
32 - Attack framework

The main purpose of an attack framework is to reveal the behavior of cyber responders in order to help analyze and prevent attacks. The underlying question is therefore: why wait for a cyber attack if you can analyze what is coming and take protective measures in advance? At this moment MITRE ATT&CK is the most widely used framework model. There are also other models, e.g. the Lockheed Martin Cyber Kill Chain® and the Mandiant Attack Lifecycle, page 27.

Kill Chain

The term kill chain was originally used as a military concept related to the structure of an attack consisting of target identification, force dispatch to target, decision and order to attack the target, and finally the destruction of the target. Conversely, the idea of "breaking" an opponent's kill chain is a method of defense or pre-emptive action. The cyber kill chain model has seen some adoption in the information security community.


Lockheed Martin Cyber Kill Chain

The Lockheed Martin Cyber Kill Chain is a model for the identification and prevention of cyber intrusion activity. The Lockheed Martin Intrusion Kill Chain consists of seven phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2) and Actions on Objectives. Each phase is explained in the figure below.

[Figure: the seven phases of the Lockheed Martin Cyber Kill Chain]


Mitre ATT&CK

MITRE ATT&CK® (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

Mitre ATT&CK is divided into three different categories: Tactics, Techniques and Mitigations. There is also the Group and Software viewpoint for Analysis.

  • Tactics - Tactics represent the “why” of an ATT&CK technique or sub-technique. It is the adversary’s tactical objective: the reason for performing an action. Tactics serve as useful contextual categories for individual techniques and cover standard notations for things adversaries do during an operation, such as persist, discover information, move laterally, execute files, and exfiltrate data. Tactics are treated as “tags” within ATT&CK where a technique or sub-technique is associated or tagged with one or more tactic categories depending on the different results that can be achieved by using a technique.
  • Techniques - Techniques represent “how” an adversary achieves a tactical objective by performing an action. For example, an adversary may dump credentials from an operating system to gain access to useful credentials within a network. Techniques may also represent “what” an adversary gains by performing an action. This is a useful distinction for the Discovery tactic as the techniques highlight what type of information an adversary is after with a particular action.
  • Mitigations - Mitigations in ATT&CK represent security concepts and classes of technologies that can be used to prevent a technique or sub-technique from being successfully executed. There are 41 mitigations in ATT&CK for Enterprise as of March 2020, and they include mitigations such as Application Isolation and Sandboxing, Data Backup, Execution Prevention, and Network Segmentation. Mitigations are vendor product agnostic and only describe categories or classes of technologies, not specific solutions.
  • Groups - Known adversaries tracked by public and private organizations and reported on in threat intelligence reports are tracked within ATT&CK under the Group object. Groups are defined as named intrusion sets, threat groups, actor groups, or campaigns that typically represent targeted, persistent threat activity. ATT&CK primarily focuses on APT groups, though it may also include other advanced groups such as financially motivated actors.
  • Software - Adversaries commonly use different types of software during intrusions. Software can represent an instantiation of a technique or sub-technique, so it is also categorized within ATT&CK to give examples of how techniques are used. Software is broken out into two high-level categories: tools and malware.



Mitre ATT&CK Navigator

The ATT&CK Navigator is designed to provide basic navigation and annotation of ATT&CK matrices, something that people are already doing today with tools like Excel. We have designed it to be simple and generic - you can use the Navigator to visualize your defensive coverage, your red/blue team planning, the frequency of detected techniques or anything else you want to do. The Navigator does not care - it just allows you to manipulate the cells in the matrix (color coding, adding a comment, assigning a numerical value, etc.). We thought having a simple tool that everyone could use to visualize the matrix would help make it easy to use ATT&CK.

The principal feature of the Navigator is the ability for users to define layers - custom views of the ATT&CK knowledge base - e.g. showing just those techniques for a particular platform or highlighting techniques a specific adversary has been known to use. Layers can be created interactively within the Navigator or generated programmatically and then visualized via the Navigator.

The MITRE ATT&CK® Navigator can also be found on GitHub: https://github.com/mitre-attack/attack-navigator

Recommended reading material: Finding Cyber Threats with ATT&CK™-Based Analytics


Mitre ATT&CK Use Cases

Adversary Emulation – The process of assessing the security of a technology domain by applying cyber threat intelligence about specific adversaries and how they operate to emulate that threat. Adversary emulation focuses on the ability of an organization to verify detection and/or mitigation of the adversarial activity at all applicable points in their lifecycle.

Red Teaming – Applying an adversarial mindset without the use of known threat intelligence for the purpose of conducting an exercise. Red teaming focuses on accomplishing the end objective of an operation without being detected to show mission or operational impact of a successful breach.

Behavioral Analytics Development – By going beyond traditional indicators of compromise (IoCs) or signatures of malicious activity, behavioral detection analytics can be used to identify potentially malicious activity within a system or network that may not rely on prior knowledge of adversary tools and indicators. It is a way of leveraging how an adversary interacts with a specific platform to identify and link together suspicious activity that is agnostic or independent of specific tools that may be used.

Defensive Gap Assessment – A defensive gap assessment allows an organization to determine what parts of its enterprise lack defenses and/or visibility. These gaps represent blind spots for potential vectors that allow an adversary to gain access to its networks undetected or unmitigated.
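The two ideas above, Navigator layers generated programmatically and a defensive gap assessment, combine naturally: a coverage inventory is scored per technique and emitted as a layer file the Navigator can load, while the same inventory yields the list of blind spots. The following is an added example, not code from the page or from MITRE; the coverage inventory is constructed, the technique IDs are real ATT&CK IDs chosen to match the tactics the page names, and the version numbers in the layer header are assumed.

```python
import json

# Constructed coverage inventory (not from the page). Technique IDs are real
# ATT&CK Enterprise IDs; the detect/mitigate values are made up for the example.
COVERAGE = {
    "T1003": {"tactic": "credential-access", "detect": True,  "mitigate": False},
    "T1021": {"tactic": "lateral-movement",  "detect": False, "mitigate": False},
    "T1041": {"tactic": "exfiltration",      "detect": True,  "mitigate": True},
    "T1059": {"tactic": "execution",         "detect": False, "mitigate": True},
    "T1083": {"tactic": "discovery",         "detect": False, "mitigate": False},
}

def coverage_score(entry):
    """0 = blind spot, 1 = detection or mitigation only, 2 = both in place."""
    return int(entry["detect"]) + int(entry["mitigate"])

def build_layer(coverage, name="Defensive gap assessment"):
    """Build a Navigator layer dict: one entry per technique, coloured by score."""
    labels = {0: "gap: no detection, no mitigation",
              1: "partial coverage",
              2: "detected and mitigated"}
    techniques = []
    for tid, entry in sorted(coverage.items()):
        score = coverage_score(entry)
        techniques.append({
            "techniqueID": tid,
            "tactic": entry["tactic"],
            "score": score,
            "comment": labels[score],
            "enabled": True,
        })
    return {
        "name": name,
        # Assumed version triple; adjust to the Navigator release in use.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Constructed example: score = number of defensive controls (0-2)",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"],
                     "minValue": 0, "maxValue": 2},
    }

def find_gaps(coverage):
    """Return technique IDs with neither detection nor mitigation, grouped by tactic."""
    gaps = {}
    for tid, entry in coverage.items():
        if coverage_score(entry) == 0:
            gaps.setdefault(entry["tactic"], []).append(tid)
    return gaps

if __name__ == "__main__":
    print(json.dumps(build_layer(COVERAGE), indent=2))  # save as .json, open in Navigator
    print("blind spots:", find_gaps(COVERAGE))
```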

SOC Maturity Assessment – An organization’s Security Operations Center is a critical component of many medium to large enterprise networks that continuously monitor for active threats against the network. Understanding the maturity of a SOC is important to determine its effectiveness.

Cyber Threat Intelligence Enrichment – Cyber threat intelligence covers knowledge of cyber threats and threat actor groups that impact cybersecurity. It includes information about malware, tools, TTPs, tradecraft, behavior, and other indicators associated to threats.

Read more: MITRE ATT&CK: Design and Philosophy

Using ATT&CK for Cyber Threat Intelligence Training

If you want to learn how to use Mitre ATT&CK, Mitre offers five training modules at https://attack.mitre.org/resources/training/cti/.


Comparing Lockheed Kill Chain and Mitre ATT&CK

Comparing these two models, MITRE ATT&CK provides the more comprehensive set of intrusion phases and adversary behaviors. ATT&CK includes plenty of actionable information about individual techniques, such as detection and mitigation methods, that can be used, for example, to perform defensive gap analysis, red teaming, or adversary emulation. MITRE also provides additional open source tools built on the ATT&CK information.
