What is MITRE ATT&CK™?
MITRE introduced ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) in 2013 as a way to describe and categorize adversarial behaviors based on real-world observations. ATT&CK is a structured list of known attacker behaviors that have been compiled into tactics and techniques and expressed in a handful of matrices as well as via STIX/TAXII. Since this list is a fairly comprehensive representation of behaviors attackers employ when compromising networks, it is useful for a variety of offensive and defensive measurements, representations, and other mechanisms.
Understanding ATT&CK matrices
MITRE has ATT&CK broken out into a few different matrices: Enterprise, Mobile, and PRE-ATT&CK. Each of these matrices contains various tactics and techniques associated with that matrix’s subject matter.
The Enterprise matrix is made of techniques and tactics that apply to Windows, Linux, and/or macOS systems. Mobile contains tactics and techniques that apply to mobile devices. PRE-ATT&CK contains tactics and techniques related to what attackers do before they try to exploit a particular target network or system.
The nuts and bolts of ATT&CK: tactics and techniques
When looking at ATT&CK in the form of a matrix, the column titles across the top are tactics and are essentially categories of techniques. Tactics describe what attackers are trying to achieve, whereas the individual techniques describe how they accomplish those steps or goals.
For example, one of the tactics is Lateral Movement. In order for an attacker to successfully achieve lateral movement in a network, they will want to employ one or more of the techniques listed in the Lateral Movement column in the ATT&CK matrix.
A technique is a specific behavior to achieve a goal and is often a single step in a string of activities employed to complete the attacker’s overall mission. ATT&CK provides many details about each technique including a description, examples, references, and suggestions for mitigation and detection.
As an example of how tactics and techniques work in ATT&CK, an attacker may wish to gain access into a network and install cryptocurrency mining software on as many systems as possible inside that network. In order to accomplish this overall goal, the attacker needs to successfully perform several intermediate steps. First, gain access to the network – possibly through a Spearphishing Link. Next, they may need to escalate privilege through Process Injection. Now they can get other credentials from the system through Credential Dumping and then establish persistence by setting the mining script to run as a Scheduled Task. With this accomplished, the attacker may be able to move laterally across the network with Pass the Hash and spread their coin miner software on as many systems as possible.
In this example, the attacker had to successfully execute five steps – each representing a specific tactic or stage of their overall attack: Initial Access, Privilege Escalation, Credential Access, Persistence, and Lateral Movement. They used specific techniques within these tactics to accomplish each stage of their attack (spearphishing link, process injection, credential dumping, etc.).
The differences between PRE-ATT&CK and ATT&CK Enterprise
PRE-ATT&CK and ATT&CK Enterprise combine to form the full list of tactics that happen to roughly align with the Cyber Kill Chain. PRE-ATT&CK mostly aligns with the first three phases of the kill chain: reconnaissance, weaponization, and delivery. ATT&CK Enterprise aligns well with the final four phases of the kill chain: exploitation, installation, command & control, and actions on objectives.
What can be done with ATT&CK?
ATT&CK is valuable in a variety of everyday settings. Any defensive activities that reference attackers and their behaviors can benefit from applying ATT&CK’s taxonomy. Beyond offering a common lexicon for cyber defenders, ATT&CK also provides a foundation for penetration testing and red teaming. This gives defenders and red teamers common language when referring to adversarial behaviors.
Examples where applying ATT&CK’s taxonomy can be useful:
Mapping defensive controls
Defensive controls can carry well-understood meaning when referenced against the ATT&CK tactics and techniques they apply to.
Tool integrations
Disparate tools and services can standardize on ATT&CK tactics and techniques, lending cohesiveness to a defense that is often lacking.
Threat hunting
Mapping defenses to ATT&CK yields a roadmap of defensive gaps that provide threat hunters the perfect places to find missed attacker activity.
Sharing
When sharing information about an attack, an actor or group, or defensive controls, defenders can ensure common understanding by using ATT&CK techniques and tactics.
Detections and Investigations
The Security Operations Center (SOC) and incident response team can reference ATT&CK techniques and tactics that have been detected or uncovered. This aids in understanding where defensive strengths and weaknesses are, helps validate mitigation and detection controls, and can uncover misconfigurations and other operational issues.
Red teaming and penetration testing
Planning, execution, and reporting of red team, purple team, and penetration test activities can use ATT&CK to speak a common language with defenders and report recipients as well as amongst themselves.
Referencing actors
Actors and groups can be associated with specific, definable behaviors.
Using ATT&CK to map defenses and understand gaps
The natural inclination of most security teams when looking at MITRE ATT&CK is to try to develop some kind of detection or prevention control for each technique in the enterprise matrix. While this isn’t a terrible idea, the nuances of ATT&CK make this approach a bit dangerous if certain caveats aren’t kept in mind. Techniques in the ATT&CK matrices can often be performed in a variety of ways, so blocking or detecting a single way to perform them doesn’t necessarily mean that there is coverage for every possible way to perform that technique. This can lead to a false sense of security: because a tool blocks one form of employing a technique, the technique is assumed to be properly covered for the organization, yet attackers can still successfully employ other ways of performing that technique without any detection or prevention in place.
The way to address this is the following:
For example, if antivirus detects the presence of Mimikatz, that doesn’t mean that Pass the Hash (T1075) and Pass the Ticket (T1097) are covered as there are still several other ways to perform these techniques that don’t involve the use of Mimikatz. Keep this in mind if trying to use ATT&CK to show defensive coverage in an organization.
Using ATT&CK with cyber threat intelligence
ATT&CK can be useful to cyber threat intelligence as it allows for describing adversarial behaviors in a standard fashion. Actors can be tracked with associations to techniques and tactics in ATT&CK that they have been known to utilize. This gives a roadmap to defenders to apply against their operational controls to see where they have weaknesses against certain actors and where they have strengths. Creating MITRE ATT&CK Navigator entries for specific actors is a good way to visualize the environment’s strengths and weaknesses against those actors or groups. ATT&CK is also available as a STIX/TAXII 2.0 feed which makes it easy to ingest into existing tools that support those technologies.
ATT&CK provides details on nearly seventy actors and groups, including what techniques and tools they are known to use based on open-source reporting.
The intelligence creation process itself can benefit from using the common vernacular of ATT&CK. As mentioned, this can apply to actors and groups but can also apply to observed behaviors as seen from the SOC or incident response activities. Malware can also be referred to in terms of behaviors via ATT&CK. Any threat intelligence tools that have support for ATT&CK help make this process straightforward. Commercial and open-source intelligence that apply ATT&CK to any mentioned behaviors are also helpful in keeping things consistent. Disseminating intelligence to operations or management is ultimately much easier when all parties speak the same language around adversarial behaviors. If operations know exactly what Forced Authentication is and see it mentioned in an intelligence report, they may know exactly what actions should be taken or what controls are already in place regarding that piece of intelligence. Standardizing on ATT&CK references in intelligence products in this way can dramatically improve efficiency and ensure common understanding.
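The STIX/TAXII feed mentioned above links groups to techniques through "uses" relationships, and a technique filed under several tactics (such as DLL Search Order Hijacking) carries one kill-chain phase per tactic. The following is an added example, not code from the original article or from MITRE: it resolves a group's known techniques from a constructed miniature STIX 2.0 bundle (hypothetical group name, a handful of objects) and emits a minimal ATT&CK Navigator layer from the result.

```python
import json
def _ap(uid, name, tid, *tactics):
    """Constructed attack-pattern object shaped like those in the ATT&CK STIX 2.0 feed."""
    return {"type": "attack-pattern", "id": f"attack-pattern--{uid}", "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics]}

def _uses(src, dst):
    """Constructed 'uses' relationship (intrusion-set -> attack-pattern)."""
    return {"type": "relationship", "relationship_type": "uses", "source_ref": src, "target_ref": dst}
# Constructed miniature bundle; the real feed holds thousands of objects and the group name is hypothetical.
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--sample", "objects": [
    {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "Example Group"},
    _ap("a1", "Credential Dumping", "T1003", "credential-access"),
    _ap("a2", "DLL Search Order Hijacking", "T1038", "persistence", "privilege-escalation", "defense-evasion"),
    _ap("a3", "Pass the Hash", "T1075", "lateral-movement"),
    _uses("intrusion-set--g1", "attack-pattern--a1"),
    _uses("intrusion-set--g1", "attack-pattern--a2"),
]}

def attack_id(obj):
    """Return the Txxxx identifier from an object's mitre-attack external reference, if any."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def techniques_used_by(bundle, group_name):
    """Map technique ID -> list of tactics for every attack-pattern the named group 'uses'."""
    objs = bundle["objects"]
    groups = {o["id"] for o in objs if o["type"] == "intrusion-set" and o["name"] == group_name}
    patterns = {o["id"]: o for o in objs if o["type"] == "attack-pattern"}
    result = {}
    for rel in objs:
        if rel["type"] != "relationship" or rel.get("relationship_type") != "uses":
            continue
        if rel["source_ref"] in groups and rel["target_ref"] in patterns:
            ap = patterns[rel["target_ref"]]
            # a technique filed under several tactics (T1038) yields several phases here
            result[attack_id(ap)] = [p["phase_name"] for p in ap.get("kill_chain_phases", [])
                                     if p["kill_chain_name"] == "mitre-attack"]
    return result

def navigator_layer(group_name, techniques):
    """Minimal ATT&CK Navigator layer: one entry per (technique, tactic) pair, scored 1."""
    return {"name": f"{group_name} techniques", "domain": "enterprise-attack",
            "techniques": [{"techniqueID": tid, "tactic": tactic, "score": 1, "comment": "known use"}
                           for tid, tactics in sorted(techniques.items()) for tactic in tactics]}

if __name__ == "__main__":
    print(json.dumps(navigator_layer("Example Group", techniques_used_by(SAMPLE_BUNDLE, "Example Group")), indent=2))
```

Techniques the group is not linked to (Pass the Hash here) stay out of the layer, which is exactly the gap view against a specific actor that the text describes.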
Adversarial simulation and ATT&CK
Testing the techniques in ATT&CK against the environment is the best way to:
The process of performing adversarial simulation isn’t foreign to many environments. When employing penetration testers to test the environment, organizations are engaging in adversarial simulation testing. The same applies to organizations that have internal red teams or that perform purple team engagements. Applying the activities of these engagements to ATT&CK techniques elevates the understanding of the results by defenders. Instead of reporting failures to detect certain activity, reporting from pen tests and red teams can contain better context to apply their activities directly to operational controls, defensive tools, and procedures. This makes it easier for defenders to take appropriate actions as a result of the reports.
Simulations can be designed to mirror tools and techniques known to be used by specific actors as well. This can be especially useful when trying to assess how successful certain adversaries might be against the controls present in the environment.
Additionally, there are tools available that provide mechanisms for testing certain techniques directly inside the environment and are already aligned with ATT&CK. Commercial tools such as Verodin, SafeBreach, and AttackIQ provide the ability to perform adversarial simulation aligned with ATT&CK. There are also open-source options for adversarial simulation that align with ATT&CK (listed below). As always, take care when performing adversarial simulations on production networks where the scope of potential ramifications isn’t fully understood.
The process for making use of these tools is straightforward:
- Simulate – Choose simulation criteria based on the desired testing, then run the tool or perform the technique manually
- Hunt – Examine logs and tool output for evidence of the simulated activity; note missed expectations with detective or preventive controls
- Detect – Add new detections or mitigations based on the findings; also note any gaps in visibility and any tools used for detection or mitigation
Best Practices for Using MITRE ATT&CK
Following is a list of best practices for ATT&CK:
- Use tactics where techniques are ambiguous or difficult to pin down
- Share discovered methods of detection and mitigation
- Share tactics and techniques of observed attacker behaviors
- Leverage ATT&CK integration in existing tools
- Follow external research around detections and mitigations
- Encourage vendors and service providers to add support for ATT&CK where it would be useful
Challenges When Leveraging ATT&CK
Using ATT&CK doesn’t come without challenges. It’s good to keep these in mind when leveraging ATT&CK.
Not all techniques are always malicious
- Example: Data from Network Shared Drive (T1039)
- Key to detection: How is this technique being invoked?
Some techniques are listed under multiple tactics
- Example: DLL Search Order Hijacking (T1038)
- Shows up under Persistence, Privilege Escalation, and Defense Evasion tactics
- Some techniques, such as this one, can be used for multiple use cases and are useful in multiple stages of attack
Not all techniques are easy to detect
- Example: Spearphishing Link (T1192)
- Key to detection: Other events surrounding email receipt
Some techniques have many possible methods of execution
- Example: Credential Dumping (T1003)
- Key to detection: Build out known methods of evoking the technique and label them all as Credential Dumping
- MITRE will be releasing sub-techniques to help address this
MITRE ATT&CK Tools and Resources
The following is a list of tools and other resources that make use of ATT&CK. Some of these have been mentioned previously but are provided here for easy reference:
ATT&CK Navigator
ATT&CK Navigator is a great tool to use for mapping out controls against ATT&CK techniques. Layers can be added that specifically show detective controls, preventive controls, or even observed behaviors. Navigator can be used online for quick mockups or scenarios, or it can be downloaded and set up internally as a more permanent solution.
Malware Archeology Windows ATT&CK Logging Cheat Sheet
Trusted professionals at Malware Archeology provide a number of Windows logging cheat sheets to aid defenders in finding malicious activity in logs. They have one dedicated to finding techniques from MITRE ATT&CK.
Uber Metta
Metta is an open source project from Uber that performs adversarial simulation and is aligned with MITRE ATT&CK.
MITRE Cyber Analytics Repository (CAR)
MITRE has a resource called the Cyber Analytics Repository (CAR) which is a reference site to various analytics useful for detecting behaviors in MITRE ATT&CK.
MITRE Caldera
Caldera is an open source, automated adversary simulation tool that is based on MITRE ATT&CK.
ATT&CK Tableau Table by Cyb3rPanda
Cyb3rPanda has loaded ATT&CK into a public Tableau instance for easy pivoting and filtering.
Red Canary Atomic Red Team
Atomic Red Team is an open source tool from Red Canary for simulating adversarial behaviors mapped to MITRE ATT&CK. More info available at: https://atomicredteam.io/
Palo Alto Unit 42 Playbook Viewer
Palo Alto’s Unit 42 group has released a free playbook viewer that shows known adversarial behaviors for a handful of threat groups aligned to MITRE ATT&CK.
Endgame Red Team Automation
Red Team Automation is an open-source tool from Endgame that tests malicious behavior modeled on MITRE ATT&CK.
Anomali Cyber Watch
This free weekly report includes key security and threat developments of the week. The report includes relevant IOCs and ATT&CK techniques for each story included in the briefing.
MITRE ATT&CK Summary
MITRE has made a significant contribution to the security community by giving us ATT&CK and its related tools and resources. It couldn’t have come at a better time. As attackers find ways to be stealthier and avoid detection by traditional security tools, defenders find themselves having to change how they approach detection and defense. ATT&CK shifts our perception from low-level indicators like IP addresses and domain names and causes us to see attackers and our defenses through the lens of behaviors. This new perception doesn’t mean results will come easily, though. The easy days of block lists and simple filters are all but gone. Detecting and preventing behaviors is a much harder path than the fire-and-forget tools of the past. Additionally, attackers will certainly adapt as defenders bring new capabilities to bear. ATT&CK provides a way to describe whatever new techniques they develop and hopefully keep defenders in step.