ATT&CK Helps Defenders Battle Cyber Invaders within the Perimeter

June 2015
Topics: Cybersecurity, Computer Security, Cyber Threat Intelligence
No matter how strong your firewall or anti-virus software, a determined cyber adversary will find a way into your network. But what if you had a good idea of the intruder's battle plan, so you could detect a threat and implement resilience strategies?
Hand moving cursor on laptop keyboard.

Like generals throughout history, cyber attackers learn from each other's wins and losses how to maneuver through cyber terrain and develop new tactics with every battle—new techniques for getting further into a defender's territory.

MITRE has collected details about a vast array of these methods into a type of battle plan called "Adversarial Tactics, Techniques, and Common Knowledge" (ATT&CK™). It's the first detailed model for identifying and categorizing every move made by a cyber attacker after gaining access to the network.

ATT&CK sheds light on the tactics, techniques, and procedures that adversaries use to make decisions, expand access, and execute their objectives. Armed with these technical insights, defenders can detect cyber threats rapidly enough to limit the damage to the enterprise.

They can also focus their efforts on the most commonly used techniques to identify gaps in their own security. All this information helps organizations determine where to invest their resources to best fill these gaps.

Latest Battlefield Has Moved Inside

"In 2008, while many companies were focused on building firewalls and anti-virus software, MITRE observed that the battlefield had moved from the perimeter of an organization's network to the inside," says Dr. Vipin Swarup, who leads MITRE's corporate research program in cybersecurity. "We redirected our research program to address the challenges posed by cyber threats that had penetrated perimeter defenses. Our researchers began tracking the moves of both successful and unsuccessful hackers to see what they would do next."

"We could see that it wouldn't be a question of if your network would be breached but when it would be breached," explains Gary Gagnon, MITRE's senior vice president, director of cybersecurity, and chief security officer. "Today, organizations are asking 'How long have the intruders been inside? How far have they gone?'"

Once inside, cyber criminals and spies may map your network, steal credentials, download malware, copy files, or use your system as a jumping off point for invading other systems.

Each of these actions leaves a footprint, however, and each of these footprints is a clue that cyber defenders can use. In other words, the ATT&CK model could turn a successful infiltration by an attacker into a significant strategic advantage for defenders.

"ATT&CK is a totally new approach because it provides you with real intelligence that you can act on," says ATT&CK project team leader Blake Strom. "It goes a long way toward filling in the huge gaps in knowledge that have hampered the entire cyber defense community.

"We decided to focus on the post-attack period, not only because of the strong likelihood of a breach and the dearth of actionable information, but also because of the many opportunities and intervention points available for effective defensive action that do not necessarily rely on prior knowledge of adversary tools."

Sponsors Experience a Game-Changing Approach

"The ATT&CK methodology has really resonated with our sponsors—they're already benefitting from it," says Dan Ellis, MITRE task leader. "It's the first time they've seen so much information about what an adversary can do. This helps them know what types of capabilities they need. ATT&CK is a foundational contribution—it's a game changer."

The idea for ATT&CK grew out of MITRE's previous cyber research, including research conducted in our living laboratory—an environment designed for testing cyber defense concepts. Through conducting and analyzing red team/blue team cyber exercises in this environment, we are constantly testing out new adversarial tactics and techniques.

Strom originally led a team that was conducting a systematic assessment of a range of host-based sensors within this environment. These sensors help fend off intrusions to Windows workstations, and they collect unprecedented amounts of host-based data in the process.

Strom and other colleagues soon realized they could use this data to map out an attacker's repertoire of tactics and techniques. Over the next 18 months, he oversaw this mapping effort, testing the emerging model and seeking additional input from other MITRE researchers.

As MITRE's sponsors learned of the effort, they wanted to come aboard. Currently, some 30 sponsor organizations are experimenting with ATT&CK. For example, one of the DoD's cyber-protection teams uses the model to determine which adversarial actions to hunt for in a network, and what to do when the trail leads to the adversary. Another team is using ATT&CK to flush out gaps in network capabilities, and a third is exploring training opportunities.

ATT&CK is both thorough and easy to understand. Organizations can use it in many different ways as part of a balanced security plan that includes classic cyber-defense approaches as well as new cyber resiliency techniques. It can be used to create a blueprint for monitoring and assessment, to build a metrics platform, to determine cyber investments, and for continuous improvement of your battle plan. 

Join the ATT&CK Community of Contributors

While the information in ATT&CK is extensive, it isn't all-inclusive—there is still much to learn about the way an adversary behaves inside a breached network. MITRE hopes that by sharing ATT&CK with the cyber community, we can continue to build on and share cyber battle plan knowledge. Strom hopes this new wiki site will encourage other researchers, analysts, and cyber defenders to form a community of contributors. Contributions could include new techniques, categories of actions, clarifying information, examples, methods of detection or mitigation, and data sources. To get involved or for more information, visit the site's Contribute page or contact the team.

—by Twig Mowatt


Publication Search