MITRE ATT&CK Framework Primer

Will
November 16, 2020

The MITRE ATT&CK framework is a fairly familiar term within the Cyber Security industry. It has quickly evolved from a niche framework to the core of many security operations centers. While the vast majority of security operations centers are familiar with the framework, less mature businesses have trouble understanding where to start and how to apply the framework effectively.

ATT&CK 1-0-1

ATT&CK is broken up into various categories called ‘Tactics’, starting from ‘Initial Access’ all the way down to ‘Impact’. We liken the order of ATT&CK Tactics from left to right with the Lockheed Martin Cyber Kill Chain. The Lockheed Martin Cyber Kill Chain visualises the phases a threat actor will have to transition through to meet their objective. As such, detecting or mitigating a technique in an earlier Tactic allows you to limit the impact the breach will have on your environment by preventing the threat actor from actioning a technique in a later Tactic.

We use this as a general rule; it is possible for some attacks to completely skip various Tactics. However, it is much easier to defend or recover from an attack when you have implemented appropriate mitigation, detection and recovery strategies to better respond to a technique earlier, rather than responding to them in a later Tactic such as ‘Impact’. For example, if you have strategies in place that allow you to detect or prevent potentially malicious remote access events, such as a user logging into a VPN service from outside of Australia, you can proactively respond by disabling the account, resetting the user’s password and preventing the threat actor from actioning techniques from later Tactics. This makes it significantly more difficult for a threat actor to reach their end goal while allowing you to more easily defend your environment.

Reconnaissance > Resource Development > Initial Access > Execution > Persistence > Privilege Escalation > Defence Evasion > Credential Access > Discovery > Lateral Movement > Collection > Command and Control > Exfiltration > Impact 

The MITRE ATT&CK framework is built from the perspective of a threat actor, detailing how a threat actor may break into an environment and move laterally. Each of these tactics contains multiple techniques, with each technique containing detailed information.

The techniques within the framework contain detailed information including:

  • Methodologies used by threat actors to leverage and exploit the technique.
  • The systems or services the technique applies to, such as operating systems.
  • Which threat actors utilise the technique.
  • How to mitigate or detect the technique in your environment.
  • Published references to the technique being utilised in the wild. 
This image shows a sample of the numerous Tactics and Techniques that make up the MITRE ATT&CK framework.

Using The Framework

Now that we understand the basics of ATT&CK, there are various ways of utilising the framework to better defend an environment against a malicious threat actor. Luckily, MITRE have released a tool called ‘ATT&CK Navigator’ that makes this process significantly easier.

The ATT&CK Navigator tool allows cyber security teams to easily navigate and annotate ATT&CK matrices in multiple layers. This allows the team to easily plan, measure and visualise both offensive and defensive capabilities through colour coding, numerical values and comments. 

One of the more common use cases for the framework is to regularly measure and mature the defensive capabilities of an organisation. This is done by measuring the effectiveness of various controls and mitigations (Anti-Virus, Email Gateways, Firewalls etc.) against the ATT&CK framework. Each service matrix can then be merged into a combined layer, making it simple to identify improvement opportunities. The below image shows how an organisation can easily visualise gaps in their mitigation and detection strategies.

This image shows multiple product matrices combined to give an overall idea of the detection capabilities. The default navigator legend goes from red through to bright green with red being a combined score of 0.
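
The layer-combining step described above, as an added example (not Alchemy Sec's or MITRE's code): it sums per-product scores into one Navigator-style layer and lists the techniques left at a combined score of 0. The product layers, scores and scope list are constructed for illustration, and scores are keyed by technique ID only.

```python
import json

# Constructed per-product layers: real ATT&CK technique IDs, invented scores.
# Only the layer fields used here are included (name, domain, techniques).
LAYERS = [
    {"name": "Email Gateway", "domain": "enterprise-attack",
     "techniques": [{"techniqueID": "T1566", "score": 2},
                    {"techniqueID": "T1204", "score": 1}]},
    {"name": "Anti-Virus", "domain": "enterprise-attack",
     "techniques": [{"techniqueID": "T1204", "score": 2},
                    {"techniqueID": "T1059", "score": 1},
                    {"techniqueID": "T1486", "score": 1}]},
    {"name": "Firewall", "domain": "enterprise-attack",
     "techniques": [{"techniqueID": "T1133", "score": 1}]},
]
# Techniques being assessed (constructed scope); unscored ones must show as 0.
SCOPE = ["T1566", "T1204", "T1059", "T1078", "T1133", "T1021", "T1486"]

def combine_layers(layers, scope):
    """Sum each technique's score across layers; note which products scored it."""
    totals, sources = {t: 0 for t in scope}, {t: [] for t in scope}
    for layer in layers:
        for tech in layer.get("techniques", []):
            tid, score = tech["techniqueID"], tech.get("score") or 0
            totals[tid] = totals.get(tid, 0) + score  # also keeps out-of-scope IDs
            if score > 0:
                sources.setdefault(tid, []).append(layer["name"])
    return {
        "name": "Combined coverage",
        "domain": layers[0]["domain"] if layers else "enterprise-attack",
        "techniques": [{"techniqueID": t, "score": totals[t],
                        "comment": ", ".join(sources.get(t, [])) or "no coverage"}
                       for t in sorted(totals)],
        # Red at a combined score of 0, through yellow, to green at the top score.
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"],
                     "minValue": 0, "maxValue": max(totals.values(), default=0)},
    }

def coverage_gaps(combined):
    """Technique IDs with a combined score of 0, i.e. the red cells."""
    return [t["techniqueID"] for t in combined["techniques"] if t["score"] == 0]

if __name__ == "__main__":
    combined = combine_layers(LAYERS, SCOPE)
    print(json.dumps(combined, indent=2))
    print("Gaps:", coverage_gaps(combined))
```
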

Another excellent use case for the framework is measuring the effectiveness of a product in mitigating various Techniques, and any potential overlap the product will have with existing products or services in your Cyber Security stack. It is also quite common for vendors of cyber security products and services to align or measure themselves against the framework. MITRE make this even easier by providing pre-evaluation reports of various products against ATT&CK using the Navigator tool. This means an organisation can simply overlay the MITRE or vendor provided matrices over an overall matrix to identify how effective a product will be alongside existing controls.

The screenshot below (https://attackevals.mitre-engenuity.org/APT29/results/crowdstrike/matrix.html) shows the effectiveness of CrowdStrike Falcon while detecting Tactics, Techniques and Procedures (TTPs) from the threat actor group Advanced Persistent Threat 29 (APT 29), with a total detection rate of 100%!

This image shows a MITRE ATT&CK Evaluation of Crowdstrike Falcon against the Advanced Persistent Threat 29.

Here at Alchemy Sec, we also utilise the framework when performing incident response for customers. MITRE keep up-to-date matrices of a vast range of threat actors that allow cyber security teams to easily identify the known TTPs to look for when dealing with known adversaries. Having this information at hand allows cyber security teams to more efficiently detect, mitigate and eradicate the threat actor from the environment.

The Differentiator

Unlike other frameworks, ATT&CK is built around technical tactics, techniques and procedures from the perspective of threat actors. As such, many security teams proactively choose to align their detection, mitigation and incident response processes with the framework to better understand their own strengths and weaknesses. Integrating MITRE ATT&CK into an organisation’s existing processes does require a degree of technical knowledge. 

In saying that, AlchemySec have guided numerous customers in enhancing their existing processes and leveraging relationships with vendors to have them align their own tools or services against the framework. This allows organisations to utilise the framework without the same degree of technical knowledge, and puts all of the heavy lifting back on the vendor to align their product with the framework.

While the framework is effective from a technical perspective, it can also be used at a management level to easily visualise strengths, weaknesses and opportunities to improve in maturity. This process can be pivotal in acquiring buy-in from key stakeholders when looking to augment or rationalise existing capabilities with new services.

In Conclusion

The MITRE ATT&CK framework can be used as the foundation of a broad range of use cases to allow an organisation to better detect, mitigate and eradicate threats within their environment. To get the most value out of the framework, an organisation will require a certain level of maturity from both cyber security processes and technically capable resources. However, the framework contains a wealth of cyber security information that can be utilised for product selection, incident response and threat actor profiling with very little technical knowledge.

While some of Alchemy Sec’s example use cases can be niche, we hope the concepts shared resonate and inspire you to generate interesting ones of your own to be used in concert with the framework to the benefit of your own environment. 

References

MITRE ATT&CK Framework: https://attack.mitre.org

MITRE ATT&CK Navigator: https://mitre-attack.github.io/attack-navigator/

MITRE ATT&CK Evaluations: https://attackevals.mitre-engenuity.org

CrowdStrike MITRE ATT&CK Framework Evaluation: https://www.crowdstrike.com/blog/crowdstrike-falcon-mitre-attack-evaluation-results-second-iteration/

Lockheed Martin Cyber Kill Chain: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
