ATT&CK™ Gaining Ground

November 17, 2016
Cyber Threat Intelligence: Post by Blake Strom

Are you feeling the ripple of the changing threat landscape? Adversaries continually change their infrastructure, their methods blend into normal activity, campaigns are increasingly customized to specific targets, and, as an industry, we're adopting an assume-breach mentality. It's possible the adversary is already "in" and we're on the hunt for evidence. Indicator-based defense alone has become a thing of the past. Because persistent threats keep morphing and adapting to defenses, our hunting also needs to keep pace with what adversaries are employing on our networks and end-points. Last summer MITRE expanded the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) framework to address recent changes in the threat landscape and improve usability for cyber defenders.

A little background: years ago, hunting was more boutique than common practice, but with recent changes in the threat landscape there has been a growing need to characterize adversary behavior on the network and end-points in a standard way. In response, last year we released ATT&CK as a reference framework of adversary post-compromise techniques; it describes patterns for the chain of tactics and techniques adversaries use to get in, stay in, and achieve their objectives.

One of the more significant updates we made was to the threat model, where we established standard references to better enable cyber defense, tool comparison, and threat sharing. This includes using a technique ID as the standard reference, which is more exact than referencing a technique by its name. Besides precision, it makes comparison easier. For example, technique ID T1055 refers to "DLL Injection," which describes the same technique used in both the Defense Evasion and Privilege Escalation tactics: the same technique, but at two different points in the attack chain.

It seems obvious that the phases of an attack include patterns prior to exploitation and that these too can be characterized. As it turns out, Common Attack Pattern Enumeration and Classification (CAPEC) enumerates a range of attack patterns across the entire cyber attack lifecycle, not just techniques used post-compromise. It made sense, then, to add CAPEC ID references to those attack pattern descriptions in ATT&CK that are also described by CAPEC. Doing so contributes to the normalization of attack patterns, creating a common and meaningful categorization for cyber defense.

Threat Groups, sometimes referred to as threat actors, campaigns, or adversary groups, also have multiple names depending on which vendor's report or news story you're reading. We've revamped how we represent them. Here, too, we associate IDs to make common reference possible. Although it's possible to use Groups as a lightweight Rosetta Stone (to see all names associated with one group), you should consider your organization's threat landscape and look at a specific threat group to find the techniques associated with it, for which you might then want to develop detection measures. Using the recent newsworthy activity of APT28 (or Fancy Bear), we look at Group G0007 to find seven different techniques and four different code structures (i.e., software). We might then use this information to develop detection measures for where and when to look for possible adversary activity on end-points or the network.
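As an added example (not MITRE's code), here is a small Python model of the identifier scheme described in this paragraph and in the technique-ID paragraph above: vendor reports that name the group and its techniques differently are normalized onto group and technique IDs, and the merged technique set is indexed by tactic so that a technique such as T1055 appears under both of its tactics. Apart from T1055, its two tactics and the APT28/Fancy Bear aliases, every entry is a constructed placeholder.

```python
from collections import defaultdict

# Constructed excerpt of an ATT&CK-style knowledge base. T1055 "DLL Injection"
# with its two tactics and APT28 / Fancy Bear as G0007 come from the post; the
# T-EXAMPLE-* entries are placeholders, not ATT&CK content.
TECHNIQUES = {
    "T1055": ("DLL Injection", {"Defense Evasion", "Privilege Escalation"}),
    "T-EXAMPLE-1": ("Example Persistence Technique", {"Persistence"}),
    "T-EXAMPLE-2": ("Example Lateral Movement Technique", {"Lateral Movement"}),
}
GROUPS = {"G0007": {"aliases": {"APT28", "Fancy Bear"}}}
NAME_TO_TECHNIQUE = {name.lower(): tid for tid, (name, _) in TECHNIQUES.items()}
ALIAS_TO_GROUP = {a.lower(): gid for gid, g in GROUPS.items() for a in g["aliases"]}

def normalize_report(report):
    """Map one vendor report's free-text names onto ATT&CK IDs; unresolved
    names are returned rather than silently dropped so mapping gaps stay visible."""
    gid = ALIAS_TO_GROUP.get(report["group"].lower())
    tids, unresolved = set(), []
    for name in report["techniques"]:
        tid = NAME_TO_TECHNIQUE.get(name.lower())
        if tid:
            tids.add(tid)
        else:
            unresolved.append(name)
    return {"group": gid, "techniques": tids, "unresolved": unresolved}

def merge_reports(reports):
    """Union technique IDs per group ID across reports that used different aliases."""
    merged = defaultdict(set)
    for report in reports:
        norm = normalize_report(report)
        if norm["group"]:  # reports whose group alias is unknown are skipped
            merged[norm["group"]] |= norm["techniques"]
    return dict(merged)

def tactic_coverage(technique_ids):
    """Index technique IDs by every tactic they sit under, so a technique such
    as T1055 is listed at both points of the attack chain."""
    by_tactic = defaultdict(set)
    for tid in technique_ids:
        for tactic in TECHNIQUES[tid][1]:
            by_tactic[tactic].add(tid)
    return dict(by_tactic)

# Constructed sample reports: two vendors naming the same group differently.
REPORTS = [
    {"group": "APT28", "techniques": ["DLL Injection", "Example Persistence Technique"]},
    {"group": "Fancy Bear", "techniques": ["dll injection", "Unknown Name"]},
]
```

Running `merge_reports(REPORTS)` collapses both reports onto G0007 with technique set {T1055, T-EXAMPLE-1}, and `tactic_coverage` of that set lists T1055 under both Defense Evasion and Privilege Escalation.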

In order to look legitimate, sophisticated adversaries know what is most commonly used by end-users, but they also try to find poorly understood and obscure ways to persist during an intrusion to evade detection. Defenders must hunt for never-before-seen artifacts by looking for commonly used adversary techniques and patterns, and also investigate anomalies that might indicate an active intrusion. ATT&CK is meant to show how techniques fit together to form sequences of actions adversaries are likely to take. So it's not just about using the framework as a means to detect, but also to identify the scope of a breach by tying chains of activity together.

We expect ATT&CK to continue developing just as we expect adversaries to continue sharpening their techniques. Since public release, ATT&CK has grown from 96 to 122 techniques, including 13 techniques that have been created or enhanced by community contributions of information.

Consider this an open invitation to contribute new techniques, categories of actions, clarifying information, examples, methods of detection or mitigation, and data sources.

To learn more about how to get involved, please view Contribute.