In 1958, a non-profit organization was created to advise and provide the US Department of Defense with technical assistance during the Cold War. The first project undertaken was SAGE (Semi-Automatic Ground Environment), the country’s first connected air defense system. This system was made up of large computers and networks that coordinated data from radar stations. This organization still exists, but is now called MITRE.
These days, the MITRE Corporation is involved in multiple areas of national defense and security, but, as the SAGE project demonstrated, the organization has always had strong links to systems and network projects. This is why they created the country’s only public-private partnership R&D center exclusively dedicated to cybersecurity: the National Cybersecurity FFRDC. Using this broad experience, the MITRE teams developed ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge), a tool that is now widely used by the community of cybersecurity experts.
What is ATT&CK?
ATT&CK is a framework that is used to identify common tactics, techniques and procedures (TTPs) employed by advanced persistent threats to attack IT platforms such as Windows systems in companies. This framework is based on FMX, a MITRE project that aimed to develop analysis and telemetry from cyberattack data. The organization used the research from this project to develop ATT&CK, whose differential value lies in the following four points:
- Adversary behaviors: by focusing on cyberattacker tactics and techniques, the MITRE experts were able to gather enough analysis data to identify their most common behaviors. In this regard, MITRE emphasizes that traditional indicators, such as IP addresses, file names or code logs, are easily changed by cyberattackers, and therefore do not truly represent how they interact with systems.
- Ruling out other cybersecurity models: MITRE also highlights how other existing cybersecurity models based on adversary lifecycles are too abstract and unhelpful when it comes to establishing TTPs and adjusting to new kinds of cyberthreats.
- Applicable to real environments: TTPs must be based on observable and measurable incidents in order to show that they work in real environments.
- Common taxonomy: TTPs must be comparable, even if they are based on different kinds of adversaries. This is why the framework uses a common terminology in all its categories.
How the ATT&CK matrix works
ATT&CK is a vast database of cyberattacker techniques and tactics. However, MITRE always aimed to present it more simply and intuitively so that CISOs and cybersecurity professionals could use it more easily. With this in mind, they developed a way to visualize this data, known as ATT&CK Matrix™. This matrix shows the relationship between two concepts:
- Tactics: represent the “why” of an ATT&CK technique, that is, the tactical goal a cyberattacker pursues when carrying out an action. The tactics are contextual categories of things cyberattackers do during an operation, such as discovering information, executing files, or extracting data.
- Techniques: these are the “how”, the methods used by cyberattackers to achieve their goal by carrying out an action, such as using credentials. They can also indicate what the cyberattacker achieves by carrying out a particular action.
Since there are many ways for a cyberattacker to accomplish a tactical aim, each tactic groups multiple techniques. For example, under the tactic Persistence, the cyberattacker’s aim is to stay on the system. Persistence includes a series of techniques that cyberattackers usually employ to this end, such as altering AppInit DLLs or using the Windows task scheduler to execute malicious scripts. Each of these is a specific technique that can be used to achieve this goal.
ATT&CK and Threat Hunting
In research tasks, the ATT&CK framework allows threat hunter teams to classify cyberattacker actions that they have detected, and thus correlate them with their techniques and establish behavioral and activity patterns. Afterwards, Indicators of Compromise (IoC) can be established from these patterns, for which an automated response can be developed. This process saves a great deal of time and resources, which can then be dedicated to other cybersecurity challenges.
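To make the two preceding ideas concrete (the matrix as a tactic-to-technique map, and threat hunting as the classification of detected actions into techniques so patterns can be correlated), here is an added example in Python. It is not code from the article, from MITRE or from Cytomic. The telemetry events are constructed for illustration; the technique IDs and names are a small subset taken from the public ATT&CK knowledge base, and the matching rules are simplified behaviour matchers written for this example, not production detection logic.

```python
"""Classify constructed endpoint telemetry into ATT&CK techniques ("how")
and roll the results up by tactic ("why"), as a hunter would when mapping
detected activity onto the ATT&CK Matrix."""
from collections import defaultdict
from dataclasses import dataclass

# Small slice of the ATT&CK Matrix: tactic -> {technique ID: name}.
# IDs and names are from the public ATT&CK knowledge base; the slice is
# an illustrative subset, not the full matrix.
MATRIX = {
    "Persistence": {
        "T1053.005": "Scheduled Task",
        "T1546.010": "AppInit DLLs",
    },
    "Execution": {
        "T1059.001": "PowerShell",
    },
    "Discovery": {
        "T1082": "System Information Discovery",
    },
    "Exfiltration": {
        "T1041": "Exfiltration Over C2 Channel",
    },
}

# Reverse index so a matched technique can be placed under its tactic.
TECHNIQUE_TO_TACTIC = {tid: tactic for tactic, techs in MATRIX.items() for tid in techs}


@dataclass(frozen=True)
class Event:
    """One constructed telemetry record (hypothetical schema for this example)."""
    host: str
    kind: str    # "process" (command line) or "registry" (key path written)
    detail: str  # command line or registry key path


# Behaviour rules: each is a predicate over an Event paired with the technique
# it evidences. They key on what the activity does (task creation, a write to
# the AppInit key), not on file hashes or IP addresses, which attackers change easily.
def _is_schtask_create(e):
    d = e.detail.lower()
    return e.kind == "process" and "schtasks" in d and "/create" in d


def _is_appinit_write(e):
    return e.kind == "registry" and e.detail.lower().endswith("\\windows\\appinit_dlls")


def _is_powershell(e):
    return e.kind == "process" and e.detail.lower().startswith("powershell")


def _is_systeminfo(e):
    return e.kind == "process" and e.detail.lower().startswith("systeminfo")


RULES = [
    (_is_schtask_create, "T1053.005"),
    (_is_appinit_write, "T1546.010"),
    (_is_powershell, "T1059.001"),
    (_is_systeminfo, "T1082"),
]

# Constructed sample telemetry: two hosts with suspicious activity, one benign.
SAMPLE_EVENTS = [
    Event("ws-01", "process", r"schtasks.exe /create /tn Updater /tr C:\Users\Public\update.exe /sc onlogon"),
    Event("ws-01", "registry", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs"),
    Event("ws-02", "process", r"powershell.exe -File C:\scripts\inventory.ps1"),
    Event("ws-02", "process", "systeminfo.exe"),
    Event("ws-03", "process", r"notepad.exe C:\Users\alice\notes.txt"),  # benign, matches nothing
]


def classify(events):
    """Return (event, technique_id) for every rule that matches an event."""
    return [(e, tid) for e in events for pred, tid in RULES if pred(e)]


def by_tactic(hits):
    """Group matched technique IDs under their tactic: the matrix view of the detections."""
    view = defaultdict(set)
    for _, tid in hits:
        view[TECHNIQUE_TO_TACTIC[tid]].add(tid)
    return dict(view)


def hosts_by_tactic(hits):
    """Which hosts show activity under each tactic: the pattern a hunter correlates."""
    view = defaultdict(set)
    for e, tid in hits:
        view[TECHNIQUE_TO_TACTIC[tid]].add(e.host)
    return {tactic: sorted(hosts) for tactic, hosts in view.items()}


if __name__ == "__main__":
    hits = classify(SAMPLE_EVENTS)
    for tactic, tids in by_tactic(hits).items():
        names = ", ".join(f"{t} {MATRIX[tactic][t]}" for t in sorted(tids))
        print(f"{tactic}: {names}")
    print(hosts_by_tactic(hits))
```

Run as-is, the script reports two Persistence techniques on ws-01 and one Execution plus one Discovery technique on ws-02, while the benign notepad event on ws-03 maps to nothing. The point of the rollup is the one the article makes: once detections are expressed as techniques rather than as raw indicators, a hunter can see that ws-01 shows two independent persistence methods and treat that combination as a behavioural pattern worth an automated response.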
Following this operating logic, Cytomic offers a managed Threat Hunting and Incident Response service based on the Cytomic Orion solution. Our solution is focused on threat intelligence, with hunters specialized in searching for, detecting, and interpreting, via hypotheses, the events and isolated activities that make up an attack, and which no solution is able to detect or correlate.
Likewise, Cytomic Orion standardizes and professionalizes the hunting and investigation process, accelerating identification and drastically reducing detection and response times for new threats that use Living-off-the-Land (LotL) techniques. As the MITRE analysis that led to the creation of the ATT&CK framework shows, rapid identification and detection of threats and cyberattacker behaviors is the key to avoiding serious damage in organizations.