What is the MITRE ATT&CK Framework?

Introduction

MITRE describes its framework as “a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s attack lifecycle and the platforms they are known to target.”

The key words here are “phases” and “behavior.” When an adversary has a strategic objective – think data exfiltration or establishing long term command and control – they will use multiple tactics in phases. Each phase consists of behaviors which are simply a set of techniques.

Techniques, in turn, have varying sets of procedures. Therefore, the end goal comprises an initial tactic with one or more techniques, followed by another tactic with its techniques, and so on until the adversary’s objective is met. This layering of general tactics down to specific procedures is where we get TTP: Tactic, Technique, Procedure.

Who is MITRE?

Founded in 1958 as a spin-off of the MIT Lincoln Laboratory, MITRE is a government-backed not-for-profit organization headquartered in Bedford, Massachusetts and McLean, Virginia. MITRE operates federally funded research centers to assist the United States government with research, development and systems engineering in the aviation, defense, healthcare, homeland security and cybersecurity fields.

Notable contributions to the cybersecurity community include the Common Vulnerabilities and Exposures (CVE) database, which publishes public vulnerability information, and the Structured Threat Information eXpression (STIX) language, which aids in the sharing of threat intelligence information.

MITRE Engenuity was launched in 2019 as a dedicated foundation “to collaborate with the private sector on solving industry wide problems with cyber defense”. MITRE Engenuity develops the MITRE Engenuity ATT&CK framework and performs the MITRE Engenuity ATT&CK evaluations.

What Is the Goal of MITRE ATT&CK?

MITRE Engenuity is a not-for-profit research organization whose stated goals are to:

  1. Empower end-users with objective insights into how to use specific commercial security products to detect known adversary behaviors.
  2. Provide transparency around the true capabilities of security products and services to detect known adversary behaviors.
  3. Drive the security vendor community to enhance their capability to detect known adversary behaviors.

The ATT&CK framework brings a common lexicon that enables stakeholders, cyber defenders, and vendors to clearly communicate on the exact nature of a threat and the objective assessment of the cyberdefense plan that can defeat it.

Three benefits follow from this common lexicon:

  • We gain insight into the adversary’s game plan in terms of combinations of tactics and techniques.
  • We can clearly communicate the exact nature of a threat and respond faster with greater insight.
  • When we understand who our typical adversaries are and how they attack us, we can proactively design defenses to blunt them.

What Does ATT&CK Stand For?

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. MITRE Engenuity ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

What are ATT&CK tactics?

An ATT&CK tactic is the highest-level objective of an attacker. Tactics give the analyst information on the potential intent of the activity; they answer why an adversary is performing their actions. Tactics represent high-level contextual categories for individual techniques – for example, initial access, execution, persistence.

What are ATT&CK techniques?

An ATT&CK technique is how the attacker meets their objectives and also represents what an adversary seeks to gain with their actions. For example, an adversary may use techniques that encrypt or compress data while carrying out the Exfiltration tactic.

The relationship between tactics and techniques is visualized in the ATT&CK matrix. For example, the Persistence tactic may have a series of associated techniques, such as creating a new service or new scheduled task.

How is MITRE ATT&CK Different From Cyber Kill Chain?

At first glance, the MITRE Engenuity ATT&CK framework looks similar to the Lockheed Martin Cyber Kill Chain. Both frameworks offer different models of threat behaviors and objectives.

The Cyber Kill Chain is broken into 7 steps:

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command and control
  7. Actions on objectives

The MITRE Engenuity ATT&CK framework has 10 steps:

  1. Initial access
  2. Execution
  3. Persistence
  4. Privilege escalation
  5. Defense evasion
  6. Credential access
  7. Discovery
  8. Lateral movement
  9. Collection and exfiltration
  10. Command and control

Each step in the ATT&CK framework has multiple tactics and techniques, which offer additional granularity and specificity when describing attacker behavior. ATT&CK goes beyond describing the stages of an attack, and instead models specific attacker actions and motivations.

Additionally, the Cyber Kill Chain is read sequentially starting with reconnaissance and ending with actions on objectives. The ATT&CK framework isn’t chronological and assumes attackers may change tactics and techniques over the course of an attack.

MITRE points out that it is a “mid-level adversary model”, meaning that it is not too generalized and not too specific. High-level models like the Lockheed Martin Cyber Kill Chain illustrate adversary goals but aren’t specific about how the goals are achieved.

Conversely, exploit and malware databases specifically define IoC “jigsaw pieces” in a giant puzzle but aren’t necessarily connected to how the bad guys use them, nor do they typically identify who the bad guys are. MITRE Engenuity’s TTP model is that happy medium where tactics are the stepwise intermediate goals and the techniques represent how each tactic is achieved.

How to Use the MITRE ATT&CK Framework

CISOs and security teams can use the following ATT&CK framework best practices to improve their security posture:

1. Plan a Cyber Security Strategy

Use ATT&CK to plan your cyber security strategy. Build your defenses to counter the techniques known to be used against your type of organization and equip yourself with security monitoring to detect evidence of ATT&CK techniques in your network.

2. Run Adversary Emulation Plans

Use ATT&CK for Adversary Emulation Plans to improve Red team performance. Red teams can develop and deploy a consistent and highly organized approach to defining the tactics and techniques of specific threats, then logically assess their environment to see if the defenses work as expected.

3. Identify Gaps in Defenses

ATT&CK matrices can help Blue teams better understand the components of a potential or ongoing cyber attack to identify gaps in defenses and implement solutions for those gaps. ATT&CK documents suggested remediations and compensating controls for the techniques to which you are more prone.

4. Integrate Threat Intelligence

ATT&CK can effectively integrate your threat intelligence into cyber defense operations. Threats can be mapped to the specific attacker techniques to understand if gaps exist, determine risk, and develop an implementation plan to address them.
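The gap analysis that steps 3 and 4 describe, as an added example that is not part of the original article or of MITRE's tooling: a hand-picked slice of the matrix (tactic → technique), a constructed threat profile for a hypothetical group, and a constructed view of our own detections, from which the script lists uncovered techniques per tactic and emits a minimal Navigator-style layer. The technique IDs are real ATT&CK identifiers; the threat profile, the coverage data and the layer field names (techniqueID, score, comment) are assumptions.

```python
"""Gap analysis over a tactic -> technique slice of ATT&CK (added example)."""
import json

# Hand-picked slice of the Enterprise matrix, tactic -> {technique ID: name}.
# The IDs are real ATT&CK technique identifiers; the slice itself is constructed.
MATRIX = {
    "Initial Access": {"T1566": "Phishing", "T1078": "Valid Accounts"},
    "Execution": {"T1059": "Command and Scripting Interpreter"},
    "Persistence": {"T1053": "Scheduled Task/Job",
                    "T1543": "Create or Modify System Process"},
    "Collection": {"T1560": "Archive Collected Data"},
    "Exfiltration": {"T1041": "Exfiltration Over C2 Channel"},
}

# Constructed threat profile: techniques a hypothetical group is reported to use.
# This is NOT MITRE's group data for any real actor.
THREAT_PROFILE = {"T1566", "T1059", "T1053", "T1560", "T1041"}

# Constructed view of our own detections: technique ID -> detection status.
COVERAGE = {"T1566": "detect", "T1059": "detect", "T1543": "detect", "T1041": "telemetry"}


def gap_analysis(matrix, threat_profile, coverage):
    """Return ({tactic: [(tid, name), ...]}, unmapped_ids): profile techniques lacking a
    'detect' entry, walked column by column in matrix order, plus profile IDs the
    matrix slice does not model (a mapping failure, not a detection failure)."""
    gaps, known = {}, set()
    for tactic, techniques in matrix.items():
        known.update(techniques)
        missing = [(tid, name) for tid, name in techniques.items()
                   if tid in threat_profile and coverage.get(tid) != "detect"]
        if missing:
            gaps[tactic] = missing
    return gaps, sorted(threat_profile - known)


def to_navigator_layer(name, threat_profile, coverage):
    """Build a minimal Navigator-style layer (assumed field names) scoring covered
    techniques 1 and uncovered ones 0, so gaps stand out when the layer is loaded."""
    techniques = [{"techniqueID": tid,
                   "score": 1 if coverage.get(tid) == "detect" else 0,
                   "comment": coverage.get(tid, "no detection")}
                  for tid in sorted(threat_profile)]
    return {"name": name, "domain": "enterprise-attack", "techniques": techniques}


if __name__ == "__main__":
    gaps, unmapped = gap_analysis(MATRIX, THREAT_PROFILE, COVERAGE)
    for tactic, missing in gaps.items():
        print(f"{tactic}: " + ", ".join(f"{tid} {name}" for tid, name in missing))
    print("unmapped:", unmapped)
    print(json.dumps(to_navigator_layer("gaps", THREAT_PROFILE, COVERAGE), indent=2))
```

Telemetry-only entries such as T1041 above are deliberately counted as gaps, since visibility without an alert is what the evaluations distinguish from detection.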

How Does MITRE ATT&CK Evaluate Security Products?

MITRE Engenuity ATT&CK Evaluations are emulations constructed to mimic an adversary’s known TTPs, conducted in a controlled lab environment to determine each participating vendor’s product efficacy. According to MITRE Engenuity:

“The (ATT&CK) evaluations use adversary emulation, which is a way of testing ‘in the style of’ a specific adversary. This allows us to select a relevant subset of ATT&CK techniques to test. To generate our emulation plans, we use public threat intel reporting, map it to ATT&CK, and then determine a way to replicate the behaviors.”

The aim is to put together a complete, logical attack that moves through all the stages of a comprehensive, successful attack from initial compromise to persistence, lateral movement, data exfiltration, and so on.

Since MITRE Engenuity collaborates with vendors during the evaluations, MITRE Engenuity is effectively the red team, while the vendor providing detection and response to MITRE Engenuity is the blue team. The result is a “purple team” that helps test security controls in real time by emulating the type of approach that intruders are likely to use in an actual attack based on their known TTPs observed in the wild.

Why Does the MITRE ATT&CK Evaluation Matter?

Testing security solutions has long been problematic and ill-suited to determining real-world capability. From the original EICAR test to the dedicated third-party testing labs that have been around for some years now, there’s always been a strong disconnect between the artificial test and real-world efficacy. Vendors themselves have long been aware that their customers need both reassurance and training with their products, and they naturally set out to showcase their solutions in situations that best suit their own strengths.

What MITRE brings to the table is unique. First, the evaluation provides independent, non-partisan, and open test criteria and results. Importantly, the test does not seek to rank or judge vendor products against one another. The aim is to show how the product responds to specific stages of an attack. This helps enterprise users understand how the product they have adopted or may be considering adopting is likely to perform in the real world.

Second, with some caveats that we’ll note in a moment, it’s as close to a real-world experience as anything else currently available. By chaining together observed, in-the-wild TTPs and applying these in phases that emulate the behavior of an entire attack lifecycle, consumers get a far richer insight into how a product will perform than they can from testing against a compendium of known and unknown malware samples.

What’s the History of the MITRE ATT&CK Enterprise Evaluations?

MITRE Engenuity ATT&CK evaluations first began in 2018. MITRE Engenuity maintains a knowledge base of known advanced threat groups, and each year selects an adversary group (or groups) to emulate for evaluation testing. Detailed results for current and previous evaluations are hosted on the MITRE Engenuity ATT&CK evaluation participant comparison tool.

APT3 (2018)

APT3 is a China-based threat group which first became active in 2010 and is associated with the Chinese Ministry of State Security (China’s Intelligence Services). APT3 goes by various names including Gothic Panda, Pirpi, UPS Team, and Buckeye and has been associated with attacks in the Aerospace, Defense, High Tech, Telecommunications and Transportation industries.

APT3’s motivation is to steal critical information from private organizations or governments and to fulfill Chinese political, economic or military objectives. While initially targeting US-based companies, their focus has shifted to political opposition groups in Hong Kong.

The APT3 testing process was broken into 2 scenarios – the first using CobaltStrike and the second using PowerShell Empire. The attack scenario consisted of the following operational flow:

  1. Command and Control setup
  2. Tool preparation
  3. Initial compromise
  4. Initial discovery
  5. Expand access
  6. Establish persistence
  7. Intellectual property theft

APT29 (2019)

APT29 is a Russia-based threat group which first became active around 2008 and is attributed to Russia’s Foreign Intelligence Service (SVR). APT29 goes by various names including Cozy Bear, The Dukes, StellarParticle and Dark Halo and has been associated with attacks on European and NATO member countries and think tanks.

Cozy Bear is best known for the 2015 hack of the Democratic National Committee and subsequent election interference via social media botnets. APT29’s motivation is to target sovereign states and governments that hold opposing political, economic and military interests. APT29 is a sophisticated and well-funded group known for its stealth and custom malware.

The APT29 testing process was broken into 2 scenarios – the first using a broad ‘smash and grab’ technique (emulating the group’s large-scale spear phishing campaigns) and the second using a targeted ‘low and slow’ technique. The attack scenario consisted of the following operational flow:

  1. Command and Control setup
  2. Tool preparation
  3. Targeted initial compromise or broad initial compromise (smash and grab)
  4. Deploy stealth toolkit
  5. Stealth intel gathering
  6. Operational cleanup

Carbanak and FIN7 (2020)

Carbanak and FIN7 are Russian-linked adversaries which both use the Carbanak malware, but are tracked as separate threat groups. Carbanak was first discovered in 2014 and primarily targets banking networks and financial institutions in the US, Germany, China and Ukraine.

Carbanak is reported to have stolen over $900 million from banks and thousands of private customers. FIN7 was first seen in mid-2015 and targets the US retail, restaurant and hospitality industries. FIN7 is reported to have stolen over $1B from their victims.

The Carbanak/FIN7 testing process was broken into 2 scenarios – the first targeting a financial institution and the second targeting a hotel manager. The attack scenario consisted of the following operational flow:

  1. Command and Control setup
  2. Tool preparation
  3. Targeted initial compromise
  4. Expand access
  5. Establish persistence
  6. Illicit funds transfer or steal hotel payment information

What’s New in the MITRE ATT&CK 2021 Evaluation?

The results published in April 2021 focus on emulating financial threat groups Carbanak and FIN7.

Both Carbanak and FIN7 have a well-documented history of widespread impact. Carbanak is cited with the theft of a cumulative $900M from banks and more than a thousand private customers. FIN7 is said to be responsible for the theft of more than 15 million customer credit card records from victims spanning the globe.

The main goal behind both groups’ malicious activities is to steal financial assets from companies, such as debit card information, or to gain access to financial data through the computers of finance department employees in order to conduct wire transfers to offshore accounts.

2021 ATT&CK Evaluations also introduced two significant evolutions: Testing on Linux environments, as well as the addition of Protection testing. MITRE Engenuity also released the ATT&CK Navigator, a tool to compare and understand relative vendor performance in a given ATT&CK evaluation.

MITRE ATT&CK Tools and Resources

MITRE Engenuity only publishes the raw data results from the evaluations. Interpreting the data and drawing conclusions is up to the reader. The SentinelOne team has provided a whitepaper MITRE ATT&CK Evaluation – Carbanak and Fin7 to help with understanding the results.

Are you ready to learn more? SentinelOne proactively protects your business at every stage of the threat lifecycle. See for yourself – Schedule a demo.