ATT&CK Sub-Techniques Feedback

Daniil Yugoslavskiy, atc-project
5 min read, Sep 26, 2019

We have been working on ATT&CK operationalization for the last four years in multiple Security Operation Centers around Europe, facing many challenges, contributing and supporting the framework as much as we could.

Now we would like to put in our two cents on the planned restructure.
We have sent it to attack@mitre.org as proposed, and at the same time we have decided to share it with the community.

This is our feedback to the ATT&CK Sub-Techniques Preview article by Blake Strom.

Comments

We agree with the points and explanations provided in the original article.

There are a few supporting comments to the “Benefits of ATT&CK with Sub-Techniques” section of the article from our side.

Levels of granularity

This point, mentioned in the original article, could also be represented through related analytics, like Threat Simulation Tests and Detection Rules.

Most of them address one specific way of implementing a technique. We would like to illustrate this with the Credential Dumping (T1003) technique, which the original article also mentioned in this regard.

Let’s take a look at all Simulation Tests available for this technique in the Atomic Red Team project repository:

$ grep -irh "\- name" atomic-red-team/atomics/T1003/T1003.yaml
- name: Powershell Mimikatz
- name: Gsecdump
- name: Windows Credential Editor
- name: Registry dump of SAM, creds, and secrets
- name: Dump LSASS.exe Memory using ProcDump
- name: Dump LSASS.exe Memory using Windows Task Manager
- name: Offline Credential Theft With Mimikatz
- name: Dump Active Directory Database with NTDSUtil
- name: Create Volume Shadow Copy with NTDS.dit
- name: Copy NTDS.dit from Volume Shadow Copy
- name: GPP Passwords (findstr)
- name: GPP Passwords (Get-GPPPassword)

There are 12 Simulation Tests; some cover different methods, others different tools.

Let’s take a look at all Detection Rules available for this technique in the Sigma project repository:

$ grep -irh "attack.t1003" sigma/rules -B 40 | grep "title:"
title: Judgement Panda Exfil Activity
title: Antivirus Password Dumper Detection
title: NotPetya Ransomware Activity
title: Activity Related to NTDS.dit Domain Hash Retrieval
title: Suspicious SYSVOL Domain Group Policy Access
title: Cmdkey Cached Credentials Recon
title: Process dump via comsvcs DLL
title: Suspicious Use of Procdump
title: Rubeus Hack Tool
title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
title: Mimikatz Detection LSASS Access
title: Mimikatz In-Memory
title: Detection of SafetyKatz
title: Password Dumper Remote Thread in LSASS
title: LSASS Memory Dump
title: QuarksPwDump Dump File
title: Mimikatz through Windows Remote Management
title: SAM Dump to AppData
title: Malicious Service Install
title: Mimikatz DC Sync
title: Mimikatz Use
title: WCE wceaux.dll Access
title: Possible Impacket SecretDump remote activity
title: Password Dumper Activity on LSASS
title: LSASS Access Detected via Attack Surface Reduction

There are 25 rules available for the Credential Dumping (T1003) technique alone.

It is reasonable to split a technique into sub-techniques where possible. This way we divide it by more specific behaviors, which we could:

  • simulate independently and test more specific security controls and detection rules
  • detect independently and provide analysts with more detailed context of observed suspicious activity
  • etc

At the same time, sub-techniques will help adjust the mapping of related analytics to the framework and to each other. We believe it will dramatically change the way projects integrate and strengthen the overall ecosystem around the MITRE ATT&CK framework for the common benefit.
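The grep commands above work for a quick count, but `grep -B 40` attributes a `title:` line to a tag only by proximity: when several rules share one file, or a rule header is longer than 40 lines, titles end up under the wrong technique or are missed. The following added example (our illustration, not code from the Sigma or Atomic Red Team projects) parses each rule document separately, extracts its `attack.tNNNN` tags, normalises sub-technique IDs written in dot or dash notation, and groups the rules by parent technique so the sub-technique level of granularity discussed above becomes visible. The three rule documents embedded in it are constructed for the example and are not real rules from the Sigma repository; the line-based parsing assumes the flat `title:`/`tags:` header layout Sigma rules use and avoids a YAML library dependency.

```python
import re
from collections import defaultdict

# Constructed sample: three Sigma-style rule documents in one file, separated
# by "---". These are illustrative stand-ins, not rules from the Sigma repository.
SAMPLE_RULES = """\
title: Suspicious Use of Procdump
status: experimental
tags:
    - attack.credential_access
    - attack.t1003
    - attack.t1003.001
detection:
    selection:
        CommandLine|contains: ' -ma '
    condition: selection
---
title: Activity Related to NTDS.dit Domain Hash Retrieval
tags:
    - attack.credential_access
    - attack.t1003.003
detection:
    selection:
        CommandLine|contains: 'ntdsutil'
    condition: selection
---
title: Malicious Service Install
tags:
    - attack.persistence
    - attack.t1543.003
detection:
    selection:
        EventID: 7045
    condition: selection
"""

# attack.t1003, attack.t1003.001 or attack.t1003-001 (dash notation is one of
# the custom conventions mentioned in the article); tactic tags do not match.
TECHNIQUE_TAG = re.compile(r"^attack\.(t\d{4})(?:[.-](\d{3}))?$", re.IGNORECASE)


def parse_technique_tag(tag):
    """Return (parent_id, sub_id_or_None) for a technique tag, or None for
    non-technique tags such as attack.credential_access."""
    m = TECHNIQUE_TAG.match(tag.strip())
    if not m:
        return None
    parent = m.group(1).upper()
    sub = f"{parent}.{m.group(2)}" if m.group(2) else None
    return parent, sub


def split_documents(text):
    """Split a multi-rule file on YAML document separators."""
    return [doc for doc in re.split(r"^---\s*$", text, flags=re.M) if doc.strip()]


def parse_rule(doc):
    """Extract the title and the tags list from one rule document.
    Only top-level keys and the indented '- item' lines under 'tags:' are read."""
    title, tags, in_tags = None, [], False
    for line in doc.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):      # top-level key
            in_tags = False
            key, _, value = line.partition(":")
            if key == "title":
                title = value.strip()
            elif key == "tags":
                in_tags = True
        elif in_tags and line.strip().startswith("- "):
            tags.append(line.strip()[2:].strip())
    return title, tags


def techniques_of(tags):
    """Collapse a rule's tags to {parent: set(sub_ids)}; a bare parent tag
    registers the parent with an empty set of sub-techniques."""
    techs = defaultdict(set)
    for tag in tags:
        parsed = parse_technique_tag(tag)
        if parsed:
            parent, sub = parsed
            techs[parent]              # ensure the parent is recorded
            if sub:
                techs[parent].add(sub)
    return techs


def rules_by_technique(text):
    """Map parent technique -> sorted [(title, sub_id)], sub_id None when the
    rule is tagged at the parent level only."""
    index = defaultdict(list)
    for doc in split_documents(text):
        title, tags = parse_rule(doc)
        if title is None:
            continue
        for parent, subs in techniques_of(tags).items():
            if subs:
                index[parent].extend((title, sub) for sub in sorted(subs))
            else:
                index[parent].append((title, None))
    return {p: sorted(v, key=lambda t: (t[1] or "", t[0])) for p, v in index.items()}


def coverage_summary(text):
    """Per parent technique: number of distinct rules and the sub-techniques
    they cover, the metric the granularity argument above is about."""
    return {
        parent: {
            "rules": len({title for title, _ in entries}),
            "sub_techniques": sorted({sub for _, sub in entries if sub}),
        }
        for parent, entries in rules_by_technique(text).items()
    }


if __name__ == "__main__":
    for parent, entries in sorted(rules_by_technique(SAMPLE_RULES).items()):
        print(parent)
        for title, sub in entries:
            print(f"  {sub or '(parent only)':<12} {title}")
```

Run over a real `sigma/rules` tree by concatenating the rule files (or looping over them) instead of `SAMPLE_RULES`; the output then answers the question the grep pipeline approximates, namely how many rules exist per technique and which sub-techniques they already distinguish.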

Extendability

A couple of years ago, just like the Deloitte Threat Library Team, we created our own sub-technique “Exfiltration over DNS” under the Exfiltration Over Alternative Protocol technique. We also split Account Discovery into two sub-techniques, “Domain” and “Local”. However, we did it in our internal Use Case Framework and never published it.

Custom/internal techniques are quite common among those who operationalize the framework. Since there was no “official” way to manage this, everybody did it differently: creating custom technique IDs, custom sub-techniques (dot/dash/whatever notation), or even a custom entity outside of the framework.

It is a great idea to make ATT&CK extendable, allowing people to create their own sub-techniques and integrate them into their workflows more naturally.

Proposals

There are just a few proposals we would like to bring up for discussion, as food for thought for the upcoming ATT&CKcon and EU ATT&CK Community workshop.

Completeness

“A good model is imperfect. […] A key to understanding a theory or system is the ability to know when it does not work. […] A model should have clear criteria for its use so that it isn’t over-applied in situations that are not appropriate.”
Information Security Mental Models, Chris Sanders, May 2019

Since MITRE ATT&CK is a threat model that describes the methods by which adversaries achieve their goals, users of the framework will always want to see in it all the ways a technique can be performed. There is nothing wrong with that, and for some techniques it is possible to describe all meaningful ways to implement them.

At the same time, we understand that for some techniques it is not achievable to list all possible ways to perform them (i.e. all sub-techniques), but it is still important to state that something remains unknown: to define the (in)completeness of the sub-technique list for every technique. Otherwise, the absence of such a metric will mislead people into treating ATT&CK as a list to “check things off”.

We see that this idea is written between the lines, but we believe that the community needs to have it clearly defined.

Transparency

A year ago, on 24 September 2018, we contributed the WPAD technique to MITRE ATT&CK. For internal reasons it has not been released yet, and there is no publicly available information about this contribution (we are in touch and it is in progress, but that is not the point).

It is hard to tell how many people have contributed the same technique (it is quite common and well known). There are probably many contributions from multiple people about the same things, but nobody knows about them and there is no way to see them.

We believe that MITRE ATT&CK Framework development should be more open to the community, so that people are able to:

  1. See exactly what they can focus on and what is not fully covered yet (i.e. sub-techniques for specific techniques): a kind of TODO list
  2. See which (sub-)techniques have already been contributed and are waiting for review/release
  3. Discuss existing techniques or other contributions, improving them together; vote for specific contributions to highlight their importance for the community, even though the final choice and the way they will (or will not) be integrated is up to the MITRE ATT&CK Team

We believe that this way the framework will engage more people in its development and become more transparent, responsive and community-driven.

Final thoughts

The upcoming ATT&CKcon and EU ATT&CK Community workshop promise to be much bigger and more fruitful this time. We think that messages like this are one of the best ways to contribute to the upcoming discussions and (hopefully) decisions. That is why we are sharing it with the community.

There is room for improvement and we hope that MITRE ATT&CK Team will consider our humble proposals.

Thank you for your great work. We are looking forward to the upcoming changes!


Daniil Yugoslavskiy (atc-project) is involved in @atc_project and @oscd_initiative and holds OSCP, CCNP Security, GCFA and GNFA.