Google Trends tells us that this strange new ampersand-infused acronym is red hot. But what is MITRE ATT&CK™ all about, and why should cybersecurity pros pay attention?
Figure 1: Search interest in MITRE ATT&CK has grown significantly in the last twelve months. Source: Google Trends
What is MITRE ATT&CK?
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations of cyberattacks. They’re displayed in matrices that are arranged by attack stages, from initial system access to data theft or machine control. There are matrices for common desktop platforms—Linux, macOS and Windows—as well as mobile platforms.
What does ATT&CK stand for?
ATT&CK stands for adversarial tactics, techniques, and common knowledge. Let’s break this down.
Tactics and techniques are a modern way of looking at cyberattacks. Rather than looking only at the results of an attack, aka an indicator of compromise (IoC), security analysts should look at the tactics and techniques that indicate an attack is in progress. Tactics are the why of an attack technique. Techniques represent how an adversary achieves a tactical objective by performing an action.
Common knowledge is the documented use of tactics and techniques by adversaries. Essentially, common knowledge is the documentation of procedures. Those familiar with cybersecurity may be familiar with the term “tactics, techniques, and procedures,” or TTP. (The “CK” makes for a sexier acronym than “P”— always a must in government projects.)
Who is MITRE?
MITRE is a government-funded research organization based in Bedford, MA, and McLean, VA. The company was spun out of MIT in 1958 and has been involved in commercial and top-secret projects for a range of agencies. These included the development of the FAA air traffic control system and the AWACS airborne radar system. MITRE has a substantial cybersecurity practice funded by the National Institute of Standards and Technology (NIST).
(Interestingly, MITRE is not an acronym, though some thought it stood for Massachusetts Institute of Technology Research and Engineering. The name is the creation of James McCormack, an early board member, who wanted a name that meant nothing, but sounded evocative.)
What is the goal of MITRE ATT&CK?
The goal is to create a comprehensive list of known adversary tactics and techniques used during a cyberattack. Open to government, education, and commercial organizations, it should be able to collect a wide, and hopefully exhaustive, range of attack stages and sequences. MITRE ATT&CK is intended to create a standard taxonomy to make communications between organizations more specific.
ATT&CK was created out of a need to systematically categorize adversary behavior as part of conducting structured adversary emulation exercises within MITRE’s Fort Meade Experiment research environment.
How do you use the ATT&CK Matrix?
The MITRE ATT&CK Matrix visually arranges all known tactics and techniques into an easy-to-understand format. Attack tactics are shown across the top, and individual techniques are listed down each column. An attack sequence would involve at least one technique per tactic, and a completed attack sequence would be built by moving from left (Initial Access) to right (Command and Control). It is possible for multiple techniques to be used for one tactic. For example, an attacker might try both an attachment and a link in a spear phishing exploit.
Figure 2: The MITRE ATT&CK Matrix shows the tactics in an attack across the top, and individual techniques down each column.
It’s not necessary for an attacker to use all eleven tactics across the top of the matrix. Rather, the attacker will use the minimum number of tactics to achieve their objective, as it’s more efficient and provides less chance of discovery. In this attack (shown in Figure 3), the adversary gains Initial Access by obtaining the credentials of the CEO’s administrative assistant through a spear phishing link delivered in an email. Once they have the admin’s credentials, the attacker will look for a remote system in the Discovery stage.
Figure 3 shows an example attack with techniques from each tactical stage of the attack.
Figure 3: A simple attack to steal sensitive files from the CEO can be accomplished in three steps using three tactics and techniques.
Let’s assume that they’re after sensitive data in a Dropbox folder to which the admin also has access, so there is no need to escalate privileges. Collection, which is the last stage, is performed by downloading files from Dropbox to the attacker’s machine.
Note that if using behavior analytics, a security analyst might detect the attack in progress by identifying anomalous user behavior. For example, let’s say the admin clicked a link that no one in the company has ever clicked before, then the admin accessed a particular Dropbox folder at an unusual time. During the final stage of the attack, the attacker’s computer accessed the Dropbox folder for the first time. With behavioral analytics, these activities would be flagged as suspicious user behavior.
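The following is an added example, not code from the original post or from Exabeam or MITRE. It maps the three steps of the Figure 3 attack onto ATT&CK tactics and techniques and runs the three behavioral checks described above (first-ever link click, folder access at an unusual hour, folder access from a never-before-seen machine) over constructed log events. The technique IDs are taken from the public ATT&CK catalogue rather than from the post; the organisation history, hostnames, URLs and folder paths are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Figure 3's three steps, keyed by the log action that evidences each one.
# Technique IDs are from the public ATT&CK catalogue, not from the post.
STEP_FOR_ACTION = {
    "click_link":   ("Initial Access", "T1566.002", "Spearphishing Link"),
    "list_hosts":   ("Discovery",      "T1018",     "Remote System Discovery"),
    "dropbox_read": ("Collection",     "T1213",     "Data from Information Repositories"),
}


@dataclass
class Event:
    ts: datetime
    user: str
    host: str
    action: str    # one of the STEP_FOR_ACTION keys
    target: str    # URL, subnet or folder path


@dataclass
class Baseline:
    """What the organisation has seen before; drives the first-seen / unusual-time checks."""
    seen_urls: set = field(default_factory=set)          # URLs clicked by anyone
    enumerators: set = field(default_factory=set)        # users who have listed remote hosts
    folder_hosts: dict = field(default_factory=lambda: defaultdict(set))  # folder -> hosts
    user_hours: dict = field(default_factory=lambda: defaultdict(set))    # user -> active hours


def anomalies_for(ev: Event, base: Baseline) -> list:
    """Reasons this event deviates from the baseline (empty list means nothing unusual)."""
    reasons = []
    if ev.action == "click_link" and ev.target not in base.seen_urls:
        reasons.append("link never clicked by anyone in the organisation")
    if ev.action == "list_hosts" and ev.user not in base.enumerators:
        reasons.append("user has never enumerated remote systems before")
    if ev.action == "dropbox_read":
        if ev.ts.hour not in base.user_hours[ev.user]:
            reasons.append(f"folder accessed at an unusual hour ({ev.ts.hour:02d}:00) for this user")
        if ev.host not in base.folder_hosts[ev.target]:
            reasons.append(f"first access to {ev.target} from host {ev.host}")
    return reasons


def learn(ev: Event, base: Baseline) -> None:
    """Fold a benign event into the baseline so repeats are not re-flagged."""
    if ev.action == "click_link":
        base.seen_urls.add(ev.target)
    elif ev.action == "list_hosts":
        base.enumerators.add(ev.user)
    elif ev.action == "dropbox_read":
        base.user_hours[ev.user].add(ev.ts.hour)
        base.folder_hosts[ev.target].add(ev.host)


def analyze(events, base: Baseline) -> list:
    """Walk events in time order and return one finding per anomalous event, tagged with its
    ATT&CK step. Only events with no anomaly are learned, so attacker activity never becomes 'normal'."""
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        reasons = anomalies_for(ev, base)
        if reasons:
            tactic, tid, tname = STEP_FOR_ACTION[ev.action]
            findings.append({"ts": ev.ts.isoformat(), "user": ev.user, "host": ev.host,
                             "tactic": tactic, "technique": f"{tid} {tname}", "reasons": reasons})
        else:
            learn(ev, base)
    return findings


def build_baseline() -> Baseline:
    """Constructed history for the example organisation."""
    base = Baseline()
    base.seen_urls.add("https://intranet.example.invalid/hr-portal")
    base.enumerators.add("it-ops")
    base.folder_hosts["/CEO/board-papers"].update({"wks-admin", "wks-ceo"})
    base.user_hours["admin"].update(range(8, 18))   # normally active 08:00-17:59
    return base


# Constructed log events: the three attack steps, then one benign access the next morning.
CONSTRUCTED_EVENTS = [
    Event(datetime(2024, 3, 4, 9, 5), "admin", "wks-admin", "click_link", "https://mail-login.example.invalid/reset"),
    Event(datetime(2024, 3, 4, 9, 20), "admin", "wks-admin", "list_hosts", "10.0.0.0/24"),
    Event(datetime(2024, 3, 4, 23, 40), "admin", "attacker-box", "dropbox_read", "/CEO/board-papers"),
    Event(datetime(2024, 3, 5, 10, 0), "admin", "wks-admin", "dropbox_read", "/CEO/board-papers"),
]


def run_example() -> list:
    return analyze(CONSTRUCTED_EVENTS, build_baseline())


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['ts']} {f['tactic']:<14} {f['technique']}: {'; '.join(f['reasons'])}")
```

Each of the three attack steps produces a finding while the benign next-morning access does not, which is the point of anchoring analytics to tactics rather than to IoCs: none of these events carries a known-bad hash or address, yet each is out of character for the account. The design choice worth noting is that only non-anomalous events update the baseline; feeding flagged events back in would let the attacker's own activity become the new normal.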
How does MITRE ATT&CK compare to Lockheed Martin’s Cyber Kill Chain?
Lockheed Martin’s Cyber Kill Chain® and ATT&CK resemble each other in that both are models that define the steps an attacker uses to achieve their goal. Lockheed Martin’s Cyber Kill Chain identifies seven steps in an attack:
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command and control
- Actions on objectives
ATT&CK has ten steps that make up an attack chain:
- Initial access
- Execution
- Persistence
- Privilege escalation
- Defense evasion
- Credential access
- Discovery
- Lateral movement
- Collection and exfiltration
- Command and control
In addition to more granularity in the attack chain tactics, ATT&CK delineates the techniques that can be used in each stage, whereas Lockheed Martin’s Cyber Kill Chain does not.
How can organizations use MITRE ATT&CK?
There are a number of ways an organization can use MITRE ATT&CK. Here are the primary use cases.
- Adversary Emulation – ATT&CK can be used to create adversary emulation scenarios to test and verify defenses against common adversary techniques.
- Red Teaming – ATT&CK can be used to create red team plans and organize operations to avoid certain defensive measures that may be in place within a network.
- Behavioral Analytics Development – ATT&CK can be used to construct and test behavioral analytics to detect adversarial behavior within an environment.
- Defensive Gap Assessment – ATT&CK can be used as a common behavior-focused adversary model to assess tools, monitoring, and mitigations of existing defenses within an organization’s enterprise.
- SOC Maturity Assessment – ATT&CK can be used as one measurement to determine how effective a SOC is at detecting, analyzing, and responding to intrusions.
- Cyber Threat Intelligence Enrichment – ATT&CK is useful for understanding and documenting adversary group profiles from a behavioral perspective that is agnostic of the tools the group may use.
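The following is an added example, not code from the original post or from Exabeam or MITRE. It works through the Defensive Gap Assessment use case above: an abridged slice of the enterprise matrix is checked against an inventory of detection rules and the log sources actually being collected, so that a technique counts as covered only when a rule targets it and that rule's data is really flowing. The technique IDs are real ATT&CK IDs, but the selection of techniques, the rule names and the log-source inventory are constructed for the example; the `to_layer` output follows the ATT&CK Navigator layer format only as far as its `techniqueID`, `score` and `comment` fields, and the version metadata the Navigator expects is left out.

```python
# Abridged matrix: tactic -> {technique ID: name}. IDs are real ATT&CK IDs; the
# selection is a constructed subset, not the full matrix.
MATRIX = {
    "Initial Access":      {"T1566": "Phishing", "T1190": "Exploit Public-Facing Application",
                            "T1078": "Valid Accounts"},
    "Execution":           {"T1059": "Command and Scripting Interpreter", "T1204": "User Execution"},
    "Credential Access":   {"T1003": "OS Credential Dumping", "T1110": "Brute Force"},
    "Discovery":           {"T1018": "Remote System Discovery", "T1087": "Account Discovery"},
    "Lateral Movement":    {"T1021": "Remote Services"},
    "Collection":          {"T1213": "Data from Information Repositories", "T1005": "Data from Local System"},
    "Exfiltration":        {"T1041": "Exfiltration Over C2 Channel"},
    "Command and Control": {"T1071": "Application Layer Protocol"},
}

# Constructed rule inventory: each rule targets one technique and needs one log source.
DETECTIONS = [
    {"name": "First-seen URL click",          "technique": "T1566", "source": "proxy"},
    {"name": "Logon failure burst",           "technique": "T1110", "source": "auth"},
    {"name": "LSASS handle opened",           "technique": "T1003", "source": "edr"},
    {"name": "Host enumeration burst",        "technique": "T1018", "source": "edr"},
    {"name": "New host reads shared folder",  "technique": "T1213", "source": "saas"},
    {"name": "Beaconing to rare domain",      "technique": "T1071", "source": "proxy"},
]

# Constructed inventory of sources actually ingested: EDR rules exist but EDR is not yet collected.
COLLECTED_SOURCES = {"proxy", "auth", "saas"}


def assess(matrix: dict, detections: list, collected: set) -> dict:
    """Per-tactic coverage plus the techniques whose only rules have no data behind them.
    A technique is covered only when some rule targets it AND that rule's source is collected."""
    covered, starved = set(), set()
    for rule in detections:
        (covered if rule["source"] in collected else starved).add(rule["technique"])
    starved -= covered   # a technique with at least one fed rule is not starved
    by_tactic = {}
    for tactic, techniques in matrix.items():
        ids = set(techniques)
        by_tactic[tactic] = {"total": len(ids),
                             "covered": len(ids & covered),
                             "gaps": sorted(ids - covered)}
    all_ids = {tid for techs in matrix.values() for tid in techs}
    return {"by_tactic": by_tactic,
            "covered": sorted(all_ids & covered),
            "rule_without_data": sorted(starved)}


def to_layer(matrix: dict, assessment: dict, name: str = "detection coverage") -> dict:
    """Minimal Navigator-style layer: score 1 for covered techniques, 0 for gaps (one entry per ID)."""
    covered = set(assessment["covered"])
    entries = {}
    for techs in matrix.values():
        for tid, tname in techs.items():
            entries[tid] = {"techniqueID": tid, "score": 1 if tid in covered else 0, "comment": tname}
    return {"name": name, "domain": "enterprise-attack", "techniques": list(entries.values())}


def report(assessment: dict) -> str:
    lines = []
    for tactic, row in assessment["by_tactic"].items():
        lines.append(f"{tactic:<20} {row['covered']}/{row['total']}  gaps: {', '.join(row['gaps']) or '-'}")
    lines.append(f"rules with no data behind them: {', '.join(assessment['rule_without_data']) or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = assess(MATRIX, DETECTIONS, COLLECTED_SOURCES)
    print(report(result))
    print(to_layer(MATRIX, result))
```

The "rules with no data behind them" line is the finding a simple rule-to-technique count would hide: two of the six rules are effectively blind because the source they depend on is not being ingested, so Credential Access and Discovery look staffed on paper but are not. Running the same assessment after each change to the rule set or the log pipeline turns the matrix into the SOC maturity measurement described above.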
Exabeam’s relationship with MITRE ATT&CK
Exabeam security researchers participate in MITRE ATT&CK discussions and events. They have also contributed several new techniques that are pending publication. In addition, Exabeam researchers have studied extensively how to apply machine learning-based anomaly detection so that MITRE ATT&CK becomes an effective part of the security analyst’s detection arsenal.