ATT&CK Makes Defenders Stronger by Dissecting Cyber Adversary Behavior

March 2019
Topics: Cybersecurity, Computer Security, Data Analytics, Cyber Threat Intelligence
What do Russian spies, an organized crime gang, and North Korea have in common? One: they've carried out high-profile network intrusions. Two: MITRE ATT&CK™ is helping companies analyze intrusions like these to improve their defenses.
globe with connected dots

Cyber attacks have no geographical boundaries. They can come from anywhere in the world, targeting anywhere in the world. It's no wonder computer networks can be so hard to protect. 

But some organizations are finding ways to close the gaps in their defenses—thanks in part to a knowledge base and threat defense framework known as MITRE ATT&CK™ available to the world. Today, it’s getting easier for cyber defenders to analyze how adversaries behave once they’ve infiltrated a network. They can then construct better defenses and acquire security products that prevent, detect, or mitigate those behaviors.

Want to know more? Let's start with one of the most prominent recent cases—the one where Russian operatives took aim at U.S. democracy.

According to several published reports, John Podesta, then chairman of the Democratic National Committee (DNC), received a spoofed Google notification in March 2016 asking him to change his password because his current one had been stolen. He was tricked by "spearphishing," a well-known but effective technique. His new password was captured by the Main Intelligence Directorate of the Russian General Staff, known as the GRU. 

Soon, according to this timeline, WikiLeaks was posting Podesta's emails to the public.

In July 2018, Robert Mueller, the special counsel investigating Russian interference in the 2016 presidential election, issued an indictment of 12 Russian intelligence officers in the attack on the DNC and the Hillary Clinton campaign. The indictment revealed how the GRU used network intrusions to break into the DNC and the Democratic Congressional Campaign Committee (DCCC.)

Although the GRU scheme took advantage of flaws in the victims' defenses, breaking down how the intrusion might have happened also offers clues to improving those defenses. That's one of the roles for the MITRE ATT&CK framework,which offers a way for defenders to understand the behaviors behind cyber incidents, as well as criminal intrusions and other foreign-government-backed schemes. (See "What Is ATT&CK?" below.)

At RSA 2019, one of the world's largest conferences for cybersecurity professionals, MITRE ATT&CK team members Katie Nickels and Richard Struse discuss the framework in the event's "broadcast alley."

Breaking Down Worldwide Criminal Activities

Threat intelligence firm Digital Shadows produced both a blog post and a podcast—featuring MITRE's Katie Nickels and Digital Shadows' podcast host, Dr. Richard Gold—about using the framework to play back the tactics, techniques and procedures (TTPs) the GRU employed in the attack.

The company also deconstructed other recent prominent cyber attacks, such as those related to the FIN7 cybercrime gang and the massive North Korean-backed scheme that included the notorious Sony Pictures hack.

According to the firm's report on FIN7, with ATT&CK, their cybersecurity specialists were able to break down and analyze the criminal group's actions systematically. Meanwhile, the Digital Shadows assessment of the North Korean scheme revealed that the attackers "demonstrated a deep understanding of the business processes in place in the specific environments and used several techniques that were heavily customized for their targets. They were able to not only achieve their goals but also deploy several defense evasion techniques to mask their activities."

Each of these cases—three out of the many occurring around the world every year—varied in apparent motive. From political disruption to payback to plain old cash, there are many reasons why networks become victims. 

Despite the disparities in targets and motive, there are commonalities. And that's why more and more organizations are using MITRE ATT&CK to understand intruders' behavior—so they can build better defenses.

During the GRU-focused podcast, Gold and Nickels talked about how effective ATT&CK was in providing a framework for playing back the GRU's episode. Gold said he considered other frameworks to analyze the indictment but chose ATT&CK because it's comprehensive.

"ATT&CK is very complete," he said. "We wanted to get to the reality of what the attackers did and [determine how to] prevent, mitigate, and detect their behavior. For instance, 'spearphishing with attachment' and 'spearphishing with a link,' are different. If you want to mitigate against these things the approaches are different—and the training is different."

When Defenders Collaborate for Good

Digital Shadows is just one of many cybersecurity firms that are using the MITRE ATT&CK framework to analyze and improve their products and systems. 

For example, CrowdStrike's 2019 Threat Report: Adversary Tradecraft and the Importance of Speed, notes that "the cybersecurity industry saw the rapid adoption of the MITRE ATT&CK framework to describe the tactics and techniques—from initial access to exfiltration—in a standardized manner." The company uses the framework "extensively" in its reporting "to more completely understand and describe cyber threats."

But MITRE ATT&CK is much more than just a technical encyclopedia. In a recent article in, Cody Cornell—CEO and founder of Swimlane, a cybersecurity response firm—called the framework "a collaborative community project that has had a huge impact on the practical side of cybersecurity."

Cornell also noted this kind of public-private cooperation must happen if the good guys are to win. As a not-for-profit that solves problems for a safer world, MITRE released the framework to the world to spark this combined effort. 

In addition to making the ATT&CK framework available to the public and convening a users' conference, MITRE has launched a round of commercial cybersecurity product evaluations. The goal is to help our government community and industry make more informed decisions to combat security threats and advance industry threat detection capabilities. 

Additional organizations are welcome to participate in ATT&CK evaluations through a rolling admissions process.  

Helping Defenders Think Like Their Adversaries

"Because the private sector controls the vast majority of the world’s critical infrastructure systems, government security will depend on effective, global collaboration with industry security professionals using resources like the MITRE ATT&CK framework," Cornell said. 

This is particularly important because, as organizations learn every day, intruders will get in, one way or another. As Richard Gold noted in the GRU podcast, too often cyber defenders don't think enough about the threat model and instead create their security in a vacuum. But there are ways to improve your ability to detect and eliminate intrusions—by thinking like the enemy.

"I ask, 'What are you defending against?' You shouldn't think in terms of defensive security, but counter-defensive security. ATT&CK goes a long way to helping you focus your defense on adversary behavior." 

—by Bill Eidson

Explore more at MITRE Focal Point: Cybersecurity.


Publication Search