ATT&CK

Last updated

The Adversarial Tactics, Techniques, and Common Knowledge or MITRE ATT&CK is a guideline for classifying and describing cyberattacks and intrusions. It was created by the Mitre Corporation and released in 2013. [1]

Contents

Rather than looking at the results of an attack (aka an indicator of compromise (IoC)), it identifies tactics that indicate an attack is in progress. Tactics are the “why” of an attack technique.

The framework consists of 14 tactics categories consisting of "technical objectives" of an adversary. [2] Examples include privilege escalation and command and control. [3] These categories are then broken down further into specific techniques and sub-techniques. [3]

The framework is an alternative to the cyber kill chain developed by Lockheed Martin. [3]

ATT&CK Matrix for Enterprise

The ATT&CK Matrix for Enterprise is a comprehensive framework that is presented as a kanban board-style diagram. [4] It defines 14 categories of tactics, techniques and procedures (TTPs) used by cybercriminals with the associated techniques and sub-techniques.

CategoryDescriptionTechniques
Reconnaissance Gathering information about a target.10
Resource DevelopmentIdentifying and acquiring resources for the attack.8
Initial AccessGaining initial access to a system or network.10
Execution Running malicious code on a system.14
Persistence Maintaining access to a system or network.20
Privilege Escalation Obtaining elevated privileges within a system or network.14
Defense Evasion Disabling or evading security measures.43
Credential AccessObtaining credentials to access systems or data.17
DiscoveryIdentifying additional systems or information within a network.32
Lateral Movement Moving laterally within a compromised network.9
CollectionCollecting data from compromised systems.10
Command and Control Establishing communication with compromised systems.17
Exfiltration Transferring stolen data from a compromised system.9
ImpactTaking actions to achieve the attacker's objectives.14

Reconnaissance

Reconnaissance is the initial stage of information gathering for an eventual cyberattack. [5]

There are 10 techniques – including the use of network scanning, social engineering and Open-source intelligence (OSINT).

MITRE IDTechniquesSummary
T1595 Active Scanning Active reconnaissance by scanning the target network using a port scanning tool such as Nmap, vulnerability scanning tools and wordlist scanning for common file extensions and software used by the victim.
T1598 Phishing for Information Using social engineering techniques to elicit useful information from the target. Using a communication channel such as e-mail, including generic phishing and targeted spearphishing which has been specifically created to target an individual victim
T1592Gather Victim Host InformationDiscover the configuration of specific endpoints such as their hardware, software and administrative configuration (such as Active Directory domain membership). Especially security protections such as antivirus and locks (biometric, smart card or even a Kensington K-Slot).
T1590Gather Victim Network InformationDiscover the target network's configuration such as the network topology, security appliances (network firewall, VPN), IP address ranges (either IPv4, IPv6 or both), fully qualified domain names (FQDN) and the Domain Name System (DNS) configuration.

Related Research Articles

An exploit is a method or piece of code that takes advantage of vulnerabilities in software, applications, networks, operating systems, or hardware, typically for malicious purposes. The term "exploit" derives from the English verb "to exploit," meaning "to use something to one’s own advantage." Exploits are designed to identify flaws, bypass security measures, gain unauthorized access to systems, take control of systems, install malware, or steal sensitive data. While an exploit by itself may not be a malware, it serves as a vehicle for delivering malicious software by breaching security controls.

<span class="mw-page-title-main">Brute-force attack</span> Cryptanalytic method for unauthorized users to access data

In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. Alternatively, the attacker can attempt to guess the key which is typically created from the password using a key derivation function. This is known as an exhaustive key search. This approach doesn't depend on intellectual tactics; rather, it relies on making several attempts.

Information warfare (IW) is the battlespace use and management of information and communication technology (ICT) in pursuit of a competitive advantage over an opponent. It is different from cyberwarfare that attacks computers, software, and command control systems. Information warfare is the manipulation of information trusted by a target without the target's awareness so that the target will make decisions against their interest but in the interest of the one conducting information warfare. As a result, it is not clear when information warfare begins, ends, and how strong or destructive it is.

The Mitre Corporation is an American not-for-profit organization with dual headquarters in Bedford, Massachusetts, and McLean, Virginia. It manages federally funded research and development centers (FFRDCs) supporting various U.S. government agencies in the aviation, defense, healthcare, homeland security, and cybersecurity fields, among others.

Network security consists of the policies, processes and practices adopted to prevent, detect and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator. Users choose or are assigned an ID and password or other authenticating information that allows them access to information and programs within their authority. Network security covers a variety of computer networks, both public and private, that are used in everyday jobs: conducting transactions and communications among businesses, government agencies and individuals. Networks can be private, such as within a company, and others which might be open to public access. Network security is involved in organizations, enterprises, and other types of institutions. It does as its title explains: it secures the network, as well as protecting and overseeing operations being done. The most common and simple way of protecting a network resource is by assigning it a unique name and a corresponding password.

<span class="mw-page-title-main">Space warfare</span> Combat that takes place in outer space

Space warfare is combat in which one or more belligerents are in outer space. The scope of space warfare includes ground-to-space warfare, such as attacking satellites from the Earth; space-to-space warfare, such as satellites attacking satellites; and space-to-ground warfare, such as satellites attacking Earth-based targets. Space warfare in fiction is thus sub-genre and theme of science fiction, where it is portrayed with a range of realism and plausibility. In the real world, international treaties are in place that attempt to regulate conflicts in space and limit the installation of space weapon systems, especially nuclear weapons.

<span class="mw-page-title-main">Winlogon</span> Component of Microsoft Windows operating systems

Winlogon is the component of Microsoft Windows operating systems that is responsible for handling the secure attention sequence, loading the user profile on logon, creates the desktops for the window station, and optionally locking the computer when a screensaver is running. The roles and responsibilities of Winlogon have changed significantly in Windows Vista and later operating systems.

A red team is a group that pretends to be an enemy, attempts a physical or digital intrusion against an organization at the direction of that organization, then reports back so that the organization can improve their defenses. Red teams work for the organization or are hired by the organization. Their work is legal, but can surprise some employees who may not know that red teaming is occurring, or who may be deceived by the red team. Some definitions of red team are broader, and include any group within an organization that is directed to think outside the box and look at alternative scenarios that are considered less plausible. This can be an important defense against false assumptions and groupthink. The term red teaming originated in the 1960s in the United States.

Secureworks Inc. is an American cybersecurity company. The company has approximately 4,000 customers in more than 50 countries, ranging from Fortune 100 companies to mid-sized businesses in a variety of industries.

An advanced persistent threat (APT) is a stealthy threat actor, typically a state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.

A cyberattack occurs when there is an unauthorized action against computer infrastructure that compromises the confidentiality, integrity, or availability of its content.

Lazarus Group is a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them since 2010. Originally a criminal group, the group has now been designated as an advanced persistent threat due to intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra and ZINC or Diamond Sleet. According to North Korean defector Kim Kuk-song, the unit is internally known in North Korea as 414 Liaison Office.

Lateral movement refers to the techniques that cyber attackers, or threat actors, use to progressively move through a network as they search for the key data and assets that are ultimately the target of their attack campaigns. While development of more sophisticated sequences of attack has helped threat actors develop better strategies and evade detection as compared to the past, similar to planning a heist, cyber defenders have also learned to use lateral movement against attackers in that they use it to detect their location and respond more effectively to an attack.

<span class="mw-page-title-main">2017 Ukraine ransomware attacks</span> Series of powerful cyberattacks using the Petya malware

A series of powerful cyberattacks using the Petya malware began on 27 June 2017 that swamped websites of Ukrainian organizations, including banks, ministries, newspapers and electricity firms. Similar infections were reported in France, Germany, Italy, Poland, Russia, United Kingdom, the United States and Australia. ESET estimated on 28 June 2017 that 80% of all infections were in Ukraine, with Germany second hardest hit with about 9%. On 28 June 2017, the Ukrainian government stated that the attack was halted. On 30 June 2017, the Associated Press reported experts agreed that Petya was masquerading as ransomware, while it was actually designed to cause maximum damage, with Ukraine being the main target.

Stealth Falcon is a cybercrime group affiliated to the United Arab Emirates (UAE) which is associated with Project Raven.

Berserk Bear is a Russian cyber espionage group, sometimes known as an advanced persistent threat. According to the United States, the group is composed of "FSB hackers," either those directly employed by the FSB or Russian civilian, criminal hackers coerced into contracting as FSB hackers while still freelancing or moonlighting as criminal hackers. Four accused Berserk Bear participants, three FSB staff and one civilian, have been indicted in the United States and are regarded by the United States Department of Justice as fugitives.

Conti is malware developed and first used by the Russia-based hacking group "Wizard Spider" in December, 2019. It has since become a full-fledged ransomware-as-a-service (RaaS) operation used by numerous threat actor groups to conduct ransomware attacks.

<span class="mw-page-title-main">Cyber kill chain</span> Process of carrying out a cyberattack

The cyber kill chain is the process by which perpetrators carry out cyberattacks. Lockheed Martin adapted the concept of the kill chain from a military setting to information security, using it as a method for modeling intrusions on a computer network. The cyber kill chain model has seen some adoption in the information security community. However, acceptance is not universal, with critics pointing to what they believe are fundamental flaws in the model.

Breach and attack simulation (BAS) refers to technologies that allow organizations to test their security defenses against simulated cyberattacks. BAS solutions provide automated assessments that help identify weaknesses or gaps in an organization's security posture.

Pentera is a cybersecurity software company, specializing in automated security validation solutions. Originally founded as Pcysys in 2015, the company later rebranded as Pentera in 2021. The company is led by Amitai Ratzon (CEO) and Dr. Arik Liberzon. Pentera has entities in the US, Germany, UK, Israel, Dubai, and Singapore.

References

  1. "What is the MITRE ATT&CK Framework?". Rapid7. Retrieved 2024-07-30.
  2. "Tactics in the ATT&CK Framework". Exabeam. 2022-08-03.
  3. 1 2 3 "What is the Mitre Attack Framework?". crowdstrike.com. Retrieved 2022-04-18.
  4. "MITRE ATT&CK". mitre.org. MITRE. Retrieved 1 March 2024.
  5. "Reconnaissance". attack.mitre.org. MITRE. Retrieved 1 March 2024.