Faced with the proliferation of complex attacks, cyber defense needs to shift to strategies focused on Tactics, Techniques, and Procedures (TTPs).
Placed at the top of Bianco's Pyramid of Pain as the hardest thing for an adversary to change, TTP-based defenses force attackers to abandon readily available attack vectors and tools and compel them to continually invent new behaviors. MITRE ATT&CK is the most comprehensive public taxonomy of TTPs available today and provides cyber defenders with interactive matrices that are invaluable in defining effective defensive strategies.
The MITRE ATT&CK framework is organized around three concepts:
Tactics: the adversary's goal at a given stage of an attack (the "why")
Techniques and sub-techniques: the methods used by attackers to reach that goal (the "how")
Procedures: the specific implementation of a technique as observed in use by a particular group or piece of malware

MITRE ATT&CK is an interactive knowledge base documenting adversary TTPs for cyber defense purposes. It is the brainchild of the MITRE Corporation, a not-for-profit organization that operates Federally Funded Research and Development Centers (FFRDCs) and assists US government partners ranging from the Department of Defense to the IRS in the research and development of advanced technologies. In cyberspace, MITRE is known for maintaining the Common Vulnerabilities and Exposures (CVE) list, an invaluable input for managing vulnerabilities worldwide. In 2013, MITRE launched the Fort Meade eXperiment (FMX): a red team operation against a living lab of over 200 hosts on a corporate network, used by real users going about their routine work. The team, led by Blake Strom, uncovered the attackers' Achilles' heel: unlike the ever-growing number of offensive tools available to them, the variations in attackers' behavior once they have breached an environment are limited and slow to evolve. This realization led to the creation of the ATT&CK framework. ATT&CK was released publicly in 2015 and has since enriched its database with MITRE's own research and with community contributions. Regularly updated, it provides comprehensive information about new attack vectors and attacker behavior. Today, MITRE ATT&CK documents adversarial Tactics, Techniques, and Procedures (TTPs), empowering cyber defenders to understand attackers' behavioral patterns and integrate them into their defense strategy.
The MITRE ATT&CK framework is organized into three matrices:
Enterprise – covers the tactics and techniques targeting any organization's environment: on-premises, hybrid, and cloud-native
Mobile – covers the tactics and techniques targeting Android and iOS devices
ICS – covers the tactics and techniques targeting industrial control systems

Each matrix is laid out as a row of tactic columns, in the order the matrices themselves use:

Enterprise | Mobile | ICS
Reconnaissance | Initial Access | Initial Access
Resource Development | Execution | Execution
Initial Access | Persistence | Persistence
Execution | Privilege Escalation | Privilege Escalation
Persistence | Defense Evasion | Evasion
Privilege Escalation | Credential Access | Discovery
Defense Evasion | Discovery | Lateral Movement
Credential Access | Lateral Movement | Collection
Discovery | Collection | Command and Control
Lateral Movement | Command and Control | Inhibit Response Function
Collection | Exfiltration | Impair Process Control
Command and Control | Impact | Impact
Exfiltration | Network Effects |
Impact | Remote Service Effects |
Each tactic column lists the techniques and sub-techniques attackers use to achieve that goal.
Using the interactive matrix (the ATT&CK Navigator), threat hunters can select a threat group or piece of malware to map its known techniques and visualize which parts of the environment it is likely to target at each stage of an attack, or select a mitigation to identify the techniques it addresses.
Each element of the matrix can either be viewed or selected: viewing opens the element's information page, while selecting highlights it on the matrix to map the attack path.
Selecting APT28, for example, and applying a red color code highlights the group's known access vectors and potential escalation paths across the tactic columns.
The threat hunter can then expand each highlighted technique to pinpoint the sub-techniques the group is known to use.
MITRE ATT&CK is built on shared threat intelligence presented in a powerful matrix. Sharing threat intelligence collected globally, as close to real time as possible, is invaluable for hampering attackers' progress: it discloses new tactics and tools as they emerge and enables defenders to rapidly integrate preventive and defensive measures, which in turn forces malicious actors to keep creating new attack vectors.
When the shared intelligence covers attack strategies in addition to tooling, as the ATT&CK matrices do, the cost of devising new effective attack schemes rises considerably, and the rate at which new effective attack vectors appear shrinks accordingly. It also complements the now-dominant zero-trust principle, "never trust, always verify," by pointing defenders at the entry points and techniques worth hardening before an intrusion is ever attempted. By its very nature, though, ATT&CK aims to be comprehensive and to provide actionable information to all defenders on all platforms. The downside of this breadth is that defenders must sort through many techniques that are not relevant to their environment; each technique's platform list is the first filter to apply. Additionally, ATT&CK is a knowledge base, not a cyber defense tool, so its effectiveness depends on the defense team's ability to operationalize it. Ideally, the ATT&CK matrix is integrated into the organization's defense tooling, either through custom integration or through a vendor solution that builds on the framework.
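The Navigator walkthrough above (selecting a group, coloring its techniques, drilling into sub-techniques) and the relevance filtering just described can both be done programmatically against the same data the matrices are built from: MITRE publishes ATT&CK as STIX 2.x JSON bundles at https://github.com/mitre/cti. The script below is an added example written for this article, not Cisco's or MITRE's code. It walks the intrusion-set -> uses -> attack-pattern relationships for one group, drops revoked and deprecated objects (MITRE keeps them in the bundle, and a naive walk will otherwise put dead techniques on the layer), optionally keeps only techniques whose x_mitre_platforms overlap your environment, and emits an ATT&CK Navigator layer with every hit colored red. The bundle embedded in the script is constructed so the example runs offline: the identifiers APT28/G0007, T1003, T1566, T1566.001, T1610 and the revoked T1086 are real ATT&CK ids, but which of them is attached to the group here is made up for the example and says nothing about APT28's actual procedures; the layer version string is also an assumption.

```python
"""Build an ATT&CK Navigator layer for one threat group from STIX 2.x data.

Added example for this article (not Cisco's or MITRE's code). Real data:
enterprise-attack.json from https://github.com/mitre/cti; the bundle below is a
constructed stand-in with the same object shapes so the script runs offline.
"""
import json


def _ap(sid, ext_id, name, tactics, platforms, sub=False, revoked=False):
    """Constructed attack-pattern object in the shape MITRE publishes."""
    return {
        "type": "attack-pattern", "id": sid, "name": name,
        "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics],
        "x_mitre_platforms": platforms, "x_mitre_is_subtechnique": sub, "revoked": revoked,
    }


def _uses(src, dst):
    """Constructed 'uses' relationship (ids are not real STIX UUIDs)."""
    return {"type": "relationship", "id": f"relationship--{src}-{dst}",
            "relationship_type": "uses", "source_ref": src, "target_ref": dst}


# Constructed sample bundle. The ATT&CK ids are real; the group-to-technique
# links are invented for the example and are not a claim about APT28.
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "intrusion-set", "id": "intrusion-set--g0007", "name": "APT28",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0007"}]},
    _ap("attack-pattern--t1566", "T1566", "Phishing", ["initial-access"],
        ["Linux", "macOS", "Windows", "Office 365", "SaaS", "Google Workspace"]),
    _ap("attack-pattern--t1566-001", "T1566.001", "Spearphishing Attachment",
        ["initial-access"], ["Linux", "macOS", "Windows"], sub=True),
    _ap("attack-pattern--t1003", "T1003", "OS Credential Dumping",
        ["credential-access"], ["Linux", "macOS", "Windows"]),
    _ap("attack-pattern--t1610", "T1610", "Deploy Container",
        ["defense-evasion", "execution"], ["Containers"]),
    # Revoked objects stay in the bundle; a naive walk would still list them.
    _ap("attack-pattern--t1086", "T1086", "PowerShell", ["execution"], ["Windows"], revoked=True),
] + [_uses("intrusion-set--g0007", t) for t in (
    "attack-pattern--t1566", "attack-pattern--t1566-001", "attack-pattern--t1003",
    "attack-pattern--t1610", "attack-pattern--t1086")]}


def attack_id(obj):
    """ATT&CK external id (G0007, T1566.001, ...) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def is_live(obj):
    """Skip revoked/deprecated objects: MITRE keeps them in the bundle for history."""
    return not (obj.get("revoked") or obj.get("x_mitre_deprecated"))


def find_group(objs, name):
    """Look up an intrusion-set by display name or G-number, case-insensitively."""
    wanted = name.lower()
    for o in objs.values():
        if o["type"] == "intrusion-set" and is_live(o) and wanted in (
                o["name"].lower(), (attack_id(o) or "").lower()):
            return o
    raise KeyError(f"no intrusion-set named {name!r}")


def techniques_for_group(bundle, group_name, platforms=None):
    """Techniques a group 'uses', optionally restricted to the given platforms.

    Returns dicts sorted by ATT&CK id; each carries its tactic phases so a
    layer entry can be placed in the right column(s) of the matrix.
    """
    objs = {o["id"]: o for o in bundle["objects"]}
    group = find_group(objs, group_name)
    hits = []
    for rel in objs.values():
        if rel["type"] != "relationship" or rel.get("relationship_type") != "uses":
            continue
        if rel["source_ref"] != group["id"] or not is_live(rel):
            continue
        tech = objs.get(rel["target_ref"])
        if not tech or tech["type"] != "attack-pattern" or not is_live(tech):
            continue
        if platforms and not set(tech.get("x_mitre_platforms", [])) & set(platforms):
            continue  # not relevant to this environment: the filter the text calls for
        hits.append({
            "id": attack_id(tech), "name": tech["name"],
            "subtechnique": bool(tech.get("x_mitre_is_subtechnique")),
            "tactics": [p["phase_name"] for p in tech.get("kill_chain_phases", [])
                        if p.get("kill_chain_name") == "mitre-attack"],
            "platforms": tech.get("x_mitre_platforms", []),
        })
    return sorted(hits, key=lambda t: t["id"])


def build_layer(bundle, group_name, color="#ff0000", platforms=None):
    """Navigator layer: one entry per (technique, tactic) pair, all in `color`."""
    techs = techniques_for_group(bundle, group_name, platforms)
    return {
        "name": f"{group_name} techniques" + (f" on {'/'.join(platforms)}" if platforms else ""),
        "versions": {"layer": "4.4"},  # assumption: layer-format version Navigator accepts
        "domain": "enterprise-attack",
        "techniques": [{"techniqueID": t["id"], "tactic": tac, "color": color, "score": 1}
                       for t in techs for tac in t["tactics"]],
    }


if __name__ == "__main__":
    # Usage: python attack_layer.py > apt28.json, then open the file in Navigator.
    print(json.dumps(build_layer(SAMPLE_BUNDLE, "APT28", platforms=["Windows"]), indent=2))
```

Swap SAMPLE_BUNDLE for json.load(open("enterprise-attack.json")) to run the same walk against the real knowledge base. Sub-techniques are separate attack-pattern objects with their own uses relationships, so T1566.001 shows up in its own right, which is the programmatic equivalent of expanding a technique in the Navigator; a technique that belongs to two tactics (T1610 here) correctly yields one layer entry per column.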
Developed primarily for Linux, Windows, and macOS platforms and for cloud-based attacks, the ATT&CK framework needs to be calibrated specifically for Kubernetes (K8s) so that its security checks and exploit information apply in a K8s security context. Cisco Cloud Native Security Solution integrates the recently published Microsoft Threat Matrix for Kubernetes with ATT&CK's threat-based model into a matrix tailored for Kubernetes. It displays attack risks and their applicability to deployed clusters in an interface similar to the ATT&CK matrix, showing at a glance how your environment is affected by known attack vectors and what actions to take to strengthen your defenses in real time. You can watch it in action in our MITRE ATT&CK Framework for Kubernetes and Container Runtime Security webinar.