From Reconnaissance to Exfiltration: Understanding the 14 Steps of the Mitre ATT&CK Framework

David Berg
6 min read · May 1, 2023

In our last discussion, we explored the European Cybersecurity Skills Framework (ECSF) role profiles, focusing on the cybersecurity architects who build our online safeguards. Today we set sail on a fresh journey, navigating the waters of the MITRE ATT&CK framework, a crucial guide for anyone in the cybersecurity field. Using our favorite tools, analogies and storytelling, we will make this complex topic both fun and easy to remember. So hold tight and prepare to dive into the world of MITRE ATT&CK.

To keep the post reader-friendly, I have divided it into two parts. In this first part, you will follow Lord Mitre's quest to uncover the adversaries' tactics, techniques and procedures (TTPs); in the second part, you will learn about MITRE ATT&CK in a nutshell, including its use cases and benefits.

Follow me for more engaging tales from the cybersecurity landscape. Ready? Let’s get started!

Lord Mitre was tasked with investigating and unraveling the thieves’ tactics.

Lord Mitre’s Quest: Uncovering Adversaries’ TTP

Once upon a time, the wise king sought to fortify his kingdom, employing craftsmen to harden its defenses with four (cyber)security disciplines. While the wise king's country was safe, the neighboring Northern Kingdom was in chaos. A notorious band of thieves, the Forestworm gang, was wreaking havoc, looting castles and opening gates to barbarian raids for the right price. Disturbed by this, the king dispatched Lord Mitre to investigate and unravel the thieves' tactics.

After a thorough investigation and clever infiltration, Lord Mitre discerned Forestworm’s methods. He documented these in a manual, Mitre’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK), and dispatched it to the castle commanders in the Northern Kingdom. The manual outlined the thieves’ step-by-step approach:

A Forestworm member is using the secret entrance to breach the castle's defenses
  1. Reconnaissance: Gathering intelligence about the castles, often through deception. Like spies scouting the castles, attackers research their targets: scanning exposed services, mining public records and social media, and sending phishing messages designed to elicit information rather than to break in.
  2. Resource Development: Forestworm secured the means for their operations, such as inside informants or stolen maps. Attackers likewise create, buy or steal what they need before the intrusion starts: domains and servers for their command infrastructure, botnets, stolen credentials, malware and exploit kits.
  3. Initial Access: Breaching the defenses through clever routes, like tunnels or secret entrances. Attackers gain their first foothold through spear-phishing, exploitation of an internet-facing application, valid but stolen accounts, or a compromised supplier.
  4. Execution: Once inside, the attackers are like silent saboteurs, subtly poisoning the castle's water supply: they turn the castle's own resources against it, sowing chaos, incapacitating the inhabitants and seizing control with minimal resistance. In a network, Execution means running adversary-controlled code on a compromised system, for example when a user opens a malicious attachment, through a scripting interpreter such as PowerShell, or via a scheduled task.
  5. Persistence: They devised ways to stay inside undetected, hiding in secret passages or blending in with the staff. Attackers install backdoors, add scheduled tasks or registry run keys, or create extra accounts so that their access survives reboots, password changes and partial clean-ups.
  6. Privilege Escalation: Forestworm impersonated officials to gain more authority. Attackers seek higher privileges, from a standard user to administrator or SYSTEM, by exploiting vulnerabilities, abusing misconfigurations, or bypassing elevation controls.
  7. Defense Evasion: They avoided detection by blending in or disabling the castle's watch. Attackers do the same with obfuscated code, trusted or signed binaries, log tampering, and by disabling antivirus or endpoint agents.
  8. Credential Access: They stole keys and badges to reach restricted areas. Attackers steal usernames, passwords, password hashes, tokens and tickets, for instance by dumping credentials from memory, keylogging or brute forcing, to reach more sensitive parts of the network.
  9. Discovery: Forestworm studied the castle's layout, routines and guards to learn what they controlled and where the opportunities lay. Attackers map the environment, enumerating hosts, accounts, shares, services and trust relationships to decide where to go next.
  10. Lateral Movement: They moved through the castle, exploiting weak internal doors to reach their targets. Attackers move between systems, mostly by reusing stolen credentials over remote services such as RDP, SMB or SSH, and sometimes by exploiting internal vulnerabilities.
  11. Collection: At their objective, they gathered the valuables. Attackers gather the data they came for, such as documents, e-mail, databases or payment card data, often staging and compressing it ahead of theft.
  12. Command and Control: They kept in touch with compromised insiders to direct the operation. Attackers maintain covert channels to the systems they control, typically disguised as ordinary web traffic, to issue commands and receive results.
  13. Exfiltration: Finally, they slipped away with the loot, avoiding capture. Attackers transfer the stolen data out, often compressed and encrypted, over the command-and-control channel or a separate service such as cloud storage, sometimes in small pieces to stay under size-based alert thresholds.
  14. Impact: Forestworm's raids disrupted the kingdom's prosperity, halting trade and agriculture and damaging public order. Attackers disrupt operations, encrypt or destroy data, deface systems or manipulate records, leaving havoc in their wake.
Exfiltration: The Forestworm gang is making their escape!

This manual gave the king's men insight into the adversaries' tactics and techniques, preparing them for any potential threats. One caveat the commanders learned quickly: the order above is the order of the columns in the ATT&CK matrix, not a script every intrusion follows. Real attackers skip steps, repeat Discovery and Lateral Movement several times, and usually set up Command and Control minutes after Initial Access rather than near the end.

Studying Lord Mitre's ATT&CK manual, the castle commanders foiled the Forestworm gang's attacks and captured most of its members. Some of the survivors turned to banditry and piracy. Since their tactics remained the same, however, caravan leaders and ship captains armed with the same manual could recognize and prevent the attacks aimed at their own trades.

The Northern Kingdom regained its safety thanks to Lord Mitre's work. Castle commanders, merchants, farmers and captains established an intelligence-sharing network built on Mitre's common vocabulary, collectively defending against similar threats.

Intelligence sharing meeting

Upon completing his mission, Lord Mitre returned home. The wise king directed his craftsmen to use the ATT&CK framework to assess their defenses, and he tasked Master Kali with forming the Red Guards to test those defenses using Forestworm's own tactics. The story of Master Kali will be the subject of another article; stay tuned.

Just as Lord Mitre’s manual gave the king’s men insight into Forestworm’s tactics, understanding these steps can help cybersecurity professionals predict and mitigate potential threats.

The MITRE ATT&CK framework, much like our story, provides valuable insights into potential threats, helping cybersecurity professionals understand, anticipate, and mitigate them. By sharing information and utilizing frameworks like ATT&CK, we can fortify our collective defenses against evolving cybersecurity threats.

Thank you for reading my story about the 14 tactics of the MITRE ATT&CK framework. To delve deeper into its use cases and benefits, follow the link below for Part 2 of my post. Happy reading!


Sources:

Images generated by Midjourney

https://www.paloaltonetworks.com/cyberpedia/what-is-mitre-attack-framework


David Berg

Passionate about technology, design, and productivity, I write about cyber security with a focus on easy-to-follow guides and clear explanations.