Preventing a cyber attack is a top priority for any security officer. The best way to do it is, of course, to build a security system that can’t be breached. But in the real world, catching a criminal in the act is also valuable. John Chambers, ex-CEO of Cisco, used to say “There are two types of companies: those that have been hacked, and those who don’t know they have been hacked”. Therefore, an important question is how you detect and isolate an attacker’s activity inside your network.
The MITRE ATT&CK matrices break down known attacker strategies. Using this extensive database of adversary behavior, you can analyze your IT security system and identify possible weaknesses.
How do cyberattackers act?
Most of us tend to think about a hack as a done deal and think only about its consequences. Yet each intrusion follows a detailed action plan consisting of several stages.
The attack lifecycle is a schematic representation of the most common vectors of digital intrusion. While the stages can vary, an attack lifecycle model usually consists of these steps:
- Recon. A hacker collects as much information about their victim as possible.
- Weaponization. Depending on data about the target’s security system, an intruder selects the best tools to hack.
- Delivery. Chosen tools are delivered to the target’s environment.
- Exploitation. A hacker exploits vulnerabilities in the target company’s defense.
- Installation. An attacker installs malicious code inside the target’s protected environment.
- Command and Control (C&C). An attacker takes control over some part of the target’s system and establishes continuous communication between the breached network and their own environment.
- Actions on Objective. At this stage, an attacker steals or modifies data, destroys the network, or blocks some part of the infrastructure, etc.
This model of a cyber attack lifecycle was developed by Lockheed Martin, who implemented it in the Cyber Kill Chain framework. Applying this framework to an incident analysis, you can determine the stage of an attack, anticipate further actions, and find out how to stop it or minimize damage.
What is the MITRE ATT&CK?
ATT&CK (Adversarial Tactics, Techniques, & Common Knowledge) is a knowledge base of cybercriminal behavior and strategies, together with advice on how to detect and stop an attack. The ATT&CK framework provides a detailed overview of attacker actions at each stage of the cyberattack lifecycle and offers possible countermeasures for attack mitigation.
Currently, there are around 200 adversarial behavior types in this library, and the number keeps growing. The ATT&CK knowledge base is updated quarterly with information from official incident and threat intelligence reports. The database was created in 2013 by the American non-profit corporation MITRE. It started as an internal document for securing the company’s own network.
The ATT&CK framework provides three types of matrices: the PRE-ATT&CK Matrix, the ATT&CK for Enterprise Matrices (Windows, Linux, and macOS based), and the ATT&CK Mobile Matrices (Android and iOS).
The PRE-ATT&CK Matrix covers the Recon and Weaponization stages of the Cyber Kill Chain. It describes techniques an attacker can use to get inside your network. The ATT&CK for Enterprise and Mobile Matrices help with detecting and mitigating a threat at the other Cyber Kill Chain stages.
All the data in the ATT&CK Mobile and Enterprise Matrices is broken down into 11 tactics of an attack:
- Initial access. An attacker gains access to a targeted system and ensures that it’s possible to install malicious software.
- Execution. It can be part of the preparation for the attack or the attack itself, depending on the tools chosen by the hacker.
- Persistence. At this stage, an attacker ensures the continued presence of malicious code inside your protected system.
- Privilege escalation. It’s required when a hacker needs a higher level of privileges to access the data they need.
- Defense evasion techniques. Just as security officers study common attack vectors, hackers study common types of defense. The only way to defend against that is to ensure that your security system is equipped with up-to-date defense mechanisms.
- Access to credentials. Obtaining a privileged profile literally lets hackers loose inside a protected network. For instance, admin credentials grant access to key infrastructure points.
- Discovery. When malicious code is firmly established inside a protected network, it starts searching for valuable data or critical points to tamper with.
- Lateral movement. After deploying on one machine, the malware tries to take control over a larger part of the network.
- Data collection. Hackers obtain sensitive data stored inside the protected perimeter.
- Exfiltration. When the hack is done, the malicious software moves the stolen data out of the network without being noticed.
- Command and control (C&C). At this final stage, the attacker’s servers can command infected machines to do anything in your network.
How to improve your security with the MITRE ATT&CK Matrices
While the Cyber Kill Chain describes the typical stages of a cyber attack, MITRE ATT&CK is a comprehensive knowledge base of the tactics and techniques used by attackers. Each technique is complemented with records of which platforms are affected, which permissions are required, and which data sources reveal it.
It’s also possible to use the ATT&CK framework to simulate an attack conducted by a well-known hacker group. In 2018, several security solution providers partnered with MITRE to replicate a security breach carried out by the APT3 threat group. The results of the evaluation provide detailed information on how the cybersecurity software providers detected (or didn’t detect) the techniques used in the attack.
In the same way, you can use the ATT&CK matrices to test your own environment. It’s also good practice to examine the network if you work with third-party vendors. If your company is a cybersecurity vendor, consider validating your defense system against the MITRE ATT&CK knowledge base. Let’s consider other use cases of the MITRE ATT&CK framework:
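As an added illustration that is not part of the article or of MITRE’s own tooling, the following Python builds this kind of lookup from a constructed, trimmed sample of technique records (real technique IDs, simplified metadata; the field names only loosely follow MITRE’s STIX bundle and are an assumption) and reports which tactics the log sources you actually collect could detect, and which remain blind spots.

```python
# Added example (not from the article or MITRE): a constructed, trimmed sample of
# ATT&CK technique records (real technique IDs, simplified metadata; field names
# loosely follow the STIX bundle, an assumption) used to find which tactics the
# log sources you actually collect can detect, and which stay blind spots.
from collections import defaultdict

def tech(tid, name, tactics, platforms, sources):
    return {"id": tid, "name": name, "tactics": tactics,
            "platforms": platforms, "data_sources": sources}

ALL = ["Windows", "Linux", "macOS"]
LOGON, CMD, PROC = ("Logon Session: Logon Session Creation",
                    "Command: Command Execution", "Process: Process Creation")
NET_FLOW, NET_CONTENT = ("Network Traffic: Network Traffic Flow",
                         "Network Traffic: Network Traffic Content")
TECHNIQUES = [  # constructed sample, one record per technique
    tech("T1078", "Valid Accounts", ["initial-access", "persistence",
         "privilege-escalation", "defense-evasion"], ALL, [LOGON]),
    tech("T1059", "Command and Scripting Interpreter", ["execution"], ALL, [PROC, CMD]),
    tech("T1003", "OS Credential Dumping", ["credential-access"],
         ["Windows", "Linux"], ["Process: OS API Execution", CMD]),
    tech("T1021", "Remote Services", ["lateral-movement"], ALL,
         [LOGON, "Network Traffic: Network Connection Creation"]),
    tech("T1071", "Application Layer Protocol", ["command-and-control"], ALL,
         [NET_CONTENT, NET_FLOW]),
    tech("T1041", "Exfiltration Over C2 Channel", ["exfiltration"], ALL,
         [NET_FLOW, NET_CONTENT]),
]

def for_platform(techniques, platform):  # one platform's slice of the matrix
    return [t for t in techniques if platform in t["platforms"]]

def coverage(techniques, collected_sources):
    """Detectable = at least one data source collected. Returns (seen, blind, {tactic: [seen, total]})."""
    collected = set(collected_sources)
    detectable, blind, per_tactic = set(), set(), defaultdict(lambda: [0, 0])
    for t in techniques:
        hit = bool(collected & set(t["data_sources"]))
        (detectable if hit else blind).add(t["id"])
        for tactic in t["tactics"]:
            per_tactic[tactic][1] += 1
            per_tactic[tactic][0] += int(hit)
    return detectable, blind, dict(per_tactic)

def blind_tactics(per_tactic):
    """Tactics in which none of the sampled techniques would be seen at all."""
    return sorted(tac for tac, (seen, _) in per_tactic.items() if seen == 0)

if __name__ == "__main__":  # endpoint telemetry only, no network monitoring
    endpoint_only = [PROC, CMD, LOGON]
    seen, blind, per_tactic = coverage(for_platform(TECHNIQUES, "Windows"), endpoint_only)
    print("blind techniques:", sorted(blind), "blind tactics:", blind_tactics(per_tactic))
```

With endpoint logs alone, the command-and-control and exfiltration tactics come out completely uncovered, which is exactly the gap a network monitoring investment would close.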
- Intrusion emulation. The ATT&CK matrices can be used as a tool for creating a scenario of a network attack.
- Red team training. The ATT&CK Matrix is often used for conducting security testing. Members of the security department team up in an attempt to penetrate the company network. This red team can use techniques described in the ATT&CK framework to improve their performance.
- Visualization of security vulnerabilities. The results of security testing organized around the MITRE ATT&CK matrices are understandable to someone not familiar with security systems. These results can be used, for example, when discussing cybersecurity spending with company management.
- Behavioral analytics. The ATT&CK database is built on official intrusion and cyber threat reports. This data is useful for behavioral analytics that detect malicious activity within the protected environment.
The ATT&CK framework is a great database for evaluating your security system. Using it, you can spot weaknesses and potential entry points and detect various indicators of compromise. It also provides you with guidance on how to fix or improve your cybersecurity system.
The one flaw of the MITRE ATT&CK Matrix is that it won’t help against a zero-day attack. It lists only known types of attacks and is updated fairly slowly (every three months).
In any case, adopting the ATT&CK Matrix in your company is good practice. It’s widely used by cybersecurity vendors providing security testing services.