Using MITRE ATT&CK to defend against Advanced Persistent Threats
Nowadays, new techniques are invented on a daily basis to bypass security layers and avoid detection. Thus it is time to figure out new techniques too and defend against cyber threats.
Before diving into how to use MITRE ATT&CK framework to defend against advanced persistent threats and protect critical assets, let's explore some important terminologies
By definition, a threat is a potential danger for the enterprise assets that could harm these systems. In many cases, there is confusion between the three terms Threat, Vulnerability and Risk; the first term, as I explained before, is a potential danger while a Vulnerability is a known weakness or a gap in an asset. A risk is a result of a threat exploiting a vulnerability. In other words, you can see it as an intersection between the two previous terms. The method used to attack an asset is called a Threat Vector.
Advanced Persistent Threats
Wikipedia defines an "Advanced Persistence Threat" as follows:
"An advanced persistent threat is a stealthy computer network threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period"
To discover some of the well-known APT groups you can check this great resource from FireEye: Advanced Persistent Threat Groups
The Cyber Kill Chain
The Cyber Kill Chain is a military inspired model to describe the required steps and stages to perform attacks. The Cyber Kill Chain framework is created by Lockheed Martin as part of the Intelligence Driven Defense model for identification and prevention of cyber intrusions activity. While a kill chain in military refers to: Find, Fix, Track, Target, Engage and Assess, cyber kill chain refers to: reconnaissance, Initial attack, Command and control, Discover and spread and finally Extraction and exfiltration. Knowing this framework is essential to have a clearer understanding about how major attacks occur.
Threat intelligence is an important operation in cyber-security and especially in security operations and incident response. Because as Sun Tzu said:
Security operation analysts should be proactive when it comes to gathering information and intelligence about the external threats and adversaries to achieve faster detection.
MITRE ATT&CK Framework
MITRE ATT&CK is a framework developed by the Mitre Corporation. The comprehensive document classifies adversary attacks, in other words, their techniques and tactics after observing millions of real-world attacks against many different organizations. This is why ATT&CK refers to "Adversarial Tactics, Techniques & Common Knowledge".
But wait, what is a tactic and what is a technique?
To understand tactics and techniques we need to understand the pyramid of pain first. The pyramid of pain shows the relationship between the types of indicators found when dealing with adversaries. By indicators, I mean Hash values, IP addresses, Domain names, Network/host artefacts, tools and Tactics, techniques and procedures (TTPs).
Tactics, Techniques and procedures (TTPs) are how the attackers are going to achieve their mission. A tactic is the highest level of attack behaviour. MITRE framework present the tactics as the following:
- Initial Access
- Privilege Escalation
- Defense Evasion
- Credential Access
- Lateral Movement
- Command and Control
Techniques are used to execute an attack successfully. For example, this is information about the "AppCertDLLs" technique
Let's suppose that security analysts receive a report about a new APT group that threats middle east and Africa. We can take "Muddy Water APT" as an example.
And highlight all the techniques used by Muddy Water APT Group
Export the techniques as SVG
If you are dealing with many APT groups at the same time highlight the techniques using colorful shades depends on how often the technique is used by the APT groups (brightest color = The technique is used by many groups)
Image Courtesy_ _
Now you know your adversaries. It is time to prepare the mitigations (tools and techniques) and discover the gaps in our defenses.
Create a roadmap to improve the defense gaps and update the map accordingly
Mitigations for every technique can be found on https://attack.mitre.org/mitigations/enterprise/
In this module, we learned many important terminologies and how to use MITRE ATT&CK framework to detect advanced persistent threats.