Cybersecurity Tools - ATT&CK
A strong candidate for being the single best resource available to cybersecurity teams
MITRE ATT&CK is a best-in-class, unique resource for cybersecurity teams. It is a treasure trove of data on how cyber attacks are carried out, from their initial planning phases through to their final phases, where damaging impact is the goal. MITRE’s home page for it calls it a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
Understanding how adversaries create and run attacks is invaluable in efforts to understand our capabilities to detect, prevent, and respond to attacks. ATT&CK provides just that, with its deep dive into the tactics, techniques, and procedures - TTPs - used by adversary groups around the world.
As I mentioned in a post on TTPs a few weeks back, understanding these, threat modeling and building our defenses against them, makes life significantly harder for attackers. This is perfectly illustrated in the Cyber Pyramid of Pain, from David J. Bianco:
Here’s a quick walk through of just some of the types of TTP and adversary data that ATT&CK provides:
Tactics
There are 14 tactics covered in the ATT&CK Enterprise matrix - starting with Reconnaissance and Resource Development, then moving through subsequent and sometimes overlapping phases including Initial Access, Execution, Persistence, and Defense Evasion, through Command and Control, and finishing with Exfiltration and Impact. Each tactic is the adversary’s goal at that stage of the attack; the techniques beneath it are the ways that goal gets achieved.
Techniques, Sub-Techniques, and Procedures
Each tactic in ATT&CK has associated techniques. Many of the techniques have associated sub-techniques and procedures, and a single technique can appear under more than one tactic when it serves more than one goal. There are dedicated sections for Enterprise, Mobile, and ICS (industrial control systems) tactics, and the same three sections for techniques.
Below is a look at some of the techniques and sub-techniques used in the Initial Access and Execution phases of attacks, where we can see the heavy use of phishing to gain initial access to a target environment. We also see the use of some built-in components of Windows (PowerShell, the Windows command shell, and Scheduled Tasks) under the Execution tactic. These are stealthy, living-off-the-land techniques: the attacker abuses tools that are already present and signed on the host, so there is no new binary for antivirus to flag, and detection has to rely on how those tools are used rather than on what they are.
Drilling down further, here are some of the procedures used in the Windows command shell (the command line interface we get when we run CMD on a Windows machine):
Detection and Mitigation
ATT&CK offers a wealth of guidance on how to detect and (in many cases) mitigate attack techniques. If we look at the Create or Modify System Process technique, which appears under both the Persistence and Privilege Escalation tactics (because system processes run with elevated privileges and are restarted automatically), ATT&CK shows us 6 ways to detect these efforts and 7 recommended mitigations. Its sub-techniques cover the platform-specific mechanisms: Windows services, Launch Agents and Launch Daemons on macOS, and systemd services on Linux:
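A practical way to use the technique pages above is to tag your own telemetry with ATT&CK technique IDs, so that detections, hunts and coverage gaps all speak the same language. The following Python is an added example and not part of the original post or of ATT&CK itself. It runs a few simple detection rules for the Execution techniques named earlier (PowerShell, the Windows command shell, Scheduled Tasks) and for the Windows Service sub-technique of Create or Modify System Process over constructed, simplified Windows event lines; the event lines, field names and rule thresholds are assumptions made for illustration, while the technique IDs are the real ATT&CK Enterprise identifiers.

```python
import re
from dataclasses import dataclass

# Real ATT&CK Enterprise technique IDs for the techniques discussed on the page.
TECHNIQUE_NAMES = {
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1059.003": "Command and Scripting Interpreter: Windows Command Shell",
    "T1053.005": "Scheduled Task/Job: Scheduled Task",
    "T1543.003": "Create or Modify System Process: Windows Service",
}

# Constructed sample events (not real telemetry). Format is an assumption:
# "<EventID> key=value key=value ...", loosely modelled on Security 4688
# (process creation) and System 7045 (new service installed). The last field
# may contain spaces, so values are parsed up to the next "key=" token.
SAMPLE_EVENTS = [
    r"4688 image=C:\Windows\System32\cmd.exe parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE user=CORP\alice cmdline=cmd.exe /c whoami",
    r"4688 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Windows\System32\cmd.exe user=CORP\alice cmdline=powershell.exe -nop -w hidden -enc SQBFAFgA",
    r"4688 image=C:\Windows\System32\schtasks.exe parent=C:\Windows\System32\cmd.exe user=CORP\alice cmdline=schtasks.exe /create /sc minute /mo 5 /tn Updater /tr C:\Users\Public\u.exe",
    r"7045 service=WinUpdSvc imagepath=C:\Users\Public\u.exe starttype=auto account=LocalSystem",
    r"4688 image=C:\Windows\System32\notepad.exe parent=C:\Windows\explorer.exe user=CORP\bob cmdline=notepad.exe notes.txt",
]

# Office applications that should not normally spawn a command shell.
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
# Directories from which a newly installed service binary is considered expected.
TRUSTED_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files")


@dataclass
class Finding:
    technique_id: str
    event_id: str
    reason: str


def parse_event(line):
    """Split an event line into (event_id, {field: value})."""
    event_id, _, rest = line.partition(" ")
    fields = {m.group(1): m.group(2)
              for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", rest)}
    return event_id, fields


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(line):
    """Apply the detection rules to one event and return ATT&CK-tagged findings."""
    event_id, f = parse_event(line)
    findings = []
    if event_id == "4688":
        image = _basename(f.get("image", ""))
        parent = _basename(f.get("parent", ""))
        cmd = f.get("cmdline", "").lower()
        if image == "cmd.exe" and parent in OFFICE_APPS:
            findings.append(Finding("T1059.003", event_id,
                                    f"cmd.exe spawned by Office process {parent}"))
        if image == "powershell.exe" and ("-enc" in cmd or "-w hidden" in cmd):
            findings.append(Finding("T1059.001", event_id,
                                    "PowerShell launched hidden or with an encoded command"))
        if image == "schtasks.exe" and "/create" in cmd:
            findings.append(Finding("T1053.005", event_id,
                                    "scheduled task created from the command line"))
    elif event_id == "7045":
        path = f.get("imagepath", "").lower()
        if not path.startswith(TRUSTED_SERVICE_DIRS):
            findings.append(Finding("T1543.003", event_id,
                                    f"new service installed from untrusted path {path}"))
    return findings


def run(lines):
    """Run every rule over every event line."""
    return [fd for line in lines for fd in detect(line)]


def summarize(findings):
    """Count findings per technique ID: which ATT&CK techniques the telemetry surfaces."""
    counts = {}
    for fd in findings:
        counts[fd.technique_id] = counts.get(fd.technique_id, 0) + 1
    return counts


if __name__ == "__main__":
    for fd in run(SAMPLE_EVENTS):
        print(f"{fd.technique_id} {TECHNIQUE_NAMES[fd.technique_id]}: {fd.reason}")
    print(summarize(run(SAMPLE_EVENTS)))
```

Each rule encodes one of the behaviours ATT&CK describes for that technique rather than a file hash or a tool name, which is what moves a detection up the Pyramid of Pain: the adversary can rename the binary, but cmd.exe launched by Word, a hidden encoded PowerShell command, or a service whose binary lives in a user-writable directory still trip the rule.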
Groups
ATT&CK also offers a rich amount of data on adversary groups. Some of these are identified as cyber crime groups, others are nation-state level groups. Some of the biggest cybersecurity companies and also government agencies are quite creative when it comes to naming adversary groups. A few examples are Aquatic Panda, Darkhotel, Ferocious Kitten, and Volatile Cedar - seriously, I did not make those up :)
The description of Cobalt Group is a good example of the information we can get about adversary groups. In addition to sections covering the techniques and software used by the group, we see overview text that includes the industry sector and geographic locations the group is known to target:
Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims.[1][2][3][4][5][6][7] Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak.[8]
While Cobalt Group appears to be a financially motivated criminal group, Sandworm is another story. They are a nation-state level group with some of the most damaging cyber attacks we’ve seen in recent history attributed to them, including the cyber warfare level attacks on the electric grid in Ukraine:
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]
In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]
Software
The Software section of ATT&CK is a huge listing of the malware and tools used in some of the most successful one-off and ongoing real world cyber attacks. TrickBot is just one well-known example that is still very much in use. In addition to the slew of techniques detailed for TrickBot, here is the overview of it in ATT&CK:
TrickBot is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to Dyre. TrickBot was developed and initially used by Wizard Spider for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of "big game hunting" ransomware campaigns.[1][2][3][4]
There is much more to ATT&CK than I’ve outlined here - including sections for Data Sources and Campaigns; and ATT&CK Navigator - which allows cybersecurity teams to map the TTPs of a specific adversary group onto the matrix, and even color code and compare the TTPs of multiple adversary groups so that overlapping techniques stand out as priorities for detection.
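The comparison that Navigator does in the browser can also be prepared offline as a layer file and then loaded into Navigator. The Python below is an added example, not code from the original post or from the ATT&CK project. It takes two technique sets, works out which techniques are shared and which are unique to each group, and emits a Navigator layer JSON that colors them differently. The two technique sets are constructed for illustration and are not ATT&CK’s actual mappings for any real group, and the version strings in the layer header are assumptions that you should set to match the Navigator and ATT&CK versions you run.

```python
import json

# Constructed, illustrative technique sets (assumed for the example; not
# ATT&CK's real mappings for any named group). The IDs themselves are real
# ATT&CK Enterprise technique IDs.
GROUP_A = {"T1566.001", "T1059.001", "T1059.003", "T1053.005", "T1543.003", "T1071.001"}
GROUP_B = {"T1566.001", "T1059.001", "T1078", "T1021.002", "T1486", "T1071.001"}

# Colors are arbitrary choices; Navigator only needs a hex string.
BUCKET_COLORS = {"both": "#e74c3c", "only_a": "#3498db", "only_b": "#f1c40f"}


def compare_groups(a, b):
    """Partition two technique sets into shared / A-only / B-only, sorted for stable output."""
    return {"both": sorted(a & b), "only_a": sorted(a - b), "only_b": sorted(b - a)}


def build_layer(name, a_name, a, b_name, b,
                attack_version="14", navigator_version="4.9.1", layer_version="4.5"):
    """Build a Navigator layer dict highlighting the overlap of two groups' techniques.

    Shared techniques get score 2, techniques unique to one group score 1, so a
    gradient view ranks the overlap highest. Version strings are assumptions."""
    buckets = compare_groups(a, b)
    labels = {"both": f"used by {a_name} and {b_name}",
              "only_a": f"only {a_name}",
              "only_b": f"only {b_name}"}
    techniques = []
    for bucket, ids in buckets.items():
        for tid in ids:
            techniques.append({
                "techniqueID": tid,
                "score": 2 if bucket == "both" else 1,
                "color": BUCKET_COLORS[bucket],
                "comment": labels[bucket],
                "enabled": True,
            })
    return {
        "name": name,
        "versions": {"attack": attack_version,
                     "navigator": navigator_version,
                     "layer": layer_version},
        "domain": "enterprise-attack",
        "description": f"Technique overlap between {a_name} and {b_name}",
        "techniques": sorted(techniques, key=lambda t: t["techniqueID"]),
        "gradient": {"colors": ["#ffffff", "#e74c3c"], "minValue": 0, "maxValue": 2},
        "legendItems": [{"label": labels[k], "color": BUCKET_COLORS[k]} for k in labels],
    }


def layer_json(layer):
    """Serialize the layer for saving as a .json file to open in Navigator."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    layer = build_layer("Group A vs Group B", "Group A", GROUP_A, "Group B", GROUP_B)
    print(layer_json(layer))
```

The shared bucket is the one to act on first: a technique used by every group you care about is a better candidate for a detection than one used by a single group, which is the prioritisation Navigator’s color coding is meant to make visible.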
Regardless of which area of cybersecurity you’re interested in, I would suggest that any amount of time you spend getting to know ATT&CK will be time very well spent.