Last Updated: 12th September, 2019
What Is MITRE ATT&CK?
MITRE ATT&CK (Official Website) is an internationally open learning base of adversary tactics and techniques dependent on true perceptions of cyber attacks. They’re shown in pattern frameworks that are masterminded by attack stages, from introductory framework access to information theft and/or machine control. There are different patterns for normal desktop platforms – Linux, Windows and MacOS as well on the various mobile platforms.
What Does ATT&CK Stand For?
ATT&CK simply represents Adversarial Tactics, Techniques, and (&) Common Knowledge. How about we dissect and separate this down.
Tactics and techniques are a cutting-edge method for taking a gander at cyber attacks. As opposed to taking a stroll at the aftereffects of an attack, otherwise known as an indicator of compromise (IoC), security experts should take a glance at the tactics and techniques that demonstrate an attack is in its advancement. Tactics are the why or reasoning of an attack technique. Techniques constitute how an adversary accomplishes a tactical intent by playing out an activity.
Common knowledge is the archived utilization of tactics and techniques by the adversaries. Basically, common knowledge is the documentation of stratagems. Those acquainted with cybersecurity might be comfortable with the phrase “tactics, techniques, and procedures,” or TTP. (The “CK” creates a more sexier abbreviation than the “P” — dependably an unquestionable requirement in government ventures.)
Google Trends conveys us that this peculiar new ampersand-instilled abbreviation is equal to ‘Red Hot Chili Peppers‘. Be that as it may, what is MITRE ATT&CK™ about, and for what reason should cybersecurity experts be concerned?
Who Is MITRE?
MITRE (Official Website) is a government financed research consortium situated in Bedford, MA, and McLean, VA. The organization was strung out of MIT in 1958 and has been engaged with a scope of business and top secret ventures for a sphere of agencies. These incorporated the advancement of the FAA airport traffic control framework and the AWACS airborne radar framework. MITRE has a significant cybersecurity practice supported by the National Institute of Standards and Technology (NIST).
Strikingly, Miter isn’t just an abbreviation, however, some ideate that it represented the Massachusetts Institute of Technology Research and Engineering. The name is the design of James McCormack, and an early board of members, who needed a name that amounted to nothing, however sounded reminiscent.
What Is The Aim Of MITRE ATT&CK?
The objective is to make an extensive rundown of the known adversary tactics and techniques implied amid a cyberattack. Open to education, government, institution, and business associations; it ought to have the capacity to gather a wide, and ideally thorough, scope of attack stages and chronologies. MITRE ATT&CK is expected to make a standard scientific categorization to make correspondences between organizations increasingly precise.
ATT&CK was done out of a need to methodically classify the adversary behaviors as a component of leading organized adversary impersonating practices inside MITRE’s Fort Meade Experiment investigate environs.
How Would You Use The MITRE ATT&CK Matrix?
The MITRE ATT&CK Matrix viewable arrays of every single known tactic and techniques into a straightforward structure. Attack tactics are appearing over the top, and individual techniques are recorded down every segment. An attack chronology would include no less than one technique for every tactic, and a concluded attack sequence would involve at least one technique per tactic, and a completed attack chronology would be forged by moving from left (Initial Access) to right (Command and Control).
It is feasible for various techniques to be utilized for one tactic. For instance, an attacker may attempt both a link and an attachment in a spear phishing abuse.
It’s not obligatory for an attacker to utilize each one of the eleven tactics over the highest point of the matrix. Or maybe, the attacker will utilize the base number of tactics to accomplish their target, as it’s increasingly effective and gives less possibility of disclosure.
In this attack (demonstrated in Figure 3), the adversary executes Initial Access to the testimonials of the CEO’s executive assistant utilizing a spear phishing link conveyed in an email. When they have the administrator’s testimonials, the attacker will search for a remote framework in the Discovery juncture.
Figure 3 demonstrates a precedent attack with techniques from each tactical phase of the attack.
How about we presume that they are after sensitive information in a Dropbox folder to which the administrator additionally has access, so there is no compelling reason to heighten privileges. The collection, which is the final phase, is performed by downloading records from Dropbox to the attacker’s machine.
Make note that if utilizing behavior analysis, a security investigator may distinguish the attack in procedure by recognizing the atypical client behavior. For instance, suppose the administrator clicked any link that nobody in the organization has ever clicked previously, at that point the administrator got to a specific Dropbox folder at an uncommon time.
Amid the last phase of the attack, the attacker’s computer got to the Dropbox folder out of the blue. With behavioral investigation, these exercises would be hailed as suspicious client behavior.
How Does MITRE ATT&CK Contrast To Lockheed Martin’s Cyber Kill Chain?
The Lockheed Martin’s Cyber Kill Chain®? along with, ATT&CK look like each other in that both are models that characterize the moves an attacker utilizes to accomplish their objective. The Lockheed Martin’s Cyber Kill Chain recognizes seven stages in an attack:
- Command and control
- Actions on objectives
ATT&CK has ten stages that forms an attack chain:
- Initial access
- Privilege escalation
- Defense evasion
- Credential access
- Lateral movement
- Collection and xfiltration
- Command and control
Notwithstanding greater diaphanous in the attack chain tactics, ATT&CK portrays the techniques that can be utilized in each phase, whilst the Lockheed Martin’s Cyber Kill Chain doesn’t.
How MITRE ATT&CK Can Be Used By The Organizations?
There are various ways a syndicate can utilize the MITRE ATT&CK. Here are some of the essential use cases.
- Adversary Emulation – ATT&CK can be utilized to make an adversary imitating situations to test and confirm resistances against normal adversary techniques.
- Red Teaming – ATT&CK can be utilized to make red team designs and sort out activities to maintain a strategic distance from a specific defensive measures that might be set up in a network.
- Behavioral Analytics Development – ATT&CK can be utilized to develop and investigate behavioral analytics to recognize adversarial behavior inside environs.
- Defensive Gap Assessment – ATT&CK can be utilized as a typical behavior centered adversary model to survey devices, checking, and alleviations of existing defenses inside an association’s enterprise.
- SOC Maturity Assessment – ATT&CK can be utilized as one estimation to decide how powerful an SOC is at recognizing, analyzing, and reacting to intrusions.
- Cyber Threat Intelligence Enrichment – ATT&CK is helpful for comprehension and cataloging adversary grade profiles from a behavioral point of view that is skeptical of the instruments the category may utilize.
Various security analysts around the globe take an interest in Miter ATT&CK talks and occasions. They have likewise contributed a few new techniques that are pending for publication. Furthermore, analysts have performed broad research on the best way to perform AI based irregularity identification to viably apply MITRE ATT&CK into the security analyst’s discernment armouries.