Various organizations maintain public cybersecurity defense frameworks that anyone can use to benchmark and improve their cybersecurity posture. Examples include the Lockheed Martin Cyber Kill Chain® and the MITRE ATT&CK® framework. The latter is more widely known and goes into much more depth. Knowledge about the Mitre ATT&CK® framework is now built into the Kemp Flowmon Anomaly Detection System (ADS). We’ll discuss the wider framework and how ADS incorporates it in this article.
What is the MITRE ATT&CK® Framework?
The MITRE Corporation is a not-for-profit federally-funded research and development organization tasked with devising solutions to keep the USA safe from various threats. Via their R&D centers and public-private partnerships, MITRE works across Government to tackle challenges to safety, stability, and well-being in many areas. One of which is the security of IT systems.
The MITRE ATT&CK® Framework is a knowledge base of threats and actions that the MITRE Corporation maintains with industry and other stakeholder’s input. The ATT&CK part of the name is an acronym for Adversarial Tactics, Techniques, and Common Knowledge. The framework is open to anyone in the private sector, Governments, and cybersecurity solution vendors globally, and not just within the USA. The frameworks (yes plural – more on this later) Can be used as a foundation to identify and build protections against specific threats used by cybercriminals.
The MITRE ATT&CK® Framework has three top-level categories, within which there are matrices that outline tactics used by attackers, techniques that they use, and mitigations that organizations can take to guard against the attackers to increase cybersecurity. The top-level categories are Enterprise, Mobile, and ICS (Industrial Control Systems – often referred to as Operational Technology (OT)). These top-level categories are split into matrices that detail the tactics and techniques within the framework.
What are the MITRE ATT&CK® Matrices?
We won’t replicate the detailed information that is available on the MITRE ATT&CK® Framework website.
The Enterprise category has a top-level matrix that is available to view on the Enterprise Matrix page. It has 14 subcategories that include different numbers of techniques and tactics. They are:
- Reconnaissance – information gathering activity used to plan attacks.
- Resource Development – building infrastructure to be used in attacks. Such as fake websites.
- Initial Access – Initial attack vectors and attempts to breach security, like phishing emails.
- Execution – trying to inject and run malicious code.
- Persistence – maintaining persistence on a breached network using various techniques.
- Privilege Escalation – getting the rights and access permissions to carry out escalated function attacks.
- Defense Evasion – activities used by attackers to avoid discovery on the network.
- Credential Access – monitoring and stealing login details for systems not yet fully breached — keylogging, for example.
- Discovery – finding other systems on the network to infect and control.
- Lateral Movement – jumping from one infected system to another. Often using credentials that work across systems.
- Collection – gathering data that has value if sold or used for further attack planning or blackmail.
- Command and Control – communication with infected systems from cybercriminal systems on the web. Often using hidden transmissions in standard network packets.
- Exfiltration – copying data out to cybercriminals servers to be sold on the dark web, held for ransom, or used for future attack planning.
- Impact – disrupt the operation of the IT systems. Most commonly with ransomware encryption but also via other malware types.
See the Enterprise Matrix page for the entire matrix and details within each of these Enterprise subcategories. The Enterprise Matrix is the largest and the most mature. Within the Enterprise segment of the MITRE ATT&CK® Framework, there are seven sub-matrix levels. They are:
- PRE – covers preparatory techniques.
- Windows – a subset of the main Enterprise matrix focused on the Windows platform.
- macOS – a subset of the main Enterprise matrix focused on the macOS platform.
- Linux – a subset of the main Enterprise matrix focused on the Linux platform.
- Network – a subset of the main Enterprise matrix covering network-related security.
- Containers – a subset of the main Enterprise matrix covering security of the increasingly common container application delivery model.
- Cloud – a subset of the main Enterprise matrix covering cloud-related security. There are five sub-matrices focused on these specific cloud-based services and models:
- Office 365
- Azure AD
- Google Workspace
Complementing Enterprise are categories for Mobile and ICS. There is much overlap between the Enterprise matrices and the Mobile ones. The mobile category has two sub-matrices for Apple iOS and Google Android, the two leading mobile operating systems.
How Can the MITRE ATT&CK® Framework Boost Cybersecurity?
There are many ways that an organization can use the information within the MITRE ATT&CK® Framework to gauge and then improve its cybersecurity.
The tactics and techniques mean that an organization will know what attackers will likely do when thinking about their cybersecurity. Cybersecurity professionals can use the framework info to make simulated attacks against defenses to detect gaps or vulnerabilities.
How they do this will vary between organizations, based on their infrastructure and cyber defenses. It’s a good idea to use automation to check for the tactics and techniques outlined in the framework. The Kemp Flowmon Anomaly Detection System (ADS) release 11.3 supports MITRE ATT&CK® Framework reporting. It can identify and alert on cybercriminal activity with situational awareness based on the tactics and techniques in the framework.
How Kemp Flowmon ADS Integrates the MITRE ATT&CK® Framework
ADS is a security solution that uses machine learning to detect anomalies hidden in network traffic. It complements other security tools and creates a multi-layered protection system capable of uncovering threats at every stage of compromise. Release 11.3 enhances contextual network understanding using built-in knowledge of the adversary tactics and techniques described in the MITRE ATT&CK framework.
ADS 11.3 now assigns ATT&CK® categories to detected events to provide an understanding of what the event could mean. Simply put, the system relates a discrete anomaly on the network with intelligence on globally observed adversary methods. The particular ATT&CK® category appears on the ADS dashboard for easy analysis and review. This capability provides full situational awareness and enables assessment of the stage of a breach, its scope, and the adversary’s next move.
Kemp Flowmon ADS performs a contextual analysis of network events and determines which category or categories it matches. This analysis considers several factors to assign the category correctly, as one event may indicate several different tactics or techniques.
For more details on how ADS 11.3 uses the MITRE ATT&CK framework categories, see our Boost Your Situational Awareness With Kemp Flowmon ADS 11.3 blog post. Please check out our ongoing weekly BrightTALK Webinar series also discussed ADS and the MITRE ATT&CK framework in August. You can view our 30-minute webinar titled Manage security threats with MITRE ATT&CK Framework on the BrightTALK site.
Use Cases for the MITRE ATT&CK® Framework
Organizations can use the MITRE ATT&CK® Framework to support a range of cybersecurity planning and testing activities. Given the detailed matrices, it should be possible to identify techniques and tactics that security professionals can use to structure defense planning. Some typical use cases for the framework include:
- Perform a Security Gap Analysis on current cybersecurity – use the information in the framework to assess existing tools for any weak spots. And also to evaluate new tools and services before purchase to ensure that they add value and increase cybersecurity.
- Raise the cyber-threat intelligence of the security team – the threat landscape is large and ever-changing. The matrices provide a good snapshot of the knowledge cybersecurity professionals should have.
- Accelerate the identification of threats – the framework groupings make it easier to link together different activities and behaviors that together indicate an ongoing attack or emerging threat.
- Simulate typical adversary attack methods – testers can use the framework during penetration testing to simulate techniques cybercriminals will use to probe cyber-defenses.
- Provide a common threat and attack matrix for Red Teams – Red Teams who are ethically attacking organizations to find weaknesses can also use the matrices as a baseline set of tactics and techniques.
- Simplify reporting for non-technical Executives – communicating threats to non-technical Executives can be challenging. The framework provides an excellent visual medium to highlight cybersecurity weaknesses, and to help secure the funding to plug any gaps.
- Baseline the preparedness of existing Security Operations Centre (SOC) – similar to the gap analysis, but many organizations have outsourced SOC provision. Teams can use the framework to baseline a SOC — either if it’s an external provider or an in-house one.
The integration of the framework’s reporting categories into Kemp Flowmon ADS makes it much easier to automate many of these use cases.
The MITRE ATT&CK framework is an excellent resource for learning about current cyberattack tactics and techniques.
It’s also a great checklist when designing and implementing cybersecurity defenses. The integration with the comprehensive anomaly detection tools within Kemp Flowmon ADS means that everyone can see unusual network activity in an easily understood way. This makes it much more likely that any bad actors on a network will be detected, isolated, and then expelled before they can complete their attack plans.