Thursday, September 10, 2020
By Maril Vernon, Fuel User Group Member, (@shewhohacks), featuring Wade Wells (@WadingThruLogs)
The MITRE ATT&CK framework has gained a lot of attention and popularity in recent years. In fact, if you work in IT security, there is a very good chance you have heard MITRE once or twice from a vendor or manager, but you may not be sure what it is or if it applies to you.
“Before explaining what ATT&CK is, let’s say what it isn’t. It is not a checklist or a bingo card, something for you to fill out to verify you are ‘secure,’” Wade Wells says. Wells is a security engineer at Kyriba and a self-described one-man purple team who specializes in active intelligence, threat hunting and MITRE testing implementation. “It isn’t going to be your silver bullet to protect you from all the living off the land binaries (LoLBins) that Advanced Persistent Threats (APTs) use, and it’s not going to be a cut-and-paste project to implement in your network.” Now that we’ve got that out of the way, let’s say what it is.
MITRE is a not-for-profit organization that operates federally funded research and development centers for U.S. government sponsors, including Department of Defense agencies; ATT&CK, one of its projects, has since seen broad private-sector adoption. The ATT&CK framework began as internal MITRE research in 2013 and was publicly released in 2015. It is a set of matrices that break adversary behavior down into tactic categories (the attacker’s goal at each stage, from initial access through impact) and, under each tactic, the techniques used to achieve it. The tactics roughly parallel the stages of the Cyber Kill Chain, but ATT&CK is a catalog of observed behavior rather than a prescribed linear sequence. It is still unfamiliar enough that many companies are navigating how it is used and what implementing it looks like. Initial questions may include: What is it used for? How is it used? Who uses it? How is testing done according to MITRE?
Being a reference framework, ATT&CK is used to identify the adversary techniques relevant to an environment, the root causes that enable them and the data sources that reveal them, so that preventing or detecting those techniques reduces the likelihood of a successful intrusion. It is also a great starting point for getting multiple teams on the same page, using the same terminology about security testing. The framework includes profiles of threat actor groups, the techniques they have executed in real-world breaches, the software (malware and tools) used in those intrusions, mitigations for each technique, and the data sources (process creation, command-line logging, network traffic and so on) where evidence of each technique can be found in a network. The separate ATT&CK Evaluations program additionally assesses how security vendors’ products fare against emulated adversary behavior.
“ATT&CK at its core is a library, a centralized location of well-known attacks that are named and categorized. It’s a great resource for anyone coming up in security to quickly catch up on terms, tools, tactics, techniques and procedures (TTPs),” Wells says.
“Secondly, ATT&CK is a means of communication. It doesn’t just give red and blue teams common terms; it is also a conduit for other teams to interface with the security team,” he says. “Using ATT&CK, you can easily explain strengths and weaknesses to leadership. Threat intel can provide detailed reports of TTPs for blue teams on what to look out for, or to red teams on what to emulate.”
Taking ATT&CK one step further, how can you protect against something when you don’t know what that thing is? If your security controls are reasonably mature, how do you go about verifying how they would stand up to a real attack scenario?
“[ATT&CK is] a tool to use when threat hunting for the unknown. It helps gauge a baseline to judge your current alerts to bridge the gap on what attackers are using and what the [IDS/IPS] is seeing,” Wells explains. If a tool is supposed to detect or block a given technique, you can emulate that technique and confirm the tool actually does so.
What’s most important to remember when implementing the MITRE ATT&CK framework is that it is not a one-stop security shop. Filling in more squares of the matrix does not equal more protection: a filled-in square means you believe a control addresses that technique, not that it has been shown to, so technique visibility should always be verified with testing. A list of tools that can help you do this is also available on attack.mitre.org.
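The two points above, that ATT&CK ties each technique to the data source where its evidence appears, and that a claimed square in the matrix is only worth something once testing shows the detection fires, can be made concrete with a small coverage check. The following is an added example written for this article, not code from the page, from MITRE or from Kyriba. The rule names are hypothetical, the process-creation events are constructed to look like simplified Sysmon Event ID 1 records, and each event is tagged with the technique the emulation run that produced it exercised; the technique IDs themselves (T1059.001, T1053.005, T1218.011, T1003.001, T1047, T1105) are real ATT&CK Enterprise IDs. The report separates what the rule set claims from what the emulation actually verified.

```python
"""Claimed versus verified ATT&CK technique coverage.

Added example: runs a handful of hypothetical detection rules over constructed
Sysmon-style process-creation events and reports which claimed techniques
actually produced an alert when the technique was emulated.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# ATT&CK technique IDs look like T1059 or T1059.001 (sub-technique).
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


@dataclass(frozen=True)
class Event:
    """Simplified Sysmon Event ID 1 (process creation) record (constructed)."""
    image: str
    command_line: str
    # Technique exercised by the emulation run that generated this event;
    # None marks a benign control event used to catch false positives.
    emulated: Optional[str]


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str                  # ATT&CK ID the rule claims to detect
    match: Callable[[Event], bool]  # predicate over one event


def _image_is(event: Event, name: str) -> bool:
    return event.image.lower().endswith("\\" + name)


# Hypothetical rules. Each one is the "filled-in square" for its technique.
RULES = [
    Rule("encoded_powershell", "T1059.001",
         lambda e: _image_is(e, "powershell.exe")
         and re.search(r"(?i)(^|\s)-(e|enc|encodedcommand)(\s|$)", e.command_line) is not None),
    Rule("schtasks_create", "T1053.005",
         lambda e: _image_is(e, "schtasks.exe") and "/create" in e.command_line.lower()),
    Rule("rundll32_user_writable_dll", "T1218.011",
         lambda e: _image_is(e, "rundll32.exe")
         and re.search(r"(?i)\\(temp|appdata|users\\public)\\", e.command_line) is not None),
    Rule("procdump_lsass", "T1003.001",
         lambda e: _image_is(e, "procdump.exe") and "lsass" in e.command_line.lower()),
    Rule("wmic_remote_process", "T1047",
         lambda e: _image_is(e, "wmic.exe") and "/node:" in e.command_line.lower()),
    Rule("certutil_download", "T1105",
         lambda e: _image_is(e, "certutil.exe") and "-urlcache" in e.command_line.lower()),
]

# Constructed events: one per emulation run, plus one benign control.
EVENTS = [
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
          "T1059.001"),
    Event(r"C:\Windows\System32\schtasks.exe",
          r"schtasks.exe /create /tn Updater /tr C:\Users\Public\u.exe /sc minute /mo 5",
          "T1053.005"),
    Event(r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe C:\Users\alice\AppData\Local\Temp\x.dll,Run",
          "T1218.011"),
    # LSASS dump via comsvcs.dll: the procdump rule never sees it, and the
    # rundll32 rule only looks at user-writable DLL paths. Claimed, not verified.
    Event(r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 612 C:\ProgramData\l.dmp full",
          "T1003.001"),
    # Local WMI execution: the rule only keys on remote (/node:) use.
    Event(r"C:\Windows\System32\wbem\WMIC.exe",
          'wmic process call create "calc.exe"',
          "T1047"),
    # Benign scheduled backup script; no rule should fire.
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
          None),
]


def claimed_coverage(rules=RULES) -> set:
    """Techniques the rule set claims to cover, with the IDs sanity-checked."""
    ids = {r.technique for r in rules}
    bad = [t for t in ids if not TECHNIQUE_ID.match(t)]
    if bad:
        raise ValueError(f"malformed technique IDs: {bad}")
    return ids


def run_detections(rules=RULES, events=EVENTS) -> list:
    """Return (rule name, event) pairs for every rule that fired on an event."""
    return [(r.name, e) for e in events for r in rules if r.match(e)]


def coverage_report(rules=RULES, events=EVENTS) -> dict:
    """Compare the matrix you think you have with the one the emulation proved."""
    claimed = claimed_coverage(rules)
    emulated = {e.emulated for e in events if e.emulated}
    hits = run_detections(rules, events)
    verified = {e.emulated for _, e in hits if e.emulated}
    return {
        "claimed": sorted(claimed),
        "verified": sorted(verified),
        "claimed_not_verified": sorted((claimed & emulated) - verified),
        "untested": sorted(claimed - emulated),
        "false_positives": sorted(name for name, e in hits if e.emulated is None),
    }


if __name__ == "__main__":
    for key, value in coverage_report().items():
        print(f"{key:>21}: {value}")
```

Run as-is, the report shows six claimed techniques but only three verified ones: the LSASS-dump and WMI emulations exercised a different procedure than the rules were written for, and T1105 was claimed but never emulated at all. That gap, not the number of filled-in squares, is what testing against ATT&CK is meant to surface.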
More to Explore
Check out these Fuel blog posts for further reading: