The MITRE Corporation is a not-for-profit organization based in the USA. It manages federally funded research and development centers supporting several U.S. government agencies. MITRE started the ATT&CK project in 2013 to document the common tactics, techniques, and procedures (TTPs) that advanced persistent threats (APTs) use; once those behaviors are properly defined, security threats become easier to identify.
ATT&CK was created out of the need to document adversary behaviors; its objective was to investigate how endpoint telemetry data and analytics could improve post-compromise detection of adversaries operating within enterprise networks.
What is ATT&CK?
ATT&CK stands for Adversarial Tactics, Techniques, & Common Knowledge. It is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations; its goal is to help detect malicious activity that can lead to a compromise within a network.
This knowledge base serves as the foundation for developing threat models and methodologies in the private sector, in government, and in the community of cybersecurity products and services.
The tactics and techniques reflect the various phases of the adversary's attack life cycle and the platforms they are known to target. The techniques in the model describe the actions adversaries take to achieve their tactical objectives. Within each tactic category, there is a finite number of actions that will accomplish that tactic's goal.
ATT&CK does not claim to enumerate all possible techniques within a tactic; rather, it is built on community knowledge about the actions adversaries have used for a particular purpose and about how those actions relate to one another to form identifiable sequences of behavior.
You can play around with the Matrix in the following link:
Traditional method vs. current
When we talk about what we were doing and what we should start doing (if we aren't already), it is essential to say that detecting threats based only on what has already happened is no longer sufficient; chasing notables such as signatures is no longer adequate for cybersecurity.
For reference, signature-based detection is where a unique identifier is matched against a known threat, so that the same threat can be recognized each time it is seen. In the case of a virus scanner, the signature may be a unique piece of code attached to a file, or the hash of a known malicious file. If that specific code, or signature, is discovered again, the file can be flagged as infected or malicious.
The problem is that malware and adversaries are becoming more sophisticated and keep using new techniques, which makes them almost impossible to detect based on signatures alone.
The current method looks toward what has not happened yet, analyzing behaviors to anticipate and detect intrusions before it is too late.
Signatures are reactive. You have to start with a sample of a virus or the known phases of a network attack to write a signature that detects them. This means signatures cannot identify unknown or emerging threats; they only identify threats that have already been seen.
We already knew this; we built CyberEasy with the present and the future in mind, and by implementing these technologies we are able to detect TTPs that could represent a threat. Don't get me wrong, we still use signature-based detection, but it is not the only way our tool works. Detecting TTPs, as you might guess, is hard, but not impossible when you really commit to it, and by incorporating the MITRE ATT&CK framework we are able to make threat intelligence and threat hunting more fruitful.
Behavior analysis does not search for unique identifiers of a threat; on the contrary, it is the opposite of signature-based detection: it looks for unusual conduct and actions.
For example, if a police officer sees a person with a ski mask and a gun in hand, they are going to stop that person; this would be signature-based detection. But consider the Secret Service agents who protect the president: they are looking for something else, they are looking for behaviors. If they see a person acting suspiciously, looking everywhere instead of at the conference, with hands in their pockets, wearing a hat and sunglasses on a cloudy day, or a sweater on a hot day, those are clues that something could happen and potentially represents a threat, and they will go after this person.
Pyramid of pain
You have probably heard about the Pyramid of Pain shown above. As its name suggests, it is quite painful to implement: the higher you are in the pyramid, the harder the functionality is to implement, but the greater the reward.
Starting from the bottom, hash values are useful sometimes; however, they are signature-based, and as explained above, this isn't the best way to hunt threats. Hashes are extremely susceptible to change: for example, an application can be altered (metamorphosed) and therefore change the hash it had, making it harder to detect. This is why, most of the time, hashes are not that useful.
The next step is IP addresses; again, this is signature-based detection. Malicious actors usually don't use their own IPs; they use VPNs, Tor, or previously compromised machines, making the IP an uncertain indicator. Sometimes it is useful to consult a bad-reputation list so you know whether a device on your network is trying to establish a connection to a bad host, or to create new firewall rules from it; however, blacklists are not the most reliable solution and they require significant effort to maintain.
Next, we have domain names; these are almost as easy to change as the IP addresses mentioned above, and they have pretty much the same pros and cons.
Then comes the 4th step in the pyramid, network and host artifacts, which follows Edmond Locard's principle: "Every contact by a criminal leaves behind a trace." It's tough to perform activities without leaving some traces.
On hosts, you can perform forensics, looking at files and directories, registry objects, logs, and memory strings. At the network level, you can check for a particular transaction, and capture, record, and analyze network packets to determine the source of an attack and collect evidence.
Now we are on the 5th floor, tools: the software the adversary uses to accomplish their mission.
If you can spot the tools they are using, you are affecting their ability to operate, and you will be able to stop them sooner.
Then here is where things get hairy: TTPs. Put concisely, this is how the adversary is going to accomplish the mission, from reconnaissance through data exfiltration (their objectives).
When you detect and respond to threats at this level, you are operating directly on adversary behaviors, not against their tools, which once again is signature-based detection; that is not bad, but things can slip under the radar due to the lack of consistency and foresight.
We are targeting how attackers operate and penetrate. We want to take away their ability to hide, their ability to spread, and their ability to maintain access. There have been companies that were compromised and didn't know for months; they gave the adversaries the ability to operate for a long time, and the longer they are in, the more damage they can do.
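As an added example (not from the original post or from CyberEasy), the following Python script puts the signature-versus-behavior contrast from the previous section and the hash brittleness at the bottom of the pyramid side by side: a hash signature over a constructed sample file that a one-byte change defeats, and a behavioral rule over constructed process telemetry (Office application whose descendant is a script interpreter) that does not depend on file bytes. Hosts, PIDs, image names and events are constructed; T1059 is a public ATT&CK technique ID, but mapping this rule to it is our illustration, not MITRE's.

```python
import hashlib

# Constructed sample payload and the same file after a one-byte "metamorphosis".
# Neither is real malware; the derived hash is not a real indicator.
ORIGINAL_PAYLOAD = b"MZ\x90\x00 constructed-loader build 1"
MUTATED_PAYLOAD = b"MZ\x90\x00 constructed-loader build 2"
KNOWN_BAD_HASHES = {hashlib.sha256(ORIGINAL_PAYLOAD).hexdigest()}


def signature_detect(blob: bytes) -> bool:
    """Hash signature: exact match only, so any byte change defeats it."""
    return hashlib.sha256(blob).hexdigest() in KNOWN_BAD_HASHES


# Constructed endpoint telemetry: (host, pid, parent pid, image name).
EVENTS = [
    ("ws01", 100, 1, "explorer.exe"),
    ("ws01", 200, 100, "winword.exe"),
    ("ws01", 300, 200, "powershell.exe"),
    ("ws01", 400, 300, "rundll32.exe"),
    ("ws02", 100, 1, "explorer.exe"),
    ("ws02", 210, 100, "winword.exe"),
    ("ws02", 310, 210, "splwow64.exe"),  # benign Office print helper
]
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def lineage(events, host, pid):
    """Walk parent links on one host; return image names root-first."""
    by_pid = {e[1]: e for e in events if e[0] == host}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid][3])
        pid = by_pid[pid][2]
    return list(reversed(chain))


def behavior_detect(events):
    """Behavioral rule: a script interpreter descended from an Office app.
    Works on process lineage, not file bytes, so the mutated payload is
    still caught. Returns {host: [annotated process chains]}."""
    hits = {}
    for host, pid, _ppid, image in events:
        if image in INTERPRETERS:
            chain = lineage(events, host, pid)
            if any(ancestor in OFFICE_APPS for ancestor in chain[:-1]):
                hits.setdefault(host, []).append(" > ".join(chain) + "  [T1059]")
    return hits
```

Running both detectors shows the original sample matched by hash, the mutated one missed, and the ws01 process chain flagged regardless of which file was delivered.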
ATT&CK, together with its contributors, tries to specify, for each numbered technique, the preventive controls defenders can use. Bear in mind that some mitigations aren't practical for some techniques.
In one way or another, cybersecurity companies and their tools must implement the MITRE ATT&CK framework to improve security posture if they want to stay in the game. The framework improves security in several ways, by gathering the efforts of its contributors, and it also serves as a real technical framework for classifying a company's current detection efforts and identifying gaps where there might be blind spots to certain types of attack and their behaviors.