Towards the end of this previous post, I mentioned the ATT&CK framework. Straight from their site, "MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community." ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It can be used in a couple of ways, which I'll detail below. Being new to this process, I might be a little off in my explanation but I thought there would be value in us exploring ATT&CK together.
Before we can see how to use and implement ATT&CK, we should take a look at how it is set up. MITRE has it broken down into Matrices, Tactics, Techniques, Groups, and Software. The information within is organized in such a way that you can gather all the information you need, no matter where you start.
For example, lets start at the Enterprise Matrix. Matrices are the cross sections between Tactics and Techniques. For each tactic across the top, there is a list of techniques. Each technique is linked to a page which consists of a summary, examples, mitigation, and detection. The examples given link to the specific groups and software listed. Each of the Group pages have a summary, which techniques the group uses and what software they use. The same can be said of the Software pages. So as you can see, the pages are all inter-linked to ensure all the relevant information is gained.
ATT&CK For Attack
One of the most powerful uses of ATT&CK is to serve as a guideline for adversary simulations. In a first hand example, I went through each tactic and selected a technique or two. Then I had some direction on what tools I should use. It is worth pointing out that things might not always go to plan and it might be necessary to deviate from the selected techniques. The important part is that it can be an excellent resource for planning out an exercise. This plan can make the difference between a Red Team activity and a poorly scoped pen test.
Another method is emulate a specific threat group. For example, if you (or a client) work in the banking industry, you might want to emulate APT38. Their page lists techniques that have been seen by the threat group. In this example, you could use Drive-by Compromise as your technique for initial access. Then you can collect keystrokes with a tool such as Cobalt Strike You obviously would not want to emulate all of their techniques as several of them involve Data Destruction. This can train the Blue Team to know what indicators of compromise are often seen in their industry. In the end, that's really what an exercise is about, isn't it?
ATT&CK For Defense
Despite most of our posts being focused on offensive security, it is also worth understanding how to use ATT&CK for defense.
As a defender, ATT&CK can be used a couple of ways. For example, attribution, where defenders can map out the tactics and techniques they are seeing and connect them back to a threat group. From there it can be used to determine where analysts' defensive resources should be aimed as far as which technique is most commonly seen in their network. This direction can come from reviewing the threat groups that most commonly target their sector. From there, they can review which techniques are commonly used by those groups and plan accordingly.
Along similar lines, it could also be useful to set up alerting or mitigation. Each technique offers a snippet about how to detect or mitigate against it. The mitigation information can help increase security proactively while the alerting can help with reactive actions.