MITRE ATT&CK framework. If it’s something you haven’t heard of, or if you haven’t found the time to dive into its vast trove of information, it’s never too late to start! The following are some of the most common questions related to the framework:
- What is the MITRE ATT&CK framework?
- How is the MITRE ATT&CK framework unique?
- What does ATT&CK stand for?
- What does MITRE stand for?
- How does MITRE ATT&CK help security operations?
- How many MITRE techniques are there?
- How does MITRE define adversary emulation?
Hopefully, this article will answer some of these questions.
What Does MITRE Stand For?
The MITRE Corporation is a nonprofit organization founded in 1958 and is based in Massachusetts and Virginia. MITRE manages federally funded research and development centers supporting a wide array of government initiatives and agencies. As noted on its website, “MITRE is dedicated to solving problems for a safer world.” If you look at the history of MITRE, you’ll note they’ve been involved in some fairly significant initiatives in support of public interest, with a focus that seems to transition with the ever-changing threat landscape. Clearly, cybersecurity and cyber threat intelligence are risk categories that have captured their attention.
What Does ATT&CK Stand For?
Development of the framework, also referred to as ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge), began in 2013, and according to the MITRE ATT&CK website, version 1 of the framework was released in January 2018. MITRE’s ATT&CK framework attempts to identify the common tactics adversaries use to penetrate (hack) public or private networks and the techniques or behaviors they use to achieve their goals or objectives. ATT&CK attempts to provide potential answers to questions like: how did they get inside our network, how are they able to move around, and what exactly are they doing?
What is the MITRE ATT&CK Framework?
According to MITRE, MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
MITRE’s ATT&CK framework describes how adversaries penetrate networks and then engage in activities such as lateral movement, privilege escalation, and evasion of detection. ATT&CK takes the perspective of the attacker (i.e., an attacker’s playbook). In other words, if you were the adversary or attacker, why would you want to breach my environment and what data do I have that you consider of value? Once those questions have been answered, the next step is to determine how the attacker would then act to achieve their objective.
To present the plethora of information contained in ATT&CK in an easy-to-read and understandable format, it has been organized into thorough and informative matrices. These matrices help users identify and focus on particular tactics and techniques that may be of interest to their specific organization or industry. An Enterprise Matrix exists for Windows, macOS, Linux, PRE, AWS, GCP, Azure, Azure AD, Office 365, SaaS, and Network. Although the matrices are extremely helpful, the amount of information can be overwhelming.
As previously discussed, ATT&CK organizes malicious behaviors into a series of tactics. Tactics represent the technical objectives or goals that an adversary wants to achieve. Examples include lateral movement, privilege escalation, credential access, command and control, etc. Currently, ATT&CK identifies 14 tactics for the enterprise and 14 for mobile.
For each tactic, or technical objective, ATT&CK has defined a series of techniques, or ways in which an attacker may attempt to achieve that objective. There are multiple techniques within each listed tactic, as attackers may use different methods based on their background and knowledge and on the configuration of the target environment. Currently, ATT&CK identifies 178 techniques and 352 sub-techniques for enterprise and 86 techniques for mobile.
How Does MITRE ATT&CK Help Security Operations?
To help security professionals understand ATT&CK and actually put it to use, MITRE has a great Getting Started page. There are a number of resources listed that I found very useful. Specifically, I found the Getting Started with ATT&CK eBook to be very informative and easy to understand. ATT&CK isn’t meant to be just a treasure trove of information, but a tool that is actively used within your company to increase your level of cyber threat intelligence as well as your ability to defend yourself.
The eBook does a nice job of instructing readers to simplify their efforts by categorizing activity within four areas:
- Threat Intelligence
- Detection and Analytics
- Adversary Emulation and Red Teaming
- Assessment and Engineering
The eBook also identifies 3 maturity levels and has built out content that is pertinent to each of the 3 levels. Specifically:
- Level 1 for those just starting out who may not have many resources
- Level 2 for mid-level teams starting to mature
- Level 3 for more advanced cybersecurity teams and resources
The remainder of this article will focus on ATT&CK guidance for Level 1 organizations, based on my own experience and where I think the majority of organizations operate. The entire eBook is a fantastic resource, but in order to avoid feeling overwhelmed, which can lead to analysis paralysis, I would keep it simple and just focus on content pertaining to Level 1.
Threat Intelligence
As the subject indicates, the first step in building out your threat intelligence is to identify your attacker. Yes, that sounds easier said than done, but you have to start somewhere. Fortunately, ATT&CK provides a list of known groups as well as a list of activities and industries they’ve been known to target. As the eBook indicates, search the webpage for your industry. Examples could include “financial,” “pharma,” “energy sector,” etc.
In searching for the phrase “energy sector,” I’m able to see that at least two of the identified groups seem to have a history of targeting that specific industry. For the sake of this example, if I select Dragonfly, it takes me to a page dedicated to the group Dragonfly and identifies techniques, as well as software, that have been used in their attacks. Clicking on any of the associated techniques mapped to the group’s activity returns a page dedicated to the selected technique. It includes a list of data sources that should be consumed and that could potentially identify this group’s technique in a given environment.
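The same walk (industry keyword to groups, group to techniques, techniques to the data sources you need to collect) can be scripted against the ATT&CK STIX export instead of clicked through on the website. The script below is an added example and not MITRE’s code; its SAMPLE_BUNDLE is constructed data shaped like the public export (the enterprise-attack.json file in the github.com/mitre/cti repository, which load_bundle can read instead). The group names come from this article, while the technique IDs, names and data sources are placeholders rather than real ATT&CK entries.

```python
"""Walk an ATT&CK-style STIX bundle the way the article does by hand:
industry keyword -> groups -> techniques -> data sources.

Added example, not MITRE's code. SAMPLE_BUNDLE is constructed data shaped like
the public ATT&CK STIX export (enterprise-attack.json in the mitre/cti repo).
Group names come from the article; technique IDs, names and data sources are
placeholders, not real entries.
"""
import json

SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "intrusion-set", "id": "intrusion-set--0001", "name": "Dragonfly",
         "description": "Constructed: group reported targeting the energy sector."},
        {"type": "intrusion-set", "id": "intrusion-set--0002", "name": "Example Group B",
         "description": "Constructed: group reported targeting financial institutions."},
        # A revoked entry: real bundles keep these, and naive lookups return them.
        {"type": "intrusion-set", "id": "intrusion-set--0003", "name": "Old Alias",
         "description": "Constructed: formerly tracked energy sector group.", "revoked": True},
        {"type": "attack-pattern", "id": "attack-pattern--0001", "name": "Placeholder Technique A",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T9001"}],
         "x_mitre_data_sources": ["Process: Process Creation", "Command: Command Execution"]},
        {"type": "attack-pattern", "id": "attack-pattern--0002", "name": "Placeholder Technique B",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T9002"}],
         "x_mitre_data_sources": ["Network Traffic: Network Connection Creation"]},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--0001", "target_ref": "attack-pattern--0001"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--0001", "target_ref": "attack-pattern--0002"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--0002", "target_ref": "attack-pattern--0001"},
    ],
}


def load_bundle(path):
    """Load a real export, e.g. enterprise-attack.json from the mitre/cti repo."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _live(obj):
    # Skip revoked and deprecated objects; ATT&CK keeps them for reference only.
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def _objects(bundle, kind):
    return [o for o in bundle["objects"] if o.get("type") == kind and _live(o)]


def attack_id(obj):
    """Return the T/G-style identifier from the mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def find_groups(bundle, keyword):
    """Groups whose description mentions the industry keyword (case-insensitive)."""
    kw = keyword.lower()
    return sorted(g["name"] for g in _objects(bundle, "intrusion-set")
                  if kw in g.get("description", "").lower())


def techniques_for_group(bundle, group_name):
    """(ATT&CK ID, name) pairs for every technique the group 'uses'."""
    group_ids = {g["id"] for g in _objects(bundle, "intrusion-set") if g["name"] == group_name}
    patterns = {p["id"]: p for p in _objects(bundle, "attack-pattern")}
    used = [r["target_ref"] for r in _objects(bundle, "relationship")
            if r.get("relationship_type") == "uses" and r["source_ref"] in group_ids]
    return sorted((attack_id(patterns[t]), patterns[t]["name"]) for t in used if t in patterns)


def data_sources_for_group(bundle, group_name):
    """Union of data sources across the group's techniques: what to collect first."""
    patterns = {attack_id(p): p for p in _objects(bundle, "attack-pattern")}
    sources = set()
    for tid, _ in techniques_for_group(bundle, group_name):
        sources.update(patterns[tid].get("x_mitre_data_sources", []))
    return sorted(sources)


if __name__ == "__main__":
    for group in find_groups(SAMPLE_BUNDLE, "energy sector"):
        print(group, techniques_for_group(SAMPLE_BUNDLE, group))
        print("  collect:", data_sources_for_group(SAMPLE_BUNDLE, group))
```

The revoked-object filter matters in practice: the real export keeps revoked and deprecated groups and techniques for reference, so a keyword search that ignores those flags will hand you stale entries. The data-source union is the list you take to the next step, since it tells you which telemetry has to reach the SIEM before any analytic for that group can fire.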
Detection and Analytics
Continuing with the “Dragonfly” example noted above and having selected a technique that’s associated with the group’s activities, we were able to see what data sources need to be consumed to identify the selected technique. That’s the next step in this process – pulling in the right data and placing it somewhere that can be analyzed.
Once the data has been consumed and stored in a SIEM, you can start building and running analytics against the data you’ve collected to see if you can identify the malicious behavior associated with the technique. MITRE references some of its own analytics that can be used to help you get started.
Adversary Emulation and Red Teaming
Once analytics have been built, it’s time to test them. You’ll never know how effective your detection strategy is unless you put it to the test. MITRE refers to this as adversary emulation. As defined in the eBook, “Adversary emulation is a type of red team engagement that mimics a known threat to an organization by blending in threat intelligence to define what actions and behaviors the red team uses.”
As I mentioned earlier, most Level 1 organizations most likely don’t have an in-house red team to help carry out this type of activity. Once again, not to worry: MITRE has identified third-party resources that can help an organization execute this type of activity when a pen-testing team isn’t readily available. Specifically, the eBook references Atomic Red Team, an open-source project maintained by Red Canary. It’s a collection of scripts that can be used to test how you might detect certain techniques and procedures mapped to ATT&CK techniques.
Assessment and Engineering
The final category addresses the need to continually assess your strategy and continue to refine and re-engineer based on the results of your testing. This section once again reminds small and inexperienced organizations to start small. Trying to boil the ocean or take on too many techniques will most definitely lead to burnout. The advice provided is to once again:
- pick one technique,
- pull in required data,
- build analytics, and
- run tests to see what the results look like.
If the results are unexpected, then perhaps the data is incomplete, incorrect, or the analytics require some tweaking. Either way, if you’re this far in the process, you’ve undoubtedly learned more about potential attackers, your environment, your data sources, and signs of compromise.
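The four-step loop above (one technique, its data, an analytic, a test) and the way to read an unexpected result can be written down as a small harness. What follows is an added example, not code from the eBook, MITRE or Atomic Red Team. The technique ID (T0000), the data-source names, the detection rule and the telemetry are constructed placeholders; the rule itself is a hypothetical one chosen only to make the harness concrete. The useful part is that it distinguishes “the data never arrived” from “the data is there but the rule missed it”, which are the two explanations the paragraph above gives for a failed test.

```python
"""The Level 1 loop: pick one technique, pull the required data, build an
analytic, run a test, and read the result as 'data gap', 'rule needs work' or
'detected'.

Added example, not code from the eBook, MITRE or Atomic Red Team. The technique
ID (T0000), data-source names, detection rule and telemetry are constructed
placeholders; the rule is hypothetical and exists only to exercise the harness.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Iterable

Event = dict  # one parsed telemetry record, e.g. a process-creation log line


@dataclass(frozen=True)
class Analytic:
    technique_id: str
    required_sources: frozenset[str]    # ATT&CK data sources the rule depends on
    rule: Callable[[Event], bool]       # True when the event matches the technique


# Constructed placeholder rule: a script interpreter spawned by a document viewer.
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe"}
DOCUMENT_APPS = {"winword.exe", "excel.exe", "acrord32.exe"}


def interpreter_from_document(ev: Event) -> bool:
    return (ev.get("data_source") == "Process: Process Creation"
            and ev.get("image", "").lower() in INTERPRETERS
            and ev.get("parent_image", "").lower() in DOCUMENT_APPS)


PLACEHOLDER_ANALYTIC = Analytic(
    technique_id="T0000",  # placeholder, not a real ATT&CK technique ID
    required_sources=frozenset({"Process: Process Creation"}),
    rule=interpreter_from_document,
)


def coverage_gaps(analytic: Analytic, available_sources: Iterable[str]) -> list[str]:
    """Data sources the rule needs that the SIEM is not actually receiving."""
    return sorted(set(analytic.required_sources) - set(available_sources))


def run_test(analytic: Analytic, available_sources: Iterable[str],
             events: Iterable[Event]) -> tuple[str, list]:
    """Return (status, detail): 'missing_data' with the gap list, or
    'detected' / 'no_hits' with the matching events."""
    gaps = coverage_gaps(analytic, available_sources)
    if gaps:
        # Running the rule now would only prove that it never fires.
        return "missing_data", gaps
    hits = [ev for ev in events
            if ev.get("data_source") in analytic.required_sources and analytic.rule(ev)]
    return ("detected" if hits else "no_hits"), hits


NEXT_STEP = {
    "missing_data": "fix collection: the data is incomplete, not the rule",
    "no_hits": "the data is there but the analytic needs tweaking",
    "detected": "analytic works; pick the next technique",
}

# Constructed telemetry: what the SIEM might hold after one emulation run.
EMULATION_EVENTS = [
    {"data_source": "Process: Process Creation", "host": "ws01",
     "image": "WINWORD.EXE", "parent_image": "explorer.exe"},
    {"data_source": "Process: Process Creation", "host": "ws01",
     "image": "powershell.exe", "parent_image": "WINWORD.EXE",
     "cmdline": "powershell.exe -File emulation-test.ps1"},
    {"data_source": "Network Traffic: Network Connection Creation", "host": "ws01",
     "dest_ip": "10.0.0.5"},
]


if __name__ == "__main__":
    for onboarded in ({"Network Traffic: Network Connection Creation"},
                      {"Process: Process Creation"}):
        status, detail = run_test(PLACEHOLDER_ANALYTIC, onboarded, EMULATION_EVENTS)
        print(f"{PLACEHOLDER_ANALYTIC.technique_id}: {status} -> {NEXT_STEP[status]}", detail)
```

Checking required data sources before running the rule is the design choice worth keeping: an analytic that is run without its telemetry looks identical to one that is simply wrong, and the cheap coverage check separates the two before you spend time tuning a rule that had nothing to match.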
If you work with a small team, it may be beneficial to task each team member with picking a group and an associated technique, and bringing their learnings back to the team. That may help you cover more ground at a quicker pace and develop a deeper knowledge base with your team.
In conclusion, digging into the MITRE ATT&CK framework is well worth your time. If some of the concepts I’ve covered seem too elementary, make sure you review the materials I’ve referenced and take a deeper dive into Levels 2 and 3. ATT&CK is an excellent source of information that should be utilized to help build out your organization’s threat intelligence and evaluate the effectiveness of your current detection strategies.
Mark Larson started working in the technology industry in 1998 where he worked in a number of different roles prior to transitioning to the public accounting world in 2004 with Ernst & Young (EY). During his 6 years at EY, Mark provided both assurance and advisory services that spanned multiple industries for both public and private companies. After leaving EY, Mark filled leadership roles within Internal Audit, Technology, and Security functions for several companies. Mark specializes in SOC examinations and enjoys helping clients establish, formalize, and report on effective control environments while strengthening their security risk profile.