LINEARSTACK
March 23, 2023

Exploring MITRE ATT&CK for Threat Detection

A brief introduction to the MITRE ATT&CK Framework and how to get started using it

The MITRE ATT&CK Framework is an organised knowledgebase of cybercriminals' tactics, techniques and behaviour patterns that can be used by threat detection teams to look for malicious activity in an enterprise environment*. The framework, created by the US-based MITRE Corporation, facilitates post-compromise threat detection based on attackers' behaviour and interaction with target systems, rather than standard IoCs like hashes, domains, IP addresses, etc. It can be leveraged both by adversary emulation teams (or red teams) to plan attack simulations, and by detection teams (or blue teams) to verify if the rules set up in detection tools are generating alerts as intended.  

*MITRE maintains a separate a set of tactics for mobile devices, but the enterprise version is better known and more widely used.

Before going into the ATT&CK Framework itself, we briefly describe the two threat detection methods commonly used today, and how they relate to the Framework. MITRE ATT&CK is focused on behaviour-based detection, as already mentioned, and modern detection tools use a combination of both signature-based and behaviour-based detection.  

Signature-based threat detection  

Signature-based detection uses known Indicators of Compromise (IoCs) and signatures associated with files, IP addresses and domains known to be malicious to find threats. These IoCs (like blacklisted file hashes, subject lines, byte sequences, malicious IP addresses, domain names, etc.) are usually drawn from threat intel feeds and fed into intrusion detection, antivirus and other tools so they can throw alerts when malicious activity or an infected file is detected. While signature-based detection is an efficient, consistent and time-tested way to find known threats, it is not enough on its own to find the fast-evolving and advanced threats that organisations face today.  

Behavioural-analytics based threat detection  

The reason traditional signature-based detection methods don't always work is because attackers are constantly evolving their tactics and use a variety of obfuscation techniques to evade detection.  Signature-based detection methods cannot catch threats that exploit new, unknown vulnerabilities not yet picked up by threat intel feeds, or ones that masquerade behind legitimate apps and live off the land, in addition to other advanced persistent threats (APTs).  

This is where behaviour-based detection can help. Security professionals over the years have observed that attackers tend to "exhibit consistent patterns of behavior while interacting with endpoint or victim systems". Setting up systems to detect these behaviours can help organisations find advanced, unknown threats that evade signature-based detection.  

To apply behavioural analytics to threat detection, security teams start by baselining the normal behaviours of systems and users. This usually involves employing machine learning to observe and define how a system is expected to behave in the normal course and setting up detection rules to throw alerts when deviations from this baseline (signs of malicious activity) are observed.  

The ATT&CK Framework was created to make this process easier for security teams by giving them access to an easy-to-understand resource detailing attacker tactics and techniques that they could draw on.  

How the ATT&CK Framework is organised  

The ATT&CK Framework is made up of attacker Tactics, Techniques, and Procedures (TTPs).  

Tactics  

Tactics are the highest-level category in the knowledgebase and denote the underlying goals behind specific adversary actions. Initial Access - TA0001, for instance, includes all the ways in which an attacker can gain access to a target network. Other tactics routinely used by attackers during the threat lifecycle are Execution - TA0002, Persistence- TA0003, Privilege Escalation - TA0004, Defense Evasion - TA0005, Lateral Movement - TA0008, Collection - TA0009, Exfiltration - TA 0010, and Command and Control - TA 0011.  

ATT&CK covers a total of 14 tactics as of today, but because the framework continues to evolve, this number may change as new tactics become important and are added to the list.    

Techniques  

Techniques are the methods used by attackers to attain specific goals. There are multiple techniques listed under each tactic. For example, the popular techniques covered under the Initial Access tactic are Phishing, External Remote Services, Supply Chain Compromise, Drive-by Compromise, and Exploit Public-Facing Application.  

Procedures  

Procedures include examples of how techniques are implemented by threat actors in the real world. The section contains important information about adversary group operations and the specific techniques used and preferred by different groups. Threat hunting teams can use procedures to delve deeper into attack execution specifics, accurately design attack simulations, and finetune detection.  

The 14 Adversary Tactics defined in the Framework  

  1. Reconnaissance - During the reconnaissance stage the attacker tries to gather information about the targeted organization that will be useful to them to plan and execute other stages of the attack.  
  2. Resource Development - This involves the attacker collecting, creating and organizing the resources to be used during attack execution.  
  3. Initial Access - The initial access stage is when the attacker first attempts to get access into the targeted network using techniques like phishing, credential harvesting or exploiting public-facing server vulnerabilities.    
  4. Execution - Execution includes all the techniques used by attackers to run malicious code on targeted systems. These are often used in conjunction with other techniques to achieve larger goals.  
  5. Persistence - Persistence covers the ways in which attackers maintain their presence within the network or on a system when credentials are changed, the system is restarted or other interruptions occur.  
  6. Privilege Escalation - Privilege Escalation occurs when attackers gain admin-level, elevated or privileged access to a system or network after having entered with lower-level permissions.  
  7. Defense Evasion - Defence evasion includes techniques that help attackers stay undetected for long periods. They can do this by tampering with security software, hiding behind legitimate apps, or other methods.  
  8. Credential Access - Credential Access covers the techniques for stealing login and access information like account names and passwords. These credentials can then be used for access, evasion and to create additional accounts.  
  9. Discovery - In the discovery phase, the attacker tries to learn more about the environment after gaining initial access. This helps them plan next steps and figure out the best route to get to their end goals.  
  10. Lateral Movement - Lateral Movement includes techniques used to explore the network and pivot between interconnected systems to reach the final target.  
  11. Collection - The collection phase includes the techniques that threat actors use to gather all the relevant data present on compromised systems that can be stolen or encrypted to cause damage at later stages.  
  12. Command and Control - Attackers use Command and Control (C&C) techniques to communicate with compromised systems while trying to remain undetected. They often do this by trying to blend in with regular traffic.  
  13. Exfiltration - Exfiltration includes the techniques used by attackers to steal the data collected from compromised networks. Attackers often encrypt or compress data before pulling it out through their C&C channel.  
  14. Impact - Impact is the final stage of the attack when the attacker tries to achieve the end goal. This could be destroying, defacing or encrypting data, disrupting availability or shutting down systems.  

Threat hunting and detection using the ATT&CK Framework  

While a detailed description of threat hunting and detection based on the MITRE ATT&CK Framework is beyond the scope of this article, and is covered extensively by MITRE here, we touch upon ATT&CK-based hunting very briefly in the following section. The framework is used extensively by threat hunting teams to look for post-compromise threats in enterprise environments.  

Prioritising threats  

Because there are too many threats that could possibly exist in an organisation's IT environment, hunting teams need to decide what to look for first. They need to pick from a multitude of possible attack scenarios. This can be done by asking the right questions -  

  • Which tactics would pose the biggest risk to the organisation?  
  • Which APT groups have targeted a given industry in the past and what techniques did they use?  
  • Which techniques do not need additional tool deployment and information to detect?  
  • What can be done right now?  
  • Which techniques are most likely to evade preventive controls, making them more dangerous?  

Teams that are just starting out can plan hunts based on adversary groups. They can choose a group based on who they've previously targeted, look at their TTPs more closely, and share this information with defenders.  

Hunting teams operating at a more advanced level can use data collected from past incidents and events and map this information to ATT&CK. This may include "incident response data, reports from OSINT or threat intel subscriptions, real-time alerts, and (the) organization’s historic information".  

Setting up detection rules and testing them

Security teams can set up automated monitoring rules for the specific threats they zero in on based on the assessment/prioritization exercise. These rules can then be tested by the adversary emulation and detection teams by executing a technique as an attacker would, and then checking to see if the SIEM tool or other detection tools are throwing alerts and responding as expected.  

Further reading  

The MITRE ATT&CK Framework is an excellent resource for cyberdefence teams and can be used in a variety of creative ways.  

  • The technical reports available at MITRE's website – TTP-based Hunting and Finding Threats with ATT&CK-based Analytics - can be good starting points for teams that are new to working with the framework.  
  • Another resource worth exploring at is the ATT&CK Navigator. The Navigator is a web-based tool that can be used to explore the ATT&CK matrix and "visualize defensive coverage, red/blue team planning, the frequency of detected techniques, and more."  

In future posts, we will be covering the individual tactics included in the ATT&CK Framework in greater detail, along with examples of how we, at LinearStack, leverage the framework for threat detection and hunting.  

LinearStack's MDR Service

We provide a wide range of cyber security services to businesses in New Zealand and Australia, with threat hunting based on ATT&CK techniques forming a critical part of our Extended Managed Detection and Response (XMDR) service. Read more about the service here.  

Get in touch with us to book a free consultation.  

  • Phone: 0800 008 795  
  • Email: info@linearstack.co.nz
Blogs

Start Reading

Our latest blogs and news are here for you

Security Awareness

Workforce Security Awareness is an Investment in your business
Read More

Ransomware Trends 2021 - CISA, ACSC, NCSC Joint Advisory

Cyber security agencies in the US, UK and Australia release joint advisory on increasing threat of ransomware
Read More

Ransomware - Prevention and Mitigation

Understanding ransomware and how to build a strong defensive net to protect your data from cybercriminals
Read More
Are you experiencing a security issue? Call us now.