MITRE ATT&CK : The Overview
If you have worked in, or been in touch with, the information security domain for any decent length of time, you have almost certainly crossed paths with the term CVE (Common Vulnerabilities and Exposures); if you have been part of the offensive side of security, you will know it even better. Clearing up the confusion about the body that assigns CVEs, namely MITRE, and demystifying terms like TTPs will be our main goal here, alongside building an understanding of the MITRE ATT&CK framework, which is the main subject of this blog.
0: A general overview of the threat landscape
Before getting started with MITRE ATT&CK, we make sure the blog answers the questions Why MITRE ATT&CK? How MITRE ATT&CK? What is MITRE ATT&CK?, since simplifying things is our overall focus. The adversary is the central aspect of the entire threat landscape. Knowing the various ways an adversary operates in a particular domain, and the vulnerabilities and risk factors that can change that landscape, is of great importance, and developing methods to stop the propagation of malicious intent is the analyst's goal. We will see how the MITRE ATT&CK framework comes into play and makes life easier for analysts, producing an overall quality threat-informed defense.
1: MITRE ATT&CK: Getting started
MITRE, whose scope is much broader than the information security domain, has contributed to defense and intelligence and to civil systems, and is maintained under a federal structure to bring quality to the methodology for solving some of the state's biggest problems through independent research and development. The leading and most intriguing part of the MITRE ATT&CK framework is that it wraps up a common vocabulary and documents adversarial behaviour in a structured way, which helps the security community leverage its threat research and adds quality to it.
2: MITRE ATT&CK: Threat Informed Defense
Understanding how MITRE ATT&CK raises the quality of threat-informed defense is very important.
The key goal is to understand adversary tradecraft and use it to harden the defense mechanism and improve the quality of threat research.
For better understanding, threat-informed defense is classified into three broader categories:
Intelligence Analysis
Defensive Engagement
Sharing & Collaboration
Let us further divide and understand these terms briefly.
3: Understanding Intelligence Analysis
A brief look at the term cyber threat intelligence is needed to understand this phase of threat-informed defense. In layman's terms, it is the proactive use of TTPs and of typical IOCs (Indicators of Compromise), such as MD5 hashes of malware files, malicious domains and many more, to defend one's threat landscape from pre-existing threats by hardening the entire security pipeline; it acts as a boon for the defensive side of security.
A very practical example of a good intelligence source is CRITs by MITRE; CRITs stands for Collaborative Research Into Threats. Creating a cohesive picture of cyber threat analysis is one of the main goals of CRITs. The scope of CRITs ranges from the collection of various threat artifacts, associating them with the threat lifecycle, reverse engineering the malware and analysing it further, to the analysis of malicious traffic and much else, all to produce better analysis and better results.
Detailed information on how CRITs works can be found here.
4: TTPs (Tactic, Technique, Procedure)
A very important aspect of the ATT&CK framework is TTPs. Understanding TTPs and what role they play in the entire framework is very important.
[ T ] — Tactic
Tactics are the adversary's technical goals.
[ T ] — Technique
Techniques are how those goals are achieved.
[ P ] — Procedures
Procedures are the specific implementations of a technique.
We can have a look at the official website for a detailed view of the Tactics, Techniques and Procedures.
5: Understanding Tactics
[ T ] — Tactics
Tactics are the adversary's technical goals. Let us understand this in more detail with an analogy: our daily goals, from getting up early to driving to the office and staying healthy, can be thought of as our daily tactics, which we strive to achieve in the best way possible. In the ATT&CK framework we have 12 tactics, with various techniques underlying them.
6: Understanding Techniques
[ T ] — Techniques
Techniques are the different ways of meeting the requirement to achieve a tactic. Going back to the example where our tactic was staying fit, we can eat healthily, exercise early in the morning, or take various other routes to stay healthy and so achieve the tactic or goal. These are the techniques. Similarly there are multiple techniques to achieve a certain tactic, and one technique can serve more than one tactic, so techniques may span multiple tactics. Let us take a corresponding example from the ATT&CK framework.
We took the "Defense Evasion" tactic and the "Access Token Manipulation" technique as an example. It leads us to various sub-techniques. From there we can read about the technique and how threat actors leverage it to achieve their tactic of Defense Evasion.
7: MITRE ATT&CK: Threat Informed Defense: Defensive Engagement
Defensive engagement of the threat is one of the core parts of threat-informed defense. It takes the analytics harvested from the intelligence sources and uses them to simulate the adversary inside the threat landscape through Breach and Attack Simulation tools, and the results feed back into the intelligence analysis, producing a better and higher-quality outcome across the entire landscape of threat-informed defense.
8: MITRE ATT&CK: Threat Informed Defense: Sharing & Collaboration
Last but not least, an intriguing part of threat-informed defense is the focused sharing of quality analysis on threat-informed defense through various communities and groups, MITRE Engenuity among others, with better threat-informed defense across the community in mind. Another definite example is the CTID (Center for Threat-Informed Defense), which focuses on a global understanding of adversary tradecraft and evolving adversary behaviour, which shapes the quality of defense assessments along with further ways to thwart ATT&CK techniques.
9: MITRE ATT&CK: Getting hands on with APT 18
An assessment after learning is definitely a great way to grasp concepts better. In the upcoming slides we will actively use the MITRE ATT&CK framework to map APT 18: its tactics, techniques and the software it uses, and how we can use the freely available data to leverage our analytics and understanding.
Let's head over to https://attack.mitre.org/. The next step is selecting the threat group we want to analyze. After landing on the groups page, https://attack.mitre.org/groups/, we go ahead and select APT 18.
Finally, after landing at https://attack.mitre.org/groups/G0026/, which contains a detailed overview of the APT 18 group, we have quite a bit of information about it, as follows:
1. The suspected country of origin of the threat group
2. Associated group descriptions
3. Tactics, Techniques and Procedures (TTPs) used by them
4. Sectors targeted: Aerospace and Defense, Construction and Engineering, Education, Health and Biotechnology, High Tech, Telecommunications, Transportation
5. Software and various in-depth details of the threat group
10: Getting hands on with a technique used by APT 18, i.e. Hijack Execution Flow
To understand it better we pick a certain technique from the list of techniques used by APT 18: Hijack Execution Flow. Our first step is to select the technique from the column. Heading over to the technique page, https://attack.mitre.org/techniques/T1574/, we can gather details about the technique, how to detect it, its sub-techniques, various procedure examples and further resources.
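The walk through attack.mitre.org above, and the point from section 6 that one technique can sit under several tactics, can be reproduced offline from the STIX JSON bundle MITRE publishes for ATT&CK. The Python below is an added example, not code from the original post or from MITRE; it builds a constructed miniature of that bundle (STIX ids, the tool name and TXXXX are placeholders; G0026, T1574 and T1134 are real ATT&CK ids) and follows the group's "uses" relationships to list its techniques, their tactics and its software, skipping deprecated entries as a real bundle requires.

```python
def _tech(sid, ext_id, name, phases, **extra):
    """Constructed attack-pattern object in the STIX shape ATT&CK publishes."""
    return {"type": "attack-pattern", "id": sid, "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p}
                                  for p in phases], **extra}

# Constructed stand-in for enterprise-attack.json (G0026/T1574/T1134 are real ATT&CK
# ids; the STIX ids, the tool and TXXXX are placeholders).
ATTACK_BUNDLE = {"objects": [
    {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "APT18",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0026"}]},
    _tech("attack-pattern--t1", "T1574", "Hijack Execution Flow",
          ["persistence", "privilege-escalation", "defense-evasion"]),
    _tech("attack-pattern--t2", "T1134", "Access Token Manipulation",
          ["defense-evasion", "privilege-escalation"]),
    _tech("attack-pattern--t3", "TXXXX", "Deprecated placeholder", ["execution"],
          x_mitre_deprecated=True),
    {"type": "tool", "id": "tool--s1", "name": "CONSTRUCTED-TOOL"},
] + [{"type": "relationship", "relationship_type": "uses",
      "source_ref": "intrusion-set--g1", "target_ref": t}
     for t in ("attack-pattern--t1", "attack-pattern--t3", "tool--s1")]}

def attack_id(obj):
    """ATT&CK id (G0026, T1574, ...) taken from the object's mitre-attack reference."""
    return next((r["external_id"] for r in obj.get("external_references", [])
                 if r.get("source_name") == "mitre-attack"), None)

def tactics_of(technique):
    """One tactic per kill-chain phase: this is how a technique spans tactics."""
    return [p["phase_name"] for p in technique.get("kill_chain_phases", [])]

def group_ttps(bundle, group_ext_id):
    """Follow the group's 'uses' relationships to its techniques and software."""
    objs = {o["id"]: o for o in bundle["objects"] if "id" in o}
    group = next(o for o in objs.values() if attack_id(o) == group_ext_id)
    ttps = {"group": group["name"], "techniques": {}, "software": []}
    for rel in bundle["objects"]:
        if rel["type"] != "relationship" or rel["source_ref"] != group["id"]:
            continue
        target = objs.get(rel["target_ref"])
        # Real bundles keep revoked/deprecated objects; a TTP map must skip them.
        if (rel["relationship_type"] != "uses" or target is None
                or target.get("revoked") or target.get("x_mitre_deprecated")):
            continue
        if target["type"] == "attack-pattern":
            ttps["techniques"][attack_id(target)] = tactics_of(target)
        elif target["type"] in ("tool", "malware"):
            ttps["software"].append(target["name"])
    return ttps
```

Pointing the same functions at the real enterprise-attack.json gives the full technique and software list shown on the G0026 page.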
The information about a threat group collected this way can be analyzed and customized further to build a pseudo-description of how an attack might have taken place, and that knowledge of the adversary's behaviour helps shape the security architecture of the landscape and prevent attackers from propagating their malicious intent.
Therefore, this blog gives just a small overview of how MITRE ATT&CK can be extremely valuable for threat researchers wanting to level up their game. The upcoming blogs will contain various insights on purple teaming and how helpful MITRE ATT&CK is to the purple team.
Blog by nerds at AX1AL.
Accompany us at our discord server. Till then happy defending :)