Threat hunting is a critical discipline. But how do you do it methodically and consistently to drive success? Here, Tim Bandos, VP of Cyber Security, Digital Guardian, introduces threat hunting frameworks, teaches an organisation how to get started with it and how to implement high-fidelity techniques for advanced threat hunting.
Cyberthreat hunting is a critical discipline that more and more organisations are using to proactively detect attacks before they result in a major breach. But how do you do it methodically and consistently to drive success?
MITRE’s ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) framework is becoming increasingly popular among incident responders and threat hunters and for good reason.
It was created to test the efficacy of systems and improve security before it’s too late. This article will introduce the framework and the key benefits it brings to any cybersecurity operation.
What is the MITRE ATT&CK framework?
First created in 2013, the MITRE ATT&CK framework is a comprehensive matrix of cybersecurity tactics, techniques and procedures that can be used by threat hunters and incident responders to assess an organisation’s cyber-risk. The aim of the framework is to improve an enterprise’s post-compromise threat detection capabilities by highlighting the actions attackers may have taken.
Threat hunters can also leverage the framework to identify specific combinations of techniques that adversaries may use and how effective their existing tools would be in detecting them.
There are three ‘flavours’ of ATT&CK:
- Enterprise ATT&CK – a framework of tactics, techniques and procedures used to compromise enterprise networks. This is the most popular framework and the one this article will focus on
- PRE-ATT&CK – covering tactics and techniques used pre-compromise
- Mobile ATT&CK – covering tactics and techniques used to gain access to mobile devices.
What are the tactics and techniques of the Enterprise ATT&CK framework?
The Enterprise ATT&CK framework consists of 11 core tactics. These tactics are considered the ‘why’ part of the ATT&CK equation, focusing on what objective the attacker wanted to achieve with the compromise.
These 11 tactics are as follows:
- Initial access
- Execution
- Persistence
- Privilege escalation
- Defence evasion
- Credential access
- Discovery
- Lateral movement
- Collection
- Exfiltration
- Command and control
Under each tactic, the framework contains a wide array of cybertechniques that have been used by malware or threat actor groups in successful compromises. These techniques are the ‘how’ part of ATT&CK: how are attackers escalating privileges? How are adversaries exfiltrating data?
While there are only 11 tactics in the Enterprise ATT&CK framework, there are 291 techniques and counting, which are best visualised via MITRE’s ATT&CK Navigator.
This open source web app allows for basic navigation and annotation of all of the framework’s matrices.
Each technique contains contextual information such as:
- What permissions are required for the technique to succeed
- Which platforms the technique is commonly seen on
- How to detect the commands and processes the technique is used in
For example, it’s not uncommon for attackers to move laterally through networks with legitimate Windows tools like Windows Management Instrumentation (WMI). A strain of the ransomware Petya leveraged WMI (along with PsExec, EternalBlue and EternalRomance) to spread laterally in 2017.
Using the ATT&CK framework, a threat hunter could look at relationships between techniques like WMI that could be used to gather data for the discovery and execution of files through lateral movement. By skimming down to the ‘detection’ section of the technique, a threat hunter can also learn that monitoring network traffic for WMI connections and looking for WMI usage in environments that don’t typically use it can both help identify the technique.
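The detection guidance above (spot WMI-driven process creation, and treat it as suspicious on hosts where WMI is not normally used) can be turned into a small hunt. The following is an added example, not code from the article or from MITRE; the log records and the baseline host list are constructed, and the technique ID T1047 is ATT&CK's real identifier for Windows Management Instrumentation.

```python
"""Hunt for remote WMI execution in Sysmon-style process-creation records.

Added example, not part of the original article. Input records are constructed
tuples of (host, parent_image, image, command_line); the WMI_BASELINE_HOSTS set
stands in for the analyst's own baseline of hosts that legitimately use WMI.
"""
import re

# ATT&CK technique ID for Windows Management Instrumentation (known identifier).
WMI_TECHNIQUE_ID = "T1047"

# wmic's /node: switch names the remote machine the command is executed on.
NODE_RE = re.compile(r"/node:\s*\"?([^\s\"]+)", re.IGNORECASE)

# Constructed sample records (host, parent image, image, command line).
SAMPLE_EVENTS = [
    ("WS01", r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ("MGMT01", r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c hostname"),
    ("WS02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\wbem\WMIC.exe",
     "wmic /node:FS01 process call create \"cmd.exe /c whoami\""),
    ("WS03", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

# Assumption: hosts whose normal admin workflow includes WMI (e.g. a management server).
WMI_BASELINE_HOSTS = {"MGMT01"}


def classify(event):
    """Return a reason string if the record looks like WMI-driven execution, else None."""
    host, parent, image, cmdline = event
    parent_name = parent.rsplit("\\", 1)[-1].lower()
    image_name = image.rsplit("\\", 1)[-1].lower()
    # A process whose parent is the WMI provider host was created through WMI,
    # which is how remote WMI execution lands on the target machine.
    if parent_name == "wmiprvse.exe":
        return f"{image_name} spawned by WmiPrvSE.exe (process created through WMI on {host})"
    # wmic.exe with /node: is the source side of the same activity.
    if image_name == "wmic.exe":
        match = NODE_RE.search(cmdline)
        if match:
            return f"wmic invoked from {host} against remote node {match.group(1)}"
    return None


def hunt(events, baseline_hosts):
    """Return findings for hosts outside the WMI baseline, each mapped to T1047."""
    findings = []
    for event in events:
        host, reason = event[0], classify(event)
        if reason is None or host in baseline_hosts:
            continue  # benign record, or WMI is expected on this host
        findings.append({"host": host, "technique": WMI_TECHNIQUE_ID,
                         "hypothesis": "lateral movement via WMI", "reason": reason})
    return findings
```

Running `hunt(SAMPLE_EVENTS, WMI_BASELINE_HOSTS)` flags WS01 (process created through WMI) and WS02 (wmic against FS01) while the baselined MGMT01 is suppressed; swap in real Sysmon Event ID 1 fields and your own baseline to use it on live data.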
What are the procedures of the ATT&CK framework?
In the context of the ATT&CK framework, a procedure describes the way adversaries have implemented a technique in the past, which can be very useful for understanding exactly how the technique could be used again.
Keeping the WMI example in mind, by looking at the examples listed under the WMI technique, users can see that the well-known Russian hacker group APT29 uses WMI to steal credentials and execute backdoors at a future time. Similarly, BlackEnergy, an APT group linked to attacks on Ukrainian energy companies in 2015, uses WMI to gather victim host details.
How does ATT&CK help the global cybersecurity community?
The ATT&CK framework has been around for years but it’s grown in popularity recently as a way to help organisations, end users and the government share accurate threat intelligence. While there are several other ways to do this, ATT&CK provides a common language that’s standardised and globally accessible, making it a particularly powerful tool.
As Katie Nickels, ATT&CK Threat Intelligence Lead for MITRE, points out, analysts and defenders can work together with data to compare and contrast threat groups.
Nickels gives a good example, comparing and contrasting techniques used by the APT3 and APT29 groups, on MITRE’s blog. By identifying the highest priority techniques an organisation can better determine how to mitigate and detect them. The fact that the knowledge base is community-driven and widely accepted for sharing structured information has afforded it a great deal of momentum as well.
Who does the ATT&CK framework benefit?
From a security testing perspective, ATT&CK can aid red teams and blue teams alike. Red teams can follow MITRE’s adversarial emulation plans to test their networks and defences by modelling off adversary behaviour classified by ATT&CK. Blue teams can leverage the ATT&CK framework to get a better grip on what adversaries are doing, prioritise threats and to ensure the right mitigations are in place.
As the volume and variety of cyberthreat actors continues to grow at an alarming rate, the need to share accurate threat intelligence on a global level is more important than ever. MITRE’s ATT&CK framework has established itself as one of the foremost ways of doing this in recent years, helping to keep the global security community informed and alert to emerging cyberthreats.