
Simplifying the MITRE ATT&CK Framework

This blog was originally published on 11/3/21 on Scythe's blog site.

Author Nathali Cano

Introduction


Before we get into the nitty-gritty of things, I’d like to briefly talk about the big picture here. MITRE ATT&CK is essentially a detailed collection of adversarial behaviors.

The immeasurable value of ATT&CK truly lies in its being an open source tool, meaning its data has been shared by contributors from all over the globe. All the intelligence captured in the ATT&CK framework has brought together communities of blue and red teamers who are looking to understand how adversaries operate, what they do, what tools they use, etc.

In other words, defenders are looking to learn how to play a more tactical game that involves anticipating their adversary’s moves.

Let me give an example of how this works. As defenders, our main priority is to protect our organization’s assets, correct?

Now let’s say our company has state of the art defense systems with best practices in place. Can we answer the following questions with confidence?

  • Do we know what types of threats are most likely to target our specific industry?

  • If we do, do we really know how to defend against these types of threats?

  • Are we confident that our system will be able to detect and respond to techniques used against us?

  • Now, what if we could not only know which specific software or threat actors are more likely to attack our company, but also anticipate the behaviors or patterns of activity (TTPs) they are more prone to use in our environment?

Wouldn’t having this kind of knowledge make a ton of difference when tuning and calibrating our systems?

This kind of knowledge is called Cyber Threat Intelligence (CTI) and this is the backbone and the main purpose of the ATT&CK framework.

ATT&CK enables defenders to mount a threat-informed defense that goes beyond the use of security sensing tools.

SOCs (Security Operations Centers) that integrate cyber threat intelligence are much better positioned to defend against some of the most ruthless cyberattacks, like the Conti ransomware that took down the largest pipeline in the U.S. earlier this year.


Threat-informed defense is the present and the future of cybersecurity, as this approach is founded on a deep understanding of adversary tradecraft and technology.

A seemingly unrelated story

To bring everything together, let’s see how the evolution and benefits of Artificial Intelligence (AI) compare to the evolution and benefits of the ATT&CK framework:

Some of you chess players might remember the historic match between world chess champion Garry Kasparov and IBM’s supercomputer Deep Blue.

Garry Kasparov is the greatest chess player of all time, world champion at the age of twenty-two and the top-ranked player in the world for two decades.

“What surprised Kasparov was Deep Blue’s subsequent move. Kasparov called it ‘human-like’... The move left Kasparov riled and ultimately thrown off his strategy. He was so perturbed that he eventually walked away, forfeiting the game.” [1]


You see, if IBM’s engineers had not exposed Deep Blue’s intrinsic algorithm to countless chess matches from players all around the world, Deep Blue would not have had the data (intelligence) to anticipate and predict so many of Kasparov’s moves, leading to its win.

The same is true of the match between the European Go champion, Lee Sedol, and DeepMind’s program, AlphaGo, where Sedol lost 4-1 to AlphaGo. (If you haven’t watched the AlphaGo documentary, we highly suggest that you do; it is amazing!)

For context, Go is a board game far more complex than chess. Numerical estimates show that the number of possible games of Go far exceeds the number of atoms in the observable universe. Imagine that!

The intelligence and success behind both of these AI programs can in a way be compared to cyber threat intelligence. The more data is gathered into a single program or framework, the more tactics, techniques and procedures that program or framework can anticipate.

Final thoughts

MITRE ATT&CK has evolved into the framework that it is now and provides an eagle-eye view of different adversary behaviors thanks to the data fed in by contributors from all over the world. It is by being able to anticipate our opponent’s next move that we, as defenders, will win the game. The more moves we can predict, the more chances we have to win.

Decoding The Framework’s Objects


Let's start by defining Framework. When we say Framework, we are referring to the underlying system behind MITRE ATT&CK®. It is precisely that system that we will break down into easily digestible chunks of information.

Matrices

A matrix is a technology domain. There are various matrices in ATT&CK. This blog focuses on the Enterprise matrix, which is the most well-known and well-established of all the matrices. It is representative of traditional enterprise technology as well as cloud-based technologies.

Matrices focus on the relationship between tactics, techniques and sub-techniques.

Tactics


There are 14 tactics in the ATT&CK Framework. ATT&CK refers to tactics as the end goals of an adversary during an attack, for example Credential Access, Privilege Escalation, Impact, etc.

Each tactic within the ATT&CK framework is given a unique ID along with its own description.

Each tactic is represented as a column header. When we zoom in on an individual tactic, we can read the techniques and sub-techniques associated with that particular tactic.

Techniques & Sub-Techniques

A technique can be understood, from the adversary’s perspective, as the way an adversary operates. Techniques capture the means by which an adversary achieves its goal.

Sub-techniques fall under the umbrella of techniques and describe a technique at a lower level, providing a more specific description of the adversarial behavior.



Data Sources and Detection

Data sources are defined as the types of data that sensing or logging systems collect. Data sources are relevant to detection and are meant to be applied to techniques.


Defenders can utilize these values to begin the detection process of adversarial behavior by identifying relevant data.
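The objects described above (matrices, tactics, techniques, sub-techniques and data sources) are published by MITRE as a STIX 2.1 bundle. As an added example that is not part of the original post, the script below walks a constructed, minimal bundle in that layout, groups parent techniques into tactic columns, hangs sub-techniques off their parent via the "subtechnique-of" relationship, and attaches the data components that "detect" each technique; all object ids and ATT&CK IDs in the sample are placeholders, and the field names are the ones used in MITRE's enterprise-attack.json.

```python
from collections import defaultdict

# Constructed, minimal bundle in the layout of MITRE's enterprise-attack.json (STIX 2.1).
# Every id and ATT&CK ID here is a placeholder; load the real file with json.load() to run on live data.
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "x-mitre-tactic", "id": "x-mitre-tactic--1", "name": "Credential Access",
     "x_mitre_shortname": "credential-access",
     "external_references": [{"source_name": "mitre-attack", "external_id": "TA0000"}]},
    {"type": "attack-pattern", "id": "attack-pattern--1", "name": "Example Technique",
     "x_mitre_is_subtechnique": False,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}]},
    {"type": "attack-pattern", "id": "attack-pattern--2", "name": "Example Sub-technique",
     "x_mitre_is_subtechnique": True,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0000.001"}]},
    {"type": "x-mitre-data-component", "id": "x-mitre-data-component--1", "name": "Process Access"},
    {"type": "relationship", "id": "relationship--1", "relationship_type": "subtechnique-of",
     "source_ref": "attack-pattern--2", "target_ref": "attack-pattern--1"},
    {"type": "relationship", "id": "relationship--2", "relationship_type": "detects",
     "source_ref": "x-mitre-data-component--1", "target_ref": "attack-pattern--1"},
]}

def attack_id(obj):
    """ATT&CK external ID (TAxxxx / Txxxx / Txxxx.xxx) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def build_matrix(bundle):
    """Tactic column ID -> technique ID -> name, sub-technique IDs and detecting data components."""
    objs = {o["id"]: o for o in bundle["objects"]}
    tactics = {o["x_mitre_shortname"]: o for o in objs.values() if o["type"] == "x-mitre-tactic"}
    subs, detects = defaultdict(list), defaultdict(list)
    for o in objs.values():
        if o["type"] == "relationship" and o["relationship_type"] == "subtechnique-of":
            subs[o["target_ref"]].append(attack_id(objs[o["source_ref"]]))
        elif o["type"] == "relationship" and o["relationship_type"] == "detects":
            detects[o["target_ref"]].append(objs[o["source_ref"]]["name"])
    matrix = defaultdict(dict)
    for o in objs.values():
        # Columns hold parent techniques only; sub-techniques are listed under their parent.
        if o["type"] != "attack-pattern" or o.get("x_mitre_is_subtechnique") or o.get("revoked"):
            continue
        for phase in o.get("kill_chain_phases", []):
            if phase["kill_chain_name"] == "mitre-attack":  # a technique may appear in several tactics
                col = attack_id(tactics[phase["phase_name"]])
                matrix[col][attack_id(o)] = {"name": o["name"],
                                             "subtechniques": sorted(subs[o["id"]]),
                                             "data_components": sorted(detects[o["id"]])}
    return dict(matrix)
```

Run against the real Enterprise bundle, the `data_components` lists give a quick starting inventory of which logging you need before a given technique can be detected.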

For example, the ATT&CK framework considers