Interpretation of ATT&CK framework for network security attack and defense confrontation

What is ATT&CK?

ATT&CK, known as Adversarial Tactics, Techniques, and Common Knowledge, framework first proposed by MITRE Corporation in 2013, is a knowledge base and model for describing attack behavior.

Important dimensions of ATT&CK

ATT&CK contains several important dimensions that together form the ATT&CK framework.

• Matrix: the matrix is the macro model of the ATT&CK framework.
• Tactics: Tactics indicates the target of the attacker's attack.
• Techniques: Attack techniques are the techniques used to achieve the goal of the attack.
• Procedures: An attack process refers to a real-life example of an attacker using a particular attack technique.
• Mitigations: Mitigations refer to the abatement measures that organizations can employ in response to different attack techniques.

The main set of relationships for each dimension is shown below:

 

What exactly is ATT&CK?

In contrast to Cyber Kill Chain, ATT&CK does not exactly follow the linear relationship of the attack chain, but fully demonstrates the attacker's attack techniques and corresponding mitigation measures, monitoring means, and the framework of real-life cases while trying to follow the linear relationship as much as possible.

The ATT&CK framework is divided into three main categories of Matrixes:

• ATT&CK for Enterprise Attack Chain for Enterprise
• ATT&CK for Mobile Attack Chain for Mobile Platforms
• ATT&CK for Industrial Control Systems Attack Chain for Industrial Control Systems

Taking Enterprise Matrix as an example, it contains the attack chain for platforms such as PRE (attack readiness) and Linux, etc. ATT&CK divides the entire attack phase into 14 tactics, of which PRE contains Reconnaissance, Resource Development, and the other platforms include Initial Access, Eexcution, Persistence, Privilege Escalation, Defense Evasion, Discovery, Lateral Movement. Movement, Collection, Command and Control, Exfiltration, Impact.

A sample Enterprise Matrix diagram is shown below:

In the table above, 14 tactics are shown, and each tactic contains several attack techniques. The Initial Access tactic, for example, contains nine attack techniques: Drive-by Compromise, Exploit Public-Facing Application, External Remote Services, Hardware Additions, Phishing, Replication Through Removable Media, Supply Chain Compromise, Trusted Relationship, Valid Accounts, and other attacks. Trusted Relationship, Valid Accounts, as shown below:

 

ATT&CK Application Scenarios

How can ATT&CK help us as an attack modeling framework? What are the scenarios in which ATT&CK can be used?

Official Application Scenario Guide

The official ATT&CK website describes four categories of generalized use scenarios:

 

• Detections and Analytics

ATT&CK can help cyber defenders develop detection programs to identify the techniques used by attackers in a timely manner.

• Threat Intelligence

ATT&CK provides security analysts with a common language for organizing, comparing and analyzing threat intelligence, and ATT&CK's Groups provide a better picture of the attack characteristics of threat organizations.

• Adversary Emulation and Red Teaming (adversary simulation andconfrontation between Red and Blue)

ATT&CK provides a common language and framework that the Blues (often referred to abroad as Reds instead of Strike Teams) can use to develop attack plans and simulate threat-specific attacks.

• Assessment and Engineering

ATT&CK can be used to assess your organization's defenses and drive defense architecture, such as which tools or logs you should implement.

ATT&CK provides a lot of reference knowledge for the four types of application scenarios mentioned above, where each type of application scenario is further elaborated separately with three different levels of security capabilities. We take Adversary Emulation and Red Teaming as an example to introduce the main applications of ATT&CK in Red and Blue confrontation.

In Getting Started with ATT&CK: Adversary Emulation and Red Teaming, there are 3 different levels depending on the security capabilities of the organization:

Level 1: Security teams that are just starting out and don't have a lot of resources.

Level 2: Relatively mature mid-level security team

Level 3: Organizations with more advanced security teams and resources

For Level 1 organizations.Without the help of the Blues in discovering the threat, it is still possible to use simple tests to simulate an attack scenario. The authors recommend Atomic Red Team, which performs simple "atomic tests" to test relevant defense components that are mapped to ATT&CK. for example, Network For example, Network Share Discovery (T1135) can be tested with T1135:

As shown in the figure above, we can execute the corresponding test commands in the corresponding platform to detect whether our defense system responds to the alarm prompts, whether we can do certain defense optimization. Then continue to expand and improve, as shown in the cycle below:

For Level 2 organizations.For example, we use the penetration tool Cobalt Strike to simulate attacks, and ultimately can be covered by the various types of attack techniques mapped to the ATT&CK framework, as shown in the figure below:

For Level 3 organizationsIf the Red Army, the powerful Blue Army and even its own threat intelligence agency are already in place, the Blue Army can use threat intelligence to select threat organizations with specific targets to simulate attacks for the purpose of "complete testing".

 

• Gather threat intel: Gather threat intel and select specific adversaries
• Extract techniques: mapping threat organizations and Blue Force attack techniques to ATT&CK
• Analyze & organize: analyze and organize attack plans

For example, the development of simulated attack plans against APT3 threat organizations:

• Develop tools and procedures: develop attack tools and procedures
• Emulate the adversary: the Blue Force began executing simulated attacks in accordance with the plan

Examples of good application scenarios

In addition to the several officially recommended application scenarios, there are some excellent ATT&CK practices in the industry.

Using ATT&CK As a Teacher

Travis Smith at MITRE ATT&CKcon organized the ATT&CK matrix according to the ease of exploitation and used different colors to identify the author called "ATT&CK rainbow table", as shown in the figure below:

 

 

• Blue: The technique is not really an exploit, but is achieved by using other common features such as net view
• Green: easy to utilize technology that does not require POCs, scripts or other tools, such as valid account credentials
• Yellow: usually requires some kind of tool or POC, e.g. Metasploit
• Orange: requires varying degrees of infrastructure to accomplish or investigate, and these technologies can range from very simple to very complex, and the authors have packaged them into "orange levels" such as webshell.
• Red: refers to more advanced or underlying techniques that require an in-depth understanding of the OS or DLL/EXE/ELF, etc., such as process injection.
• Purple: the authors updated a higher level technique later on, and in conjunction with the ATT&CK rainbow table, I understand that it requires a higher attack threshold or utilizes an attack technique with a lower success rate.

At this point the ATT&CK Rainbow Table, including the ATT&CK Matrix itself, can be used as a guided study guide for an individual or a team, e.g., what are the perspectives from which to start when studying lateral infiltration? What are their detection and mitigation measures? Can they be bypassed?ATT&CK would be a very good reference.

Fine-grained interpretation of the framework of a given system

ATT&CK has a better integration and analysis of the overall risk of the network, but the analysis of some specific systems and platforms will be slightly insufficient granularity. AliCloud Security has done a more granular attack topology based on ATT&CK for the specific framework of containers on the cloud, as shown in the figure below:

While not strictly unfolding in ATT&CK's common language, a more granular demonstration of the techniques used under each tactic makes it easier to guide the Blues in executing their attacks. As for the use of common language, it is not difficult to reach a common understanding of the Red and Blue within the organization, or even within the country.

Therefore, for specific system frameworks such as cloud containers, private clouds, public clouds, big data platforms, etc., the basic mapping of ATT&CK can also be accomplished by referring to this approach.

summarize

As an excellent attack modeling framework, ATT&CK provides a relatively complete attack matrix, which is a good guide for both offense and defense. We can continue to refine the technical collection of ATT&CK to improve the ability of red and blue confrontation, and also map ATT&CK to different scenarios and frameworks within the enterprise according to local conditions.

 

Reference link

https://attack.mitre.org/

https://mitre-attack.github.io/attack-navigator/

https://medium.com/mitre-attack/getting-started-with-attack-red-29f074ccf7e3

https://github.com/redcanaryco/atomic-red-team

https://github.com/TravisFSmith/mitre_attack

https://zhishihezi.net/

https://www.tripwire.com/state-of-security/mitre-framework/using-attck-teacher/

https://www.freebuf.com/articles/blockchain-articles/251496.html

https://www.freebuf.com/articles/network/254613.html

https://www.freebuf.com/articles/container/240139.html

http://vulhub.org.cn/attack

Source: OPPO