Introduction MITRE ATT&CK Framework (Part 1) — English

Digit Oktavianto
MII Cyber Security Consulting Services
5 min read · Feb 27, 2020

For information, this article is the same one I published in the 6th edition of the Cyber Defense Community Indonesia (CDEF) bulletin. Those who want to read the whole CDEF Community Bulletin can download it at the following link: https://cdef.id/6th-edition-bulletin-released/

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a framework developed by MITRE, a non-profit organization. It catalogues the tactics and techniques used by threat actors, together with what is known about those actors, and can be used as a methodology for modelling the cyber security threats an organization faces.

Tactics and techniques are the modern way of describing what threat actors do during an attack. A tactic describes the adversary's goal at a given stage of the attack (the "why", for example gaining initial access or establishing persistence), a technique describes how that goal is achieved, and the common knowledge is the collected information and documentation on how specific adversaries have used those tactics and techniques.

If you visit the official MITRE ATT&CK page, you will see the tactics and techniques laid out in one large matrix (https://attack.mitre.org/matrices/enterprise/). The MITRE ATT&CK matrix looks like this:

Matrix MITRE ATT&CK

The top row of the MITRE ATT&CK matrix lists the tactics, starting with Initial Access, Execution, Persistence, and so on. Each column below a tactic lists the techniques that belong to it, and a single technique can appear under more than one tactic. According to a MITRE conference presentation, the techniques in the matrix are the result of roughly five years of work cataloguing the behaviour of adversary groups from the findings of cyber security researchers and from threat intelligence reports.

The MITRE ATT&CK Framework can be used for many purposes, among them:

  1. Improve the detection technology an organization already has
  2. Assess how much visibility an organization has into the attacks that occur against it
  3. Improve the threat intelligence capability the organization currently possesses
  4. Run adversary simulations between the Red Team and the Blue Team so that each side learns the other's weaknesses
  5. Raise the maturity of the organization's Threat Hunting program

These use cases will be discussed in detail in the next article (Part 2).
With the MITRE ATT&CK Framework an organization can improve in many areas, whether on the Cyber Defense side (Blue Team), on the offensive side (Red Team), or in building up a Purple Team capability.
It must be kept in mind, however, that the tactics and techniques displayed in the MITRE ATT&CK matrix are the ones already known to the cyber security community. There may well be tactics and techniques in use by the "bad guys" that the "good guys" have not yet discovered. The MITRE ATT&CK matrix will therefore keep growing over time as new tactics and techniques are added.

At the 8th CDEF meetup I also had the opportunity to give a presentation, "Why Should Blue Team Love MITRE ATT&CK", which readers can download from the CDEF GitHub page. In that presentation I try to describe how many kinds of organizations can make use of MITRE ATT&CK, the key point being continuous improvement, especially of the protection mechanisms in their organization.

MITRE's main purpose in creating the ATT&CK Framework is to understand the characteristics of adversaries / threat actors when they carry out their operations: which tactics, techniques and tools an adversary uses to accomplish its mission. The hope is that stakeholders and system owners will understand how threat actors work and respond by raising the capability of the protection and detection mechanisms in their own organizations.

A second purpose is to create a standard taxonomy for identifying and labelling threat actors by the way they work and the modus operandi they use in their attacks, so that communities and organizations can share information with one another using the same vocabulary.

Comparison Between Cyber Kill Chain Lockheed Martin vs MITRE ATT&CK Framework

As many readers already know, the public first became familiar with the Cyber Kill Chain, popularized by Lockheed Martin, which describes the stages of an attack carried out by a threat actor (shown in the chart above), starting from:

Recon -> Weaponize -> Deliver -> Exploit -> Install -> Control -> Objective

Compared with the Cyber Kill Chain, ATT&CK has two parts. The first, PRE-ATT&CK, covers the Recon and Weaponize phases of the Cyber Kill Chain (the green part of the chart). PRE-ATT&CK describes the pre-compromise stage, that is, the period before the organization has actually been compromised by the threat actor. (Note: in October 2020, after this article was written, MITRE retired PRE-ATT&CK as a separate matrix and folded its content into the Enterprise matrix as the Reconnaissance and Resource Development tactics.)

In the PRE-ATT&CK stage the threat actor usually spends its time learning about the target: looking for a way in, and for the weaknesses and critical points that can serve as an entry point. There are many PRE-ATT&CK activities; the picture above illustrates the methods threat actors employ before compromising a target.

The ATT&CK Enterprise matrix, on the other hand, covers the Deliver, Exploit, Install, Control and Objective phases of the Cyber Kill Chain (the blue part of the chart). If we look in detail at each technique under each tactic in ATT&CK, the difference between the Cyber Kill Chain and ATT&CK Enterprise is less striking than it first appears. What ATT&CK adds is detail: a description and a list of techniques for every tactic, together with case-study examples of which adversary groups have used each tactic and technique.

Tactic, Technique and Common Knowledge

As the picture above of Tactic, Technique and Common Knowledge shows, for each technique MITRE provides a description of how adversaries use it, lists the tactics it can serve, and records the platforms it applies to, the permissions it requires, and the data sources a stakeholder / system owner must collect in order to detect it. The Common Knowledge part is the Examples section, which lists the adversary groups that have been observed using the technique.
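As an added example (not part of the original article), the following Python script shows what that structure looks like in data. MITRE publishes ATT&CK as STIX 2 JSON bundles (https://github.com/mitre/cti): each technique is an attack-pattern object whose kill_chain_phases give its tactics and whose x_mitre_platforms, x_mitre_permissions_required and x_mitre_data_sources fields carry the platform, permission and data-source information described above, while intrusion-set objects and "uses" relationships supply the group examples. The bundle in the script is a small, hand-constructed subset in that shape (the technique and group IDs match the public ATT&CK entries, but the field values are trimmed and the STIX object ids are made up); the script rebuilds the matrix columns from it and returns the technique-page fields for one ID, skipping revoked entries, which the real bundle keeps.

```python
import json
from collections import defaultdict

# Enterprise tactic order across the top of the matrix (early 2020 layout,
# before the Reconnaissance and Resource Development tactics were added).
TACTIC_ORDER = ["initial-access", "execution", "persistence", "privilege-escalation",
                "defense-evasion", "credential-access", "discovery", "lateral-movement",
                "collection", "command-and-control", "exfiltration", "impact"]

# Made-up STIX object ids (the real bundle uses UUIDs) to keep the sample readable.
PHISH, CLI, SCHED, PS, APT29 = ("attack-pattern--0001", "attack-pattern--0002",
                                "attack-pattern--0003", "attack-pattern--0004",
                                "intrusion-set--0001")

def _technique(stix_id, ext_id, name, tactics, platforms, perms, sources, revoked=False):
    """One attack-pattern object using the field names of the ATT&CK STIX bundle."""
    return {"type": "attack-pattern", "id": stix_id, "name": name, "revoked": revoked,
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t}
                                  for t in tactics],
            "x_mitre_platforms": platforms, "x_mitre_permissions_required": perms,
            "x_mitre_data_sources": sources}

def _uses(src, dst):
    """A 'uses' relationship: the Common Knowledge link from a group to a technique."""
    return {"type": "relationship", "id": f"relationship--{src}-{dst}",
            "relationship_type": "uses", "source_ref": src, "target_ref": dst}

# Constructed sample bundle: technique/group IDs follow the public ATT&CK entries,
# field values are trimmed. json.load(open("enterprise-attack.json")) has the same shape.
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--0001", "objects": [
    _technique(PHISH, "T1566", "Phishing", ["initial-access"],
               ["Windows", "macOS", "Linux"], ["User"],
               ["Mail server", "Network intrusion detection system"]),
    _technique(CLI, "T1059", "Command and Scripting Interpreter", ["execution"],
               ["Windows", "macOS", "Linux"], ["User", "Administrator"],
               ["Process monitoring", "Process command-line parameters"]),
    # One technique under three tactics: the same entry shows up in three columns.
    _technique(SCHED, "T1053", "Scheduled Task/Job",
               ["execution", "persistence", "privilege-escalation"],
               ["Windows", "macOS", "Linux"], ["User", "Administrator", "SYSTEM"],
               ["File monitoring", "Process monitoring", "Windows event logs"]),
    # Retired techniques stay in the real bundle flagged revoked (or x_mitre_deprecated);
    # a parser that does not filter them lists techniques that no longer exist.
    _technique(PS, "T1086", "PowerShell", ["execution"], ["Windows"], ["User"],
               ["PowerShell logs"], revoked=True),
    {"type": "intrusion-set", "id": APT29, "name": "APT29",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0016"}]},
    _uses(APT29, PHISH), _uses(APT29, SCHED),
]}

def attack_id(obj):
    """ATT&CK external ID (T1566, G0016, ...) of a STIX object, or None."""
    return next((r["external_id"] for r in obj.get("external_references", [])
                 if r.get("source_name") == "mitre-attack"), None)

def is_active(obj):
    """False for entries MITRE has revoked or deprecated but left in the bundle."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)

def build_matrix(bundle):
    """Tactic -> sorted 'Txxxx Name' entries, i.e. the columns of the matrix."""
    columns = defaultdict(list)
    for obj in bundle["objects"]:
        if obj["type"] != "attack-pattern" or not is_active(obj):
            continue
        for phase in obj.get("kill_chain_phases", []):
            if phase["kill_chain_name"] == "mitre-attack":   # ignore other kill chains
                columns[phase["phase_name"]].append(f"{attack_id(obj)} {obj['name']}")
    return {t: sorted(columns[t]) for t in TACTIC_ORDER if columns[t]}

def technique_details(bundle, ext_id):
    """The fields of one technique page: tactics, platforms, permissions, data
    sources, and the groups documented as using it (the Examples section)."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    tech = next((o for o in bundle["objects"]
                 if o["type"] == "attack-pattern" and attack_id(o) == ext_id), None)
    if tech is None:
        raise KeyError(ext_id)
    groups = sorted(by_id[r["source_ref"]]["name"] for r in bundle["objects"]
                    if r["type"] == "relationship" and r["relationship_type"] == "uses"
                    and r["target_ref"] == tech["id"]
                    and by_id[r["source_ref"]]["type"] == "intrusion-set")
    return {"id": ext_id, "name": tech["name"], "revoked": not is_active(tech),
            "tactics": [p["phase_name"] for p in tech["kill_chain_phases"]],
            "platforms": tech.get("x_mitre_platforms", []),
            "permissions_required": tech.get("x_mitre_permissions_required", []),
            "data_sources": tech.get("x_mitre_data_sources", []),
            "groups": groups}

if __name__ == "__main__":
    for tactic, techniques in build_matrix(SAMPLE_BUNDLE).items():
        print(f"{tactic}: {', '.join(techniques)}")
    print(json.dumps(technique_details(SAMPLE_BUNDLE, "T1053"), indent=2))
```

To run this against the real data, replace SAMPLE_BUNDLE with the parsed enterprise-attack.json from the mitre/cti repository; the revoked / x_mitre_deprecated filter matters there, because retired techniques remain in the bundle and would otherwise appear as live matrix entries.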

With this Part 1 article the author hopes that more readers will get to know the MITRE ATT&CK Framework, so that more people and organizations become aware of the many tactics and techniques threat actors use, and so that each of us can improve, especially in protecting against, detecting, and responding to cyber security threats.
That concludes Part 1. I hope it is useful, and see you in the next issue.

Happy Hacking!

DFIR Enthusiast; Threat Intelligence Enthusiast; Born to be a Blue Team; {GCIH, GMON, GCTI, GICSP, GCFE, eCMAP, eCTHPv2, CEH, CSA, CTIA, ECIH, CHFI}