Understanding the MITRE ATT&CK Framework and Evaluations – Part 1
MITRE ATT&CK helps security teams across industries secure their organizations against known and emerging threats. Here’s how it works — and how it can help you.
The world as we know it is changing around us. The pandemic has acted as a major driver for digital adoption, and the need to increase the risk barrier has kept security teams on their toes. As traditional security techniques and methods evolve, there is a need to re-evaluate the way we think about detecting and reacting to a security incident.
At SonicWall, we are enthusiastic supporters of the work on the MITRE Engenuity ATT&CK framework, which seeks to define and continually expand a common cybersecurity language that describes how adversaries operate. This matters to you because ATT&CK Evaluations are both a unifier and a force multiplier for the people on security’s front line.
What Is the ATT&CK Framework?
The cyber adversaries we deal with today exhibit complex behaviors while trying to evade the defenses we have implemented. They develop increasingly sophisticated methodologies and approaches to achieve their objectives. They weave legitimate and atypical behaviors into different attack tapestries. And they all know what they’re after.
ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). MITRE Engenuity ATT&CK is a globally accessible knowledge base of cybercriminal behavior based on real-world observations. Its purpose is to be a common language whose components are used in endless combinations to describe how threat actors operate.
Consider this generic example for an attack methodology targeting exfiltration:
Tactics represent the “why” of an ATT&CK technique or sub-technique. We can describe the attack methodology as employing five Tactics — step 1: initial access through to step 5: exfiltration. The MITRE Engenuity ATT&CK framework currently consists of 14 tactics as seen in the Enterprise navigator tool.
The second key concept is the Techniques or Sub-Techniques employed within each tactical phase. For example, to achieve initial access, the adversary may send a phishing email with a link to a compromised website that takes advantage of an unpatched browser flaw. The ATT&CK framework currently consists of 200+ techniques and sub-techniques organized under the 14 tactics.
Procedures are the specific ways the adversary implements the techniques or sub-techniques. For example, a procedure could be an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim. Procedures are categorized in ATT&CK as the observed-in-the-wild use of techniques. The ATT&CK framework has a documented list of 129 threat actor groups that cover a very broad set of procedures (using software or otherwise).
For more details, we recommend you take the guided tour from the ATT&CK website.
Why Do MITRE Engenuity ATT&CK Evaluations Matter?
MITRE Engenuity ATT&CK Evaluations emulations are constructed to mimic an adversary’s known TTPs. The emulations are conducted in a controlled lab environment to determine each participating vendor’s product efficacy. The aim is to put together a complete, logical attack simulation that moves through all the stages of a comprehensive, successful attack — from initial compromise to persistence, lateral movement, data exfiltration and so on.
Doing so offers three main benefits:
- We gain insight into the adversary’s game plan in terms of combinations of tactics and techniques.
- We can clearly communicate the exact nature of a threat and respond faster with greater insight.
- When we understand who our typical adversaries are and how they attack us, we can proactively design defenses to blunt them.
MITRE Engenuity points out that it is a “mid-level adversary model,” meaning that it is not too generalized and not too specific. High-level models like the Lockheed Martin Cyber Kill Chain illustrate adversary goals, but aren’t specific about how the goals are achieved. Conversely, exploit and malware databases specifically define IoC “jigsaw pieces” in a giant puzzle but aren’t necessarily connected to how the bad guys use them, nor do they typically identify who the bad guys are.
ATT&CK Evaluations focus on how detections occurred as each test moves through its steps. In its evaluation guide, MITRE Engenuity points out that not every detection is of the same quality. It’s pretty clear that, while a “Telemetry” detection is minimally processed data related to an adversary behavior, a “Technique” detection sits at the other end of the quality spectrum — it’s information-rich and orients the analyst at a glance. Consistent technique-driven detections are ideal for organizations that want more out of their tools.
In general, vendor tools ideally should automate real-time context creation related to adversary moves and bubble that up into the tool with as few alerts as possible. The more Techniques a tool can automatically provide and then aggregate into single incident alerts, the more the tool is automating the security function. This is critical for driving mean time to respond to as close to zero as possible.
In Part 2, we’ll take a look at the value the ATT&CK framework delivers to security leaders and decision-makers, and how SonicWall’s Capture Client powered by SentinelOne’s technology delivers capabilities that epitomize the ATT&CK framework.