The MITRE ATT&CK Framework & Understanding the State of the Warfare

Mehmet Yavuz Yağış
7 min read · Sep 9, 2021
Utagawa Yoshitora — Kumasaka’s night attack on Ushiwaka-Maru at the Akasaka Post-station in Mino province 1860

The history of humankind is the history of warfare, and the history of warfare is the history of deception and improvisation. Starting with stones and arrows, the landscape of warfare evolved into mounted cavalry and siege equipment, then began to encompass the land, the air, and the open seas, even space. We created technologies and attack techniques that enable us to fight not only on rough terrain, across the dark skies of the night and under the blue oceans, but also in the virtual realm. Warfare has spread to the realm of fiber-optic cables and binary-reading chipsets, giving rise to the need to protect our new castles. But the question is: what are the best ways to accomplish this goal?

< Potential Unleashed />

A recurve bow can launch an arrow at an average speed of 255 ft per second. A bullet can outdo this arrow ten times over, with a speed of 2500 ft per second. The fastest warplane we have ever built, the Lockheed SR-71 Blackbird, can reach Mach 3.3 while delivering its deadly payload. What about the internet? How fast can a malicious actor reach you once they decide to? Low-latency fiber internet can reach up to 70% of the speed of light¹, that is roughly 6.8 billion ft per second. It is incredible what we have achieved in such a short period.

What is more? With its immense speed and capabilities, the internet is also introducing new vulnerabilities, hence extending the attack surface. In cyberspace, a malicious action covers the distance between source and victim 2.6 million times faster than a bullet travels through thin air. The threat is distributed, multi-faceted, and smarter. The threat is very, very real.

Think of a scenario where state-sponsored hackers are developing next-gen exploits to hinder your activities, and hacktivists who oppose your conduct are relentlessly coming at you. Script kiddies, on the other hand, want to satisfy their desires by detonating threats purchased on the dark web or leaked (because why not!) within your system. Or maybe you just got your share of the ongoing indiscriminate shelling online. This potential is even scarier when you are on the defending side.

< Changing Intelligently />

The art of fireflies should be performed only after you know everything about the enemy in great detail so that you can construct your deception in accordance with the target’s mindset.²

This shinobi maxim is timeless. Be it in the physical realm or the cyber one, static defense systems and protocols are well studied and well documented, hence the fortress approach is getting less relevant and more obsolete each day.

Warfare is the intelligent calculation and use of the resources at hand. When deployed in an informed and intelligent manner, resources can build much more robust detection and prevention capabilities. However, attackers are playing the game by the same rules: they study, observe, plan, and then act.

We must realize that there is a glitch in the current war. Just as shinobi document and analyze everything before forming a plan, defenders can do the same. Just as defense resources are scarce and expensive, so are the attacker's arsenal and modus operandi. Thus, their pathways can be ambushed with the limited resources at hand. But first things first: we must consider dismantling the fortress.

< Liquefying Defenses With Information />

Image from: https://www.lockheedmartin.com/en-us/capabilities/cyber/intelligence-driven-defense.html

Today, defenders are leaving their castles and rigorously studying attack vectors to better mobilize their resources. Instead of an all-in defense strategy, a novel threat-informed defense approach is the new trend.

Jonathan Reiber & Carl Wright define this new approach as follows:

A threat-informed defense strategy applies a thorough understanding of adversary tradecraft and technology to protect against, detect, and mitigate cyberattacks³.

At the heart of threat-informed defense is a thorough understanding of attacks, gained by analyzing each step from the pre-attack phase through exfiltration and impact analysis. The attack vector is documented with surgical precision and stripped of its shell with careful craftsmanship. But why? Because to gauge the risk posed and to adapt to smart defense, the defender should first study the adversary to the degree where they can recreate the adversary's attack and emulate it within the defense perimeter.

<What exactly is 'Threat-informed'?/>

Threat-informed defense means accepting that anti-navy defenses are unnecessary for a landlocked country. In other words, this approach can be described as mobilizing resources against the most well-known attack vectors that can target your perimeter, making proactive efforts focused on the threats known to target your field, enacting suitable defenses against them, and testing and re-testing your systems against those attack vectors to gain a solid understanding of how they hold up against the most relevant attacks.

This approach has been shown to reduce silent security failures and to contribute to overall security policy optimization⁴.

MITRE's ATT&CK is the center and driver of this transition. The ATT&CK framework divides the attack vector into smaller, more digestible pieces (we will come to that soon) and arranges them in a matrix to further track and visualize these bite-size steps.

The MITRE ATT&CK framework constructs this matrix around three main keywords, which are vital for understanding the nature of the framework itself:

Tactics:

Tactics are the technical goals of the adversary. They are the broadest and most generic aims. Mapped to everyday life, a tactic would be aiming to graduate from a good college or to become a C-level executive at a particular company. What are some of the tactics defined in the MITRE ATT&CK framework? Initial access, persistence, privilege escalation, lateral movement, exfiltration, etc.

Techniques:

Techniques are the means through which an adversary can achieve the tactics. As you can already guess, techniques are less generic and more specific than tactics and each tactic can be achieved through several different techniques.

Returning to our real-life mapping, keeping a tidy sleeping pattern, eating nutritious food, and exercising can be categorized as techniques for the tactic of having a healthy life. Moreover, a single technique can serve multiple tactics, just as sleeping well gives you both a healthier life and better focus at work.

Procedures:

A procedure is simply the specific way an adversary carries out a technique to achieve a designated tactic. It is the least generic and the most technical and specific unit of the ATT&CK matrix.

<Benefit For One, Benefit For All/>

After analyzing a known threat actor's modus operandi, the defending team can leave ad-hoc defenses behind and employ a tailored and holistic approach.

But that is only the welcoming benefit of adopting MITRE ATT&CK. Since the analysis is effective in both east-west and north-south directions, structuring threat intelligence with the ATT&CK framework opens new doors for further analysis.

It allows a comprehensive comparison of behavior across groups: how Lazarus and FIN6, for example, behave in a given situation, how they handle the security implications, and how sophisticated they are at each step of the attack.

It allows groups to be compared over time to see how they are enhancing their capabilities, which in turn yields invaluable intelligence for CTI teams.

It allows groups to be compared against installed defense systems and enables realistic simulations or emulations to be executed. Practice makes perfect, so the next time an adversary attacks, they won't find the systems off guard.

Maybe most importantly, it unifies the jargon among cybersecurity personnel, distributes the gathered knowledge, and enhances the overall effort by significantly reducing redundancy. So a benefit for one becomes a benefit for all.
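The tactic/technique/procedure structure described above and the group-versus-defense comparison it enables are easiest to see in code. The following is an added example, not code from the article or from MITRE: it models a tiny ATT&CK-style catalogue in which one technique can serve several tactics (the "sleeping well" property), derives each group's technique set from its procedures, compares two groups, finds the techniques no current detection covers, and emits a minimal heat-map layer. The technique IDs and tactic names are real Enterprise ATT&CK identifiers; the two group names, their procedures and the detection inventory are constructed for illustration, and the layer field names are assumed from the ATT&CK Navigator layer format rather than taken from the article.

```python
"""ATT&CK-style model of tactics, techniques and procedures, plus group-vs-defense comparison.

Added example, not code from the article or from MITRE. Technique IDs and tactic
names are real Enterprise ATT&CK identifiers; which group uses which technique
and what the defender detects are CONSTRUCTED for illustration only.
"""
import json
from dataclasses import dataclass

# Technique ID -> (name, tactics it can serve). One technique may serve several
# tactics, the property the article illustrates with "sleeping well".
TECHNIQUES = {
    "T1566": ("Phishing", {"initial-access"}),
    "T1078": ("Valid Accounts", {"initial-access", "persistence",
                                 "privilege-escalation", "defense-evasion"}),
    "T1059": ("Command and Scripting Interpreter", {"execution"}),
    "T1053": ("Scheduled Task/Job", {"execution", "persistence",
                                     "privilege-escalation"}),
    "T1003": ("OS Credential Dumping", {"credential-access"}),
    "T1021": ("Remote Services", {"lateral-movement"}),
    "T1041": ("Exfiltration Over C2 Channel", {"exfiltration"}),
}


@dataclass(frozen=True)
class Procedure:
    """A procedure: how one group was observed carrying out one technique."""
    group: str
    technique: str
    description: str


# Constructed procedures for two placeholder groups; NOT real intelligence.
PROCEDURES = [
    Procedure("GroupA", "T1566", "spear-phishing attachment (constructed)"),
    Procedure("GroupA", "T1059", "PowerShell stager (constructed)"),
    Procedure("GroupA", "T1053", "scheduled task for persistence (constructed)"),
    Procedure("GroupA", "T1041", "exfiltration over existing C2 (constructed)"),
    Procedure("GroupB", "T1078", "stolen VPN credentials (constructed)"),
    Procedure("GroupB", "T1059", "batch script (constructed)"),
    Procedure("GroupB", "T1003", "LSASS memory read (constructed)"),
    Procedure("GroupB", "T1021", "RDP between hosts (constructed)"),
    Procedure("GroupB", "T1041", "exfiltration over C2 (constructed)"),
]

# Constructed inventory of techniques the defender currently has detections for.
DETECTIONS = {"T1566", "T1059", "T1041"}


def techniques_for_tactic(tactic):
    """All catalogued techniques that can serve the given tactic."""
    return sorted(tid for tid, (_, tactics) in TECHNIQUES.items() if tactic in tactics)


def tactics_for_technique(tid):
    """All tactics a technique can serve (may be more than one)."""
    return sorted(TECHNIQUES[tid][1])


def group_techniques(procedures):
    """Group name -> set of technique IDs, derived from its procedures."""
    out = {}
    for p in procedures:
        out.setdefault(p.group, set()).add(p.technique)
    return out


def tactics_covered(procedures, group):
    """Tactics a group's known tradecraft reaches, via the techniques it uses."""
    techs = group_techniques(procedures).get(group, set())
    return sorted(set().union(*(TECHNIQUES[t][1] for t in techs)))


def compare_groups(procedures, a, b):
    """Return (shared, only_a, only_b) technique lists for two groups."""
    gt = group_techniques(procedures)
    ta, tb = gt.get(a, set()), gt.get(b, set())
    return sorted(ta & tb), sorted(ta - tb), sorted(tb - ta)


def coverage_gaps(procedures, detections):
    """Techniques used by any tracked group that the defender does not detect."""
    used = set().union(*group_techniques(procedures).values())
    return sorted(used - set(detections))


def technique_scores(procedures):
    """Technique ID -> number of tracked groups known to use it (heat-map score)."""
    scores = {}
    for techs in group_techniques(procedures).values():
        for t in techs:
            scores[t] = scores.get(t, 0) + 1
    return scores


def navigator_layer(name, scores, detections):
    """Build a minimal heat-map layer. Field names are ASSUMED from the ATT&CK
    Navigator layer format; validate against the current spec before importing."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "description": "constructed heat map from the added example",
        "techniques": [
            {"techniqueID": tid, "score": score,
             "comment": "detected" if tid in detections else "GAP: no detection"}
            for tid, score in sorted(scores.items())
        ],
    }


if __name__ == "__main__":
    shared, only_a, only_b = compare_groups(PROCEDURES, "GroupA", "GroupB")
    print("shared:", shared, "| GroupA only:", only_a, "| GroupB only:", only_b)
    print("GroupA reaches tactics:", tactics_covered(PROCEDURES, "GroupA"))
    print("detection gaps:", coverage_gaps(PROCEDURES, DETECTIONS))
    layer = navigator_layer("Tracked groups vs detections", technique_scores(PROCEDURES), DETECTIONS)
    print(json.dumps(layer, indent=2))
```

The point of keeping procedures as the raw unit is that everything else is derived from them: technique sets per group, the tactics a group's tradecraft reaches, the overlap between groups, and the list of techniques that no detection covers. That last list is the defender's prioritized to-do list, and a comparison of the same group's procedure set at two dates is the "compared over time" view the article mentions.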

Communicate to Defenders.⁵

<Reverse Engineer Your Fate/>

The title speaks for itself. Instead of working in the dark, collecting all the data whether relevant or not, not knowing whether the capacity and tools at hand are enough or whether the system is covered, wider adoption of the ATT&CK framework will produce an overall more hardened cyber defense mechanism, let CTI and Blue Teams spend their time and resources in a more informed manner, and make the attacker's job even harder.

This is mainly possible if the whole cyber defense community speaks the same language, shares the information it collects, reverse engineers the tactics and techniques of the adversary, and specifically prepares itself for more possible scenarios. Hence, reverse engineering the adversary's approach is actually reverse engineering your current state of defenses, which is your current state of fate.

<Contribute/>

You can contribute to the ATT&CK framework, and you are more than welcome to. It is an open-source repo on GitHub and waiting for contributions.

Check out the repo 👇🏼:

If you are a programmer, you can help by writing JS or Python scripts to make ATT&CK Navigator more capable. If you are a researcher, you can report on and write about Techniques and Sub-techniques. You can help ATT&CK enhance its coverage with your expertise in OSX, Linux, or Industrial Control Systems (ICS).

Please check out this link to learn more about contribution:

<ERRATA/>

I am not an old fox in cybersecurity. In fact, I am just beginning to begin. It is highly possible that I made mistakes or missed a vital point. In such a scenario, please do not hesitate to contact me via mehmetyavuzyagis@gmail.com so I can fix/edit the content as soon as possible.

Thank you for reading this far, and wait for PART 2 ✌🏼.

1- CenturyLink.com, "What is Fiber Internet", https://www.centurylink.com/home/help/internet/fiber/what-is-fiber-internet.html, accessed on 09/09/2021.

2- McCarty, Ben. Cyberjutsu: Cybersecurity for the Modern Ninja. No Starch Press, 2021, p. 113.

3- Wright, Carl & Reiber, Jonathan. MITRE ATT&CK for Dummies. Wiley, 2021, p. 4.

4- MITRE ATT&CK, https://attack.mitre.org/, accessed on 09/09/2021.

5- Nickels, Katie & Pennington, Adam. Using MITRE ATT&CK™ for Cyber Threat Intelligence Training, https://attack.mitre.org/docs/training-cti/Module%201%20Slides.pdf, p. 21, accessed on 09/09/2021.


Mehmet Yavuz Yağış

Former Intl. PhD candidate at Koç Uni (now dropout), #coder, #root, #python, #kravmaga #cybersecurity #Unix https://yavuzyagis.com