understand att & ck framework and use case

Posted by barello at 2020-04-12

Google trends show that at & CK, a word with a strange "&" sign, is very popular. However, mitre att & CK Gamma What is the connotation of? Why should network security experts focus on att & CK?

Search heat for mitre att & CK has increased significantly in the past 12 months

1、 Background of ATT & CK framework

Mitre is a U.S. government funded research organization. It was separated from MIT in 1958 and participated in many commercial and top secret projects. It includes the development of FAA air traffic control system and AWACS airborne radar system. Mitre is engaged in a large number of network security practices with the support of the National Institute of standards and Technology (NIST).

In 2013, mitre launched att & CK model, which describes and classifies confrontation behaviors based on real observation data. Att & CK transforms the known attacker's behaviors into structured list, summarizes these known behaviors into tactics and techniques, and expresses them by several matrices, Stix and taxii. This list is very useful for a variety of offensive and defensive measures, representations, and other mechanisms, because it fairly comprehensively presents the behaviors of attackers when attacking the network.

The goal of mitre att & CK is to create a detailed list of known counter tactics and techniques used in cyber attacks. In the past year, the mitre att & CK framework has been popular in the security industry. In short, ATT & CK is a "confrontation tactics, technology and common sense" framework provided by mitre. It is a selected knowledge base composed of 12 tactics and 244 enterprise technologies that attackers will use when attacking enterprises.

Att & CK will detail how each technology is used and why understanding this technology is important for defenders. This greatly helps security personnel to understand unfamiliar technologies more quickly. For example, for Party A's enterprise, the platform and data source are very important. The enterprise security personnel need to know which systems should be monitored and what content should be collected from them, so as to reduce or detect the impact caused by the abuse of intrusion technology. At this point, the att & CK scenario example comes in handy. There are specific scenario examples for each technology, which show how attackers can use the technology through a certain malware or action plan. Att & CK uses Wikipedia's style for each example, citing many blog and security research team articles. So if there's no direct content in att & CK, it's usually found in these linked articles.

Therefore, many enterprises have begun to study att & CK. In this process, they usually see that there are two methods adopted by enterprise organizations. The first is to check the safety tools and let the safety manufacturer provide a mapping map against the coverage of ATT & CK. Although this is the simplest and fastest method, the coverage provided by the vendor may not match the way the enterprise actually deploys the tools. In addition, some enterprise organizations are evaluating enterprise security capability item by item according to tactics. In the case of persistence tactics, these techniques can be very complex, and just alleviating some of them does not mean that attackers cannot abuse this technique in other ways.

2、 Comparison between mitre att & CK and kill chain

Generally speaking, ATT & CK model is based on the killchain model proposed by Lockheed Martin company, which constructs a set of more fine-grained and easier to share knowledge model and framework. At present, ATT & CK model is divided into three parts: pre-att & CK, ATT & CK for enterprise and att & CK for mobile. Pre-att & CK covers the first two stages of the kill chain model, including tactics and techniques related to attackers' attempts to exploit specific target network or system vulnerabilities. Att & CK for enterprise covers the last five stages of kill chain. Att & CK for enterprise consists of technical and tactical parts applicable to windows, Linux and MacOS systems. Att & CK for mobile includes tactics and technologies for mobile devices.

However, ATT & CK's tactics are different from Lockheed Martin's network kill chain, and they do not follow any linear order. Instead, attackers can switch tactics at will to achieve their ultimate goal. No tactic is more important than others. The enterprise organization must analyze the current coverage, evaluate the risks faced by the organization, and adopt meaningful measures to close the gap.

In addition to the tactical refinement of kill chain, ATT & CK also describes the technologies that can be used in each stage, while kill chain does not.

3、 Use of ATT & CK framework

From a visual point of view, the mitre att & CK matrix arranges all known tactics and techniques in an easy to understand format. Attack tactics are shown at the top of the matrix, with separate techniques listed below each column. An attack sequence is tactical and contains at least one technique, and a complete attack sequence is constructed by moving from the left (initial access) to the right (impact). A tactic may use a variety of techniques. For example, an attacker may try both the phishing attachment and the phishing link in a spear phishing attack.

At the top of the att & CK matrix are attack tactics, each column contains multiple technologies

Att & CK tactics are logically distributed in multiple matrices and begin with the "initial access" tactics. For example, sending a spear phishing email with malicious attachments is one of the techniques in this strategy. Each technology in att & CK has a unique ID number, for example, technology t1193 used here. The next tactic in the matrix is execution. Under this strategy, there is "user execution / t1204" technology. This technique describes malicious code that is executed during a specific operation by a user. In the later stages of the matrix, you will encounter tactics such as "elevate privileges," "move sideways," and "infiltrate.".

Attackers do not need to use all 12 tactics shown at the top of the matrix. Instead, attackers use the fewest number of tactics to achieve their goals, as it improves efficiency and reduces the chance of detection. For example, the adversary uses the harpoon phishing link passed in the email to "initial access" the credentials of the CEO Executive Assistant. Once the administrator's credentials are obtained, the attacker will look for the remote system in the discovery phase. The next step may be to find sensitive data in the Dropbox folder, which the administrator has access to, so there is no need to upgrade the permissions. The attacker then completes the collection by downloading the file from Dropbox to the attacker's computer.

Attack example (techniques in different tactics are used in the attack)

Att & CK navigation tool is a very useful tool for mapping control measures for att & CK technology. Different layers can be added to show specific detection controls, preventive controls, and even observed behaviors. The navigation tools can be used online to quickly build models or scenes, or downloaded for internal settings as a durable solution.

In the following, the author will interpret the central idea of 12 tactics in att & CK framework and how to mitigate and detect some techniques in tactics.

01. Initial visit

Although att & CK is not arranged in any linear order, the initial access is the foothold of the attacker in the enterprise environment. For enterprises, this strategy is an ideal transition point from pre-att & CK to att & CK. Attackers use different techniques to implement initial access techniques.

For example, suppose an attacker uses a spearphishing attachment. The attachment itself will exploit some type of vulnerability to achieve this level of access, such as PowerShell or other scripting techniques. If the execution is successful, the attacker can use other strategies and techniques to achieve its ultimate goal. Fortunately, because these technologies are well known, there are many technologies and methods that can be used to mitigate and detect the abuse of each technology.

In addition, safety personnel can also combine att & CK and CIS control measures, which will play a greater role. For the initial visit strategy, I think three of the CIS controls can play a significant role.

(1) Control measure 4: control the use of administrator authority. If an attacker can successfully use a valid account or have an administrator open the spelling attachment, subsequent attacks will become easier.

(2) Control measure 7: email and web browser protection. Because many of these technologies involve the use of e-mail and web browsers, the sub controls in control 7 will be very useful.

(3) Control measure 16: account monitoring and control. Fully understanding the operation that the account should perform and locking the permission will not only help to limit the damage caused by data leakage, but also play the role of detecting the abuse of effective account in the network.

Initial access is where the attacker will be in the enterprise environment. If you want to terminate the attack as early as possible, then "initial access" will be a suitable starting point. In addition, it will be useful if the enterprise has adopted CIS control measures and is starting to adopt att & CK method.

02, implementation

Of all the tactics adopted by the opponent in the attack, the most widely used one is "execution". When an attacker considers an out of the box malware, ransomware, or apt attack, they all choose to "execute.". Because malware has to run, defenders have an opportunity to block or detect it. However, not all malware can easily find its malicious executable files with antivirus software.

In addition, for command-line interfaces or PowerShell, it is very useful for attackers. Many file less malware specifically utilizes one of these technologies or a combination of both. The power of these types of technologies to attackers is that the above technologies have been installed on the terminal and are rarely deleted. System administrators and advanced users rely on some of these built-in tools every day. The mitigation controls in att & CK even state that these controls cannot remove the above technologies and can only be audited. The attacker relies on these technologies installed on the terminal, so in order to gain the advantage of the attacker, we can only audit these technologies, and then collect their relevant data to the central location for audit.

Finally, the application of white list is the most useful control measure to mitigate malware attacks. But like any technology, it's not a panacea for all problems. However, the application of white list will slow down the speed of attackers, and may also force them to escape the comfort zone and try other strategies and technologies. When attackers are forced out of their comfort zone, they can make mistakes.

If an enterprise is currently applying CIS critical security controls, this tactic matches control 2, the list of authorized and unauthorized software. From the perspective of mitigation, enterprises can't protect what they don't know, so the first step is to understand their property. To make the right use of ATT & CK, enterprises need not only a deep understanding of the installed applications. Also be aware of the additional risks that built-in tools or add ons pose to your organization. In this link, you can use some asset inventory tools of security vendors, such as ivy and other host security vendors can provide a detailed list of software assets.

03. Persistence

In addition to ransomware, persistence is one of the most sought after technologies for attackers. An attacker wants to minimize the amount of work, including the time it takes to access the attack object. Even after the operation and maintenance personnel take measures such as restarting and changing credentials, persistence can still make the computer infect the virus again or maintain its existing connection. For example, the registry run key and startup folder are the most commonly used technologies. These registry keys or file system locations are executed every time the computer is started. As a result, attackers start to get persistence when launching common applications such as web browsers or Microsoft office.

In addition, there are also technologies such as "image hijacking (IFEO) injection" to modify the opening mode of files, create a registry key of auxiliary functions in the registry, and add key values according to the principle of image hijacking, so that the system can run its own programs through shortcut keys when it is not logged in.

Among all att & CK tactics, the author thinks that persistence is one of the most important tactics. If the enterprise finds malware on the terminal and deletes it, it is likely that it will reappear. This may be because the vulnerability has not been fixed, but it may also be because the attacker has established persistence in this or other places on the network. Compared with some other tactics and techniques, using persistent attack should be relatively easy.

04. Authority promotion

All attackers can't let go of raising rights. Using system vulnerability to achieve root level access is one of the core goals of attackers. Some of these technologies require system level calls to work properly, and hooking and process injection are two examples. Many of the techniques in this strategy are designed for the underlying operating system under attack, which may be difficult to mitigate.

Att & CK puts forward that "we should focus on preventing the adversary tools from running in the early stage of the activity chain, and on identifying subsequent malicious behaviors." This means that defense in depth is needed to prevent infection of viruses, such as peripheral defense of terminals or application whitelist. A good way to prevent privilege escalation beyond the scope of ATT & CK recommendations is to use a hardened baseline on the terminal. For example, the CIS baseline provides detailed step-by-step guidance on how to strengthen the system and resist attacks.

Another way to deal with such attack tactics is to audit logging. When attackers adopt some of these techniques, they will leave clues and reveal their purpose. Especially for the logs on the host side, if all the operation and maintenance commands of the server can be recorded, certificates can be stored and real-time audit can be performed. For example, the real-time audit of operation and maintenance personnel's operation steps on the server can be used for real-time alarm or as post audit certificate once non-compliance is found. It can also connect data information to SOC, situational awareness and other products, or to orchestration system.

05. Defense bypass

So far, this tactic has the most techniques in the tactics described in the mitre att & CK framework. One interesting aspect of the tactic is that some malware, such as ransomware, doesn't care about defense bypassing. Their only goal is to perform once on the device and be discovered as soon as possible.

Some technologies can trick anti-virus (AV) products into not being able to check them at all, or bypass the application of white list technology. For example, disabling security tools, deleting files, and modifying the registry are all techniques available. Of course, the defender can monitor the changes on the terminal and collect the logs of the critical system, which will make the invasion impossible.

06. Credential access

There is no doubt that the most desired credentials for an attacker, especially administrative credentials. If an attacker can log in, why use 0day or take the risk to exploit the vulnerability? It's like a thief entering a house. If you can find the key to open the door, no one will be willing to break the window to enter.

Any attacker who enters the enterprise wants to remain invisible to a certain extent. They will want to steal as many credentials as possible. Of course, they can crack it violently, but this kind of attack is too noisy. There are also many examples of stealing hash passwords and hash passing or offline cracking of hash passwords. Finally, the attacker's favorite way is to steal the plaintext password. Plaintext passwords can be stored in plaintext files, databases, or even in the registry. It is not uncommon for attackers to invade a system, steal local hash password and crack local administrator password.

The easiest way to deal with credential access is to use complex passwords. Case, number, and special character combinations are recommended, with the goal of making it difficult for attackers to crack passwords. The final step is to monitor the usage of valid accounts. In many cases, data leakage occurs through effective accounts.

Of course, the safest way is to enable multi factor verification. Even if there is an attack against double authentication, it is better to have double authentication (2fa) than not. By enabling multifactor authentication, you can ensure that an attacker who breaks a password still encounters another obstacle when accessing critical data in the environment.

07. Discover

"Discovery" is a difficult strategy to defend. It has many similarities with the reconnaissance phase of the Lockheed Martin network kill chain. If an organization wants to operate its business normally, it will certainly expose certain aspects.

The most commonly used is the application of white list, which can solve most of the malware. In addition, deception defense is a good way. Put some false information for the attacker to discover, and then detect the opponent's activity. Monitoring enables you to track whether users are accessing documents that should not be accessed.

Since users usually perform many operations described in various technologies in their daily work, it can be very difficult to filter out malicious activities from various interferences. Understanding which operations are normal and benchmarking expected behavior can help when trying to use this tactic.

08. Lateral movement

After exploiting a single system vulnerability, attackers usually try to move horizontally in the network. Even ransomware, which usually only targets a single system at a time, tries to move around the network to find other targets. Attackers usually find a foothold first, and then start to move in various systems, looking for higher access rights, in order to achieve the ultimate goal.

In terms of mitigating and detecting abuse of this particular technology, appropriate network segmentation can mitigate the risk to a large extent. Putting key systems in one subnet, general users in another subnet, and system administrators in the third subnet will help to quickly isolate the lateral movement in the smaller network. Setting up firewalls at both the terminal and switch levels will also help limit lateral movement.

Follow CIS control 14 - knowing controlled access based on need is a good entry point. In addition, control measure 4 - control the use of administrator authority should be followed. The attacker is looking for administrator credentials. Therefore, it will be more difficult for the attacker to steal administrator credentials by strictly controlling the usage and location of administrator credentials. Another part of this control is recording the use of administrative credentials. Even if administrators use their credentials every day, they should follow their normal pattern. The discovery of unusual behavior may indicate that an attacker is abusing valid credentials.

In addition to monitoring the authentication log, the audit log is also important. Event ID 4769 on the domain controller indicates that the Kerberos Gold Ticket password has been reset twice, which may indicate a ticket delivery attack. Or, if an attacker abuses the remote desktop protocol, the audit log will provide information about the attacker's computer.

09. Collection

Att & CK's "collect" strategy outlines techniques that attackers use to discover and collect data needed to achieve a goal. Many of the techniques listed in this tactic do not have practical guidance on how to mitigate them. In fact, most are vague, calling for the use of application whitelists, or suggesting that attackers be prevented at an early stage of the life cycle.

However, businesses can use various techniques in this tactic to learn more about how malware processes data in an organization. An attacker will try to steal information about the current user, including what is on the screen, what the user is typing, what the user discusses, and what the user looks like. In addition, they will look for sensitive data on the local system and data elsewhere on the network.

Understand where sensitive data is stored in the enterprise and protect it with appropriate controls. This process follows CIS control measures 14 - based on the need to understand controlled access, it can help prevent data from falling into the enemy's hands. For extremely sensitive data, see more logging to see who is accessing the data and what they are doing with it.

10. Command and control

Most malware now has a certain degree of command and control. Hackers can use command and control to penetrate data and tell malware what to do next. For each command and control, the attacker accesses the network from a remote location. So understanding what's happening on the network is crucial to solving these technologies.

In many cases, the correct configuration of the firewall can play a role. Some malware families will try to hide traffic on unusual network ports, and some malware will use ports such as 80 and 443 to try to mix in network noise. In this case, enterprises need to use boundary firewall to provide threat intelligence data, identify malicious URL and IP address. While this won't stop all attacks, it helps filter out some common malware.

If the boundary firewall is unable to provide Threat Intelligence, the firewall or boundary log should be sent to the log service processing center, and the security engine server can conduct in-depth analysis of this level of data. Tools such as Splunk provide a good solution for identifying malicious commands and controlling traffic.

11. Data leakage

After gaining access, the attacker will search around for relevant data, and then start data penetration. But not all malware can reach this stage. Extortion software, for example, often has no interest in the gradual seepage of data. As with the "collect" strategy, it provides little guidance on how to mitigate an attacker's access to company data.

In the case of data leakage through the network, the establishment of network intrusion detection or prevention system helps to identify when to transmit data, especially when the attacker steals a large number of data (such as customer database). In addition, although DLP is expensive and complex, it can determine when sensitive data will be leaked. IDS, IPS and DLP are not 100% accurate, so deploy a defense in depth architecture to ensure that confidential data remains confidential.

If an enterprise organization wants to deal with highly sensitive data, it should focus on limiting the access rights of external drives, such as USB interface, limiting its access rights to these files, so as to disable their ability to mount external drives.

To properly address this strategy, you first need to know where your organization's key data is located. If the data is still there, data security can be ensured in accordance with CIS control measure 14 - based on the need to understand controlled access. Then, follow the instructions in cis control 13, data protection, to learn how to monitor users who are trying to access data.

12, influence

Attackers attempt to manipulate, disrupt, or destroy enterprise systems and data. Techniques used for impact include destroying or tampering with data. In some cases, the business process may look good, but it may have changed to a goal that benefits the adversary. These technologies may be used by adversaries to accomplish their ultimate goals or to provide cover for confidential leaks.

For example, an attacker may destroy specific system data and files, thus interrupting the availability of system services and network resources. Data destruction may make stored data unrecoverable by overwriting files or data on local or remote drives. Consider implementing an it disaster recovery plan for this type of disruption, which includes the process of performing regular data backups that can be used to restore organizational data.

4、 Att & CK usage scenario

Att & CK is valuable in a variety of everyday environments. When conducting any defense activities, ATT & CK classification can be applied to refer to attackers and their behaviors. Att & CK not only provides a general technology library for network defenders, but also provides a foundation for penetration testing and red team. When it comes to confrontational behavior, this provides a common language for defenders and red team members. Enterprise organizations can use mitre att & CK in many ways. Here are some common main scenarios:

(1) Adversary simulation

At & CK can be used to create adversary simulation scenarios, test and verify defense solutions for common adversary technologies.

(2) Red team / penetration test activity

Att & CK can be used for the planning, execution and reporting of red team, purple team and penetration testing activities, so that there is a common language between the defender and report receiver as well as between them.

(3) Develop behavior analysis plan

Att & CK can be used to build and test behavior analysis programs to detect confrontational behavior in the environment.

(4) Defense gap assessment

Att & CK can be used as a common behavior centered adversary model to evaluate tools, monitoring and mitigation measures in existing defense solutions within an organization. When studying mitre att & CK, most security teams tend to try to develop some detection or preventive control measures for each technology in the enterprise matrix. Although this is not a bad idea, the techniques in the att & CK matrix can usually be implemented in many ways. Therefore, a method of preventing or detecting the execution of these technologies does not necessarily mean that all possible methods of executing the technology are covered. Since one tool prevents the adoption of this technology in another form, and the organization has properly adopted this technology, this may lead to a false sense of security. However, the attacker can still successfully adopt the technology in other ways, but the defender does not have any detection or preventive measures.

(5) SOC maturity assessment

Att & CK can be used as a measure to determine the effectiveness of SOC in detecting, analyzing, and responding to intrusions. SOC teams can refer to technology and tactics that att & CK has detected or not covered. This helps to understand where the defense strengths and weaknesses are, and to validate mitigation and detection controls, as well as identify configuration errors and other operational issues.

(6) Network Threat Intelligence Collection

Att & CK is very useful for Network Threat Intelligence, because att & CK is describing Countermeasures in a standard way. The attacker can track the attack subject according to the technology and tactics in att & CK known to be utilized by the attacker. This provides a roadmap for defenders to compare their operational controls to see where they have weaknesses and strengths for certain attackers. It is a good way to observe the advantages and disadvantages of these attacking subjects or groups in the environment by creating the contents of mitre att & CK navigation tool. Att & CK can also provide content for Stix and taxii 2.0, making it easy to incorporate existing tools that support these technologies.

Att & CK provides details of nearly 70 attackers and groups, including the technologies and tools they are known to use, according to the open source report.

The general language of ATT & CK is used to facilitate the information creation process. As mentioned earlier, this applies to the subject and group of the attack, but also to the behavior observed from SOC or event response activities. You can also introduce the behavior of malware through att & CK. Any threat intelligence tool supporting att & CK can simplify the intelligence creation process. The application of ATT & CK to commercial and open source intelligence for any of the actions mentioned also helps to maintain intelligence consistency. When all parties use the same language around confrontation, it is much easier to spread information to the operation and maintenance personnel or management personnel. If operators know exactly what is mandatory verification and see this information in intelligence reports, they may know exactly what measures should be taken or what controls have been taken on the intelligence. In this way, the standardization of information product introduction by att & CK can greatly improve efficiency and ensure consensus.

Written in the end

Mitre has provided att & CK and related tools and resources for you, and has made great contributions to the security community. Its appearance is just in time. Because attackers are looking for more covert methods and avoiding the detection of traditional security tools, defenders have to change the detection and defense methods. Att & CK has changed our understanding of low-level indicators such as IP address and domain name, and let us view attackers and defense measures from the perspective of behavior. Compared with the "once and for all" tools in the past, the way to detect and prevent behavior is much more difficult. In addition, as defenders bring in new features, attackers are bound to adjust accordingly. Att & CK provides a way to describe the new technologies they have developed and hopes that defenders will follow the new pace of technology development.