In the first article, we briefly explored what MITRE ATT&CK is and why it matters in cybersecurity. Like a map tracing routes through a maze, MITRE ATT&CK provides a guide to the tactics and techniques used by adversaries. Now we will dive deeper to see how this framework can be used to defend against advanced persistent threats (APTs) and to improve Red Team operations.
Detailed breakdown of MITRE ATT&CK
ATT&CK Matrix
The ATT&CK matrix is a kind of tactical map that gives a detailed view of the tactics, techniques and procedures (TTPs) an adversary can use in an attack. Each tactic represents a stage in the “life cycle” of an attack, while the techniques associated with it represent the different ways an adversary can achieve that tactic. For example, under the “Initial Access” tactic we find techniques such as “Spearphishing” or “Public Vulnerability Exploitation.”
Techniques and tactics
Techniques are the specific methods adversaries use to achieve their objectives: the concrete steps an attacker could follow. Tactics, on the other hand, are the high-level objectives an adversary seeks to achieve, such as gaining initial access, moving laterally, or exfiltrating data. Each technique is associated with one or more tactics, which together give a comprehensive picture of how an attack could unfold.
Procedures
Procedures are specific implementations of the techniques, and provide additional details on how attacks are carried out. For example, under the “Spearphishing” technique, a procedure could be “Send an email with a malicious attachment.” Procedures help contextualize techniques, and can be useful in identifying the specific behaviors of an adversary or threat group.
Application of MITRE ATT&CK for APT analysis
MITRE's ATT&CK matrix provides a solid foundation for analysing APTs. With its help, defenders can identify the tactics and techniques a specific APT is likely to use, which helps them anticipate, detect, and counter its attacks more effectively. The ATT&CK matrix is also useful to threat researchers, allowing them to classify and track the activities of APT groups and providing a common language for sharing information about these threats.
Use of ATT&CK in Red Teaming operations
In the context of Red Teaming, ATT&CK can be an invaluable tool. Red Teams can use the matrix to plan and execute attack simulations, selecting the techniques and tactics most relevant to their organization, for instance those attributed to the threat groups that target its sector. By doing so, they can uncover and highlight weaknesses in the organization's security posture so that corrective action can be taken.
Case study: Mapping a specific APT to ATT&CK
APT28
Now let us consider the case of APT28, also known as “Fancy Bear” or “Sofacy”. This threat group, allegedly sponsored by the Russian government, has been active for more than a decade and is known for its involvement in several high-profile cyberattacks. APT28 has employed a variety of techniques and tactics over the years, which can be mapped to MITRE's ATT&CK matrix.
For example, they have used the “Spearphishing Attachment” technique (T1566.001) for Initial Access. This involves targeted phishing emails containing malicious attachments.
Another technique frequently used by APT28 is “Command and Scripting Interpreter: PowerShell” (T1059.001). This involves using PowerShell to execute malicious commands and scripts.
APT29
Consider the case of APT29, also known as “The Dukes” or “Cozy Bear.” This threat group, allegedly associated with the Russian government, has been active for more than a decade, and is known for its sophisticated and highly targeted attacks. Using the ATT&CK matrix, we can map APT29's known techniques and tactics, allowing us to better understand their operations and develop effective defense strategies.
One technique that APT29 has employed is “User Execution: Malicious Link” (T1204.001). This involves the use of malicious links that the end user must open.
Additionally, APT29 has used the “Exploitation for Privilege Escalation” (T1068) technique, which involves using vulnerabilities in software to gain higher privileges on a system.
It is important to note that these advanced threat groups are constantly evolving, so the techniques and tactics they use may change over time. MITRE's ATT&CK matrix provides a useful framework for understanding and tracking these techniques and tactics as they evolve, provided the mapping is revisited as new reporting on a group appears.
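The following example puts the matrix breakdown and the two case studies into working code. It is an added example for this article, not code from the original post or from MITRE. The tactic and technique IDs and names are the real ATT&CK ones cited above (T1566.001, T1059.001, T1204.001, T1068 and their tactics); the procedure descriptions, the detection-rule inventory and the helper names are constructed for illustration. It shows how a defender lays a group's techniques out on the matrix, checks which of them no detection rule covers (a parent-technique rule is taken to cover its sub-techniques), and exports the result as a minimal ATT&CK Navigator layer, whose JSON keys are an assumption to check against the Navigator version in use.

```python
"""Mapping group TTPs onto ATT&CK tactics and checking detection coverage.

Added example for this article, not code from the original post or from
MITRE. The tactic and technique IDs/names are the real ATT&CK ones cited in
the text; the procedure descriptions, the detection-rule inventory and the
helper names are constructed for illustration.
"""
import json
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    tid: str        # ATT&CK ID; a dot separates a sub-technique from its parent
    name: str
    tactics: tuple  # tactic IDs; one technique may serve several tactics

    @property
    def parent(self) -> str:
        return self.tid.split(".")[0]


TACTICS = {"TA0001": "Initial Access", "TA0002": "Execution",
           "TA0004": "Privilege Escalation"}

TECHNIQUES = {t.tid: t for t in (
    Technique("T1566.001", "Phishing: Spearphishing Attachment", ("TA0001",)),
    Technique("T1059.001", "Command and Scripting Interpreter: PowerShell", ("TA0002",)),
    Technique("T1204.001", "User Execution: Malicious Link", ("TA0002",)),
    Technique("T1068", "Exploitation for Privilege Escalation", ("TA0004",)),
)}

# Procedures: (technique ID, short description) as the article reports them.
GROUP_PROCEDURES = {
    "APT28": [("T1566.001", "targeted email carrying a malicious attachment"),
              ("T1059.001", "PowerShell used to run commands and scripts")],
    "APT29": [("T1204.001", "malicious link the end user must open"),
              ("T1068", "software vulnerability used to gain higher privileges")],
}

# Constructed detection inventory: rule name -> technique IDs it covers.
DETECTIONS = {
    "mail-attachment-sandbox": ["T1566.001"],
    "powershell-scriptblock-logging": ["T1059.001"],
}


def group_techniques(group: str) -> list[str]:
    """Unique technique IDs attributed to a group, sorted; unknown IDs are an error."""
    ids = {tid for tid, _ in GROUP_PROCEDURES[group]}
    unknown = ids - TECHNIQUES.keys()
    if unknown:
        raise ValueError(f"{group}: techniques not in catalogue: {sorted(unknown)}")
    return sorted(ids)


def techniques_by_tactic(group: str) -> dict[str, list[str]]:
    """Lay a group's techniques out on the matrix: tactic name -> technique IDs."""
    matrix = defaultdict(list)
    for tid in group_techniques(group):
        for tactic in TECHNIQUES[tid].tactics:
            matrix[TACTICS[tactic]].append(tid)
    return {k: sorted(v) for k, v in matrix.items()}


def covered_ids(detections: dict[str, list[str]]) -> set[str]:
    """All technique IDs that at least one rule claims to cover."""
    return {tid for ids in detections.values() for tid in ids}


def detection_gaps(group: str, detections: dict[str, list[str]]) -> list[str]:
    """Techniques of the group that no rule covers.

    A rule mapped to a parent technique (e.g. T1204) is taken to cover its
    sub-techniques (T1204.001); a rule mapped to a sub-technique covers only
    that sub-technique.
    """
    covered = covered_ids(detections)
    return [tid for tid in group_techniques(group)
            if tid not in covered and TECHNIQUES[tid].parent not in covered]


def navigator_layer(group: str, detections=DETECTIONS) -> dict:
    """Minimal ATT&CK Navigator layer: score 1 = covered, 0 = gap.

    Assumption: the JSON keys below follow the Navigator layer format; check
    them against the version of Navigator you use before importing.
    """
    gaps = set(detection_gaps(group, detections))
    return {
        "name": f"{group} coverage",
        "domain": "enterprise-attack",
        "description": "constructed example layer",
        "techniques": [
            {"techniqueID": tid, "score": 0 if tid in gaps else 1,
             "comment": TECHNIQUES[tid].name}
            for tid in group_techniques(group)
        ],
    }


if __name__ == "__main__":
    for group in GROUP_PROCEDURES:
        print(group, techniques_by_tactic(group))
        print("  gaps:", detection_gaps(group, DETECTIONS))
    print(json.dumps(navigator_layer("APT29"), indent=2))
```

Run as a script, the block reports that the constructed rule set covers both APT28 techniques but neither APT29 technique, which is exactly the kind of gap a Red Team would choose to exercise and a detection engineer would prioritise. In practice the `TECHNIQUES` table would be loaded from the ATT&CK STIX data rather than typed in, and the parent-covers-sub-technique rule should be reviewed per rule, since a generic parent-level detection does not always fire on every sub-technique.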
Conclusion
A deep understanding of MITRE ATT&CK can provide great value to organizations. It allows better preparation against APTs, improves the effectiveness of Red Teams, and provides a common framework for sharing threat information. At the end of the day, ATT&CK is a tool that can help organizations navigate the cybersecurity maze.
References
- https://attack.mitre.org/
- https://attack.mitre.org/matrices/enterprise/
- https://attack.mitre.org/tactics/enterprise/
- https://attack.mitre.org/groups/G0016/