Ever wondered how a cybercriminal or a hacker carries out their devious plans to cause a cyberattack within an organisation? Companies have developed a few frameworks, such as the Cyber Kill Chain, NIST cybersecurity framework and the MITRE ATT&CK framework, to help organisations understand the tactics and techniques cybercriminals use to plan and execute a cyberattack.
The MITRE ATT&CK framework studies real-life attack methods and observations by cyber security analysts to map tactics and techniques used by cybercriminals or threat actors — an individual or a group of people who use one of many cyberattack methods, including malware and phishing, to harm devices owned by other people or organisations.
History of the MITRE ATT&CK framework
Created by MITRE in 2013, the MITRE ATT&CK framework is a publicly available knowledge base of real-world cyberattack tactics and techniques. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge.
The framework is represented through matrices where the columns specify tactics corresponding to the various stages of an attack lifecycle. The rows cover techniques and sub-techniques that show the various methods used by threat actors to fulfil the goals of a particular tactic or stage.
Advantages of MITRE ATT&CK
The framework serves as a unified language to describe attacker behaviour and a reference point to design threat models and methodologies. Threat modelling identifies potential threats, vulnerabilities and risks to an organisation’s environment and recognises security gaps to protect its systems and resources better.
MITRE ATT&CK provides a benchmark for an organisation’s security controls and defence measures and empowers professionals to carry out security gap assessments against the attack tactics and techniques used by threat actors outlined in the framework as per the nature of their organisation’s infrastructure and environment.
The 14 Tactics for Enterprises
The MITRE ATT&CK matrix varies for enterprise, mobile and ICS (Industrial Control Systems) environments. In this article, we will cover the tactics used by enterprises. Here, the threat actors are referred to as adversaries.
- Reconnaissance – The adversary starts with gathering details about an enterprise/organisation, its infrastructure and employees or personnel that can be used for targeting.
- Resource Development – The adversary collates tools to be used for the attack. This includes creating, stealing or gathering necessary tools that may aid in further steps of the attack, like purchasing domains and creating spoofed email accounts.
- Initial Access – This stage consists of various entry vectors to gain initial access into the target enterprise’s network. Techniques include spear phishing attachment, a highly targeted phishing attack that uses a malicious attachment to allow the adversary access to the compromised system.
- Execution – Malicious code is run on the enterprise’s local or remote systems. For instance, adversaries may abuse PowerShell commands and scripts for execution. PowerShell is an interactive command line interface and scripting environment in the Windows operating system (OS).
- Persistence – Organisations often have security measures like password cycles, which may cause adversaries to lose their footing in the environment. To ensure that they maintain access despite disruptions like password changes or system shutdowns, adversaries use techniques for persistence.
- Privilege Escalation – This stage includes techniques that enable adversaries to gain higher-level permissions on a system or network. Attackers commonly use system weaknesses like misconfigurations or vulnerabilities for elevated access. One of the techniques used is domain Policy Modification, where adversaries may modify the configuration settings of a domain to escalate privileges in the domain environment.
- Defence Evasion – Adversaries use techniques to avoid being detected throughout their attack. Techniques may include disabling or uninstalling security software. Adversaries can use exploitation for defence evasions, exploiting a system or application vulnerability to gain access or circumvent defence security software. Once adversaries gain privileged access, they can hide user accounts they have created or modified.
- Credential Access – Credentials include usernames, account IDs, and passwords for various platforms used in the enterprise environment. Common methods used for credential access are keylogging and credential dumping. Keylogging uses malware deployed on the victim’s system to map their activity, log keystrokes and identify credentials. Credential dumping includes stealing cached credentials from a computer’s OS.
- Discovery – This tactic involves an attacker using techniques to gain knowledge about the target enterprise’s system and internal networks. Adversaries may try to find information about accounts to assess valid usernames and email addresses to determine which can aid in further actions like brute-forcing, spear phishing attacks, or account takeovers.
- Lateral Movement – Once the adversary gains persistent access, they might want to move further along the environment to target multiple touch points within the enterprise. Lateral movement techniques aim to gain remote access to systems on a network. Enterprises often use tools to enable users to establish remote services such as telnet, SSH, and RDP. Adversaries can hijack remote service sessions to move laterally into the environment.
- Collection – The adversaries try to collect data and information that can help them with further steps like exfiltration, which is stealing data. Data collected can vary from browsers, audio input, video input and emails. Methods for data collection include capturing screenshots, keyboard strokes, accessing cloud storage, and audio captures using a device’s webcam or microphone to record sensitive information.
- Command and Control – Adversaries may need to communicate with systems under their control within a compromised enterprise environment. They try to mimic the usual traffic to avoid detection. A connection proxy can direct traffic networks between systems or act as an intermediary for network communications to a command and control server to bypass direct connections to the infrastructure.
- Exfiltration – Exfiltration techniques are used to steal/exfiltrate data from the enterprise environment. Adversaries often use data compressing and encrypting to avoid the detection of the removal of data. They can use the established command and control channel for this tactic.
- Impact – This is the stage where the attackers attempt to cause damage to the compromised systems by either disrupting or manipulating business and operational processes. Techniques used involve data encryption to disable users from accessing important information. A ransomware attack can be considered as an impact on data encryption.
How organisations can use the framework to improve their security posture
There are several ways in which enterprises can make use of the MITRE ATT&CK framework to combat cyber threats and improve their security posture:
- Threat hunting – Traditionally, security teams take a reactive approach by focusing on Indicators of Compromise (IOCs) such as IP addresses, file hashes, and domain names to detect threats. With the ATT&CK knowledgebase, security teams can look for patterns in attacker behaviour called TTPs (Tactics, Techniques, Procedures) to engage in threat hunting, a proactive cybersecurity approach.
- Security gap analysis – Security teams can utilise tools like the MITRE ATT&CK navigator to conduct a gap assessment and find loopholes in their current security posture to understand where and how improvements can be made.
- Attack simulation – Enterprises can use red team assessments to simulate how their defences will hold up after an actual cyberattack. Using the MITRE ATT&CK framework, red teams can emulate TTPs to plan and execute a realistic cyberattack simulation to test the enterprise’s defence systems and security response capabilities.