Simplifying the MITRE ATT&CK Framework

This blog was originally published on 11/3/21 on Scythe's blog site.

Author Nathali Cano

Introduction

Before we get into the nitty gritty of things, I’d like to briefly talk about the big picture here. MITRE ATT&CK is essentially a detailed collection of adversarial behaviors.

The immeasurable value of ATT&CK truly lies in being an open source tool, meaning it’s data has been shared from contributors from all over the globe. All the intelligence captured in the ATT&CK framework has brought communities of blue and red teamers that are looking to understand how adversaries operate, what they do, what tools they use, etc.

In other words; defenders are looking to learn how to play a more tactical game that involves anticipating their adversary’s moves.

Let me give an example of how this works. As defenders, our main priority is to protect our organization’s assets, correct?

Now let’s say our company has state of the art defense systems with best practices in place. Can we answer the following questions with confidence?

• Do we know what are the types of threats that are more likely to target our specific industry?

• If we do, do we really know how to defend against these types of threats?

• Are we confident that our system will be able to detect and respond to techniques used against us?

• Now, what if we can not only know the specific software or threat actors that are more likely to attack our company, but we can also anticipate the type of behavior or patterns of activity (TTPs) they are more prone to use in our environments?

Wouldn’t having this kind of knowledge make a ton of difference when tuning and calibrating our systems?

This kind of knowledge is called Cyber Threat Intelligence (CTI) and this is the backbone and the main purpose of the ATT&CK framework.

ATT&CK enable defenders to provide threat-informed defense that goes beyond the use of security sensing tools.

SOCs (Security Operation Centers) that integrate cyber threat intelligence are much better positioned to defend against some of the most ruthless cyber attacks, like the Conti ransomware that took down the largest pipeline in the U.S. earlier this year.

Threat-informed defense is the present and the future of Cybersecurity as this approach is founded in a deep understanding of adversary tradecraft and technology.

A seemingly unrelated story

To bring everything together, let’s see how the evolution and benefits of Artificial Intelligence (AI) compares to the evolution and benefits of the ATT&CK framework:

Some of you chess players might remember the historical match between the world chess champion, Garry Kasparov and IBM supercomputer, Deep Blue.

Garry Kasparov is the greatest chess player of all time, world champion at the age of twenty-two and the top ranked player in the world for two decades.

“What surprised Kasparov was Deep Blue’s subsequent move. Kasparov called it “human-like”... The move left Kasparov riled and ultimately thrown off his strategy. He was so perturbed that he eventually walked away, forfeiting the game.” [1]

You see, if IBM’s engineers would have not exposed Deep Blue’s intrinsic algorithm to countless chess matches from players from all around the world, Deep Blue would not have had the data (intelligence) to anticipate and predict so many of Kasparov’s moves, leading to its win.

The same is true for the match between European Go champion, Lee Sedol, and DeepMind’s program, AlphaGo. Where Sedol lost 4-1 against AlphaGo (If you haven’t watched the AlphaGo documentary, we highly suggest that you watch it, it is amazing!).

For context, Go is a board game far more complex than chess. Numerical estimates show that the number of possible games of Go far exceeds the number of atoms in the observable universe. Imagine that!

The intelligence and success behind both of these AI programs can be in a way compared to cyber threat intelligence. As more data is gathered into a single program or framework the more tactics, techniques and procedures the program or framework can anticipate.

Final thoughts

MITRE ATT&CK has evolved into the framework that it is now and provides an eagle eye view into different adversary behaviors thanks to the data fed in by contributors from all over the world. It is by being able to anticipate our opponent’s next move that we, as defenders, will win the game. The more moves we can predict, the more chances we have to win.

Decoding The Framework’s Objects

Let's start by defining Framework. When we say Framework we are referring to the underlying system behind MITRE ATT&CK®. It is precisely that system that we will break down into chunks of information that are easily digestible.

Matrices

A matrix is a technology domain. There are various matrices in ATT&CK. This blog is focused on the Enterprise matrix which is the most well-known and well-established of all matrices. Is representative of traditional enterprise technology as well as cloud-based technologies.

Matrices focus on the relationship between tactics, techniques and sub- techniques.

Tactics

There are 14 tactics in the ATT&CK Framework. ATT&CK refers to tactics as the end goal of an adversary during an attack. For example, Credential Access, Privilege Escalation, Impact, etc.

Each tactic within the ATT&CK framework is given a unique ID along with its own description.

Each tactic is represented in column headers. When we zoom in to each individual tactic, we can read the technique and sub-technique associated with that particular tactic.

Techniques & Sub-Techniques

A technique can be understood from the adversary’s perspective as the way an adversary operates. Techniques capture the means in which an adversary achieves its goal.

Sub-techniques are under the umbrella of techniques and serve to describe a technique at a lower level providing a more specific description of the adversarial behavior.

Data Sources and Detection

Data sources are defined as the type of data that sensing or logging systems collect. Data sources are relative to detection and are meant to be applied to techniques.

Defenders can utilize these values to begin the detection process of adversarial behavior by identifying relevant data.

For example, the ATT&CK framework considers Process: Process Creation as a recommended data source for the T1543.003 - Create or Modify System Process: Windows Service technique.

Now you might ask, What security events logs can give me context about the creation of a process? For example, on the Windows platform environments Security Auditing event 4688 and Sysmon event 1 can aid us to cover this data source recommendation.

Mitigation

Mitigations are essentially recommendations on how to prevent specific adversarial patterns of activity in our systems. ATT&CK define the mitigations as configurations, tools and processes. Mitigations are mapped to specific techniques within the framework. The description for such mitigation can be found in the technique page as well as on their own mitigation page.

Mitigation are also objects in the ATT&CK framework, hence they have their own unique IDs.

Types Of Threats

Groups

ATT&CK defines Groups by related intrusion activity which is tracked by means of a common name, even though those procedures are populated on a technique page , you can additionally view them from the perspective of an entire group or software program.

Groups are also objects. These are assigned a completely unique identifier, a name, description and numerous metadata like aliases.

Software

In simple words, software describes the tools or malware that adversaries use during attacks. Some softwares have multiple names.

Let’s take a look at the APT38 group page.

Evolution and growth of the MITRE ATT&CK framework

The image below shows what the ATT&CK framework looked like back in 2014. It only had 8 tactics and about 60 techniques.

As opposed to the current MITRE ATT&CK v10 Framework which has 14 techniques and over 500 techniques and sub-techniques.

The ATT&CK framework is usually updated every two years. These updates are hosted at github.com/mitre/cti

The latest version, version 10, was released in October 2021.

The biggest change is the addition of a new set of Data Source and Data Component objects in Enterprise ATT&CK, complimenting the ATT&CK Data Source name changes released in ATT&CK v9.

The growth and evolution of the MITRE ATT&CK rely on the community.

Conclusion

The need to understand the tactics, techniques and procedures of adversaries gave birth to the ATT&CK Framework. This framework has allowed adversaries from around the globe to map these TTPs to groups and software equipping Blue, Red and Purple teams with a more focused and tactical form of defense.

Resources

1. Twenty years on from Deep Blue vs Kasparov: how a chess match started the big data revolution

2. What the AI Behind AlphaGo Can Teach Us About Being Human | WIRED

3. https://cybrary.it/immersive/11001712/activity/55378

4. Updates - Updates - October 2021 | MITRE ATT&CK®

5. MITRE ATT&CK · GitHub

About the Author: Nathali Cano is the Adversary Emulation Jr. at SCYTHE. She performs Red Team and Purple Team Exercises and supports the creation and curation of adversary emulation plans. She holds the MITRE ATT&CK Cyber Threat Intelligence (CTI) Certification. Nathali is passionate and committed to giving back to the community, she is the founder of a non-profit organization in NJ that supports individuals and small businesses from low-resource communities with basic needs and cyber literacy. She is both a member of LULAC and Women in Cybersecurity.