Defending Infrastructure-as-a-Service with ATT&CK®

Ingrid Skoog, MITRE-Engenuity
Nov 17, 2022

Written by James Ross and Adrian Garcia Gonzalez


Organizations rely on information systems that span multiple platforms and technology domains, making it difficult to determine which threats apply to a business. Defending IaaS with ATT&CK helps organizations understand and defend against the ATT&CK techniques that might be used against an IaaS environment and, perhaps more importantly, establishes a methodology with supporting tooling for teams to create and share their own customized collections of ATT&CK techniques.

We developed the Defending IaaS with ATT&CK project in partnership with Center Participants including AttackIQ Inc., Center for Internet Security, Citigroup Technology, Inc., Crowdstrike, Inc., JPMorgan Chase, N.A., and Verizon Business Services. Research participants played a critical role in defining our methodology, applying it to create a collection of ATT&CK techniques that target Infrastructure-as-a-Service (IaaS), and ensuring that the work is accessible with supporting tools and documentation.

Defending IaaS with ATT&CK includes:

  • A collection of 277 unique ATT&CK (sub-)techniques that apply to IaaS use cases
  • A methodology for building your own custom collections of ATT&CK techniques
  • Tools and documentation to support building, sharing, and exploring these custom ATT&CK technique collections

What does the methodology look like?

We created a methodology that describes a repeatable process to combine sets of information across the structure of the ATT&CK knowledge base. The procedure establishes a straightforward and tailorable approach to identify, build, and share collections of techniques to provide a comprehensive view of adversary behavior for complex environments.

We applied the methodology to identify the attack surface of IaaS as systems that comprise on-premise, public cloud, hybrid, or any combination of these under a shared service model in which the hardware and underlying physical components are managed by the provider, keeping platforms, applications, data, and services in focus. We then specified the ATT&CK platforms to include, defined selection criteria to determine applicable techniques, built the combined set of techniques into a collection, and visualized the results in an ATT&CK matrix to enable exploring and creating custom views using ATT&CK Navigator layers.

Figure 1: Five-step methodology applied to IaaS

Applying the methodology to IaaS

1. Identify your attack surface

The IaaS attack surface is defined as adversary activities targeting the cloud management layer, container technology, or hosted infrastructure.

2. Compile source information

ATT&CK techniques applicable to our representative IaaS architecture are spread across Cloud (IaaS), Container, and Linux platforms. The ATT&CK techniques from these three platforms establish our source information. The Cloud and Container platforms in ATT&CK for Enterprise describe adversary techniques at the cloud management and container technology layers, but do not include techniques that apply to the system being hosted. Similarly, while the Linux platform captures all techniques that can be used on Linux systems, not all are applicable to cloud-hosted Linux servers or to Linux containers.

The final collection of techniques that encompass the adversary activity targeting IaaS is a combination of techniques in the Cloud (IaaS) platform, the Container platform, and a subset of the techniques in the Linux platform.

3. Define selection criteria

Selection criteria provide guidelines for including and excluding techniques applicable to an environment. For IaaS, the focus is on techniques that affect cloud- and container-based Linux instances (applications, runtimes, middleware, and operating systems) as well as the management and orchestration applications and utilities the service provider makes available. The criteria used to select techniques applicable to IaaS were refined into three areas of focus: physical, operational, and environmental.

Physical criteria determine whether the collection includes techniques based on physical characteristics of the system. For IaaS, techniques that target the underlying physical technology are excluded, since those components are managed by the provider; examples include physical servers, firmware, the hypervisor, and some elements of networking.

Operational criteria determine whether the collection includes techniques based on functional characteristics, such as how the system is intended to operate. For example, techniques specific to workstations or to end users, including Virtual Desktop Infrastructure (VDI) and similar workspace-as-a-service offerings, are excluded, while third-party applications and runtimes (e.g., SQL Server or Java) are included on the condition that the underlying technology is present.

Environmental criteria capture exceptional aspects or characteristics specific to the environment. This section addresses nuances of adversary behavior that vary with how the environment's technology is deployed or operated. For example, techniques that do not align with common IaaS practices such as automated provisioning, scaling, and data recovery are excluded.

4. Review applicable techniques

We loaded the combined set of techniques into the ATT&CK Workbench, applied the selection criteria to include or exclude each technique from the collection, and added notes documenting the rationale behind each decision.

5. Build custom collection

The final step is to publish the techniques in a collection. We exported the collection as a STIX bundle, a format ATT&CK Navigator can load, to organize and display the IaaS techniques in a matrix. You can use Navigator to visualize defensive coverage, highlight and prioritize tactics and techniques, assist in security assessment and planning, and much more.
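Steps 2 through 5 as one script, as an added example; this is not the project's methodology documentation or the Workbench/Navigator code. It reads a STIX bundle shaped like the ATT&CK Enterprise data (here a small constructed sample), keeps techniques that list the Linux, IaaS, or Containers platform, skips revoked or deprecated entries, applies three illustrative selection criteria (physical, operational, environmental) while recording the rationale for each exclusion, collapses techniques that appear on more than one platform to a single entry, and writes an ATT&CK Navigator layer in which excluded techniques remain visible but disabled, with the rationale as the comment. The technique IDs and names are real ATT&CK entries, but the platform lists are abridged and the inclusion decisions are illustrative choices, not the project's analyst notes.

```python
"""Build a custom ATT&CK technique collection and a Navigator layer from ATT&CK STIX.

Added example, not the project's tooling. The bundle below is constructed; the same
code runs against enterprise-attack.json from the MITRE ATT&CK STIX repository.
"""
import json

SOURCE_PLATFORMS = {"Linux", "IaaS", "Containers"}  # platform names as spelled in ATT&CK STIX


def attack_pattern(tid, name, platforms, tactics, sub=False, revoked=False):
    """Minimal attack-pattern object in the shape ATT&CK's STIX uses (constructed)."""
    return {
        "type": "attack-pattern",
        "id": f"attack-pattern--constructed-{tid.lower().replace('.', '-')}",
        "name": name,
        "revoked": revoked,
        "x_mitre_platforms": platforms,
        "x_mitre_is_subtechnique": sub,
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics],
        "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
    }

# Constructed sample. IDs and names are real ATT&CK entries; platform lists are abridged.
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--constructed-iaas-sample", "objects": [
    attack_pattern("T1078", "Valid Accounts", ["Windows", "Linux", "macOS", "IaaS", "Containers"],
                   ["defense-evasion", "persistence", "privilege-escalation", "initial-access"]),
    attack_pattern("T1078.004", "Cloud Accounts", ["IaaS", "SaaS", "Office 365"],
                   ["defense-evasion", "persistence", "privilege-escalation", "initial-access"], sub=True),
    attack_pattern("T1610", "Deploy Container", ["Containers"], ["defense-evasion", "execution"]),
    attack_pattern("T1542.003", "Bootkit", ["Linux", "Windows"], ["persistence", "defense-evasion"], sub=True),
    attack_pattern("T1056.001", "Keylogging", ["Linux", "Windows", "macOS", "Network"],
                   ["collection", "credential-access"], sub=True),
    attack_pattern("T1490", "Inhibit System Recovery", ["Linux", "Windows", "macOS"], ["impact"]),
    attack_pattern("T1090", "Proxy", ["Linux", "Windows", "macOS", "Network"], ["command-and-control"]),
    attack_pattern("T1064", "Scripting", ["Linux", "Windows", "macOS"], ["execution"], revoked=True),
    {"type": "x-mitre-tactic", "id": "x-mitre-tactic--constructed-impact", "name": "Impact"},
]}


def attack_id(obj):
    """ATT&CK ID (T1078, T1078.004, ...) from the mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    raise ValueError(f"no ATT&CK ID on {obj['id']}")


def compile_source(bundle, platforms):
    """Step 2: current techniques that list any chosen platform.

    platform_hits counts a technique once per matching platform (the per-platform
    tally); techniques is keyed by ATT&CK ID, so cross-platform overlaps collapse.
    """
    techniques, platform_hits = {}, 0
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern" or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue  # skip non-techniques and revoked/deprecated entries
        hits = platforms & set(obj.get("x_mitre_platforms", []))
        if hits:
            platform_hits += len(hits)
            techniques[attack_id(obj)] = obj
    return platform_hits, techniques


# Step 3: selection criteria as (predicate on ATT&CK ID, exclusion note).
# The techniques named here are illustrative choices, not the project's analyst notes.
CRITERIA = [
    (lambda tid: tid.startswith("T1542"), "Physical: firmware/pre-OS layer is managed by the provider"),
    (lambda tid: tid == "T1056.001", "Operational: end-user input capture is a workstation/VDI concern"),
    (lambda tid: tid == "T1490", "Environmental: recovery uses snapshots and re-provisioning, not the instance"),
]


def review(techniques, criteria):
    """Step 4: apply every criterion; keep the rationale for each exclusion."""
    included, excluded = {}, {}
    for tid, obj in sorted(techniques.items()):
        notes = [note for pred, note in criteria if pred(tid)]
        (excluded if notes else included)[tid] = notes or obj
    return included, excluded


def navigator_layer(included, excluded, name):
    """Step 5: Navigator layer; excluded techniques stay visible but disabled, with notes."""
    techs = [{"techniqueID": tid, "tactic": p["phase_name"], "color": "#31a354", "enabled": True,
              "comment": "Included in IaaS collection"}
             for tid, obj in included.items() for p in obj["kill_chain_phases"]]
    techs += [{"techniqueID": tid, "enabled": False, "comment": "; ".join(notes)}
              for tid, notes in excluded.items()]
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"attack": "12", "navigator": "4.8.0", "layer": "4.4"},
            "filters": {"platforms": sorted(SOURCE_PLATFORMS)}, "techniques": techs}


def build(bundle=SAMPLE_BUNDLE):
    """Run steps 2-5 and return the counts alongside the layer."""
    platform_hits, source = compile_source(bundle, SOURCE_PLATFORMS)
    included, excluded = review(source, CRITERIA)
    return {"platform_hits": platform_hits, "unique": len(source), "included": sorted(included),
            "excluded": excluded, "layer": navigator_layer(included, excluded, "IaaS (constructed sample)")}


if __name__ == "__main__":
    r = build()
    print(f"{r['platform_hits']} platform hits -> {r['unique']} unique -> "
          f"{len(r['included'])} included, {len(r['excluded'])} excluded")
    print(json.dumps(r["layer"], indent=2))
```

Run directly, the sample shows 9 platform-level hits collapsing to 7 unique techniques, of which 4 are included: the same platform-overlap effect that takes the project from 373 platform-level inclusions to 277 unique techniques. To run against the real knowledge base, load enterprise-attack.json from MITRE's ATT&CK STIX data and pass it to build(). ATT&CK Workbench's own collection export additionally wraps the objects in an x-mitre-collection object; this example emits only the Navigator layer.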

Our results: IaaS technique collection

Figure 2: Sankey diagram of reviewed techniques

The diagram above reflects the 510 total (sub-)techniques drawn from four ATT&CK Enterprise platforms: Linux, Cloud (IaaS), Containers, and PRE. We also drew on the Center's insider threat framework to provide context for threat sources based on approved users. After analyzing all techniques and filtering them through our selection criteria, 373 (sub-)techniques were included in the collection and 137 were excluded. Because the same technique often appears on more than one platform, the final count of unique (sub-)techniques for IaaS is 277.

The collection of 277 IaaS techniques and analyst notes are available as a STIX bundle or spreadsheet on GitHub and can be viewed using the latest version of ATT&CK Workbench.

IaaS Technique Navigator

To make the collection more accessible for the community, we built a customized ATT&CK Navigator within the Center’s GitHub that provides an interactive matrix view to navigate techniques and define custom views using layers.

Figure 3: Defending IaaS with ATT&CK technique collection in Navigator view

Tooling: ATT&CK Workbench

ATT&CK Workbench is a tool to explore, create, annotate, and share extensions of a local version of the ATT&CK knowledge base. It is primarily used to create new techniques or extend existing techniques with new content. Workbench served as a repository to compile adversary behavior across multiple domains and platforms, apply selection criteria, and export the resulting collection and related data into a STIX bundle. A few features and improvements were added to make this possible:

  • Added links and quick looks between matrices, tactics, and techniques
  • Automatically include related tactics in a collection
  • Export technique annotations
  • Enhanced filtering and search (e.g., by platform)

Figure 4: IaaS techniques noted in ATT&CK Workbench

Applying our methodology to other domains

One of our motivations is to enable teams to create and share their own collections of ATT&CK techniques for other domains like Industrial Control Systems (ICS) or Operational Technology (OT). Our methodology offers a straightforward approach for organizations to specify the adversarial techniques applicable to their environment and details the process used to define a security boundary, select techniques that share a common theme across multiple platforms, and combine the results into an extensible ATT&CK matrix. As a result, organizations are better equipped to create their own curated sets of techniques to match the broad variety of technology in use.

Getting involved

There are several ways that you can get involved with this project and help advance threat-informed defense:

  • Review the collection using ATT&CK Navigator or ATT&CK Workbench. Navigator is the easiest way to get started, using the resource link above. If you are already a Workbench user, you will find that the latest version includes new capabilities that are helpful for creating custom collections.
  • Read the methodology. The Defending IaaS collection is helpful in its own right, but the methodology is provided so that organizations can create tailored collections to meet their own needs.
  • Build and share your own collections! This project provides the methodology and tools needed to build collections tailored to any need. You can build proprietary collections to use within your organization, or you can publish collections to benefit the community.

We welcome your feedback and contributions to help advance Defending IaaS with ATT&CK. Please see the guidance for contributors if you are interested in contributing or simply reporting issues.

Please submit issues for any technical questions/concerns or contact ctid@mitre-engenuity.org directly for more general inquiries.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

© 2022 MITRE Engenuity. Approved for Public Release. Document number CT0059.

Ingrid Skoog is Director of Research & Development, The Center for Threat-Informed Defense, MITRE-Engenuity.