What Is MITRE ATT&CK and How Is It Useful? | From Anomali

What is MITRE ATT&CK™?

MITRE introduced ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) in 2013 as a way to describe and categorize adversarial behaviors based on real-world observations. ATT&CK is a structured list of known attacker behaviors that have been compiled into tactics and techniques and expressed in a handful of matrices as well as via STIX/TAXII. Since this list is a fairly comprehensive representation of behaviors attackers employ when compromising networks, it is useful for a variety of offensive and defensive measurements, representations, and other mechanisms.

Understanding ATT&CK Matrices

MITRE has ATT&CK broken out into a few different matrices: Enterprise, Mobile, and PRE-ATT&CK. Each of these matrices contains various tactics and techniques associated with that matrix’s subject matter.

The Enterprise matrix is made of techniques and tactics that apply to Windows, Linux, and/or MacOS systems. Mobile contains tactics and techniques that apply to mobile devices. PRE-ATT&CK contains tactics and techniques related to what attackers do before they try to exploit a particular target network or system.

The Nuts and Bolts of ATT&CK: Tactics and Techniques

When looking at ATT&CK in the form of a matrix, the column titles across the top are tactics, which are essentially categories of techniques. Tactics describe what attackers are trying to achieve, whereas the individual techniques describe how they accomplish those steps or goals.

ATT&CK Enterprise Matrix from https://attack.mitre.org/matrices/enterprise/

For example, one of the tactics is Lateral Movement. In order for an attacker to successfully achieve lateral movement in a network, they will want to employ one or more of the techniques listed in the Lateral Movement column in the ATT&CK matrix.

A technique is a specific behavior to achieve a goal and is often a single step in a string of activities employed to complete the attacker’s overall mission. ATT&CK provides many details about each technique including a description, examples, references, and suggestions for mitigation and detection.

Example of a technique description in MITRE ATT&CK

As an example of how tactics and techniques work in ATT&CK, an attacker may wish to gain access into a network and install cryptocurrency mining software on as many systems as possible inside that network. In order to accomplish this overall goal, the attacker needs to successfully perform several intermediate steps. First, gain access to the network - possibly through a Spearphishing Link. Next, they may need to escalate privilege through Process Injection. Now they can get other credentials from the system through Credential Dumping and then establish persistence by setting the mining script to run as a Scheduled Task. With this accomplished, the attacker may be able to move laterally across the network with Pass the Hash and spread their coin miner software on as many systems as possible.

In this example, the attacker had to successfully execute five steps - each representing a specific tactic or stage of their overall attack: Initial Access, Privilege Escalation, Credential Access, Persistence, and Lateral Movement. They used specific techniques within these tactics to accomplish each stage of their attack (spearphishing link, process injection, credential dumping, etc.).

The Differences Between PRE-ATT&CK and ATT&CK Enterprise

PRE-ATT&CK and ATT&CK Enterprise combine to form the full list of tactics that happen to roughly align with the Cyber Kill Chain. PRE-ATT&CK mostly aligns with the first three phases of the kill chain: reconnaissance, weaponization, and delivery. ATT&CK Enterprise aligns well with the final four phases of the kill chain: exploitation, installation, command & control, and actions on objectives.

Cyber Kill Chain

PRE-ATT&CK Tactics
  • Priority Definition
  • Target Selection
  • Information Gathering
  • Weakness Identification
  • Adversary OpSec
  • Establish & Maintain Infrastructure
  • Persona Development
  • Build Capabilities
  • Test Capabilities
  • Stage Capabilities

ATT&CK Enterprise Tactics
  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Exfiltration
  • Command and Control

What Can Be Done With ATT&CK

ATT&CK is valuable in a variety of everyday settings. Any defensive activities that reference attackers and their behaviors can benefit from applying ATT&CK’s taxonomy. Beyond offering a common lexicon for cyber defenders, ATT&CK also provides a foundation for penetration testing and red teaming. This gives defenders and red teamers common language when referring to adversarial behaviors.

Examples where applying ATT&CK’s taxonomy can be useful:

  • Mapping defensive controls
    • Defensive controls can carry well-understood meaning when referenced against the ATT&CK tactics and techniques they apply to.
  • Threat hunting
    • Mapping defenses to ATT&CK yields a roadmap of defensive gaps that provide threat hunters the perfect places to find missed attacker activity.
  • Detections & Investigations
    • The Security Operations Center (SOC) and incident response team can reference ATT&CK techniques and tactics that have been detected or uncovered. This aids in understanding where defensive strengths and weaknesses are and validates mitigation and detection controls, and can uncover misconfigurations and other operational issues.
  • Referencing actors
    • Actors and groups can be associated with specific, definable behaviors.
  • Tool integrations
    • Disparate tools and services can standardize on ATT&CK tactics and techniques, lending a cohesiveness to a defense that is often lacking.
  • Sharing
    • When sharing information about an attack, an actor or group, or defensive controls, defenders can ensure common understanding by using ATT&CK techniques and tactics.
  • Red Team/Penetration Test Activities
    • Planning, execution, and reporting of red team, purple team, and penetration test activities can use ATT&CK to speak a common language with defenders and report recipients as well as amongst themselves.

Use ATT&CK to Map Defenses and Understand Gaps

Many organizations maintain lists of detective and preventive security controls in their environment - a controls catalog. Looking at these controls through the lens of ATT&CK can help hone controls, expose inefficiencies, and show gaps in protection. It’s important to keep in mind that while ATT&CK can be used in this manner, it is primarily for describing attacker behaviors - not defensive mechanisms.

The process of aligning controls to ATT&CK techniques is pretty straightforward. For each control, consider what techniques (and specifically what ways of employing those techniques) can be detected or prevented by that control. Referencing ATT&CK’s techniques (or tactics where a specific technique can’t be nailed down) now allows for searching, pivoting, and reporting on the controls by means of how the environment looks to attackers. For example, once all controls have ATT&CK techniques associated with them, it should be easy to see what techniques have no detective or preventive controls in place at all. Using the MITRE ATT&CK Navigator is a great way to visualize this effort.

By stepping through the tactics (columns) in the ATT&CK Enterprise matrix and selecting techniques that have no controls in place, possible attack scenarios can be pieced together in which the organization would have neither visibility nor any prevention in place to stop them. Consider how likely the resulting scenarios would be and rank them by feasibility. The most feasible scenarios should be sources for threat hunting to see if attackers have already exploited them. These should also be the areas where investment occurs to get some controls in place.
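The controls-to-techniques alignment and gap walk described above, as an added example that is not code from the original article or from MITRE: a constructed controls catalog is mapped onto a constructed subset of the Enterprise matrix, uncovered techniques are listed per tactic, and the result is emitted as a dict shaped like an ATT&CK Navigator layer (the layer field names are an assumption based on the Navigator layer format).

```python
from collections import defaultdict

# Constructed subset of the ATT&CK Enterprise matrix: tactic -> {technique id: name}.
# T1038 is the id used in this article; the other ids are real ATT&CK ids, but the
# subset (and the controls catalog below) is illustrative only.
MATRIX = {
    "persistence":          {"T1053": "Scheduled Task", "T1038": "DLL Search Order Hijacking"},
    "privilege-escalation": {"T1055": "Process Injection", "T1038": "DLL Search Order Hijacking"},
    "credential-access":    {"T1003": "Credential Dumping"},
    "lateral-movement":     {"T1021": "Remote Services"},
}

# Constructed controls catalog: each control lists the techniques it detects or prevents.
CONTROLS = [
    {"name": "EDR scheduled-task telemetry", "type": "detective",  "techniques": ["T1053"]},
    {"name": "LSASS access protection",      "type": "preventive", "techniques": ["T1003"]},
    {"name": "Application allowlisting",     "type": "preventive", "techniques": ["T1038"]},
]

COLORS = {0: "#ff6666", 1: "#ffe766", 2: "#8ec843"}  # no control / one kind / both kinds


def coverage_by_technique(controls):
    """Return {technique id: {"detective": [control names], "preventive": [...]}}."""
    cov = defaultdict(lambda: {"detective": [], "preventive": []})
    for c in controls:
        for tid in c["techniques"]:
            cov[tid][c["type"]].append(c["name"])
    return dict(cov)


def find_gaps(matrix, controls):
    """Techniques with neither a detective nor a preventive control, grouped by tactic.
    Reading the result column by column is the 'piece together a blind scenario' step."""
    cov = coverage_by_technique(controls)
    gaps = {}
    for tactic, techs in matrix.items():
        missing = sorted(tid for tid in techs if tid not in cov)
        if missing:
            gaps[tactic] = missing
    return gaps


def navigator_layer(matrix, controls):
    """Build a dict shaped like an ATT&CK Navigator layer (field names assumed from the
    layer format): score 0/1/2 = no control / one kind of control / both kinds."""
    cov = coverage_by_technique(controls)
    entries = []
    for tactic, techs in matrix.items():
        for tid in techs:
            c = cov.get(tid, {"detective": [], "preventive": []})
            score = bool(c["detective"]) + bool(c["preventive"])
            entries.append({"techniqueID": tid, "tactic": tactic, "score": score,
                            "color": COLORS[score],
                            "comment": "; ".join(c["detective"] + c["preventive"])})
    return {"name": "Control coverage", "domain": "enterprise-attack", "techniques": entries}
```

Loading the resulting dict as a layer file colours every technique in the matrix by coverage, so red cells read directly as the gap list.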

Instead of assuming that the controls would be effective against specific attacker techniques, simulate the techniques against the controls whenever possible. Controls may not be as effective as expected, and testing is the only way to know for sure. Configuration errors or system problems may also prevent the controls from operating effectively, and those issues may go unnoticed unless the controls are tested from time to time.

Testing is also a good way to validate tool investments by showing which tools are doing the lion’s share of providing detections or preventions, which aren’t doing much at all, and which are ultimately redundant with other tools in the environment.

Using ATT&CK With Cyber Threat Intelligence

ATT&CK can be useful to cyber threat intelligence as it allows for describing adversarial behaviors in a standard fashion. Actors can be tracked with associations to techniques and tactics in ATT&CK that they have been known to utilize. This gives a roadmap to defenders to apply against their operational controls to see where they have weaknesses against certain actors and where they have strengths. Creating MITRE ATT&CK Navigator entries for specific actors is a good way to visualize the environment’s strengths and weaknesses against those actors or groups. ATT&CK is also available as a STIX/TAXII 2.0 feed which makes it easy to ingest into existing tools that support those technologies.

ATT&CK provides details on nearly seventy actors and groups, including what techniques and tools they are known to use based on open source reporting.

MITRE ATT&CK Group List

The intelligence creation process itself can benefit from using the common vernacular of ATT&CK. As mentioned, this can apply to actors and groups, but it can also apply to observed behaviors as seen by the SOC or during incident response activities. Malware can also be described in terms of behaviors via ATT&CK. Any threat intelligence tools that support ATT&CK help make this process straightforward. Commercial and open source intelligence that applies ATT&CK to any mentioned behaviors also helps keep things consistent. Disseminating intelligence to operations or management is ultimately much easier when all parties speak the same language around adversarial behaviors. If the operations team knows exactly what Forced Authentication is and sees it mentioned in an intelligence report, it may know exactly what actions should be taken or what controls are already in place for that piece of intelligence. Standardizing on ATT&CK references in intelligence products in this way can dramatically improve efficiency and ensure common understanding.
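The actor-to-technique roadmap this section describes, built from the STIX 2.0 form in which ATT&CK is published, as an added example that is not code from the original article or from MITRE: a constructed bundle uses the real ATT&CK object types and field names (intrusion-set, attack-pattern, "uses" relationships, "mitre-attack" external references and kill-chain phases) with placeholder ids and a fictional group; no data from the actual TAXII server is included. It also shows the later Challenges point that one technique (T1038) sits under several tactics.

```python
# Constructed STIX 2.0 bundle shaped like the ATT&CK feed: real object types and field
# names, placeholder ids and a fictional "Example Group". Not data from the TAXII server.
A1, B1, B2 = ("intrusion-set--00000000-0000-4000-8000-0000000000a1",
              "attack-pattern--00000000-0000-4000-8000-0000000000b1",
              "attack-pattern--00000000-0000-4000-8000-0000000000b2")
MITRE = "mitre-attack"
BUNDLE = {"type": "bundle", "spec_version": "2.0", "objects": [
    {"type": "intrusion-set", "id": A1, "name": "Example Group"},
    {"type": "attack-pattern", "id": B1, "name": "DLL Search Order Hijacking",
     "external_references": [{"source_name": MITRE, "external_id": "T1038"}],
     "kill_chain_phases": [{"kill_chain_name": MITRE, "phase_name": p}
                           for p in ("persistence", "privilege-escalation", "defense-evasion")]},
    {"type": "attack-pattern", "id": B2, "name": "Credential Dumping",
     "external_references": [{"source_name": MITRE, "external_id": "T1003"}],
     "kill_chain_phases": [{"kill_chain_name": MITRE, "phase_name": "credential-access"}]},
    {"type": "relationship", "relationship_type": "uses", "source_ref": A1, "target_ref": B1},
    {"type": "relationship", "relationship_type": "uses", "source_ref": A1, "target_ref": B2},
]}


def attack_id(obj):
    """ATT&CK external id (e.g. T1038) of a STIX object, or None if it has none."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == MITRE:
            return ref.get("external_id")
    return None


def actor_techniques(bundle, group_name):
    """Follow intrusion-set --uses--> attack-pattern relationships and return
    {technique id: [tactics]} for the named group."""
    objs = {o["id"]: o for o in bundle["objects"] if "id" in o}
    group_ids = {o["id"] for o in objs.values()
                 if o["type"] == "intrusion-set" and o["name"] == group_name}
    if not group_ids:
        raise KeyError(f"no intrusion-set named {group_name!r}")
    result = {}
    for o in bundle["objects"]:
        if (o["type"] != "relationship" or o["relationship_type"] != "uses"
                or o["source_ref"] not in group_ids):
            continue
        target = objs.get(o["target_ref"])
        if target and target["type"] == "attack-pattern":
            result[attack_id(target)] = [p["phase_name"] for p in target.get("kill_chain_phases", [])
                                         if p["kill_chain_name"] == MITRE]
    return result


def weaknesses_against(bundle, group_name, covered):
    """Techniques the group uses that no control covers, keyed by tactic: the
    per-actor strengths-and-weaknesses view described in the section above."""
    weak = {}
    for tid, tactics in actor_techniques(bundle, group_name).items():
        if tid not in covered:
            for tactic in tactics:
                weak.setdefault(tactic, []).append(tid)
    return weak
```

The `covered` argument is whatever set of technique ids the controls catalog already maps to; the same walk works unchanged on the real bundle, which just has many more objects of the same shapes.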

Adversarial Simulation and ATT&CK

Testing the techniques in ATT&CK against the environment is the best way to:

  • Test controls and their efficacy
  • Ensure coverage against different techniques
  • Understand gaps in visibility or protection
  • Validate the configuration of tools and systems
  • Demonstrate where different actors would be successful or would be caught in the environment
  • Avoid guesses and assumptions with controls by knowing exactly what is detected or mitigated and what is not

The process of performing adversarial simulation isn’t foreign to many environments. When employing penetration testers to test the environment, organizations are engaging in adversarial simulation testing. The same applies to organizations that have internal red teams or that perform purple team engagements. Mapping the activities of these engagements to ATT&CK techniques elevates defenders’ understanding of the results. Instead of simply reporting failures to detect certain activity, pen test and red team reports can provide context that ties their activities directly to operational controls, defensive tools, and procedures. This makes it easier for defenders to take appropriate action as a result of the reports.

Simulations can be designed to mirror tools and techniques known to be used by specific actors as well. This can be especially useful when trying to assess how successful certain adversaries might be against the controls present in the environment.

Additionally, there are tools available that provide mechanisms for testing certain techniques directly inside the environment and are already aligned with ATT&CK. Commercial tools such as Verodin, SafeBreach, and AttackIQ provide the ability to perform adversarial simulation aligned with ATT&CK. There are also some open source options for adversarial simulation that align with ATT&CK (listed below). As always, take care when performing adversarial simulations on production networks where the scope of potential ramifications isn’t fully understood.

The process for making use of these tools is straightforward:

  1. Simulate - Choose simulation criteria based on the desired testing, then run the tool or perform the technique manually
  2. Hunt - Examine logs and tool output for evidence of the simulated activity; note missed expectations with detective or preventive controls
  3. Detect - Add new detections or mitigations based on the findings; also note any gaps in visibility and any tools used for detection or mitigation
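The Hunt and Detect steps of this loop, as an added example that is not code from the original article or from any of the tools it lists: constructed Windows event log lines from a lab host are run through detection rules tagged with the ATT&CK technique they evidence, and the simulated techniques that left no evidence are reported as visibility gaps for the Detect step. The log format, the rules and the choice of simulated techniques are assumptions for the example; the event ids (4698 and Sysmon event 10) and technique ids are real.

```python
import re

# Constructed Windows event log lines (key=value form) from a lab host after a simulation
# run. Event ids are real (4698: scheduled task created; Sysmon 10: process access).
LOG_LINES = [
    "2024-03-01T09:00:01Z EventID=4688 Computer=WS01 NewProcessName=C:\\Windows\\System32\\cmd.exe",
    "2024-03-01T09:00:05Z EventID=4698 Computer=WS01 SubjectUserName=jdoe TaskName=\\Updater",
    "2024-03-01T09:00:09Z EventID=10 Computer=WS01 SourceImage=C:\\Temp\\sim.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "2024-03-01T09:00:12Z EventID=4624 Computer=WS01 LogonType=2 TargetUserName=jdoe",
]

# Techniques the Simulate step claims to have exercised (real ATT&CK ids; the selection
# is constructed for this example).
SIMULATED = {"T1053": "Scheduled Task", "T1003": "Credential Dumping", "T1055": "Process Injection"}

# Detection rules tagged with the technique they evidence; each is a predicate over the
# parsed event fields. Constructed for the example, not a production rule set.
RULES = [
    ("T1053", "scheduled task created",
     lambda e: e.get("EventID") == "4698"),
    ("T1003", "non-system process opened lsass",
     lambda e: e.get("EventID") == "10"
     and e.get("TargetImage", "").lower().endswith("\\lsass.exe")),
]

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'timestamp k=v k=v ...' into a dict; the timestamp is the first token."""
    fields = dict(FIELD.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def hunt(lines, rules, simulated):
    """Hunt step: run every rule over the logs, record which simulated techniques were
    observed, and list those with no evidence (the gaps the Detect step must close)."""
    hits, observed = [], set()
    for event in map(parse_line, lines):
        for tid, label, match in rules:
            if match(event):
                hits.append({"technique": tid, "rule": label,
                             "timestamp": event["timestamp"], "host": event.get("Computer")})
                observed.add(tid)
    missed = sorted(tid for tid in simulated if tid not in observed)
    return {"hits": hits, "observed": observed, "missed": missed}
```

Here T1055 comes back in `missed`: the simulation ran it, no rule fired, so the Detect step records either a new detection to write or a telemetry source that is not being collected.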

Best Practices for Using ATT&CK

The following is a list of best practices for ATT&CK.

  • Share discovered methods of detection and mitigation
  • Share tactics and techniques of observed attacker behaviors
  • Leverage ATT&CK integration in existing tools
  • Encourage vendors and service providers to add support for ATT&CK where it would be useful

Challenges When Leveraging ATT&CK

Using ATT&CK doesn’t come without challenges. It’s good to keep these in mind when leveraging ATT&CK.

  • Some techniques have many possible methods of execution
  • Some techniques are listed under multiple tactics
    • Example: DLL Search Order Hijacking (T1038)
    • Shows up under Persistence, Privilege Escalation, and Defense Evasion tactics
    • Some techniques, such as this one, can be used for multiple use cases and are useful in multiple stages of attack

ATT&CK Tools and Resources

The following is a list of tools and other resources that make use of ATT&CK. Some of these have been mentioned previously but are provided here for easy reference. To have something added to this list, send an email to marketing@anomali.com.

ATT&CK Navigator

ATT&CK Navigator is a great tool for mapping controls against ATT&CK techniques. Layers can be added that show specifically detective controls, preventive controls, or even observed behaviors. Navigator can be used online for quick mockups or scenarios, or it can be downloaded and set up internally as a more permanent solution.

MITRE ATT&CK Navigator

Uber Metta

Metta is an open source project from Uber that performs adversarial simulation and is aligned with MITRE ATT&CK.


MITRE Caldera

Caldera is an open source, automated adversary simulation tool that is based on MITRE ATT&CK.

MITRE Caldera Screenshot

Red Canary Atomic Red Team

Atomic Red Team is an open source tool from Red Canary for simulating adversarial behaviors mapped to MITRE ATT&CK. More info available at: https://atomicredteam.io/

Atomic Red Team Test Example

Endgame Red Team Automation

Red Team Automation is an open source tool from Endgame that tests malicious behavior modeled on MITRE ATT&CK.

Current list of techniques supported by Red Team Automation (RTA)

Malware Archeology Windows ATT&CK Logging Cheat Sheet

The good folks at Malware Archeology provide a number of Windows logging cheat sheets to aid defenders in finding malicious activity in logs. They have one dedicated to finding techniques from MITRE ATT&CK.

Example of included details in the ATT&CK Logging Cheat Sheet from Malware Archeology

MITRE Cyber Analytics Repository (CAR)

MITRE has a resource called the Cyber Analytics Repository (CAR) which is a reference site to various analytics useful for detecting behaviors in MITRE ATT&CK.

MITRE Cyber Analytics Repository (CAR)

ATT&CK Tableau Table by Cyb3rPanda

Cyb3rPanda has loaded ATT&CK into a public Tableau instance for easy pivoting and filtering.

ATT&CK Enterprise Matrix in a public Tableau by Cyb3rPanda

Palo Alto Unit 42 Playbook Viewer

Palo Alto’s Unit 42 group has released a free playbook viewer which shows known adversarial behaviors for a handful of threat groups aligned to MITRE ATT&CK.

Palo Alto Unit 42’s Playbook Viewer

Anomali Weekly Threat Briefing

The Anomali Weekly Threat Briefing is a free weekly report of key security and threat developments of the week. The report includes relevant IOCs and ATT&CK techniques for each story in the briefing.

Anomali Weekly Threat Briefing example

Summary

MITRE has made a significant contribution to the security community by giving us ATT&CK and its related tools and resources. It couldn’t have come at a better time. As attackers are finding ways to be more stealthy and avoid detection by traditional security tools, defenders find themselves having to change how they approach detection and defense. ATT&CK shifts our perception from low-level indicators like IP addresses and domain names and causes us to see attackers and our defenses through the lens of behaviors. This new perception doesn’t mean results will come easy though. The easy days of block lists and simple filters are all but gone. The road of detecting and preventing behaviors is a much harder path than the fire-and-forget tools of the past. Additionally, attackers will certainly be adapting as defenders bring new capabilities to bear. ATT&CK provides a way to describe whatever new techniques they develop and hopefully keep defenders in step.