Research Partnership Matures ATT&CK for Cloud

Jen Burns, MITRE-Engenuity
Dec 10, 2020

Written by Jen Burns and Jon Baker

The MITRE ATT&CK® team discussed some upcoming changes to ATT&CK for Cloud at the October ATT&CKcon Power Hour Session, and we’re excited to announce that these and other Cloud developments grew out of a partnership between MITRE ATT&CK and the Center for Threat-Informed Defense (Center).

ATT&CK for Cloud has gone through a few stages of growth since its release in October 2019, including a major revamp to add sub-techniques. In addition to the day-to-day process of adding and improving content as reflected in those updates, the ATT&CK team wanted to take a step back and think more strategically about ATT&CK for Cloud. With the support of Center participants (AttackIQ, Citigroup, JPMorgan Chase, and one other), we assembled a team that investigated Cloud platform coverage, added and refined Cloud data sources, and added new Cloud technique content to ATT&CK.

Cloud Platforms

One of the questions we get most often about ATT&CK for Cloud is why we broke out AWS, Azure, and GCP into individual platforms. The ATT&CK team was unsure how similar or different these platforms would be as they developed the initial ATT&CK for Cloud release, so they decided to keep them separate. But given this opportunity to refine Cloud platforms in ATT&CK, and with some time having passed since that initial release, we wanted to determine the right abstraction level for Cloud platforms in ATT&CK moving forward.

To kick off this work, we began by determining possible levels of abstraction for platforms within ATT&CK for Cloud and then built arguments for each based on user feedback and our own research. Ultimately, we made the decision to consolidate the AWS, Azure, and GCP platforms into a single Infrastructure as a Service (IaaS) platform in the next major ATT&CK update. Community feedback pointed to consolidation being the best path forward, and currently these three platforms share the same set of techniques and sub-techniques. Additionally, we found that an IaaS platform would make for a more inclusive ATT&CK for Cloud, as it will represent Cloud Service offerings beyond AWS, Azure, and GCP.

We also wanted to determine a path forward for the other types of Cloud platforms, including SaaS (Software as a Service), PaaS (Platform as a Service), and FaaS (Function as a Service). For SaaS, we decided to keep the current breakout of SaaS, Azure AD, and Office 365. We realize ATT&CK users are already utilizing these platforms, so we didn’t want to take those away from the community and consolidate into a single platform. Unlike with IaaS, the ATT&CK techniques in these spaces are also more diverse across different products. We also made the decision to continue to add new SaaS platforms as it makes sense to benefit the community. For PaaS and FaaS, since there isn’t enough related content in ATT&CK to generate individual platforms currently, we decided to represent them in the future IaaS platform with the plan to expand into individual platforms if and when there is enough adversarial behavior in these spaces to warrant that breakout.

Figure 1: Current and future ATT&CK for Cloud platforms

Cloud Data Sources

The current set of data sources within ATT&CK for Cloud is mainly just log sources (AWS CloudTrail logs, Azure activity logs, etc.) and not very granular or meaningful for Cloud users. With this project, we wanted to ensure that we developed a set of data sources that aligned to the plan for Cloud platforms moving forward and that our approach was consistent with the future of other Enterprise ATT&CK data sources. With these requirements in mind, we worked across ATT&CK to draft an initial set of Cloud data sources that align with events and APIs within IaaS environments.

As we refactored Cloud data sources, we ran into a few unique challenges, including determining how to normalize the name and structure of data sources across multiple Cloud vendors, and which of the APIs and events involved in detections across those vendors are relevant to a particular data source. We worked through these challenges, aiming to make decisions that would make the most sense to ATT&CK users, and determined an initial set of data sources for IaaS. As an example, Figure 2 shows a draft of the Instance data source. The ATT&CK team is now working to map those IaaS data sources to techniques and expand coverage to the SaaS, Azure AD, and Office 365 platforms. The new Cloud data sources will be released in a future update to ATT&CK.

Figure 2: Draft of an ATT&CK for Cloud data source
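As an added illustration of the normalization problem described above (example code, not from the ATT&CK project): map raw AWS CloudTrail, Azure Activity Log and GCP audit records onto a single vendor-neutral Instance data source. The component names and the event-to-component table are assumptions made for this example; the vendor API names are real operation names.

```python
# Added example (not ATT&CK project code): normalize vendor-specific control-plane
# events into one vendor-neutral "Instance" data source. Component names and the
# event table are constructed assumptions; the API names are real vendor operations.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class DataSourceEvent:
    data_source: str  # vendor-neutral data source name
    component: str    # kind of activity observed within that data source
    vendor: str
    identity: str     # principal that performed the action
    raw_api: str      # vendor API / event name that was mapped

# Assumed mapping: (vendor, API name) -> component of the "Instance" data source.
INSTANCE_EVENTS = {
    ("aws", "RunInstances"): "Instance Creation",
    ("aws", "TerminateInstances"): "Instance Deletion",
    ("azure", "Microsoft.Compute/virtualMachines/write"): "Instance Creation",  # write = create or update
    ("azure", "Microsoft.Compute/virtualMachines/delete"): "Instance Deletion",
    ("gcp", "v1.compute.instances.insert"): "Instance Creation",
}

def normalize(vendor: str, record: dict) -> Optional[DataSourceEvent]:
    # Each vendor stores the API name and the acting identity in different fields.
    if vendor == "aws":
        api, who = record.get("eventName", ""), record.get("userIdentity", {}).get("arn", "")
    elif vendor == "azure":
        api, who = record.get("operationName", ""), record.get("caller", "")
    elif vendor == "gcp":
        payload = record.get("protoPayload", {})
        api, who = payload.get("methodName", ""), payload.get("authenticationInfo", {}).get("principalEmail", "")
    else:
        return None
    component = INSTANCE_EVENTS.get((vendor, api))
    if component is None:
        return None  # valid event (e.g. DescribeRegions) but not part of the Instance data source
    return DataSourceEvent("Instance", component, vendor, who, api)

# Constructed sample records: field layout follows each vendor's log format, values are invented.
SAMPLES = [
    ("aws", {"eventName": "RunInstances", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}}),
    ("aws", {"eventName": "DescribeRegions", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}}),
    ("azure", {"operationName": "Microsoft.Compute/virtualMachines/delete", "caller": "bob@example.com"}),
    ("gcp", {"protoPayload": {"methodName": "v1.compute.instances.insert",
                              "authenticationInfo": {"principalEmail": "carol@example.com"}}}),
]

def normalize_all(samples=SAMPLES) -> list:
    return [e for vendor, rec in samples if (e := normalize(vendor, rec)) is not None]
```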

Cloud Technique Coverage

Finally, we worked to expand technique coverage in ATT&CK for Cloud. The majority of the Cloud content in the October 2020 release of ATT&CK was developed from this Center partnership, including the creation of the new sub-technique Impair Defenses: Disable Cloud Logs (T1562.008) and the major update to Account Manipulation: Additional Cloud Credentials (T1098.001). This partnership also allowed for the opportunity to clarify scope for IaaS techniques in ATT&CK. After deliberation across the ATT&CK team and conversations with the Cloud community, we decided that IaaS techniques in ATT&CK should generally focus on adversarial behavior in the Cloud control and management plane versus behavior on endpoints, as endpoint behavior is already captured in the Linux, macOS, and Windows platforms. This led to the removal of Network Share Discovery (T1135), Data from Information Repositories (T1213), and Remote System Discovery (T1018) from the AWS, Azure, and GCP matrices.

Overall, we believe this partnership between the ATT&CK team and the Center for Threat-Informed Defense provided an invaluable opportunity to improve one of the newest focus areas for ATT&CK. If you have any feedback on any of these updates to ATT&CK for Cloud, please feel free to reach out to the ATT&CK team at attack@mitre.org.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Currently composed of 24 Participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

© 2020 MITRE Engenuity. Approved for Public Release. Document number CT0010

Jen Burns, MITRE-Engenuity: Lead Cybersecurity Engineer at MITRE. ATT&CK Team Member and Cloud Lead.