The Development and Application Trend of Threat Intelligence, Seen from ATT&CK

Posted by santillano at 2020-03-21

ATT&CK is a structured, data-driven description of network attack tactics. By analysing the adversary, it further promotes the deployment of an adaptive and resilient defense system. ATT&CK provides a consistent standard for describing attack tactics; it is an important basis for structured cognitive confrontation and an important part of a new generation of data- and intelligence-driven security systems.


At the RSA Conference in March 2019, more than ten talks discussed research and analysis using ATT&CK for attack behavior modeling, improving network defense, threat hunting, red/blue confrontation and attack detection; ATT&CK became one of the most popular topics of the conference. At the Gartner Security & Risk Management Summit in June 2019, ATT&CK was rated among the top ten hot topics by F-Secure. ATT&CK has become a hot technical topic in cyberspace security in 2019.

II. What is ATT&CK

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a model and knowledge base proposed by MITRE that reflects attacker behavior across each stage of the attack life cycle. Building on the kill chain model proposed by Lockheed Martin, ATT&CK constructs a finer-grained and more easily shared knowledge model and framework for attacker behavior in the last four stages of that chain. Through continuous accumulation, ATT&CK has formed a knowledge base of attacker behavior that is jointly contributed to and maintained by government, public-service organizations, private enterprises and academic institutions, and that guides users in targeted detection, defense and response work.

At present the ATT&CK model is divided into three parts: PRE-ATT&CK, ATT&CK for Enterprise and ATT&CK for Mobile. PRE-ATT&CK covers the first two stages of the attack chain model, and ATT&CK for Enterprise covers the last five stages. Considering the difference in security architecture between traditional enterprise PCs and current mobile devices, ATT&CK for Mobile focuses on the TTPs of mobile threats across seven stages of the attack chain model. An ATT&CK for Cloud model may be introduced in the future. This article mainly takes ATT&CK for Enterprise as the example when describing and analysing ATT&CK tactics, techniques and applications.

PRE-ATT&CK includes: priority definition, target selection, information gathering, weakness identification, adversary OPSEC, establishing and maintaining infrastructure, persona development, and building, testing and staging capabilities. ATT&CK for Enterprise includes the following tactics: initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, exfiltration, and command and control.

A tactic is the "why" of an ATT&CK technique: the tactical objective the attacker pursues by carrying out an action, expressed as a standard, higher-level representation of what the attacker does during an operation. A technique is the means by which the attacker achieves that tactical objective by performing an action, or what is obtained by performing it. The ATT&CK matrix shows the relationship between tactics and techniques: there may be many ways, that is many techniques, to achieve one tactical objective, so each tactic category contains many techniques.

ATT&CK gives a detailed definition of each tactic and technique.

Take T1060 as an example. T1060 is the ID of the attack technique Registry Run Keys / Startup Folder, which ATT&CK describes as follows: adding an entry to the "run keys" in the Registry or to the Startup folder causes the referenced program to be executed when a user logs in; these programs run in the user's context and with the account's privileges. T1060 belongs to the persistence tactic. The permissions required to use this technique are user or administrator. The data sources for detecting this technique are Windows Registry and file monitoring.

Detection methods for this technique include: 1) monitoring Registry changes that are not related to known software or system patches; 2) monitoring additions to or changes in the Startup folder; 3) using tools such as Sysinternals Autoruns (and similarly Sysmon) to monitor changes to the Registry and the Startup folder.

Mitigations for this technique include: using application whitelisting tools to identify and block potential malware that attempts to persist through run keys or the Startup folder.
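The detection methods above, applied to telemetry, as an added example that is not part of the original article: a small detector that reads Sysmon-style JSON events (Event ID 13, a Registry value being set, and Event ID 11, a file being created) and flags run-key or Startup-folder writes that do not come from a baseline of known writers. The allowlist and the sample events are constructed for this example.

```python
import json
import re
from typing import Optional

# The two locations T1060 covers: the Registry run keys and the Startup folder.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(RunOnce|Run)\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)

# Images that legitimately write autorun entries (installers, patching).
# Constructed for the example; a real allowlist comes from the environment baseline.
KNOWN_WRITERS = {
    r"c:\windows\system32\msiexec.exe",
    r"c:\windows\system32\svchost.exe",
}

def classify(event: dict) -> Optional[str]:
    """Label one Sysmon-style event as a T1060 finding, or None if it is expected."""
    image = event.get("Image", "").lower()
    if image in KNOWN_WRITERS:
        return None  # change made by an expected writer, e.g. an installer
    # Event ID 13 (RegistryEvent, value set): TargetObject holds the full key path.
    if event["EventID"] == 13 and RUN_KEY_RE.search(event.get("TargetObject", "")):
        return "T1060/run-key"
    # Event ID 11 (FileCreate): TargetFilename holds the created file's path.
    if event["EventID"] == 11 and STARTUP_DIR_RE.search(event.get("TargetFilename", "")):
        return "T1060/startup-folder"
    return None

def detect(lines) -> list:
    """Parse JSON-lines events and return (label, image) for every hit."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        label = classify(ev)
        if label:
            findings.append((label, ev.get("Image", "")))
    return findings

# Constructed sample telemetry (not real logs): a run-key write from a temp-folder
# binary, an installer writing a run key, a Startup-folder drop, and an unrelated key.
SAMPLE_LOG = [
    json.dumps({"EventID": 13, "Image": r"C:\Users\bob\AppData\Local\Temp\upd.exe",
                "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
                "Details": r"C:\Users\bob\AppData\Local\Temp\upd.exe"}),
    json.dumps({"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
                "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
                "Details": r"C:\Program Files\Vendor\agent.exe"}),
    json.dumps({"EventID": 11, "Image": r"C:\Users\bob\Downloads\inv.exe",
                "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\inv.lnk"}),
    json.dumps({"EventID": 13, "Image": r"C:\Windows\explorer.exe",
                "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
                "Details": "DWORD (0x00000001)"}),
]

if __name__ == "__main__":
    for label, image in detect(SAMPLE_LOG):
        print(label, image)
```

Tuning the known-writer baseline against real software deployment and patching activity is what turns this from a noisy rule into a usable one.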

ATT&CK can be used to describe an attacker, and on that basis: 1) identify the attackers of interest; 2) record the techniques they use and the traces they leave; 3) trace them on the basis of intelligence. ATT&CK can describe APT groups; in the APT analysis reports of some vendors, ATT&CK is also used to describe the attack tactics and process.

III. ATT&CK applications

At the application level, the use cases supported by ATT&CK include:

(1) Adversary emulation: simulating the threat execution process on the basis of threat intelligence about a specific attacker's tactics and techniques, and then evaluating the completeness of a given defensive technology. Emulating the attacker's techniques focuses on verifying detection or mitigation of the attack behavior across the whole attack process. ATT&CK can be used as a tool to construct emulation scenarios that test and verify common attacker techniques. By decomposing attack behavior, dynamic and complex attack activity is "dimensionally reduced" and mapped into the ATT&CK model, which greatly lowers the cost of describing and communicating attack tactics; system security testing of the business environment can then be carried out within a controllable scope.

In terms of emulating specific attacker techniques, ATT&CK can be used: 1) to simulate the techniques used by the attacker in different attack stages; 2) to test the detection and defense effectiveness of the protection system against different techniques; 3) to conduct detailed analysis and simulation of specific attack events.

(2) Red teaming: in red/blue confrontation, without using known threat intelligence, the red team's ultimate goal is to compromise the other side's network and systems without being detected. The red team can use ATT&CK to build and organize attack plans so as to avoid the defensive measures likely to be present in the network. ATT&CK can also be used to study attack paths and find new ways of bypassing common defensive detection measures.

(3) Behavioral analytics development: detecting and analysing attacker behavior in order to identify potential malicious activity in networks and systems. This approach does not rely on known attack-tool signatures or indicators of compromise (IOCs), which makes it more flexible than the traditional IOC- or malicious-behavior-signature-based method. ATT&CK can be used as a tool to model attacker behavior and detect that behavior in the environment.

In practice, ATT&CK can be used to compare attackers' methods, and to judge whether attacks were launched by the same organization by analysing the overlap in the techniques they used.

(4) Defensive gap assessment: evaluating the shortcomings of an enterprise's network defense capability. ATT&CK can be regarded as an attacker-behavior-centric model that is used to evaluate the enterprise's existing detection, protection and mitigation systems. Once the gaps are determined, they can guide the investment plan for security enhancement and the improvement and upgrading of existing systems.
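Two of the analyses described above, technique overlap between attackers and the defensive gap assessment, on a shared technique-set model, as an added example that is not from the original article. The technique IDs are real ATT&CK identifiers, but the tactic labels, data-source mapping (apart from T1060's, which the article states), group profiles and collection inventory are constructed for the example.

```python
# Technique ID -> (tactic, data sources needed to detect it). Constructed subset;
# only T1060's data sources are taken from the article.
TECHNIQUES = {
    "T1060": ("persistence", {"Windows Registry", "File monitoring"}),
    "T1086": ("execution", {"Process monitoring", "Process command-line parameters", "PowerShell logs"}),
    "T1003": ("credential-access", {"API monitoring", "Process monitoring", "PowerShell logs"}),
    "T1105": ("command-and-control", {"Packet capture", "Netflow", "File monitoring"}),
    "T1078": ("defense-evasion", {"Authentication logs", "Process monitoring"}),
    "T1021": ("lateral-movement", {"Authentication logs", "Netflow"}),
}

# Constructed technique profiles of two intrusion sets (as extracted from two reports).
GROUP_A = {"T1060", "T1086", "T1003", "T1105"}
GROUP_B = {"T1060", "T1086", "T1078", "T1021"}

def technique_overlap(a: set, b: set):
    """Jaccard similarity of two technique sets, plus the shared technique IDs."""
    shared = a & b
    return len(shared) / len(a | b), sorted(shared)

def detection_gap(techniques: set, collected: set) -> dict:
    """Per technique: tactic, coverage level ('none'/'partial'/'full'), missing sources."""
    report = {}
    for tid in sorted(techniques):
        tactic, needed = TECHNIQUES[tid]
        have = needed & collected
        level = "full" if have == needed else ("partial" if have else "none")
        report[tid] = (tactic, level, sorted(needed - collected))
    return report

def gaps_by_tactic(report: dict) -> dict:
    """Group every technique that is not fully covered under its tactic."""
    gaps = {}
    for tid, (tactic, level, _missing) in report.items():
        if level != "full":
            gaps.setdefault(tactic, []).append(tid)
    return gaps

# Constructed inventory of what the environment collects today.
COLLECTED = {"Windows Registry", "File monitoring", "Process monitoring",
             "Process command-line parameters"}

if __name__ == "__main__":
    score, shared = technique_overlap(GROUP_A, GROUP_B)
    print(f"overlap={score:.2f} shared={shared}")
    report = detection_gap(GROUP_A | GROUP_B, COLLECTED)
    for tid, (tactic, level, missing) in report.items():
        print(tid, tactic, level, missing)
    print(gaps_by_tactic(report))
```

The per-tactic gap list is what feeds the investment plan the paragraph mentions: each entry names the data source that would have to be collected before the technique can be detected at all.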

(5) SOC maturity assessment: using ATT&CK to evaluate how effectively the enterprise's security operations center detects, analyses and responds during a network intrusion.

(6) Cyber threat intelligence enrichment: ATT&CK supplements the traditional IOC-based application of intelligence. Cyber threat intelligence is knowledge about the cyber threats and attacker groups that affect network security, including related malware, tools, TTPs, targeted industries, behaviors and other threat-related indicator information. ATT&CK describes the behavior of attack groups from the analyst's perspective, so that operations and maintenance staff can better understand the common behavior of those groups and take better defensive measures. It can be seen that ATT&CK-based detection is much more complex than traditional IOC-based detection.

IV. The relationship between ATT&CK and threat intelligence

According to Gartner's definition, threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard that can be used to inform decisions about responding to it. According to iSIGHT's definition, threat intelligence is knowledge about adversaries and their motivations, intentions and methods that is collected, analysed and disseminated in ways that help security and business staff at all levels protect the critical assets of the enterprise.

The definitions above are academic and not easy to grasp, especially when introducing a threat intelligence business to customers. We can therefore introduce threat intelligence to customers as follows: I know what you do not know about the threats to your security. In addition, from the perspective of attack-defense confrontation, intelligence is an advantage; and from the perspective of a closed-loop security response, threat intelligence is the aggregation of the security detection and analysis capabilities of devices, systems and people.

According to the Pyramid of Pain for cyber threat intelligence, which ranks indicators by the cost or "pain" they inflict on the attacker when used against them, threat intelligence can be divided into hash values, IP addresses, domain names, network or host artifacts, attack tools, and TTPs.

For an attacker, once a specific sample delivered during an intrusion is matched and detected by its hash, only a single bit or a few characters need to change for the sample's hash to change, thereby evading hash-based detection;

Once an attacker's TTPs are identified and responded to, the attacker is forced to abandon their previous techniques and learn new ones, which is a high price for the attacker;

ATT&CK is a specification for expressing TTPs.

The comparison of threat data models and specifications at the various levels is shown in the table.

STIX, CAPEC and ATT&CK can all be used to describe TTPs. STIX 1.0, STIX 2.0, CAPEC and ATT&CK are compared in the table.
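How STIX 2.0 and ATT&CK fit together when describing a TTP, as an added example that is not from the original article: a STIX 2.0 bundle in which an intrusion set "uses" attack patterns, each attack pattern carrying its ATT&CK technique ID in `external_references` and its tactic in a `mitre-attack` kill chain phase, plus the consumer-side function that reads the technique IDs back out. The group name "Example Group" and the generated UUIDs are constructed.

```python
import json
import uuid
from datetime import datetime, timezone

def _ts() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def attack_pattern(tid: str, name: str, tactic: str) -> dict:
    """A STIX 2.0 attack-pattern linked to an ATT&CK technique ID and tactic."""
    t = _ts()
    return {
        "type": "attack-pattern", "id": f"attack-pattern--{uuid.uuid4()}",
        "created": t, "modified": t, "name": name,
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": tactic}],
        "external_references": [{"source_name": "mitre-attack", "external_id": tid,
                                 "url": f"https://attack.mitre.org/techniques/{tid}"}],
    }

def intrusion_set(name: str) -> dict:
    t = _ts()
    return {"type": "intrusion-set", "id": f"intrusion-set--{uuid.uuid4()}",
            "created": t, "modified": t, "name": name}

def uses(src: dict, dst: dict) -> dict:
    """A 'uses' relationship from an intrusion set to an attack pattern."""
    t = _ts()
    return {"type": "relationship", "id": f"relationship--{uuid.uuid4()}",
            "created": t, "modified": t, "relationship_type": "uses",
            "source_ref": src["id"], "target_ref": dst["id"]}

def bundle(objects: list) -> dict:
    # In STIX 2.0 the spec_version lives on the bundle (in 2.1 it moves to each object).
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "spec_version": "2.0", "objects": objects}

def techniques_used(b: dict, group_name: str) -> list:
    """Consumer side: list the ATT&CK IDs that a named group uses, from a bundle."""
    by_id = {o["id"]: o for o in b["objects"]}
    group_ids = {o["id"] for o in b["objects"]
                 if o["type"] == "intrusion-set" and o["name"] == group_name}
    tids = set()
    for o in b["objects"]:
        if o["type"] == "relationship" and o["relationship_type"] == "uses" \
                and o["source_ref"] in group_ids:
            for ref in by_id.get(o["target_ref"], {}).get("external_references", []):
                if ref.get("source_name") == "mitre-attack":
                    tids.add(ref["external_id"])
    return sorted(tids)

def example_bundle() -> dict:
    """Constructed sample: a hypothetical group that uses T1060 and T1086."""
    group = intrusion_set("Example Group")
    t1060 = attack_pattern("T1060", "Registry Run Keys / Startup Folder", "persistence")
    t1086 = attack_pattern("T1086", "PowerShell", "execution")
    return bundle([group, t1060, t1086, uses(group, t1060), uses(group, t1086)])

if __name__ == "__main__":
    b = example_bundle()
    print(json.dumps(b, indent=2))
    print(techniques_used(b, "Example Group"))
```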

At this point, the theoretical basis of threat information expression specifications at all levels is complete.

Combined with the requirement to deploy threat intelligence detection systems under the Multi-Level Protection Scheme 2.0 (MLPS 2.0) and the important role of threat intelligence in HW (network defense drill) operations, it can be predicted that the application and deployment of threat intelligence will see explosive growth.

In judging the future development of threat intelligence, its application direction can be predicted in terms of breadth and depth. At the breadth level, the application direction can be analysed according to the business use cases supported by the threat intelligence specifications, which can be summarized as: 1) threat detection; 2) incident investigation and forensics; 3) threat analysis; 4) intelligence sharing; 5) incident management; 6) vulnerability management; 7) risk assessment; 8) red/blue confrontation; 9) adversary emulation; 10) SOC maturity assessment; and so on, as shown in the table.

At the depth level, it can be judged by the types of intelligence supported by current devices and systems. For example, currently supported threat intelligence detection focuses mainly on hashes, IP addresses and domain names; later it can try to support network or host artifacts, attack tools and TTPs.

V. The response closed loop

The preceding sections described detection and analysis; what follows enters the response loop. We know that in attack-defense confrontation it usually takes an attacker only minutes to compromise the target, and minutes again to go from compromise to stealing data, while it takes the defender days, weeks or even months to go from being attacked to discovering the attack, and from discovering the attack to investigating and recovering the system. This asymmetry between attack and defense is the most fundamental problem of cyberspace security protection.

During an attack, the interval from when the attacker begins the attack to when the defender discovers and identifies it is the attacker's free attack time. The interval from identifying the attack to system response and recovery is the system's response handling time. The key point of threat intelligence is to shorten the attacker's free attack time, that is, to quickly detect and identify the attacker's behavior; from the perspective of the whole response closed loop, the system's response handling time must also be shortened.

At present there are many related models, which are continually iterated: from PDR to PPDR, then to IPDRR, IPDRDR and OODA. In essence they all emphasize the response closed loop, that is, fast detection and identification, fast response and handling. This is the focus of SOAR, which shortens detection and response handling time, simplifies processes and improves operational efficiency. Taking IACD as an example, this article analyses where the hot security technologies represented by threat intelligence sit in the response loop.

IACD is currently the most standardized and complete security automation and orchestration specification (see the link for details of IACD). The IACD architecture includes:

(1) Sensors / sensing sources: sensors receive data and send it to the orchestration services;

(2) Actuators / action points: actuators carry out the response actions for network events;

(3) Sensor/actuator interface (S/A interface): the S/A interface enables the various sensors and actuators in the enterprise to communicate with one another;

(4) Sense-Making Analytic Framework (SMAF): the SMAF is used to enrich information;

(5) Decision-Making Engine (DME): the DME decides what response measures are appropriate;

(6) Response Action Controller (RAC): the RAC passes response measures to a response action queue;

(7) Orchestration Manager (OM): the OM governs the access control of information flows and orchestration services;

(8) Orchestration services: the collection of the five components above (S/A interface, SMAF, DME, RAC and OM).

Among these, detection intelligence is mainly applied in the sensor / sensing source part; device and system control specifications represented by OpenC2 are mainly applied in the sensor/actuator interface; the big data analytics technology currently under active discussion and research is mainly applied in the SMAF and the DME, which analyse and decide on the basis of collected and accumulated data; a playbook can be understood as an accumulated, summarized handling procedure, and is mainly embodied in the RAC; and execution takes place at the actuators / action points, via the S/A interface, according to the playbook actions assigned by the RAC.
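The flow just described, reduced to code as an added example that is not from the original article or the IACD project: a sensor event passes through an SMAF enrichment step that looks up threat intelligence, a DME step that decides the response, and a RAC that queues it, with the S/A interface rendering a "deny" as an OpenC2 command (the `deny` action and `ipv4_net` target are from the OpenC2 Language Specification). The intel feed, the events and the decision threshold are constructed playbook policy for this example.

```python
from collections import deque

# Constructed threat-intel feed: indicator -> (confidence 0-100, ATT&CK technique).
THREAT_INTEL = {
    "203.0.113.7": (90, "T1105"),
    "198.51.100.2": (40, "T1105"),
}

def sensor_events() -> list:
    """Constructed sensor records (outbound connections) sent to the orchestration service."""
    return [
        {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.7", "dst_port": 443},
        {"src_ip": "10.0.0.9", "dst_ip": "198.51.100.2", "dst_port": 8080},
        {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "dst_port": 443},
    ]

def smaf_enrich(event: dict) -> dict:
    """SMAF step: attach intel context to the raw sensor event."""
    hit = THREAT_INTEL.get(event["dst_ip"])
    enriched = dict(event)
    enriched["intel"] = {"confidence": hit[0], "technique": hit[1]} if hit else None
    return enriched

def dme_decide(enriched: dict, block_threshold: int = 80) -> str:
    """DME step: pick a response; the threshold is constructed playbook policy."""
    intel = enriched["intel"]
    if intel is None:
        return "allow"
    return "deny" if intel["confidence"] >= block_threshold else "investigate"

def to_openc2(decision: str, event: dict):
    """S/A interface: render a 'deny' decision as an OpenC2 command for a network actuator."""
    if decision != "deny":
        return None
    return {"action": "deny",
            "target": {"ipv4_net": f"{event['dst_ip']}/32"},
            "args": {"response_requested": "ack"}}

class ResponseActionController:
    """RAC: holds the response action queue that actuators drain."""
    def __init__(self):
        self.queue = deque()
    def submit(self, command: dict) -> None:
        self.queue.append(command)
    def pending(self) -> list:
        return list(self.queue)

def run_playbook(events: list, rac: ResponseActionController) -> list:
    """Run each event through SMAF -> DME -> RAC; return (dst_ip, decision) pairs."""
    outcomes = []
    for ev in events:
        decision = dme_decide(smaf_enrich(ev))
        cmd = to_openc2(decision, ev)
        if cmd:
            rac.submit(cmd)
        outcomes.append((ev["dst_ip"], decision))
    return outcomes

if __name__ == "__main__":
    rac = ResponseActionController()
    print(run_playbook(sensor_events(), rac))
    print(rac.pending())
```

The "investigate" outcome is where an analyst still sits in the loop; the suggestion in section VI to consolidate analyst knowledge into playbooks is about moving more decisions from that branch into the DME.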

The whole IACD response process may involve different business scenarios, and it is difficult for any single vendor to build a complete set of tools and product capabilities. IACD abstracts security products and capabilities so that Party A (the customer organization) can fully integrate the products and capabilities of different vendors, shorten detection and response time, and achieve the best security effect.

In experiments, IACD improved results markedly: detection time was reduced by 99%, concurrent event handling capacity increased 10,000-fold, and response time was reduced by 98%.

It can be predicted that as the security automation and orchestration specifications and technologies represented by IACD are gradually deployed and take effect in different business scenarios, the response closed loop will have a profound impact on the development and application of automated security technologies and security products.

VI. Outlook and suggestions

After the hype around threat intelligence and security orchestration and automated response in recent years, the initial stage of actual accumulation, application and results has gradually arrived. The author is positive and optimistic about the subsequent technological development and market prospects, and at the same time offers several suggestions:

(1) Threat intelligence has become a basic component of the security protection system. Security protection, detection and analysis devices and systems at the cloud, network and endpoint layers need to support threat-intelligence-based detection and response functions at both the depth and the breadth level;

(2) Security protection, detection and analysis products need to support interfaces (not only APIs), standardization (OpenC2), cloud delivery and operations;

(3) In analysis and response handling, the analysis and handling abilities of security analysts should be consolidated into playbooks and knowledge graphs, to raise the degree of automated analysis and handling and reduce dependence on people;

(4) IACD is an important reference for building large-scale defense systems and new security ecosystems and products, an important direction of the cyberspace security business at present, and the latest important practice of leading international security enterprises. Planners and practitioners at domestic security enterprises are advised to learn from it;

(5) Large Party A organizations (government, state-owned enterprises, etc.) and large Party B vendors (large security manufacturers) should try to build a complementary, healthy security cooperation ecosystem, so as to avoid homogeneous competition among security vendors each building a full stack of security product lines.

Glossary

(1) ATT&CK: Adversarial Tactics, Techniques, and Common Knowledge;

(2) SOC: security operations center;

(3) TTPs: tactics, techniques and procedures, also referred to as attack techniques;

(4) IOC: indicator of compromise;

(5) IACD: Integrated Adaptive Cyber Defense, an integrated adaptive cyber defense framework;

(6) PDR: protect, detect, respond;

(7) PPDR: predict, prevent, detect, respond;

(8) IPDRR: identify, protect, detect, respond, recover;

(9) IPDRDR: identify, protect, detect, respond, recover, diagnose, refine;

(10) SOAR: security orchestration, automation and response;

(11) OODA loop: observe, orient, decide, act;

(12) SMAF: Sense-Making Analytic Framework;

(13) DME: Decision-Making Engine;

(14) OM: Orchestration Manager;


Special thanks to Yang Dalu, Jin Xiangyu, Jiang Zhengwei, Xing Shikang and Duan Yulong for their comments and materials on the content of this article!

Finally, a small plug: follow the official account and reply "ATT&CK" to receive the continuously updated and organized PPT documents on ATT&CK theory, architecture, application and deployment. Discussion and exchange are welcome at any time!