In the hope of preventing a breach, companies deploy various detectors, from border security (firewall, proxies, …) to endpoint protection (EDR, antivirus, …), and potentially centralize all these events in a SIEM to correlate them and implement Use Cases.
So many solutions and vendors, yet some questions remain: how well does your detection perform against the most common attack vectors for your business sector? Are you able to detect attackers’ activity once they have breached your infrastructure? Do you have overlapping sensors?
This article presents Mitre Att&ck (Adversarial Tactics, Techniques & Common Knowledge), an increasingly popular framework that attempts to address the above questions. We will first recall the existing methods and detail how Mitre Att&ck contributes to improving the understanding of an attack. We will then describe the various objectives achievable with it, as well as the requirements to get the most out of it. Lastly, we will consider the interface developed by Mitre to fulfil the objectives efficiently.
Existing methods: what, when, where
The most common assessment of the surface coverage is implemented in a two-step process.
Firstly, indicators of compromise (IoC) and attack (IoA) are ingested at various places (firewall, internet proxy, endpoint protection, Use Cases in SIEM). These can be network indicators (domain, IP address), but also anything characterizing the attack or the attacker:
- A file,
- A process,
- A user agent,
- An email address,
- An IBAN,
- A Bitcoin address,
- A backdoor name,
- A CVE, …
Once caught by the monitoring system in place, these indicators help answer some questions pertaining to the attack:
- When the attack started (the first occurrences of the IoC/IoA),
- Where it occurred in the infrastructure (the sensor(s) which triggered the alert),
- What kind of attack is ongoing (the known usage of the IoC/IoA).
Drawback and first improvement
However, they do not highlight how the attacker managed to breach the infrastructure, and hence do not allow you to pinpoint where effort should be put to improve your detection. Lockheed Martin developed the Cyber Kill Chain framework for this purpose; it models the engagement steps of an attacker:
- Reconnaissance and Weaponization: these first two steps consist of the attacker’s preparation. During the reconnaissance phase, the attacker gathers public information and assesses the security of the exposed surface by scanning your assets. Once the entry point is decided, it is time to weaponise: planning the attack, buying or stealing the servers that will be the sources of the attack, buying or compiling the required exploits, creating a phishing campaign with a malicious attachment, …
- Delivery: the attack is launched, hitting the target infrastructure (email campaign, vulnerable server facing internet, whatever the attacker chose as entry point).
- Exploitation: a piece of code, from the weaponized content delivered, is executed on the target, with or without user action (e.g., the dropper in an office document that downloads the malware).
- Installation: the malware gets installed and persisted on the compromised system.
- Command and Control (C2): the malware establishes the connection with its C2 peer, allowing the attacker to take control of the compromised system.
- Action on objectives: having hands on the target, the attacker can now accomplish its primary intents.
Assigning a step from the Cyber Kill Chain to a Use Case allows you to pinpoint strengths and weaknesses in your detection: your monitoring might be good at detecting delivery and exploitation, but unprepared to detect the other steps. Hence, assuming your mail gateway or your antivirus fails to detect a malicious email or a code execution, the attacker has room to persist and establish remote access.
Mitre ATT&CK: who, how
The major drawback of the Cyber Kill Chain framework is that it does not scale well with reality. As you might have noticed, the examples provided are focused on malware. Unfortunately, breaching a whole infrastructure is more complex than solely deploying malware:
- A first device is compromised,
- Then, the attacker spends some time to understand its environment, scanning internally, moving laterally to more attractive hosts like servers, elevating its privileges until gaining domain administrator ones,
- Once domain administrator, the attacker accomplishes its primary intents.
Starting from 2016, Mitre extended the Cyber Kill Chain to be as exhaustive as possible and to answer the need for a standardized, shareable way to identify attackers. Indeed, as in police work, we can identify an attacker by their modus operandi. Whether the attacker is an opportunist, state-sponsored, or an organized APT group, as long as its set of techniques and tools works, it has no reason to change.
Therefore, Tactics, Techniques, and Procedures of attackers, also known as “TTP”, are crucial to:
- Recognize the same threat actor behind several attacks (the “who”),
- Focus the detection on the most observed paths and tools (the “how”).
At a high level, the Mitre Att&ck framework is a giant library that gathers and structures tactics and techniques.
Firstly, tactics are essentially the Cyber Kill Chain expanded into 14 pillars at the time of writing (version 8 of the framework):
- Reconnaissance and Resource Development correspond to Reconnaissance and Weaponization in the Cyber Kill Chain, and were previously the Pre-Att&ck framework,
- Initial Access represents how the attacker can manage to get a foothold in the infrastructure,
- Execution, like Delivery in the Cyber Kill Chain, represents the means for an attacker to get malicious code executed on the target system,
- Persistence represents the means for an attacker to keep control of the compromised system,
- Privilege Escalation represents the means for an attacker to go from a simple user (when someone opens a malicious document for example) to a privileged user (local administrator, then domain administrator),
- Defence Evasion represents the means for an attacker to avoid detection (disabling logging and bypassing the antivirus for example),
- Credential Access represents the means for an attacker to access more credentials once inside the target system (keylogger, network sniffing, brute-forcing, process dumping, …),
- Discovery covers the tools an attacker uses to understand its environment once an initial foothold is gained on the target system: scanning, identifying enticing targets like servers and Domain Controllers,
- Lateral Movement represents the means for an attacker to jump to the juicy targets identified. For example, it can leverage RDP connections with compromised credentials, or tools like PsExec, SMBExec, etc.,
- Collection is more general. It contains techniques to gather information, from email and documents to credentials, including anything that can be of interest to the attacker,
- Command and Control contains protocols used to establish a channel with the attacker (encrypted or not, network ports and protocols),
- Exfiltration represents the means for an attacker to get the collected information out of the target system,
- Impact relates to consequences on the infrastructure, not the money, but the confidentiality (data exposed publicly), the integrity (data altered) and the availability (data destroyed by ransomware or system shut down).
Secondly, for each of these tactics, a set of techniques (and sometimes sub-techniques) describes how an attacker can achieve it. For instance, the tactic “Initial Access” is currently made of 9 techniques, among which:
- Drive-by compromise is the exploitation of browser vulnerabilities.
- Exploit public-facing application leverages vulnerabilities in your exposed applications, such as web applications (SQL injection, stored XSS, remote code execution, …).
- External remote services leverages VPNs and other mechanisms that allow reaching the internal resources of the target.
- Phishing is composed of three sub-techniques, depending on the vector used: an attachment, a link, or a service.
In version 8 of the framework, a total of 206 techniques are referenced. This is a lot, and it is still growing as Mitre strives to be exhaustive with this project.
Lastly, for each technique and sub-technique, a card provides:
- A general description of the attacker path and tools,
- How to mitigate the risk,
- How to detect, with the recommended log sources,
- The platforms the technique can impact,
- The best-known procedures that make use of the technique, including both APT groups and tools,
- Links to the literature on the subject.
So much information! What to do with all of this?
Such an amount of information can easily divert us from the main objective: enhancing the detection to defeat the most common paths and tools used by attackers.
The recommended way to navigate through the tactics and techniques is to use the Mitre Navigator. It presents the framework as a big table on which you can select, filter, colour, and score the cells (where a cell is a technique). You can either use the online navigator or deploy your own from the source code (see references at the end).
As a first step, you can map your surface. Mitre already implemented a filter for the most common platforms: Windows, macOS, Linux, Cloud (Office 365, Azure, AWS, GCP). Although the previous paragraphs depicted Mitre Att&ck Enterprise, slightly different versions also exist for mobile devices and industrial environments. This way, you only keep on the table the techniques (the cells) that apply to your context.
Then you want to assess your coverage. Among the simplest questions:
- How can I detect this technique? The description card includes two pieces of information for this. The first one is an entire paragraph on how to detect. The second, called “data sources”, shows the logs to monitor to address the technique.
- Can I detect APT42 or Trickbot? For this, Mitre has another filter that will highlight the known techniques involved. You can then refer to the cards to verify with the documented data sources if your monitoring addresses it or not.
- Can I detect the common TTPs targeting my location or my business sector? From the incident responses performed throughout the year, Excellium CSIRT aggregates the TTPs observed. This list of techniques is then a guide for prioritizing detection Use Cases. Without this source, you would have to collect the techniques specifically targeting your location or business sector on your own. This should be even more valuable than being able to detect an APT, since opportunistic attackers are more likely to hit your infrastructure. Critical vulnerabilities in software exposed to the Internet (like VPN or Exchange, to name a few recent ones), combined with publicly available proofs of concept (PoC), attract a lot of attention and do not require advanced skills.
- Will this additional trending solution improve my coverage? From the vendor’s pitch, you can look at the techniques covered. Then, from the description, you can estimate whether your current monitoring already addresses them or not.
Then come more advanced questions, such as: Are my logs useful? What are the gaps in my monitoring? Do I have redundant detection? For these global reviews, you should use the scoring implemented in the navigator. This simple feature will colour the cell according to a score (between 0 and 100 by default).
At Excellium, we tag our detection Use Cases with the techniques they address. Going through all the techniques addressed, one can increment the cells by a fixed score so that a technique addressed three times will have a higher score (changing its colour to red). Without such a mapping, you would have to review each technique card from the massive table. You would also have to figure out from the description card whether you have the required logs and monitoring in place for the detection. Finally, you would have to apply the same scoring strategy. Whatever method you use, you end up with a map representing the techniques addressed by your monitoring. The greener a cell is, the more the technique is addressed.
The navigator has another powerful feature: combining the maps. On one hand, you have the map representing your monitoring, your defence. On the other hand, you have a map representing one or more attack techniques (specific to a piece of software, a threat actor, or a set of techniques known to represent the highest risks for your context). The navigator allows you to create a third layer highlighting the difference between the first two. The resulting map gives you a coloured view of the strengths and weaknesses of your detection when confronted with the second map. Thus, the framework and the navigator provide a great way to reconcile technical staff and management: the administrators can map the techniques they can address, the management can prepare the map for the attacks of interest to them, and both can then visualize the gaps.
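The scoring and map comparison described above can also be reproduced offline from a Use Case inventory. The following is an added example, not Excellium's or Mitre's code: it scores techniques by the number of Use Cases addressing them, derives a gap map against a set of techniques of interest, and emits both as layers. The Use Case names, the threat set, the increment of 25 and the reduced set of layer fields are assumptions made for the illustration.

```python
import json
from collections import Counter

# Constructed sample data: detection Use Cases tagged with the technique IDs they address.
USE_CASES = {
    "UC-001 mail gateway: malicious attachment": ["T1566"],
    "UC-002 EDR: document drops a file into a startup folder": ["T1566", "T1547"],
    "UC-003 WAF: injection attempt on exposed application": ["T1190"],
    "UC-004 proxy: click on a known phishing URL": ["T1566"],
}
# Constructed set of techniques of interest (T1133 External Remote Services,
# T1189 Drive-by Compromise, T1190 Exploit Public-Facing Application, T1566 Phishing).
THREAT = ["T1133", "T1189", "T1190", "T1566"]
STEP = 25  # assumed fixed increment per Use Case, capped at the default maximum of 100


def defence_scores(use_cases, step=STEP):
    """Count how many Use Cases address each technique and turn it into a score."""
    counts = Counter(t for techniques in use_cases.values() for t in set(techniques))
    return {t: min(100, n * step) for t, n in counts.items()}


def gap_scores(defence, threat):
    """For each technique of the threat map, 100 means no Use Case addresses it."""
    return {t: 100 - defence.get(t, 0) for t in threat}


def redundant(defence, step=STEP, at_least=3):
    """Techniques addressed by at least `at_least` Use Cases (possible overlap)."""
    return sorted(t for t, score in defence.items() if score >= at_least * step)


def to_layer(name, scores, colors):
    """Minimal subset of layer fields (an assumption; check your Navigator's layer format)."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [{"techniqueID": t, "score": s} for t, s in sorted(scores.items())],
        "gradient": {"colors": colors, "minValue": 0, "maxValue": 100},
    }


if __name__ == "__main__":
    defence = defence_scores(USE_CASES)
    gaps = gap_scores(defence, THREAT)
    print(json.dumps(to_layer("Defence", defence, ["#ffffff", "#2e8b57"]), indent=2))
    print(json.dumps(to_layer("Gaps vs threat map", gaps, ["#ffffff", "#c0392b"]), indent=2))
    print("Possibly redundant:", redundant(defence))
```

A score here only says how many Use Cases address a technique, not that the technique is covered.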
No magic here
Sadly, things are not that simple. First of all, the framework is continuously evolving. In 2018, there were 11 pillars. One year later, in 2019, they added sub-techniques. In October 2020 (version 8 release) they integrated Reconnaissance and Resource Development. If you build documentation that references links to the techniques you want to address, those links might break at some point: the technique was removed or moved to another tactic, etc. To limit the consequences, Mitre maintains 2 links for a tactic or a technique: the first one points to the latest version; the second one, called “permalink”, embeds the version number, so that the description you based your detection on will always be available.
Then, you might have noticed that we favoured the verb “address” over “cover” throughout the article. This deliberate choice is important: having a cell coloured does not mean the technique is fully covered. Let us take, for instance, the “Boot or logon autostart” technique. It consists of detecting malicious processes starting at user logon or system boot. You might conclude “I cover this cell, I have an EDR, and I monitor the logs generated by it”. But … will your EDR detect any malicious process? Will it never fail? Do you monitor all logs or only those from servers because your SIEM cannot scale to also integrate workstations? This points out the difference between covering and addressing:
- addressing means some effort was put into detecting the technique, but the detection is not perfect,
- covering means you assert no attacker would, in any way, be able to apply this technique in your infrastructure.
The last important drawback relates to the difficulty of detecting TTPs. Indeed, detecting an IP address, a domain name, a file, or a tool from its hash is now largely feasible. However, these indicators are also easy to tamper with: attackers can deliver their payloads over thousands of ephemeral IPs and domains, as well as pack or obfuscate them to circumvent signature-based detection. TTPs are harder to tamper with because they represent the behaviour and habits of an attacker, but their detection is also often hard to implement: most of the techniques require monitoring processes, commands executed or file access/changes. These data sources, while meaningful, will also induce lots of work to spot the suspicious events and limit false positives.
Mitre Att&ck framework in a nutshell
The Mitre Att&ck framework is a great tool to assess the efficiency of your detection against the common toolbox and paths used by attackers. This giant library, combined with careful knowledge and review of your detection, can be a guide to define and prioritize your improvement paths.
Mitre also provides a platform, which can be complex to approach but has many interesting features beyond the ones presented here. If needed, Excellium can provide training to become familiar with the framework and its navigator.
References
- Cyber Kill Chain framework: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
- Mitre Att&ck framework for enterprise: https://attack.mitre.org/matrices/enterprise/
- Mitre Att&ck navigator online: https://mitre-attack.github.io/attack-navigator/
- Mitre Att&ck navigator code: https://github.com/mitre-attack/attack-navigator