What is MITRE ATT&CK?
The MITRE ATT&CK Framework is a continuously updated knowledge base consisting of cyber attacker tactics and techniques across the attack lifecycle.

The most important facts in brief
- MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) is an IT security framework developed by MITRE Corporation to help organisations identify vulnerabilities in their defences against cyber attackers and cyber criminals.
- The Enterprise matrix currently consists of 14 tactics with more than 200 techniques and over 400 sub-techniques describing individual attacker activities.
- The tactics are: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defence Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command & Control, Exfiltration and Impact.
What is the MITRE ATT&CK®?
MITRE ATT&CK® (Adversarial Tactics, Techniques, and Common Knowledge) was developed in 2013 by MITRE Corporation to document attacker tactics and techniques based on real-world observations.
In doing so, researchers wanted to study the behaviour of attackers and defenders to improve detection after compromise.
The resulting ATT&CK framework is a knowledge base of cyber-criminal and cyber-attacker behaviours that reflects the different phases of the attack lifecycle.
The abstraction into concrete tactics, techniques and sub-techniques provides an easily understandable level on which different IT security teams can communicate with each other.
MITRE represents ATT&CK in the form of a matrix. The column headings at the top are called tactics. The tactic is a goal that an attacker is trying to achieve. For each tactic, there is a set of techniques on how to achieve the goal.
The ATT&CK Matrices: Enterprise, Mobile and ICS
MITRE has divided ATT&CK into three broad areas: Enterprise, Mobile and ICS. Each area has its own matrix.
- ATT&CK Enterprise focuses on attacker behaviour in Windows, macOS, Linux, Cloud, Network and Container environments.
- ATT&CK Mobile focuses on attacker behaviour on iOS and Android operating systems.
- ATT&CK ICS focuses on describing the actions an attacker can perform while operating on an ICS network.
The ATT&CK Enterprise Matrix
The complete ATT&CK Enterprise matrix covers the following areas:
- PRE
- Windows
- Linux
- macOS
- Cloud
- Network
- Containers

The tactics, i.e. the column labels, can be roughly interpreted as a kind of cyber kill chain, although they do not have to be traversed linearly.
The PRE area, i.e. the activities preceding an attack, consists of:
Reconnaissance: This includes all activities with which interesting information about people, technology or network infrastructure of an organisation can be obtained.
Resource Development: Based on the collected information, suitable attack tools are developed and an IT infrastructure for the attack is set up. This may include phishing websites and a command & control infrastructure.
Example of an Enterprise ATT&CK technique
For example, one of the tactics is Execution. In order to run their own commands on an IT system, an attacker will use one or more of the techniques listed in the Execution column.
One such technique is Command and Scripting Interpreter: running commands or scripts introduced by the attacker through an interpreter, with sub-techniques for PowerShell, the Windows Command Shell (CMD, .BAT) and others. ATT&CK provides many details on each technique and sub-technique, including a description, procedure examples observed in real intrusions, references, and suggestions for mitigation and detection.
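To make the matrix structure concrete, here is an added example (not code from this page or from MITRE) that reads a miniature STIX 2.1 bundle in the shape of MITRE's enterprise-attack.json and arranges the techniques into one column per tactic, with sub-techniques nested under their parent. The technique IDs and names are real ATT&CK entries, but the bundle itself is constructed: it has seven objects instead of hundreds, uses placeholder object IDs instead of UUIDs, and hard-codes the tactic order that the real bundle carries in its x-mitre-matrix object. It also shows two things the prose only hints at: a technique such as Valid Accounts appears in several columns, and revoked entries remain in the bundle and must be skipped.

```python
from collections import defaultdict

# Column order of the Enterprise matrix. The real STIX bundle carries this in
# its x-mitre-matrix object; it is hard-coded here to keep the example small.
ENTERPRISE_TACTICS = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]


def _attack_pattern(ext_id, name, tactics, **extra):
    """Build one attack-pattern object the way ATT&CK's STIX export encodes it."""
    obj = {
        "type": "attack-pattern",
        "id": f"attack-pattern--{ext_id.lower()}",  # placeholder; real bundles use UUIDs
        "name": name,
        "x_mitre_is_subtechnique": "." in ext_id,
        "kill_chain_phases": [
            {"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics
        ],
        "external_references": [
            {"source_name": "mitre-attack", "external_id": ext_id,
             "url": "https://attack.mitre.org/techniques/" + ext_id.replace(".", "/")}
        ],
    }
    obj.update(extra)
    return obj


# Constructed seven-object stand-in for enterprise-attack.json. IDs and names
# are real ATT&CK entries; everything else about the bundle is an assumption.
ATTACK_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        _attack_pattern("T1595", "Active Scanning", ["reconnaissance"]),
        _attack_pattern("T1566", "Phishing", ["initial-access"]),
        _attack_pattern("T1059", "Command and Scripting Interpreter", ["execution"]),
        _attack_pattern("T1059.001", "PowerShell", ["execution"]),
        _attack_pattern("T1059.003", "Windows Command Shell", ["execution"]),
        # One technique, four columns: the matrix is not a linear chain.
        _attack_pattern("T1078", "Valid Accounts",
                        ["defense-evasion", "persistence", "privilege-escalation", "initial-access"]),
        # Revoked entries stay in the bundle; mappings must never point at them.
        _attack_pattern("T1175", "Component Object Model and Distributed COM",
                        ["lateral-movement", "execution"], revoked=True),
    ],
}


def load_techniques(bundle):
    """Return {ATT&CK ID: {name, tactics, parent}} for current techniques only."""
    techniques = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue  # old objects are kept in the bundle for reference only
        ext_id = next(r["external_id"] for r in obj["external_references"]
                      if r.get("source_name") == "mitre-attack")
        techniques[ext_id] = {
            "name": obj["name"],
            "tactics": [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                        if p["kill_chain_name"] == "mitre-attack"],
            # Sub-technique IDs are <parent>.<nnn>; the real bundle also carries
            # explicit "subtechnique-of" relationship objects, which the prefix avoids.
            "parent": ext_id.split(".")[0] if obj.get("x_mitre_is_subtechnique") else None,
        }
    return techniques


def build_matrix(techniques):
    """tactic -> [(technique ID, name, [(sub-technique ID, name)])]: one column per tactic."""
    subs = defaultdict(list)
    for tid, t in techniques.items():
        if t["parent"]:
            subs[t["parent"]].append((tid, t["name"]))
    matrix = defaultdict(list)
    for tid, t in techniques.items():
        if t["parent"]:
            continue
        for tactic in t["tactics"]:
            matrix[tactic].append((tid, t["name"], sorted(subs[tid])))
    return dict(matrix)


def render_matrix(matrix):
    """Plain-text rendering with the columns in the order MITRE shows them."""
    lines = []
    for tactic in ENTERPRISE_TACTICS:
        lines.append(f"[{tactic}]")
        for tid, name, sub_techniques in matrix.get(tactic, []):
            lines.append(f"  {tid} {name}")
            for sid, sname in sub_techniques:
                lines.append(f"    {sid} {sname}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_matrix(build_matrix(load_techniques(ATTACK_BUNDLE))))
```

Against the real bundle (published by MITRE in the mitre-attack/attack-stix-data repository on GitHub), the same functions work unchanged after `json.load`-ing the file; the only thing to add for a full matrix is reading the tactic order from the x-mitre-matrix object instead of the hard-coded list.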

How can ATT&CK specifically help businesses?
The MITRE ATT&CK framework is practical in a variety of situations. ATT&CK not only provides a comprehensive encyclopaedia for defenders of IT infrastructures (cyber defence), but also forms a basis for red teaming and penetration testing. This gives defenders (Blue Team) and Red Teamers a common taxonomy of behaviours of real attackers.
The most important use cases of MITRE ATT&CK for companies and public organisations include:
- Prioritising defensive measures in light of the organisation’s environment: Even the best-equipped teams cannot protect equally against all attack vectors. The ATT&CK framework can help teams prioritise.
- Value of defensive measures: The value of a defensive measure becomes tangible when it is mapped to the ATT&CK tactics and techniques it addresses.
- Detection & Response: The Security Operations Centre (SOC) and Incident Response Team can refer to ATT&CK techniques and tactics that have been specifically detected or uncovered. This helps to better understand the strengths and weaknesses of the defensive measures used.
- Threat Hunting: Mapping defensive IT security measures to ATT&CK results in a map of potential defensive gaps. These are good starting points for Threat Hunting to find attacker activity that has slipped past the existing detections.
- Using the MITRE ATT&CK framework to defend against specific attacker groups: Many organisations want to prioritise the behaviours of attacker groups they know to be a particular threat to their business. ATT&CK records which techniques each tracked group has been observed using, and MITRE keeps adding techniques as they are used “in the wild”. Conversely, techniques used only by groups that target regions or sectors in which the company does not operate can be given a lower priority.
- Integration and information sharing: Different tools and services can use the standardised ATT&CK tactics and techniques to better integrate and collaborate. Before ATT&CK, a common language and conceptual base was often lacking. This is valuable not only within an organisation, but also when sharing externally about attacks, cyber criminals or other groups.
- Red Team/Penetration Testing Activities: When planning, conducting and reporting Red Team, Purple Team and Penetration Testing activities, ATT&CK can be used to speak a common language with defenders and report recipients as well as each other.
Simulation of attackers with ATT&CK
A relevant question from a Blue Team perspective is often how well you are positioned against current attack techniques with the defence technologies you have in place. Exercising the techniques that are relevant to an organisation's likely attackers is certainly one of the most effective ways to:
- test defence technologies and their effectiveness,
- ensure sufficient coverage and visibility against relevant techniques,
- better understand gaps in visibility or protection,
- validate the configuration of tools and systems,
- demonstrate where different actors would succeed, and where they would not.
Penetration testers who report their findings in terms of ATT&CK techniques make the results easier for the organisation's own IT security team to understand and act on.
Simulations can be designed to reflect techniques known to be used by certain relevant actors. This can be particularly useful when assessing how successful certain attackers can be against the controls in place in the environment.
Software tools for simulating attackers
There are also software tools for testing certain techniques directly in one's own IT environment, many of which are already aligned with the MITRE ATT&CK framework.
- MITRE Caldera (Open Source)
- Red Canary Atomic Red Team (Open Source)
- Uber Metta (Open Source)
- Endgame Red Team Automation (Open Source)
- Verodin (commercial)
- SafeBreach (commercial)
- Chariot Attack (commercial)
- AttackIQ (commercial)
As always, caution is advised when performing attack simulations and cooperation with experienced penetration testers is recommended.
The work with these tools basically consists of three phases.
- Simulation: A selection of techniques is made based on the desired tests. Then either the software tool or a tester manually executes the selected technique.
- Review & Hunt: Examine the logs of all security tools and of the other preventive and detective software deployed on the IT systems. Where the observed detection does not match the expected detection performance, this is documented as well.
- Learn & Improve: Based on the results, it is checked whether the detection of undesired activities needs to be improved. Not every attack pattern has to be prevented outright; it is usually sufficient if enough trip wires are in place so that the activity is reliably detected.
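The three phases as an added example (not code from this page or from any of the tools listed above): the red team's executed technique IDs, a few constructed process-creation events in the shape a SIEM would hold after a Sysmon or Windows 4688 export, the detection rules the blue team believes it has, and the resulting ATT&CK Navigator layer that colours every exercised technique. The events, the rules, the colours and the version numbers in the layer are all assumptions; the technique IDs are real ATT&CK entries. The example deliberately contains both kinds of gap the Review phase should surface: a technique nobody is looking for, and a rule that exists but does not fire on the variant actually used.

```python
import json

# --- Phase 1: Simulation ---------------------------------------------------
# Sub-technique IDs the red team executed (PowerShell, Windows Command Shell,
# LSASS Memory credential dumping).
SIMULATED = ["T1059.001", "T1059.003", "T1003.001"]

# --- Phase 2: Review & Hunt ------------------------------------------------
# Constructed process-creation telemetry (Sysmon Event ID 1 / Windows 4688
# fields as a SIEM would store them). Not real log data.
EVENTS = [
    {"host": "ws01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"host": "ws01",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "cmd.exe /c whoami /all > C:\\Users\\Public\\out.txt"},
    {"host": "ws01",
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Users\Public\l.dmp full"},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Detection rules the blue team believes it has, keyed by ATT&CK ID; each is a
# predicate over one event. Assumed for the example: there is no rule at all for
# T1059.003, and the T1003.001 rule only knows procdump, not the comsvcs.dll
# MiniDump variant the red team actually used.
RULES = {
    "T1059.001": lambda e: _basename(e["image"]) == "powershell.exe"
                           and "-enc" in e["command_line"].lower(),
    "T1003.001": lambda e: _basename(e["image"]) in ("procdump.exe", "procdump64.exe")
                           and "lsass" in e["command_line"].lower(),
}


def review(simulated, events, rules):
    """Map each simulated technique to the review outcome: 'detected',
    'rule did not fire' (a rule exists but the telemetry did not match it)
    or 'no rule' (nothing is looking for this technique at all)."""
    results = {}
    for tid in simulated:
        rule = rules.get(tid)
        if rule is None:
            results[tid] = "no rule"
        elif any(rule(e) for e in events):
            results[tid] = "detected"
        else:
            results[tid] = "rule did not fire"
    return results


# --- Phase 3: Learn & Improve ----------------------------------------------
COLOURS = {"detected": "#8ec843", "rule did not fire": "#ffe766", "no rule": "#ff6666"}


def navigator_layer(results, name="Adversary simulation review"):
    """Build an ATT&CK Navigator layer colouring each exercised technique.
    The version numbers are assumptions; set them to match your Navigator."""
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Green: detected. Yellow: rule exists but missed. Red: no rule.",
        "techniques": [
            {"techniqueID": tid, "score": 1 if status == "detected" else 0,
             "color": COLOURS[status], "comment": status, "enabled": True}
            for tid, status in sorted(results.items())
        ],
        "legendItems": [{"label": s, "color": c} for s, c in COLOURS.items()],
    }


def layer_json(results):
    return json.dumps(navigator_layer(results), indent=2)


def gaps(results):
    """Techniques that need work: the input to the next simulation round."""
    return sorted(tid for tid, status in results.items() if status != "detected")


if __name__ == "__main__":
    res = review(SIMULATED, EVENTS, RULES)
    for tid, status in res.items():
        print(f"{tid}: {status}")
    print("gaps:", gaps(res))
    with open("simulation-review.json", "w") as fh:
        fh.write(layer_json(res))
```

The written layer file can be opened in the ATT&CK Navigator to show the coverage picture to management and to compare rounds. The two gap types call for different fixes: a missing rule is a detection-engineering task, whereas a rule that did not fire on a known variant is a tuning task, and a rule that relies only on a tool name (procdump here) is a hint that the detection should key on the behaviour (a handle to LSASS, a minidump being written) rather than on the binary.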
ATT&CK Resources
The MITRE ATT&CK framework is a very comprehensive tool to better understand the behaviour of attackers and to secure one's own IT infrastructure against them. There is now a vast amount of valuable information and software tooling available. The following is a briefly annotated list, in addition to the software tools for attack simulation listed in the previous section.
- ATT&CK website: MITRE’s ATT&CK website is certainly an important first port of call.
- ATT&CK Blog: MITRE maintains a blog about ATT&CK on Medium.
- ATT&CK Conference: There is a security conference dedicated to ATT&CK (ATT&CKcon).
- ATT&CK Navigator: The ATT&CK Navigator is an excellent tool to visualise threats and defensive coverage against ATT&CK techniques, for example by colouring techniques in the matrix and saving the result as a layer.
- Malware Archeology MITRE ATT&CK Cheat Sheets: The Malware Archeology team provides two listings of relevant information sources for many ATT&CK techniques. Although the latest update is from 09/2018, it is still worth a look.
- MITRE Cyber Analytics Repository (CAR): While the ATT&CK framework focuses primarily on the description of threats and their activities, another MITRE project is concerned with the detection of threats: the Cyber Analytics Repository (CAR).
Frequently asked questions about MITRE ATT&CK
What is MITRE ATT&CK?
MITRE ATT&CK is a free, globally accessible framework and knowledge base that describes the real-world behaviour of cyber attackers in the form of tactics and techniques. Developed by MITRE Corporation since 2013, it helps organisations systematically assess and specifically improve their defences against cyber attacks.
What does ATT&CK stand for?
ATT&CK stands for "Adversarial Tactics, Techniques, and Common Knowledge": the tactics, techniques and shared knowledge about how cyber attackers actually operate.
Which matrices does ATT&CK contain?
MITRE ATT&CK is divided into three matrices: Enterprise (Windows, macOS, Linux, Cloud, Network and Containers), Mobile (iOS and Android) and ICS for industrial control systems. Each matrix maps the tactics and techniques for its respective technology area.
What is the difference between a tactic and a technique?
A tactic describes the goal an attacker wants to achieve (for example "Execution"), while a technique describes how that goal is concretely accomplished. Each tactic comprises several techniques and often additional sub-techniques.
How do companies use ATT&CK?
Companies use ATT&CK to prioritise defensive measures, uncover detection gaps (Detection & Response, Threat Hunting) and realistically simulate attackers during Red Teaming and penetration testing, with a common language for Blue and Red Teams.