Blog Post

MITRE ATT&CK Framework

  • Mahdi Daghmehchi Firoozjaei
  • published date: 2021-04-26 14:03:38

Abstract- The MITRE ATT&CK framework is a comprehensive matrix of tactics and techniques used by adversaries to compromise information technology (IT) and operational technology (OT) systems. This framework is used by security engineers to develop analytics to detect possible adversary behaviors. ATT&CK became the practical tool both for the adversary emulation team to plan events and for the detection team to verify their progress. In this blog, brief descriptions of the adversarial tactics used by malicious cyber actors in the IT and OT systems are provided.

The MITRE ATT&CK framework is a comprehensive matrix of tactics and techniques based on real-world observations. It is used by threat hunters and defenders to better classify attacks and analyze attackers’ behaviours. This matrix consists of different adversarial tactics that cover all status of a cyber-incident from initial access to the lateral movements and impact. Each tactic includes several techniques used by an attacker to conduct the attack. In this blog, I briefly describe the adversarial tactics used by malicious cyber-actors on the information technology (IT) and operational technology (OT) systems. MITRE ATT&CK matrix is publicly available at https://attack.mitre.org/.

1.1 Reconnaissance

To gather required information for the future plan, the adversary uses some techniques, such as scanning, Phishing, and identity information gathering. By this information, the adversary will have details of the victim organization, infrastructure, or staff/personnel. This information is used in other phases of the adversary lifecycle, such as plan and execute initial access for evade defence mechanism.

1.2 Resource development

This adversary tactic consists of techniques that involve adversaries creating, purchasing, or compromising and stealing resources (e.g., infrastructure or accounts) that can be used to support targeting. By these resources, the adversary conducts other phases of the attack. For instance, uses the purchased domains to support command and control (C&C) server or steal code signing certificates for defense evasion.

1.3 Initial access

To access a victim’s network and make an initial foothold, adversaries use various entry vectors, including targeted spear-phishing and exploiting weaknesses on public-facing web servers. Adversaries may obtain and abuse credentials of existing accounts (e.g., local or domain accounts) to gain initial access, persistence, or defense evasion. Furthermore, external services can be abused for unauthorized access. For instance, an adversary can connect to a user’s internal network resources with a valid account through a remote service, such as VPNs or Citrix, during a malicious operation.

1.4 Execution

Execution consists of techniques used by adversaries to run malicious code in a local or remote system. The malware execution can be done directly by the user, e.g., by opening a malicious document file or link, or indirectly by a system service or scheduled task/job. For instance, an adversary may abuse command and script interpreters, Inter-Process Communication (IPC) mechanisms, task scheduling functionality, and system services to indirectly run the malicious code. By abusing scheduled tasks, the adversary may facilitate initial or recurring execution of previously delivered malicious code. In some cases, the malware cannot be directly executed and needs additional code, instructions, or data. Carrier or secondary channels are used for this end.

1.5 Persistence

After successfully executing the malicious payload (e.g., dropper), the adversary tries to maintain his/her foothold. To this end, the persistence techniques are used to keep access to systems across restarts, changed credentials, and other interruptions that could cut off adversary’s access. These techniques include any action, or configuration changes that let adversaries maintain their foothold on systems, such as replacing or hijacking legitimate code or adding start-up code.

1.6 Privilege escalation

To run or change system services, adversaries may need to elevate their privileges. For instance, Windows access tokens, which determine the ownership of a running process, can be maliciously manipulated to create a new process with fake properties. To do this, an adversary needs administrator privileges. Basically, adversaries use persistence techniques to gain a higher level of permission on a system or network. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include: • SYSTEM/root level • Local administrator • User account with admin-like access • User accounts with access to specific system or perform specific function.

1.7 Defense evasion

To avoid detection throughout their compromise, adversaries use some techniques like uninstalling or disabling security software or obfuscating malicious data and scripts. They may manipulate the system’s access tokens to operate under a different user or abuse trusted processes to hide and masquerade their malware. For instance, OS hiding features (e.g., hiding system files and administrative task execution) can be abused to hide artifacts of the malicious behaviors (e.g., network activities or file changing). Furthermore, the adversaries may execute their own malicious payloads by hijacking the way OSes run programs.

1.8 Credential access

To access the victim’s system or privilege elevation, adversaries try to steal valid account names and passwords by some techniques, namely inputs capturing, keylogging, credential dumping, and network sniffing. By legitimate credentials, adversaries access to systems, avoid be detected, and provide the opportunity to create more accounts to help achieve their goals.

1.9 Discovery

To figure out the user’s system and network, adversaries use discovery’s techniques to get a list of user’s accounts on the system, open applications, files and directories, network services and configuration, and get information about registered services. By these techniques, adversaries find what they can control and how it could benefit their current objective. For instance, the output of system information discovery (e.g., OS and hardware, version, patches, and architecture) can be used to shape the adversary’s follow-on actions.

1.10 Lateral movement

In a persistent malware (e.g., APT), the executed payload often stealthy remains on victim’s network for a duration before the actual attack. In this phase, the adversary tries to explore the network, finds the target and subsequently accesses to it. To this end, he/she may install remote access tools or use legitimate credentials with native network tools, which is stealthier. Hijacking a legitimate user’s SSH session and using third-party applications to move laterally through the network are some examples of lateral movement techniques.

1.11 Collection

The collection consists of techniques used to gather information related to the targets. The target information (e.g., driver types, browsers, and network configuration) can be stolen and sent to the C&C server. Man-in-the-browser, ARP cash poisoning, and screen/video/audio capture are some example collection techniques, used by adversaries.

1.12 Command and Control

The gathered information is sent to the C&C server to control the compromised system and conduct the cyber-incident. Adversaries use the C&C techniques to communicate with systems under their control. To avoid detection, this communication should be established as normal communications. Adversaries may communicate using application layer protocols to avoid net-work filtering by blending in with existing traffic. To make the content of adversarial traffic more difficult to detect, adversaries use encrypted channel (e.g., Tor network) or change data by encoding, encryption, and obfuscation solutions.

1.13 Exfiltration

Exfiltration tactic consists of techniques for data stealing. An adversary may encode the stolen data into the normal communications channel using the same protocol as C&C communications over different mediums (e.g., Bluetooth, USB, or physical). This can include compression and encryption to avoid detection.

1.14 Impact

Impact tactic includes techniques that are used to disrupt availability or compromise integrity of user’s system and data. To destroy and tamper with user’s data, an adversary inserts or manipulates the stored or transmitted data. By deleting or locking the user’s account, data availability is compromised. Disk wiping and resource hijacking are used to interrupt system and network DoS attacks are used to degrade or block the availability of the system (e.g., service exhausting flood).