
WHAT IS MITRE ATT&CK?

June 2019

Presented by Brent Jones, Senior Systems Engineer (brent@exabeam.com)


AGENDA

•Who is MITRE?
•Why do we need ATT&CK?
•What is ATT&CK?
•How can I get ATT&CK?
•What can I use ATT&CK for?
•Additional tools
Copyright © 2019 Exabeam, Inc. All Rights Reserved.
Who is MITRE?
• Started life as a collaboration between the US Air Force and MIT in the 1940s
• MITRE was established in 1958
• Private, not-for-profit company
• Mission: dedication to solving problems for a safer world
• Currently operates Federally Funded Research and Development Centers (FFRDCs) covering:
  – Defence & Intelligence
  – U.S. Courts
  – Cybersecurity
  – Healthcare
  – Aviation
  – Homeland Security
  – Civil Agency Modernisation



Why do we need ATT&CK?
• Security has relied on IOCs from the earliest days
• An Indicator of Compromise (IOC) is an artifact observed on a network or in an
  operating system that, with high confidence, indicates a computer intrusion (from
  Wikipedia)
  – AV signatures
  – Hashes
  – File names
  – IPs
  – URLs/Domains
  * GRIZZLY STEPPE IOCs (911)
• IOCs lack context, and it is difficult to determine intent from a single IOC
What about TTPs?
• Tactics, Techniques, and Procedures (TTPs)
  – Tactics: the why. The steps the adversary takes to complete their mission.
  – Techniques: the how. The action taken to complete a step.
  – Procedures: the detailed, repeatable steps required to implement a technique.
• No single repository for TTP data
• Lots of data held privately or in public reports
• Not easy to extract TTPs from public reports, which are mostly concerned with IOC data


Pyramid of Pain
• David Bianco, 2013
• Prompted by the public reports into APT1
• People largely focused on the IOCs
• The pain is relative to the attacker: the higher up the pyramid you disrupt,
  the more pain it causes the attacker
• The bottom layers (hashes, IPs, domains) are trivial for the attacker to change
[Figure: Pyramid of Pain, http://4.bp.blogspot.com/-EDLbyYipz_E/UtnWN7fdGcI/AAAAAAAANno/b4UX5wjNdh0/s1600/Pyramid+of+Pain+v2.png]


Lockheed Martin Cyber Kill Chain
• Well referenced
• Gets you thinking about the adversary and their goals
• Can map IOCs and TTPs onto it to get a view of the attack progression
• Not much meat to it; it isn't helpful for teams on the ground
• How do I know what the adversary is going to do at each step?

[Figure: Lockheed Martin Cyber Kill Chain]
Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command and Control → Actions on Objectives


What is MITRE ATT&CK?
• Adversarial Tactics, Techniques and Common Knowledge
• A globally-accessible knowledge base of adversary tactics and techniques
• Open and available to any person or organization for use at no charge
• Collaborative: anyone (companies, individuals, researchers) can contribute
• Released in 2015, mostly attributed to Blake Strom but with many other contributors
• Based on real-world observations of attacker behavior
• Data collected from public reports, private reports and the team's own experience
• What happened to the P? Probably marketing: ATTP&CK isn't as cool.


Why You Should Care: Growing Interest in MITRE ATT&CK
[Figure: Google Trends, worldwide search interest in "MITRE ATT&CK" over time, indexed 0-100]


Nuts and Bolts of ATT&CK
• Organised into technical domains, each presented as a matrix
  – Enterprise, Mobile, PRE-ATT&CK
• Each technical domain has a set of platforms the adversaries use:
  – Enterprise has Windows, macOS and Linux
  – Mobile has Android and iOS
• Tactics represent the "why" of a technique
• Techniques represent "how" an adversary achieves a tactic
• Groups represent adversaries tracked by public or private organisations
  – Typically called out in reports: APT1, APT28, Grizzly Steppe, etc.
• Software represents a tool, utility or malware that can instantiate a technique
The ATT&CK Model
• Defines a taxonomy for thinking and communicating knowledge of campaigns
• Publishes a data model
• An example as applied to a specific persistent threat group, where APT28 uses Mimikatz for
  credential dumping: MITRE ATT&CK: Design and Philosophy (2018), pp. 12-13

[Excerpt shown on the slide, from the Design and Philosophy paper:
Software (relationship / field): software with a field to describe details on how the technique is implemented or used. Each technique should include a reference.
Groups (relationship / field): list of groups that the software has been reported to be used by, with a field to describe details on how the software is used. This information is populated from the associated group entry.
3.7 ATT&CK Object Model Relationships: each high-level component of ATT&CK is related to other components in some way. The relationships described in the description fields in the previous section can be visualized in a diagram.
Figure 2. ATT&CK Model Relationships; Figure 3. ATT&CK Model Relationships Example]
Enterprise Matrix
[Figure: the Enterprise matrix; tactics are the column headings, techniques are the cells listed beneath each tactic]


Mobile and PRE-ATT&CK tactics
• Mobile
  [Figure: tactic columns of the Mobile matrix]
• PRE-ATT&CK
  [Figure: tactic columns of the PRE-ATT&CK matrix]


Techniques
• Each technique entry has some or all of the following fields:
  – Name
  – ID
  – Tactic
  – Description
  – Platform
  – Detection
  – Mitigation
  – Examples
  – References
ATT&CK By The Numbers
• Original release, 2015
  – Windows only: 9 tactics, 96 techniques
• As of April 2019
  – Enterprise: 12 tactics, 214 techniques
  – Mobile: 13 tactics, 67 techniques
  – PRE-ATT&CK: 15 tactics, 174 techniques
  – Groups: 86
  – Software: 377


MITRE ATT&CK vs. Lockheed Martin Cyber Kill Chain

[Figure: Kill Chain phases with the ATT&CK matrices that cover them]
Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command and Control → Actions on Objectives
PRE-ATT&CK covers Reconnaissance and Weaponization; ENTERPRISE and MOBILE cover Delivery through Actions on Objectives

• ATT&CK resembles the Kill Chain and can be used to describe the adversary lifecycle
• Higher-fidelity insight into behaviour in the post-exploit phases: the Enterprise matrix has
  12 tactics against the 5 Kill Chain phases it covers
• Practical information for offensive and defensive security teams
• Iterative updates


How can I get ATT&CK?
• A human-readable version is published online: https://attack.mitre.org/
• MITRE created ATT&CK Navigator for interactive exploration of the data
  – https://mitre-attack.github.io/attack-navigator/enterprise/
  – More on this later
  – Layers can be exported from Navigator
  – You can run your own on-premise copy: https://github.com/mitre-attack/attack-navigator
• The data has been translated into STIX 2 format and published on a MITRE TAXII server
  – Good for machines and for custom uses; STIX 2 is JSON, so there are lots of options for parsing it
  – https://github.com/mitre/cti
  – https://medium.com/mitre-attack/att-ck-content-available-in-stix-2-0-via-public-taxii-2-0-server-317e5c41e214
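The STIX 2 bundle is where the object model from the earlier slide (group uses software, software uses technique, technique sits under one or more tactics) becomes machine-readable. The following is an added example, not MITRE's or the cti repository's own code: it walks a bundle with only the standard library and recovers the tactic-to-technique map and each group's techniques, including those reached through the software it uses. The bundle embedded here is constructed to mirror the shape of enterprise-attack.json; its STIX ids are placeholders, and the revoked T9999 entry is a fake included only to show that revoked and deprecated objects, which MITRE leaves in the bundle, must be filtered out.

```python
"""Recover the ATT&CK object model (tactic -> technique, group -> software
-> technique) from a STIX 2.0 bundle using only the standard library.
Added example, not MITRE's code. SAMPLE_BUNDLE is constructed to mirror the
shape of enterprise-attack.json (https://github.com/mitre/cti); its STIX ids
are placeholders, not MITRE's real ones."""
import json
from collections import defaultdict

# source_name / kill_chain_name values MITRE uses for the three domains
ATTACK_SOURCES = ("mitre-attack", "mitre-pre-attack", "mitre-mobile-attack")

_T1003 = "attack-pattern--00000000-0000-4000-8000-000000000001"
_T1053 = "attack-pattern--00000000-0000-4000-8000-000000000002"
_REVOKED = "attack-pattern--00000000-0000-4000-8000-000000000003"
_APT28 = "intrusion-set--00000000-0000-4000-8000-000000000010"
_MIMIKATZ = "tool--00000000-0000-4000-8000-000000000020"


def _phase(name):
    return {"kill_chain_name": "mitre-attack", "phase_name": name}


def _ref(ext_id):
    return [{"source_name": "mitre-attack", "external_id": ext_id}]


# Constructed sample bundle (placeholder ids; T9999 is a fake revoked entry).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "spec_version": "2.0",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "attack-pattern", "id": _T1003, "name": "Credential Dumping",
         "kill_chain_phases": [_phase("credential-access")],
         "external_references": _ref("T1003")},
        {"type": "attack-pattern", "id": _T1053, "name": "Scheduled Task",
         "kill_chain_phases": [_phase("execution"), _phase("persistence"),
                               _phase("privilege-escalation")],
         "external_references": _ref("T1053")},
        {"type": "attack-pattern", "id": _REVOKED, "name": "Placeholder",
         "revoked": True, "kill_chain_phases": [_phase("execution")],
         "external_references": _ref("T9999")},
        {"type": "intrusion-set", "id": _APT28, "name": "APT28",
         "external_references": _ref("G0007")},
        {"type": "tool", "id": _MIMIKATZ, "name": "Mimikatz",
         "external_references": _ref("S0002")},
        # group uses software, software uses technique, group uses technique
        {"type": "relationship", "relationship_type": "uses",
         "id": "relationship--00000000-0000-4000-8000-000000000031",
         "source_ref": _APT28, "target_ref": _MIMIKATZ},
        {"type": "relationship", "relationship_type": "uses",
         "id": "relationship--00000000-0000-4000-8000-000000000032",
         "source_ref": _MIMIKATZ, "target_ref": _T1003},
        {"type": "relationship", "relationship_type": "uses",
         "id": "relationship--00000000-0000-4000-8000-000000000033",
         "source_ref": _APT28, "target_ref": _T1053},
    ]})


def load_objects(bundle_text):
    """Index every object in a STIX bundle by its STIX id."""
    return {obj["id"]: obj for obj in json.loads(bundle_text)["objects"]}


def attack_id(obj):
    """ATT&CK ID (T1003, G0007, S0002, ...) from external_references, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") in ATTACK_SOURCES and "external_id" in ref:
            return ref["external_id"]
    return None


def is_live(obj):
    """MITRE leaves revoked/deprecated objects in the bundle; skip them."""
    return not (obj.get("revoked") or obj.get("x_mitre_deprecated"))


def techniques_by_tactic(objects):
    """Tactic short name -> sorted technique IDs. A technique with several
    kill_chain_phases appears under each of its tactics, as in the matrix."""
    out = defaultdict(set)
    for obj in objects.values():
        if obj["type"] != "attack-pattern" or not is_live(obj):
            continue
        for phase in obj.get("kill_chain_phases", []):
            if phase["kill_chain_name"] in ATTACK_SOURCES:
                out[phase["phase_name"]].add(attack_id(obj))
    return {tactic: sorted(ids) for tactic, ids in out.items()}


def group_techniques(objects):
    """Group ATT&CK ID -> techniques it uses directly or via software it uses
    (the APT28 -> Mimikatz -> Credential Dumping chain from the model)."""
    uses = defaultdict(set)
    for obj in objects.values():
        if obj["type"] == "relationship" and obj["relationship_type"] == "uses":
            uses[obj["source_ref"]].add(obj["target_ref"])

    def live_techniques(refs):
        return {attack_id(objects[r]) for r in refs if r in objects
                and objects[r]["type"] == "attack-pattern" and is_live(objects[r])}

    result = {}
    for obj in objects.values():
        if obj["type"] != "intrusion-set" or not is_live(obj):
            continue
        techniques = live_techniques(uses[obj["id"]])
        for ref in uses[obj["id"]]:  # one more hop through tools/malware
            if ref in objects and objects[ref]["type"] in ("tool", "malware"):
                techniques |= live_techniques(uses[ref])
        result[attack_id(obj)] = sorted(techniques)
    return result


if __name__ == "__main__":
    objs = load_objects(SAMPLE_BUNDLE)
    print(json.dumps(techniques_by_tactic(objs), indent=2))
    print(json.dumps(group_techniques(objs), indent=2))
```

Against the real bundle, replace SAMPLE_BUNDLE with the contents of enterprise-attack.json; the same functions apply, and the revoked/deprecated filter matters there because old technique entries remain in the file after they are merged or retired.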
What can I use ATT&CK for?
• Assessment and Engineering
– Assess your organization’s capabilities and drive engineering decisions like what tools or
logging you should implement.
• Detections and Analytics
– Help cyber defenders develop analytics that detect the techniques used by an adversary.

• Adversary Emulation and Red Teaming


– Common language and framework that red teams can use to emulate specific threats and
plan their operations.
• Threat Intelligence
– Analysts have a common language to structure, compare, and analyse threat intelligence.



Assess your organization's capabilities
• What every organisation wants to know:
  – Are we secure?
  – Do I have too many tools that don't provide enough value or do the same thing?
  – Where are our blind spots: data collection, detection products, analytics?
  – Will this new product improve my defences?
• Do I really know what adversaries are capable of?
• ATT&CK can give you the data to build a heat map
  – You have to do the work; there is no free lunch
  – Use ATT&CK Navigator to help
• The heat map should help justify funding for new projects



ATT&CK Navigator – Heat map
• Use colours; a risk score works well
  – Risk 0 – Got it covered – Green
  – Risk 50 – Needs work – Orange
  – Risk 100 – No coverage – Red
  – Unknown – leave blank – White
• There will be lots of red/white. Don't panic.
• Iterate and improve
• Start with the most common techniques
• https://github.com/TravisFSmith/mitre_attack has some useful layers

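The heat map is just a Navigator layer file: JSON listing technique IDs with a score, colour and comment. The following is an added example, not Navigator's own code, that builds such a layer from a coverage assessment using the risk buckets on the slide (0 green, 50 orange, 100 red, unknown white) and summarises the counts so each iteration can be compared with the last. The layer-file fields used (name, version, domain, techniques, gradient, legendItems) are assumed to match the 2019-era Navigator, with "version": "2.2" and "domain": "mitre-enterprise"; newer releases expect a "versions" object and the domain name "enterprise-attack", so compare against a layer exported from your own Navigator before importing. The SAMPLE_COVERAGE assessment is constructed.

```python
"""Build an ATT&CK Navigator layer that colours techniques by risk score.
Added example, not Navigator's code. Layer fields assume the 2019-era format
("version": "2.2", "domain": "mitre-enterprise"); newer Navigator releases
use a "versions" object and the domain "enterprise-attack"."""
import json

# Risk buckets from the slide: 0 covered, 50 needs work, 100 no coverage.
BUCKETS = [(0, "Got it covered", "#00ff00"),
           (50, "Needs work", "#ffa500"),
           (100, "No coverage", "#ff0000")]
UNKNOWN_LABEL, UNKNOWN_COLOUR = "Not assessed", "#ffffff"


def bucket_for(risk):
    """Snap any 0-100 risk score to the nearest slide bucket."""
    if not 0 <= risk <= 100:
        raise ValueError("risk must be 0-100, got %r" % (risk,))
    return min(BUCKETS, key=lambda b: abs(b[0] - risk))


def build_layer(name, coverage, domain="mitre-enterprise"):
    """coverage maps technique ID -> (risk or None, comment).
    Returns the layer as a dict; json.dumps() it and open it in Navigator."""
    techniques = []
    for tid, (risk, comment) in sorted(coverage.items()):
        entry = {"techniqueID": tid, "comment": comment, "enabled": True}
        if risk is None:                       # unknown: leave blank/white
            entry["color"] = UNKNOWN_COLOUR
        else:
            score, _, colour = bucket_for(risk)
            entry["score"] = score
            entry["color"] = colour            # explicit colour beats gradient
        techniques.append(entry)
    return {
        "name": name,
        "version": "2.2",
        "domain": domain,
        "description": "Detection coverage; score is risk (0 covered, 100 none)",
        "techniques": techniques,
        "gradient": {"colors": [b[2] for b in BUCKETS],
                     "minValue": 0, "maxValue": 100},
        "legendItems": [{"label": label, "color": colour}
                        for _, label, colour in BUCKETS]
                       + [{"label": UNKNOWN_LABEL, "color": UNKNOWN_COLOUR}],
    }


def summarise(layer):
    """Counts per bucket, so successive assessments can be compared."""
    by_score = {score: label for score, label, _ in BUCKETS}
    counts = {label: 0 for label in by_score.values()}
    counts[UNKNOWN_LABEL] = 0
    for t in layer["techniques"]:
        counts[by_score.get(t.get("score"), UNKNOWN_LABEL)] += 1
    return counts


# Constructed assessment (not real data) for a handful of technique IDs.
SAMPLE_COVERAGE = {
    "T1003": (0, "EDR alerts on LSASS memory access"),
    "T1053": (40, "Event ID 4698 collected, no analytic yet"),
    "T1086": (100, "PowerShell script block logging not enabled"),
    "T1193": (None, "Not assessed"),
}

if __name__ == "__main__":
    layer = build_layer("Detection coverage 2019-06", SAMPLE_COVERAGE)
    print(json.dumps(layer, indent=2))
    print(summarise(layer))
```

Keeping the raw assessment (risk, comment) separate from the rendered layer means the comments survive when you re-bucket or re-colour, and the comment field is what reviewers see when they hover a cell in Navigator.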


Assess vendor capabilities
• Do they cover techniques you don't detect, or can they consolidate detections?
• Look at products that can tag behaviours, IOCs and TTPs with ATT&CK tactic and
  technique IDs. Expect this in SIEM technology.
• MITRE has started providing vendor evaluation and testing against ATT&CK
  – https://attackevals.mitre.org
  – Current evals include Carbon Black, CrowdStrike, Windows Defender ATP, RSA,
    CounterTack, Endgame and SentinelOne
  – Palo Alto, FireEye and Cybereason are on the next eval
  – No scoring or ranking; it is up to you to decide



Finding Cyber Threats using ATT&CK
• Paper published by the MITRE team
• https://www.mitre.org/sites/default/files/publications/16-3713-finding-cyber-threats%20with%20att%26ck-based-analytics.pdf
• Contains five principles:
  – Include post-compromise detection
  – Focus on behavior
  – Use a threat-based model
  – Iterate by design
  – Develop/test in a realistic environment

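"Focus on behavior" and "include post-compromise detection" are easiest to see in code. The following is an added example, not MITRE's CAR analytics or anything from the paper: three small behavioural analytics, each tagged with the ATT&CK technique IDs and tactic it evidences, run over process-creation events, alongside a hash-only IOC check for contrast. The events are constructed (Sysmon-like fields with made-up hosts, users, hashes and command lines), the IOC hash is a placeholder, and the technique IDs are the 2019-era Enterprise IDs. The last event is a renamed, recompiled credential dumper: its hash matches nothing, but the Mimikatz module syntax on its command line still fires the analytic.

```python
"""Behaviour-based analytics tagged with ATT&CK technique IDs, run over
process-creation events. Added example, not MITRE's CAR code. Events, hashes
and the IOC list are constructed placeholders, not real indicators."""
import re

# Constructed process-creation events (Sysmon-like fields, made-up values).
SAMPLE_EVENTS = [
    {"ts": "2019-06-03T09:12:01Z", "host": "ws01", "user": "jsmith",
     "parent": "WINWORD.EXE", "image": "cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA",
     "sha256": "aaaa" * 16},
    {"ts": "2019-06-03T09:12:09Z", "host": "ws01", "user": "jsmith",
     "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c dir", "sha256": "aaaa" * 16},
    {"ts": "2019-06-03T09:13:30Z", "host": "ws01", "user": "jsmith",
     "parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\Public\u.exe",
     "sha256": "bbbb" * 16},
    # renamed, recompiled credential dumper: new hash, same behaviour
    {"ts": "2019-06-03T09:15:02Z", "host": "ws01", "user": "jsmith",
     "parent": "cmd.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe privilege::debug sekurlsa::logonpasswords exit",
     "sha256": "cccc" * 16},
]

# Placeholder IOC: the hash the dumper had before it was recompiled.
IOC_HASHES = {"dddd" * 16}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Each analytic: the behaviour it matches and the technique(s)/tactic it
# evidences (2019-era Enterprise IDs, before sub-techniques).
ANALYTICS = [
    {"name": "office-app-spawns-shell",
     "techniques": ["T1204", "T1059"], "tactic": "execution",
     "match": lambda e: e["parent"].lower() in OFFICE_APPS
                        and e["image"].lower() in SHELLS},
    {"name": "scheduled-task-created",
     "techniques": ["T1053"], "tactic": "persistence",
     "match": lambda e: e["image"].lower() == "schtasks.exe"
                        and re.search(r"(?i)/create\b", e["cmdline"])},
    {"name": "mimikatz-module-on-cmdline",
     "techniques": ["T1003"], "tactic": "credential-access",
     "match": lambda e: re.search(r"(?i)\b(sekurlsa|lsadump|kerberos)::",
                                  e["cmdline"])},
]


def ioc_hits(events, hashes=IOC_HASHES):
    """What a hash-only IOC check finds: the bottom of the Pyramid of Pain."""
    return [e for e in events if e["sha256"] in hashes]


def run_analytics(events, analytics=ANALYTICS):
    """One ATT&CK-tagged alert per (analytic, event) match, in event order."""
    alerts = []
    for event in events:
        for analytic in analytics:
            if analytic["match"](event):
                alerts.append({"analytic": analytic["name"],
                               "techniques": analytic["techniques"],
                               "tactic": analytic["tactic"],
                               "host": event["host"], "user": event["user"],
                               "ts": event["ts"], "cmdline": event["cmdline"]})
    return alerts


def covered_techniques(analytics=ANALYTICS):
    """Technique IDs these analytics claim to cover; feed this into a
    Navigator heat map to see what they leave dark."""
    return sorted({t for a in analytics for t in a["techniques"]})


if __name__ == "__main__":
    print("IOC hits:", len(ioc_hits(SAMPLE_EVENTS)))
    for alert in run_analytics(SAMPLE_EVENTS):
        print(alert["ts"], alert["analytic"], alert["techniques"], alert["cmdline"])
    print("covered:", covered_techniques())
```

The caveat the paper's "develop/test in a realistic environment" principle points at applies here: the office-spawns-shell analytic will also fire on legitimate macros and add-ins, so tune it against production telemetry before trusting the alert volume.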


Adversary Emulation
• It's essentially what red teams do
• Emulate an adversary group
• Used to train blue teams
• MITRE has a sample emulation plan for the APT3 group that you can use as a starting point
• It lists objectives, tools, methods and styles
• These should be detailed enough that the plan can be used as the blueprint for execution



Additional Tools
• MITRE Red Team Adversary Emulation Plans
  – https://attack.mitre.org/resources/adversary-emulation-plans/
• MITRE CAR (Cyber Analytics Repository) – analytics, mapped to ATT&CK techniques, to run against your data
• MITRE CASCADE – automates investigation work for the blue team
• Atomic Red Team by Red Canary – small test routines mapped to ATT&CK techniques
  – https://github.com/redcanaryco/atomic-red-team
• Sigma – generic, SIEM-agnostic detection rules, tagged with ATT&CK tactics and techniques and converted into SIEM queries
  – https://github.com/Neo23x0/sigma
• Exabeam Advanced Analytics – small plug: will start tagging anomalies with techniques.
  The DGA technique was added to ATT&CK by Exabeam. Behaviour analytics.
References
• MITRE ATT&CK™: Design and Philosophy
  – https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf
• Finding Cyber Threats with ATT&CK-Based Analytics
  – https://www.mitre.org/sites/default/files/publications/16-3713-finding-cyber-threats%20with%20att%26ck-based-analytics.pdf
• MITRE ATT&CKcon 2018: How Did We Get Here?
  – https://www.youtube.com/watch?v=u8Fnwb-1kMg&list=PLkTApXQou_8JrhtrFDfAskvMqk97Yu2S2&index=2
• BG – ATT&CKing the Status Quo: Improving Threat Intel and Cyber Defense with MITRE ATT&CK
  – https://www.youtube.com/watch?v=p7Hyd7d9k-c
More References
• MITRE ATT&CK Navigator
  – https://github.com/mitre-attack/attack-navigator
  – https://mitre-attack.github.io/attack-navigator/enterprise/
• Adversary Emulation Plans
  – https://attack.mitre.org/resources/adversary-emulation-plans/
• ATT&CK 101
  – https://medium.com/mitre-attack/att-ck-101-17074d3bc62
• ATT&CKcon
  – https://attack.mitre.org/resources/attackcon/
• The Pyramid of Pain
  – http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
THANK YOU
