Amateur Security Archaeologists, trying not to break things.

Worry less and know your enemy with MITRE ATT&CK!

AI depiction of barbarians waiting at the fiery gates of something ominous
Our last penetration test was a little too obvious – maybe we should specify “don’t burn it all down”?

If you’ve known me for a while, you know I love talking about MITRE’s ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge). I probably have an unhealthy addiction to discussing it, but I do think it is helpful to understand why it is both cool and has limits. So let’s discuss!

What is ATT&CK?

MITRE ATT&CK is a community-driven database and framework that primarily focuses on documenting and categorizing adversary behavior, including tactics, techniques, and procedures (TTPs). MITRE centered its focus on more traditional network-based threats, and includes coverage for mobile, ICS, and Enterprise environments. In what follows, we’ll mostly refer to the Enterprise Matrix unless explicitly noted. ATT&CK provides potential detection and mitigation guidance, and links the TTPs to the groups and software that are implicated. Folks use ATT&CK for threat modeling, red teaming, and improving detection and prevention capabilities through both tuning and gap analysis. Launched for the public in 2011, ATT&CK is a widely accepted lingua franca in the security space and covers 625 Techniques and Sub-techniques arranged into 14 Tactics at the time of publishing (version 13.1, 6 Nov 2023). At first glance it may look like an eye chart, as in this top-level view of the Enterprise Matrix below:

Overall look at the Enterprise Matrix from MITRE ATT&CK
Memorize it quick, kids, this will be on the test!

The Basic Constructs of MITRE ATT&CK

Core to the ATT&CK framework is the association of Tactics, Techniques, Groups, Software, and the Detection & Mitigations. The relationships between each of these are illustrated below:

Diagram showing the ATT&CK entities and their relationships
Connecting the “entities” in MITRE ATT&CK can help us see why they are there

So what do these different blocks mean?

Groups

Groups (the Who of ATT&CK): adversaries are the ones doing the bad stuff, so who might they be? This may sound like we’re pushing for attribution, but the real value to a serious security operator is in anticipating or uncovering what came next. Groups are denoted by a “G” prefix in ATT&CK; G0007 is the identifier for APT28 (https://attack.mitre.org/groups/G0007/), for instance.

Techniques

Techniques (the What & How): There may be many approaches to achieving the same goal, and each of these is a technique. A “T” prefix identifies them. What did the adversary do and how did they do it? (e.g. T1110 Brute Force: https://attack.mitre.org/techniques/T1110/) And, if sub-techniques exist, which specific variation did they leverage? (e.g. T1110.004 Credential Stuffing: https://attack.mitre.org/techniques/T1110/004/)

Tactics

Tactics (the Why): So what did the adversary use that technique for? What are they trying to accomplish? Tactics refer to the high-level goal of an adversary’s behavior. These are identified with a “TA” prefix. They might want to achieve Credential Access (TA0006: https://attack.mitre.org/tactics/TA0006/), as an example. These Tactics are the most analogous to the seven steps defined in the Lockheed Martin Cyber Kill Chain.

Software

Software (another aspect of the How): Some techniques are completed without a specific tool, but most carry out the action and have an impact on the environment through an application, tool, or script. Impacket (S0357: https://attack.mitre.org/software/S0357/) is a very popular library and toolset used to assist with a lot of sniffing, relay, and remote service attacks against Windows.

Each technique also includes any recommended Detections or Data Sources (“DS” prefix) and Mitigations (“M” prefix) to aid you in countering these threats; together they offer an alternative view that is very well suited to defenders.

Where does ATT&CK get its info?

This structure has served it well, and ATT&CK now offers matrices covering Enterprise, Mobile, and ICS environments. Valuable CTI is also easily shared via STIX and TAXII feeds or APIs, and multiple ecosystem efforts (supported by both MITRE and the community at large) continue to extend its utility. Some of those inputs, outputs, and areas covered are shown below:

Diagram showing the inputs, outputs, and characteristics of MITRE ATT&CK. This was based on 13.1, but 14 is out so the numbers have changed a little.
Ok, so the technique count is off. This stuff changes rapidly!
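To make the entity relationships and the ID prefixes above concrete, here is an added Python example (my own illustration, not code from this post or from MITRE). It walks a tiny, hand-built STIX-style bundle shaped like the ATT&CK feed: it validates the G/T/TA/S/DS/M prefixes, rolls a sub-technique up to its parent technique, and follows “uses” relationships to answer “what does G0007 use, and under which tactic?”. The object types and field names (`intrusion-set`, `attack-pattern`, `x-mitre-tactic`, `tool`, `uses`, `subtechnique-of`, `kill_chain_phases`, `external_references`) follow the conventions of the real ATT&CK STIX data, but the bundle itself is constructed for this example and contains only the IDs the post names.

```python
import re

# Constructed, minimal STIX-style bundle in the shape the ATT&CK feed uses.
# Only the IDs the post names appear here; this is NOT real MITRE data.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "intrusion-set", "id": "intrusion-set--g0007", "name": "APT28",
         "external_references": [{"source_name": "mitre-attack", "external_id": "G0007"}]},
        {"type": "x-mitre-tactic", "id": "x-mitre-tactic--ta0006", "name": "Credential Access",
         "x_mitre_shortname": "credential-access",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0006"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t1110", "name": "Brute Force",
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1110"}]},
        {"type": "attack-pattern", "id": "attack-pattern--t1110-004", "name": "Credential Stuffing",
         "x_mitre_is_subtechnique": True,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1110.004"}]},
        {"type": "tool", "id": "tool--s0357", "name": "Impacket",
         "external_references": [{"source_name": "mitre-attack", "external_id": "S0357"}]},
        # "uses" edges are how ATT&CK links the Who (group) to the What/How.
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--g0007", "target_ref": "attack-pattern--t1110-004"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--g0007", "target_ref": "tool--s0357"},
        {"type": "relationship", "relationship_type": "subtechnique-of",
         "source_ref": "attack-pattern--t1110-004", "target_ref": "attack-pattern--t1110"},
    ],
}

# ID prefixes from the post. "TA" is listed before "T" so the tactic prefix wins.
ID_PATTERN = re.compile(r"^(?P<prefix>TA|T|G|S|DS|M)(?P<num>\d{4})(?:\.(?P<sub>\d{3}))?$")
KIND_BY_PREFIX = {"G": "group", "T": "technique", "TA": "tactic",
                  "S": "software", "DS": "data source", "M": "mitigation"}


def classify_id(attack_id):
    """Validate an ATT&CK ID and say what it names; sub-techniques report their parent."""
    m = ID_PATTERN.match(attack_id)
    if not m:
        raise ValueError(f"not an ATT&CK identifier: {attack_id!r}")
    prefix, num, sub = m.group("prefix", "num", "sub")
    if sub and prefix != "T":
        raise ValueError(f"only techniques have sub-techniques: {attack_id!r}")
    if sub:
        return {"kind": "sub-technique", "parent": f"T{num}"}
    return {"kind": KIND_BY_PREFIX[prefix], "parent": None}


def external_id(obj):
    """Pull the human-facing ATT&CK ID (G0007, T1110.004, ...) out of a STIX object."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def group_profile(bundle, group_id):
    """Follow 'uses' edges from a group to its techniques (with tactics) and software."""
    by_stix_id = {o["id"]: o for o in bundle["objects"] if "id" in o}
    # Tactic shortnames (e.g. "credential-access") map kill_chain_phases back to TA IDs.
    tactic_by_shortname = {o["x_mitre_shortname"]: external_id(o)
                           for o in by_stix_id.values() if o["type"] == "x-mitre-tactic"}
    group = next(o for o in by_stix_id.values()
                 if o["type"] == "intrusion-set" and external_id(o) == group_id)
    profile = {"group": group["name"], "techniques": {}, "software": []}
    for rel in bundle["objects"]:
        if rel["type"] != "relationship" or rel["relationship_type"] != "uses":
            continue
        if rel["source_ref"] != group["id"]:
            continue
        target = by_stix_id[rel["target_ref"]]
        tid = external_id(target)
        if target["type"] == "attack-pattern":
            # kill_chain_phases carry the Why (tactic) for each technique.
            tactics = [tactic_by_shortname[p["phase_name"]]
                       for p in target.get("kill_chain_phases", [])
                       if p["kill_chain_name"] == "mitre-attack"]
            profile["techniques"][tid] = {"name": target["name"], "tactics": tactics,
                                          "parent": classify_id(tid)["parent"]}
        elif target["type"] in ("tool", "malware"):
            profile["software"].append(tid)
    return profile


if __name__ == "__main__":
    p = group_profile(SAMPLE_BUNDLE, "G0007")
    for tid, info in p["techniques"].items():
        print(f"{p['group']} uses {tid} {info['name']} "
              f"(tactics {info['tactics']}, parent {info['parent']})")
    print("software:", p["software"])
```

Against a real ATT&CK STIX bundle the same traversal works unchanged, because the group, technique, tactic, and software objects really are linked only through `relationship` objects and `kill_chain_phases`; the point of the toy is that the “Who uses What, for Why, with which Software” picture from the diagram above is literally a graph you can query rather than a chart you have to memorize.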

If you’re wondering “what about the Cyber Kill Chain?” then this might help. Lockheed Martin’s repurposing of the US DoD’s Kill Chain concept into a cybersecurity institution was helpful, but inflexible. Broken up into 7 phases, the Kill Chain wasn’t able to dive deep enough to actually recommend actions or guide its many stakeholders. So when MITRE decided to make their own framework, we got something that goes way deeper when needed. Those 7 phases now translate to the 14 tactics. And unlike the Kill Chain, which sort of left us hanging, MITRE’s ATT&CK drills deeper and correlates more information. So this is a huge improvement!

ATT&CK uses a database-oriented approach, and this means it fits multiple personas in the environment really well. While its roots are in Threat Intelligence, its structure allows it to greatly assist with four main use cases: Threat Intelligence, Detection and Analytics, Adversary Emulation and Red Teaming, and Assessment and Engineering. We’ll talk about these in the next few posts!
