ATT&CK Model: It ain't your mama's kill chain

Who and what is MITRE

MITRE is a non-profit whose mission is to solve problems for a safer world through federally funded research and development centers and public-private partnerships. Their aim is to tackle challenges to the safety, stability, and well being of the United States.

MITRE brings innovative ideas into existence in areas as varied as artificial intelligence, intuitive data science, quantum information science, health informatics, space security, policy and economic expertise, trustworthy autonomy, cyber threat sharing, and cyber resilience.

What is ATT&CK

The ATT&CK is a curated knowledge-base of adversarial behaviors observed in the wild that reflects the various phases of an adversary's attack lifecycle and platforms they are known to target organized into tactical goals. The ATT&CK is a byproduct of exercises MITRE ran under a research project named the Fort Meade Experiment (FMX) created to enumerate and categorize post-compromise adversary tactics, techniques, and procedures (TTPs) against Microsoft Windows. The project emulated adversarial techniques within a cyber war game closely monitored within an isolated enclave to test analytic hypotheses in order to improve post-compromise detection of threats.

The different applications of the ATT&CK model extends across intrusion detection, threat hunting, security engineering, threat intelligence, red teaming, and risk management and is grounded in empirically driven threat information from use cases created by adversary emulation to achieve better measurement of defensive coverage.

Unlike the Lockheed Martin kill chain model (KCM), the ATT&CK does not represent tactics or techniques in a linear order -- rather, adversaries jump around between different techniques in order to achieve their tactical goals.

The relationship between the different elements of the ATT&CK are diagramed below in Figure 1.

Figure 1: The interactions between the elements of the ATT&CK

What ATT&CK is NOT is an exhaustive enumeration of attack vectors. Those are covered under separate MITRE research and are referenced in the techniques of the ATT&CK matrix, these include the CAPEC (Common Attack Pattern Enumeration and Classification) and CWE (Common Weaknesses Enumeration).

The ATT&CK matrix is organized in a tabular format with tactics organized into columns as the short-term adversarial goals during an attack and the cells representing the individual techniques used by the adversaries to achieve those tactical goals.

History of ATT&CK

The first ATT&CK model was created in September of 2013 as a result of the FMX research and publicly released in May of 2015 with 96 techniques organized under 9 tactics. Since 2013, the community has collectively contributed to the project through the creation of a similar knowledge base called the PRE-ATT&CK to focus on "left of exploit" behavior and ATT&CK for Mobile to focus on behavior in the mobile-specific domain.

As of April 2018, Enterprise ATT&CK now includes 219 techniques across Windows, Linux, and Mac.

ATT&CK is organized into technology domains. Think of domains as the battleground adversaries maneuver within to circumvent controls to achieve their objectives. There are two domains currently: Enterprise (Linux, MacOS, Windows) and Mobile (Android, IOS) Within the domains are platforms, the operating system or application.

ATT&CK also tracks APT groups detailing the name of the group; a unique ID; group aliases; a description fo the group; description of group aliases; techniques used by the group and how its used; and list of software that the group has been reported to use.

Software is also decomposed in the model as adversaries commonly use different types of software in the intrusion, which can represent an instantiation of a technique, making it necessary to categorize within ATT&CK for examples on how techniques are used. Software is categorized into tool, utility, or malware. Each software is described with name of the software; a unique ID; alternative names/aliases; type of software (malware, tool, or utility); platform the software can be used on; description of the software; description of aliases; list of techniques that are employed by the software with relevant references; and list of groups that the software has been reportedly used by.

Tactics versus Techniques

Tactics and techniques are fundamentally different things. TTPs were the foundation on which the ATT&CK model was conceptualized. The tactics in the ATT&CK are the categories of objectives the techniques are meant to achieve, while the techniques are the actions the adversary employs to achieve their tactical goals.

The Tactics

Tactics within the ATT&CK represent the "why" of a technique -- ultimately, the adversary's tactical objective or reason for performing the action. Standard notations for things adversaries do during a breach include persistence, discovery, lateral movement, execution, and exfiltration.

Enterprise matrix tactics as of October 2018 include initial access: the vectors adversaries use to gain an initial foothold within a network; execution: techniques that result in execution of adversary-controlled code on a local or remote machine; persistence: any access, action, or configuration change to a system that gives an adversary a persistent presence on that system; privilege escalation: the result of actions that allows an adversary to obtain a higher level of permissions on a system or network; defense evasion: techniques an adversary may use to evade detection or avoid other defenses; credential access: techniques resulting in access to or control over a system, domain, or service credentials; discovery: techniques that allow the adversary to gain knowledge about the system, application, or network; lateral movement: techniques that enable an adversary to access and control remote systems on a network; collection: techniques used to identify and gather information, such as sensitive files from a target network prior to exfiltration; exfiltration: techniques and attributes that result or aid in the adversary removing files and information from a network, and command and control: tactic representing how adversaries communicate with systems under their control within a target network. To see the entire matrix, click here.

The Techniques

The techniques in the ATT&CK represent "how" an adversary achieves the tactical objective by performing an action (E.g. dumping the SAM hive in order to get access to password hashes). Every technique is decomposed into further detail containing the name of the technique; a unique identifier; tactic objectives that the technique can be used to accomplish; description of the technique; what it is, and what it's used for, as well as references of it used in the wild; target OS or application; requirements the adversary needs to meet for the technique to work; permissions required by the adversary to perform the technique; level of permissions the adversary will attain by performing the technique; source of information collected by a sensor or logging system identifying the action being performed; sequence of actions, or results of the actions by an adversary; if the technique can be used to execute something on a remote system; if it can be used to bypass or evade a control, methodology, or process; associated CAPEC ID; contributor; examples of documented use; analytic process, sensors, data, and detection strategies useful for identifying the technique; and configurations, tools, or processes used to prevent the technique from succeeding or achieving the desired effect for the adversary.

The techniques are further detailed describing how they are leveraged and why it may be important for defenders to identify them. The platform and data sources describes the systems to monitor and what to collect to mitigate and or detect abuse of the technique. Techniques also include cited examples of real-world implementations of the techniques used by malware and adversaries, and also contain mitigation and detection descriptions within each technique

Key Takeaways

Begin asking your vendors what coverage their solution has in the ATT&CK matrix. E.g. Tripwire for example, published something similar here.The ATT&CK model is not meant to replace the kill chain model, rather, to study the techniques of adversaries so they can be detected when they happen and ultimately reduce the time to detection and response to an APT attack.Consider your own security controls and what coverage of individual techniques within the ATT&CK is covered in your environment. This is a perfect opportunity to perform a control gap assessment. There are published documents of control frameworks being mapped to the ATT&CK, such as the CIS controls.The ATT&CK provides more color around the KCM, decomposing the steps of the KCM into the actual techniques performed in each step to look at the tactical objectives of adversaries in order to bring to light the different techniques employed to achieve those tactical goals. After all, it was Sun Tzu who said, "to know your enemy, you must become your enemy."Get involved. The ATT&CK can only be maintained and made better through global community involvement. Through cyber intelligence sharing amongst cybersecurity practitioners, we can become more effective through the research we do individually of adversarial actions on objectives by sharing them with our global colleagues so that what we experience and learn from can be used by them to improve their visibility of detecting the same technique. We're all on the same team.


© Copyright 2010-2020 Brier & Thorn, Inc.