ATT&CK Matrix: The Enemies Playbook

In the cybersecurity world, we rarely get a chance to know our enemies. Our attackers are smart, faceless, and come from all walks of life. Security professionals have to defend against everything, while attackers only need to exploit one weakness in your whole network to get in.

According to a report by the Ponemon Institute in IBM, the average time an attacker is active inside your network is 191 days.

As most security professionals will tell you, it’s not a matter of if they get inside, but when. This is why more and more security programs are shifting their resources to detecting and responding to threats as quickly as possible.

So how do we build an effective detect and response plan? One way is the Att&ck Framework by MITRE, and as we’ll see here, the framework provides the world’s best public database of attackers’ playbooks recorded to date. So now we can know our enemies and anticipate their next move.

MITRE’s ATT&CK Framework

In one of my previous posts entitled, Breaking the Kill Chain, we took a look at the steps an attacker commonly takes to carry out a successful attack. Understanding these seven steps are foundational to any organization of cybersecurity design and defense. The Att&ck framework developed by MITRE expands on the last three steps of the kill chain by giving us twelve more granular categories to replace the installation, command and control, and actions and objectives phase of the kill chain.

These twelve categories are based on the research of millions of real-world attacks, the Att&ck Matrix fills up the framework with over 290 techniques that are used to carry out the respective categories.

 

What is the ATT&CK Matrix?

Put simply: it’s the attacker’s playbook. And for cybersecurity teams, it’s a goldmine of information we can use to find gaps in our security and test our networks. Up to this point in the kill chain, we’ve been focused on prevention, and our tools and processes have been about stopping the attack from ever getting inside, but once an attack is successful and the attacker is inside, we need to focus on detecting and responding to those threats.

 

Categories Within the Matrix

Following the attack matrix allows us to look at the steps and techniques an attacker would commonly take once they’ve successfully exploited a vulnerability.

• Initial access: This is the attacker’s first footprint into your network, be at some vulnerability that has been exploited.
• Execution and persistence: running malicious code and trying to maintain their foothold so they can continue their access, even if a system reboots.
• Privilege escalation: trying to get root or administrative access on the box.
• Defensive evasions: are all the tricks an attacker would do to avoid gettings caught, like disabling logging or encrypting payload so they don’t trigger any IDS or antivirus programs.
• Credential access:  stealing account names of passwords.  While this may not be the end goal for the attacker, it’s still a very common step for them to take once they’ve gotten this far inside your network.
• Discovery: the process of trying to understand the environment or the network; in this phase, an attacker will typically see what else they have access to via pot scans or port sniffing.
• Lateral movement: involves the attacker trying to bounce to another system from the compromised host, and more often than not, an attacker will penetrate the network through the weakest link, and often have to pivot or jump through multiple machines to get to their end objective.
• Collection: gathering any kind of data, this could be screen captures, keystrokes, or just data needed for another objective.
• Command and control: setting up the system to be controlled remotely. Oftentimes, this is disguised to look like normal HTTP traffic.
• Exfiltration:  where the adversary is stealing or exfiltrating data. Usually via encrypted tunnels or encrypting the file.
• Impact: result of the system based off of what the attacker is trying to achieve. For example, ransomware’s goal is to get money from the attack; the impact to the system is that the data is encrypted, and possibly the service has been stopped.

The MITRE ATT&CK Matrix for enterprises can be found at Att&ck.Mitre.org.

 

How The Matrix Can Be Understood

The Matrix is made up of tactics, techniques, and procedures, also known as TTP. The tactics are the twelve columns at the top which are the different categories of what the attacker is trying to accomplish. The techniques appear below the tactics and they show specific techniques an attacker would use during this stage of the attack.

For example, the attacker may have achieved initial access by using the technique “exploiting a public-facing application.” In some cases, an attacker can use multiple techniques to accomplish a given tactic. The sum of the techniques a given attack uses is known as a behavior profile given for a specific attack. And when we look at it in its entirety, it breaks down the steps an attacker took to accomplish their goal.

How To Dissect The ATT&CK Matrix

With over 290 techniques and counting, the Att&ck Matrix can look a little daunting a first. So if you’re asking yourself, where do I even begin? Here’s one suggestion:

1. Find the top left tactic on the Matrix. From left to right, these are the steps the attacker will normally take from the moment they’ve gained access into your system or network, all the way through to the final completion of their goal, which is the impact.
2. Work your way backward by first looking at the end objective an attacker might have in targeting your organization.
3. Use threat modeling basics to identify the objectives any attacker might have in targeting your business. Could it be bringing down your servers for any given amount of time? Could it be stealing PII or proprietary information? Maybe you have servers in the cloud that an attacker could use to mine Bitcoin. This is a popular option for public and cloud systems because of the available compute power these servers typically have.
4. Whatever your risks are, write them down and prioritize which ones to focus on.
5. MITRE has an interactive matrix called the “Att&ck Navigator” on GITHUB, once you’re there, you’ll notice a matrix available as an interactive table.
6. From here, you can search, filter, and correlate between different types of attacks and follow trends.
7. Under selective controls, you’ll notice you can select different attacks based on either the threat group or software.
8. Once you’ve chosen your attacks, assign it a color by going to color setup and give it a score value. This allows you to color-code the matrix based on the attack. You can then see the attacker’s various steps on the way to their end goal.
9. If you want to add multiple attacks and do advanced correlation, you will want to add another layer. Select the “+” sign at the top and select “create new layer.”
10. Modify the second layer with a background color, and give it a score value.
11. Merge both layers by selecting “create layer from the other layers.” You may notice that the other tabs you created now have a value of “A” and “B.” Select “A+B” under the score expression and select “create.”
12. Lastly, select your color set up to show the colors you selected for both layers.

What we have here is very valuable information about the attacker’s behavior, and ultimately, that is what the Att&ck framework is trying to show us: to get into the mindset of an attacker and understand their step-by-step process so we can defend against it.

This is a very difficult but highly effective approach in building out our cybersecurity threat and response programs. IPS, domains, malware, and tools change all the time, but the behavior of an attacker is much harder to change.

 

The Pyramid of Pain

To illustrate that point, there’s a concept called the Pyramid of Pain, and the Pyramid shows how easy it would be for an attacker to go around the particular method that has been taken away from them. For example, blocking a file or an IP address is very easy for an attacker to circumvent. Blocking a domain name is slightly more of a burden because the attacker might have to change some lines of code on their programs.

Network or host artifacts could be a safeguard on the target that is preventing them from carrying out a mission. This can be something like blocking FTP outbound on your network, and it may prevent an attacker from grabbing data, but they can just circumvent that by tunneling the data out through another encrypted tunnel. Taking away an attacker’s tool is challenging because it would require them to come up with a new way of their end objective.An example of this would be disabling PowerShell on Work Station. Taking away this tool from them and having other safeguards in place may prove to be quite challenging.

At the top of the Pyramid are the tactics, techniques, and procedures, or TTP, that the MITRE attack framework is showing us. This is the behavior profile we were talking about earlier. When you’re defending at this level, you’re not going after tools which constantly change, but the attacker’s behavior, which is much more difficult to change.

 

Defending Against Attacker Tools vs. Behavior

To illustrate that point, let’s take a look at the credential dumping technique. An attacker has several well-known tools that can be used to retrieve Windows sam database file.

MimiKat, for example, is a popular tool that can be used, so we have alerts that go off if MimiKatz is ever detected on an end host or a domain controller. When an attacker does eventually gain access into the system and tries to run MimiKatz, they might fail because they were blocked or the endpoint alerted that someone was trying to use it.

So the attacker instead decides to use GSECDump or PWDump to accomplish the same goal. Defending against the tools can be effective, but it’s like playing whack-a-mole. New tools come out daily which can be hard to block, and these tools can also be customized to avoid detection altogether.

But, knowing the behavior of an attacker allows us to fend against the end goal the attacker is trying to accomplish, and ultimately, MimiKatz and GSECDump are tools to accomplish the goal of grabbing credentials.

If we’re going to defend against credential dumping, regardless of the tool, we can start to take measures to defend against the behavior. So instead, we’ll disable settings that store credentials in memory. We’ll lower admin debug levels and disable password cashing altogether. These are all common techniques that these popular tools use to grab credentials.

This is an example of defending against the behavior instead of the tool, and you don’t have to go very far to figure out how to protect against the various behaviors. In fact, each technique on the Att&ck Matrix has a page that includes mitigations for detecting and possible defending against each of these attacks.

 

How To Use The ATT&CK Framework

So you may be thinking, well this is great, but how can I start defending against these different behaviors? Just like every other security safeguard, there is no silver bullet, but the attack framework can be used in a number of different ways across your network. Here are just a few examples:

Red Team Testing. Enhance your red team testing by incorporating the Att&ck Framework into your testing. In cybersecurity, you have the concept of red team vs. blue team. By definition, the blue team is your cybersecurity staff, while the red team is the white hat hackers who are simulating an attack. Whether your red team is an internal entity or third-party contractor, the attack framework is a foundational blueprint to use, so make sure any red team is incorporating the framework into their testing.

Ultimately, the goal of the red team vs. blue team testing is to find gaps in your network, which in turn leads to better detection. This cycle should be repeated and quantified to make sure you’re always trending in the right direction.

Automated Att&ck Simulator. Another way to utilize the attack simulator is by utilizing a tool that MITRE has also developed called Caldera. This tool automates and tests systems against various techniques in the Att&ck Matrix. It works by installing Caldera on your network and installing service agents on your network that you want to test. Then configuring the type of attack you want through the Caldera GUI. Once the test is run, Caldera will go through the techniques you have selected and even compromise other systems it finds through the enumeration phase. Be careful on any production system because some of this can get pretty dangerous. It’s also worth mentioning that a few other third-party tools, like Red Team Automation from Canary, offer complimentary features from Caldera that you can use both together or separately.

Implementing Into Your SIEM. The third way you can implement the Att&ck Framework is via your favored SIEM appliance. Many SIEM vendors now have adopted the attack model in their SIEM logic or are offering it as a third-party add-on. These will ingest the logs from the various data sources and correlate the appropriate TTP for a given event. Of course, make sure you have the appropriate visibility from your SIEM by logging from all the appropriate data sources. That means having visibility and logging from all of your endpoints, EDRs, firewalls, authentication servers, and anything else on your network that could be a target for a given attack.

Training. While this last point may sound a bit obvious, it may be possibly the most important because before you can even being to implement the Att&ck Framework into any processor tool, you need to have a real understanding of the different techniques and what they actually mean to your network.

This is important because not only do you always need a human element to make the final decision on the legitimacy of a potential threat, but you also need to discern an attack from a false positive. To illustrate this point, Travis Smith fat Tripwire organized the att&ck matrix into a really good chart by difficulty and presented it at Att&ck Con. You can find his chart here.