Mitre ATT&CK Framework


According to industry reports, the average adversary dwell time is six months: it takes around six months from the point of infiltration into a network until the point of detection. Six months is a long period of time.

Even a beginner attacker who has managed to gain access to a network can accomplish a great deal in six months. When it comes to planning and executing an attack, different adversaries, whether individuals, criminal organizations, or state-sponsored hacking outfits, each have their own signatures, processes, tactics, and strategies.

Without a shared catalogue of those behaviours, it therefore becomes impossible for your team of experienced threat hunters and red teamers to reliably identify and detect an attack. This is where the ATT&CK Framework from MITRE comes into play.

ATT&CK Framework

ATT&CK stands for Adversarial Tactics, Techniques and Common Knowledge.

MITRE ATT&CK is a post-exploitation framework that can be used by your team of experienced threat hunters, red teamers, and others to identify and detect an attack. The framework is a matrix of techniques sorted by tactics, describing what an adversary can do once inside the network.

In addition, once the security team knows which techniques an attacker might use, it can search the identified systems for the specific loopholes and security flaws those techniques rely on. This strengthens the security posture and makes it more difficult for adversaries to operate in the network after they have gained access.

The Framework has different matrices for each major OS and platform. These include:

  1. MITRE PRE-ATT&CK
  2. Windows
  3. Linux
  4. macOS
  5. Mobile Systems

Tactics

We just learnt that ATT&CK is a matrix of techniques sorted by tactics. There are 14 tactics in the MITRE ATT&CK Framework, covering a full-fledged cyber-attack from reconnaissance to data exfiltration.

Reconnaissance
This covers gathering information on the target. Depending on the available resources, data collection may be active or passive. Google dorks and search engines such as Shodan supply a wealth of information.

Resource Development

This consists of techniques by which adversaries create, purchase, or compromise/steal resources that can be used to support targeting. An example would be setting up C2 (command and control) infrastructure.

Initial Access
This includes methods for gaining a first foothold on a machine in the victim’s network. If the attacker only has low-privileged access to the machine, they may not be able to do much until privileges are elevated.

Execution
Techniques that result in adversary-controlled code running on a local or remote system are included in this category.

Persistence
Persistence means maintaining access to the compromised host. This tactic consists of techniques an adversary can use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.

Privilege Escalation
This includes methods for obtaining higher-level permissions on a system or network. This can be accomplished by running an exploit or by elevating privileges through processes already running on the machine.

Defense Evasion
This includes techniques adversaries can use to avoid detection, such as hiding their code inside already running processes, which allows them to evade both defences and forensic investigation.

Credential Access
This category contains a variety of approaches for obtaining the credentials of accounts on a network. Most of the time, if Active Directory is compromised, an attacker can gain access to any and all of the accounts in the directory.

Discovery
This consists of techniques the adversary can use to gain knowledge of other hosts in the network.

Lateral Movement
Lateral Movement is gaining access to other hosts and accounts in the network. This consists of techniques to explore the target network and gain access to its other systems.

Collection
Collection consists of techniques adversaries may use to gather information.

Command and Control
This consists of techniques that adversaries may use to communicate with systems under their control within a victim network.

Exfiltration
This consists of techniques used to exfiltrate data from the victim or target network to the adversary’s network.

Impact
This consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes.

Under each of the 14 tactics listed above, there are multiple techniques, and an adversary can choose any technique from each tactic when attacking. On the flip side, the same matrix can be used by the red team and blue team, as part of an attack-defence strategy, to look for security loopholes that could be exploited.
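As an added example (not code from the original post), here is how a blue team can represent the tactic-by-technique matrix described above and map its own detection rules onto it to find tactics with no coverage at all. The technique subset and the detection rule names are constructed for illustration, and counting a covered sub-technique toward its parent technique is an assumption made here.

```python
# The 14 ATT&CK tactics in matrix (column) order.
TACTICS = ["Reconnaissance", "Resource Development", "Initial Access", "Execution",
           "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
           "Discovery", "Lateral Movement", "Collection", "Command and Control",
           "Exfiltration", "Impact"]

# Constructed subset of the Enterprise matrix: technique id -> (name, tactics).
# A technique can sit under several tactics; sub-techniques use the "Txxxx.yyy" form.
TECHNIQUES = {
    "T1078": ("Valid Accounts", ["Initial Access", "Persistence",
                                 "Privilege Escalation", "Defense Evasion"]),
    "T1059": ("Command and Scripting Interpreter", ["Execution"]),
    "T1059.001": ("PowerShell", ["Execution"]),
    "T1055": ("Process Injection", ["Defense Evasion", "Privilege Escalation"]),
    "T1003": ("OS Credential Dumping", ["Credential Access"]),
    "T1021": ("Remote Services", ["Lateral Movement"]),
    "T1041": ("Exfiltration Over C2 Channel", ["Exfiltration"]),
}

# Constructed detection rules, each tagged with the technique ids it is meant to catch.
DETECTIONS = [
    {"name": "Encoded PowerShell command line", "techniques": ["T1059.001"]},
    {"name": "Non-system process reading LSASS memory", "techniques": ["T1003"]},
    {"name": "Account logon from a never-seen host", "techniques": ["T1078"]},
]

def build_matrix(techniques):
    """tactic -> set of technique ids, i.e. the columns of the ATT&CK matrix."""
    matrix = {tactic: set() for tactic in TACTICS}
    for tid, (_name, tactics) in techniques.items():
        for tactic in tactics:
            matrix[tactic].add(tid)
    return matrix

def covered_techniques(detections):
    """Technique ids with a rule; assumption: a sub-technique also covers its parent."""
    covered = set()
    for rule in detections:
        for tid in rule["techniques"]:
            covered.add(tid)
            covered.add(tid.split(".")[0])
    return covered

def coverage_report(techniques, detections):
    """tactic -> (covered techniques, total techniques) for every tactic column."""
    matrix, covered = build_matrix(techniques), covered_techniques(detections)
    return {tactic: (len(tids & covered), len(tids)) for tactic, tids in matrix.items()}

def uncovered_tactics(techniques, detections):
    """Tactics where no known technique has a rule: the blue team's gaps."""
    return [t for t, (hit, _) in coverage_report(techniques, detections).items() if hit == 0]
```

Calling `coverage_report(TECHNIQUES, DETECTIONS)` gives the per-tactic counts, and `uncovered_tactics(TECHNIQUES, DETECTIONS)` lists the columns where the three rules catch nothing.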

Uses of MITRE ATT&CK Framework

The framework is used worldwide across multiple disciplines, including intrusion detection, threat hunting, and threat intelligence.

  1. Used by red teams and blue teams to find loopholes and security vulnerabilities.
  2. Used as a reference for studying the post-exploitation techniques that adversaries may use.