MITRE Matrix: Going on the ATT&CK
Published 08/19/2015
By TK Keanini, Chief Technology Officer, Lancope
Most cybersecurity work is geared towards finding ways to prevent intrusions – passwords, two-factor authentication, firewalls, to name a few – and to identify the “chinks in the armor” that need to be sealed. The characteristics of malware are shared publicly, to give everyone from system administrators to end users a heads-up to guard against an attack.
Little has been done, however, to identify the characteristics of an adversary after they are already inside a network, where they have ways to hide their presence.
Now the MITRE Corporation is working to remedy that. The government-funded, non-profit research and development center has released ATT&CK™ – the Adversarial Tactics, Techniques & Common Knowledge matrix. We recently sat down with the folks at MITRE to discuss the new matrix and the impact that it will have on the industry.
“There are a lot of new reports [of] new threat action groups…We want to find the commonality across incidents [and] adversary behavior,” Blake Strom told us. Strom is MITRE’s lead cybersecurity engineer heading up the project. “We want to focus on behaviors at a technical level.”
In the Cyber Attack Lifecycle, attention has been paid mostly to the opening rounds – reconnaissance, weaponization, delivery and exploitation. The ATT&CK wiki addresses the later stages – control, execution and maintenance – when the malware is already resident on the network.
According to Strom, ATT&CK further refines these three stages into a collection of nine different tactics: persistence, privilege escalation, credential access, host enumeration, defense evasion, lateral movement, execution, command and control, and exfiltration. Under these categories, the matrix identifies numerous adversarial techniques, such as logon scripts (characterized by their persistence), or network sniffing (a way to gain credential access).
“Some techniques require very specific [diagnostic tools], like BIOS implant,” Strom said. “It’s harder to detect because there aren’t a whole lot of tools.” Others might be very intricate, requiring several tools, he said.
A major purpose of developing the matrix is to give cybersecurity professionals signposts for what security tools need to be created, Strom said. System administrators who have seen some kinds of attacks and exploits may not have seen others yet, so the matrix also might provide guidance about what attackers might try in the future.
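The "signpost" use Strom describes, and the tactic/technique layout of the previous paragraph, can be turned into a simple coverage-gap check: map each detection you already have to the technique it observes, then find tactics with no coverage. The following is an added example, not code from the article or from MITRE; the nine tactic names and the placement of logon scripts and network sniffing come from the article, while the other technique placements and all detection names are constructed for illustration.

```python
# Added example: coverage-gap check over the nine ATT&CK tactics named in the
# article. MATRIX is a constructed, abbreviated stand-in for the real wiki.
TACTICS = [
    "persistence", "privilege escalation", "credential access",
    "host enumeration", "defense evasion", "lateral movement",
    "execution", "command and control", "exfiltration",
]

# technique -> tactics it serves (one technique may sit under several tactics)
MATRIX = {
    "logon scripts": {"persistence"},                 # placement from the article
    "network sniffing": {"credential access"},        # placement from the article
    "BIOS implant": {"persistence"},                  # hypothetical placement
    "pass the hash": {"lateral movement"},            # hypothetical placement
    "remote file copy": {"lateral movement", "command and control"},  # hypothetical
}

# constructed detection catalogue: detection name -> technique it observes
DETECTIONS = {
    "logon-script-change-alert": "logon scripts",
    "promiscuous-nic-alert": "network sniffing",
    "ntlm-lateral-alert": "pass the hash",
    "typo-alert": "netwrok sniffing",   # deliberate typo, caught by the unknown check
}

def coverage_report(matrix, detections, tactics=TACTICS):
    """Return ({tactic: (covered techniques, all techniques)}, unknown detections).

    Detections naming a technique absent from the matrix are reported rather
    than ignored; otherwise a typo would silently look like real coverage.
    """
    per_tactic = {t: (set(), set()) for t in tactics}
    unknown = set()
    for technique, served in matrix.items():
        for tactic in served:
            per_tactic.setdefault(tactic, (set(), set()))[1].add(technique)
    for name, technique in detections.items():
        if technique not in matrix:
            unknown.add(name)
            continue
        for tactic in matrix[technique]:
            per_tactic[tactic][0].add(technique)
    return per_tactic, unknown

def gaps(report):
    """Tactics that list techniques but have no detection for any of them."""
    return sorted(t for t, (covered, all_) in report.items() if all_ and not covered)

def undefined_tactics(report):
    """Tactics the matrix lists no technique for yet: no tooling can be mapped."""
    return sorted(t for t, (covered, all_) in report.items() if not all_)
```

Running `coverage_report(MATRIX, DETECTIONS)` on the constructed data flags "command and control" as a gap and "typo-alert" as an unknown reference.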
ATT&CK might also prove useful in addressing insider threats, since the matrix focuses on how attackers perform their actions once inside a system. “There’s some overlap between what an insider could do and what attack vector groups are doing,” Strom said.
As for gathering the information, MITRE invites contributions to the database of tactics and techniques. Strom said the organization is serving as curator of the wiki; contributors can’t modify the ATT&CK matrix on their own, but can submit the information to his group.
Strom said MITRE is working to bring the matrix to the attention of the broader IT community. It was presented at the NSA Information Assurance Symposium at the end of June, and will be presented again at the CyberMaryland conference in October.