MITRE ATT&CK: What tactics and techniques are cybercriminals employing?
MITRE ATT&CK is a framework that systematizes hostile actors’ tactics, techniques, and procedures
If the Allies succeeded in carrying out a massive landing like Normandy, it was mainly because Nazi Germany could not anticipate the tactics and techniques they put in place to get thousands of soldiers to take control of the coastline of this French region. When fighting an enemy, it is essential to have information about their strategies and procedures to shape one’s own and improve resilience to attack.
It is precisely this information that MITRE ATT&CK dissects, a framework that compiles the main tactics, techniques, and sub-techniques used by malicious actors to exploit vulnerabilities and provoke security incidents that put companies and public administrations in check.
This framework has been developed by MITRE, a non-profit organization working on developing tools for multiple fields, from telecommunications to Artificial Intelligence, including cybersecurity.
Since 2014, MITRE ATT&CK has provided extensive knowledge of cybercriminals’ operations. This makes it easier for companies and cybersecurity professionals to protect organizations against cyberattacks and to detect and mitigate them without affecting business operations.
Below, we will analyze the pillars of MITRE ATT&CK to understand the influence of this framework, now in its 13th version, on cybersecurity services and the protection of companies.
1. Approach cybersecurity from the point of view of the bad guys
Unlike other methodologies used in cybersecurity, such as the CIS guides, the NIST framework, or the OWASP standards, MITRE ATT&CK focuses on the bad guys. It is not, for example, about implementing critical CIS security controls but about understanding how criminals operate, what tactics they may employ to attack an organization, and what techniques they use in their fraudulent activities.
MITRE ATT&CK draws on the knowledge and experience of professionals and companies worldwide to provide an open-access framework that organizations can use to build their defense strategies.
This knowledge from the cybersecurity community is continuously updated, incorporating new tactics, techniques, and procedures (TTPs) detected in the field that companies should take into account to optimize their security strategies. MITRE ATT&CK is updated twice a year; the latest version, at the time of writing, dates from April 2023.
2. The three MITRE ATT&CK technology domains
MITRE ATT&CK includes three primary variants of its framework: Enterprise, Mobile, and Industrial Control Systems (ICS).
- Enterprise. In this technology domain, MITRE ATT&CK covers traditional corporate networks and Cloud technologies. To make the framework easier to manage, MITRE makes seven different versions of the matrix available to organizations:
  - PRE. It covers only the first two tactics of the Enterprise matrix, i.e., those deployed by malicious actors before initiating the attack, which include the preparatory techniques: Reconnaissance and Resource development.
  - Windows
  - macOS
  - Linux
  - Network
  - Containers
  - Cloud. In turn, MITRE ATT&CK offers five different versions of this matrix:
    - Azure AD
    - Office 365
    - Google Workspace
    - SaaS
    - IaaS
- Mobile. This domain focuses on the mobile communication devices used within organizations, such as enterprise mobiles. Within the mobile ecosystem, MITRE ATT&CK offers companies and cybersecurity professionals two customized matrices:
  - Android, for mobiles using this operating system.
  - iOS
- ICS, the acronym for «Industrial Control Systems».
This customization of the framework is very interesting because it allows companies to adapt this methodology to the reality of their IT infrastructure and assets.
For example, if a company works with Office 365 and, in addition, has other software as a service (SaaS) solutions, it can use both matrices to take into account what tactics and techniques can be used by malicious actors wishing to attack its assets.
After all, cybercriminals use different tactics or techniques if they want to attack a corporate cell phone or cloud platform.
3. The 14 tactics of the criminals
The structure of the MITRE ATT&CK framework is straightforward: in the case of the Enterprise and Mobile matrices, it is organized around 14 primary tactics used by criminals, ranging from reconnaissance to impact. The number is reduced to 12 for the ICS domain, as the first two tactics – reconnaissance and resource development – are not covered.
The MITRE ATT&CK framework defines each of the tactics briefly and lists all the techniques and sub-techniques that a company’s adversaries can use to execute them successfully.
3.1. Reconnaissance
Bad guys employ this tactic to gather information that is valuable for planning and launching actions against the victim.
The data obtained through this tactic is essential when targeting an attack. This information includes details about the targeted company or public administration, the organization’s professionals, and its IT infrastructure.
In addition to targeting, the information obtained during reconnaissance can significantly help in executing initial access and driving a new reconnaissance tactic in the future.
3.2. Resource development
Through this tactic, malicious actors develop, purchase or steal resources that can be useful for executing other tactics and accomplishing their criminal objectives.
What resources are we talking about? Infrastructure, user accounts, capabilities… What are they for? For example, email accounts can be used to phish the victim and successfully execute the following tactic: initial access.
3.3. Initial access
As is apparent, this tactic is used by malicious actors to infiltrate corporate networks. To do so, they employ techniques that may target several entry vectors to gain an initial access point to the network. Some techniques to implement this tactic include phishing, compromising the supply chain, using valid accounts, or using external remote services.
These starting points may provide continuous access to the network, for example, through the use of valid accounts, or only limited access, e.g., because the organization changes the compromised password.
3.4. Execution
When adversaries use this tactic, they seek to execute malicious code on the corporate network. To do so, they employ techniques that allow them to run code they control on a system, whether local or remote.
These techniques are combined with other techniques associated with different tactics to achieve malicious objectives.
3.5. Persistence
Once the bad guys have breached the security perimeter, they seek to persist for as long as possible by maintaining access to assets despite reboots, credential changes, or other actions that might disrupt access.
To do this, they implement techniques conducive to maintaining their position within systems, such as account manipulation, altering the authentication process, replacing or hijacking legitimate code, or installing malicious components to abuse server applications.
3.6. Privilege escalation
As the name suggests, with this tactic, malicious actors seek to gain a higher level of permissions on an enterprise system and thus accomplish their goals, such as hijacking data from a company’s customers.
In many instances, criminals can break into a corporate network but lack the necessary permissions to access their targets. To do so, they often take advantage of system weaknesses and configuration problems to obtain privileged credentials.
By their very nature, persistence and privilege escalation tactics often overlap, as the operating system features that allow an adversary to gain persistence can be executed in an elevated context when a criminal group launches an attack against a company or public administration.
3.7. Evasion of defenses
Bad guys try to remain undetected by the organization’s defensive layers. They employ techniques such as uninstalling installed security solutions or obfuscating and encrypting executable files or scripts. Evading detection is essential to carrying out the attack successfully.
3.8. Accessing credentials
This malicious tactic revolves around obtaining or stealing usernames and passwords. Why do criminals perform this tactic? Having legitimate login credentials, i.e., actual users of a corporate network or system, can enable them to access sensitive data and information without arousing suspicion. And they can even use these profiles to create new accounts for themselves.
3.9. Discovery
When implementing this tactic, criminals try to gather information to gain in-depth knowledge of the corporate system and network. Why? This knowledge allows them to decide how to act according to the environment in which they have to move, adapting their tactics and techniques to achieve their goals.
3.10. Lateral movement
Attackers not only want to discover how the enterprise IT environment works, but in many cases, they also want to move through it. This is where lateral movement comes into play.
The MITRE ATT&CK framework itself argues that, in many cases, criminals need to explore the entire corporate network to find their targets, and that it is often not enough to breach one system; other systems must be breached as well to achieve their goal.
3.11. Harvesting
The title of this tactic gives a clear clue as to what it consists of. Criminals collect data that may interest them to achieve their goals. After collecting the information, it is common for the information to be exfiltrated to controlling systems by the attackers, who may even demand a ransom for it or make it public to cause enormous damage to the company.
3.12. Command and control
In implementing this tactic, attackers attempt to communicate with the systems they have managed to compromise in the corporate infrastructure to control them. There are various ways to establish command and control, as well as multiple levels of concealment to avoid detection by the attacked company’s detection systems.
3.13. Exfiltration
As noted in the discussion of information-gathering tactics, exfiltration involves stealing data from corporate systems. Attackers usually undertake data compression and encryption and use command and control channels to steal data from the corporate network.
3.14. Impact
The last tactic of the MITRE ATT&CK framework is called impact and refers to attempts by malicious actors to manipulate, alter, disrupt, or even destroy a company’s systems and information.
By implementing this tactic, criminals attempt to torpedo business processes and cripple the operability of the company they are attacking.
In some cases, instead of seeking to paralyze the activity, processes are altered permanently in service of the fraudulent objectives.
4. Analyzing malicious techniques, sub-techniques, and procedures
If the 14 tactics that make up the MITRE ATT&CK Enterprise matrix occupy the first tier of the framework, the techniques are placed in the second tier and represent, according to MITRE ATT&CK, «how an adversary achieves a tactical objective by acting».
The MITRE ATT&CK framework is composed, in its 13th version, of 196 techniques and 411 sub-techniques. Let us better understand this structure through an example.
The first tactic of the matrix is, as mentioned above, Reconnaissance. This tactic includes up to 10 techniques. The first of these techniques is Active scanning which, in turn, is divided into three sub-techniques:
- IP block scanning
- Vulnerability scanning
- Word list scanning
In this way, MITRE ATT&CK performs an exhaustive mapping of the techniques and sub-techniques used by cybercriminals to successfully implement each of the 14 tactics covered by the framework.
4.1. Relating techniques to their detection and mitigation
MITRE ATT&CK does not simply list the techniques and sub-techniques and relate them to the tactics but sets out a brief description for each and presents three key aspects:
- Examples of procedures carried out by the cybercriminal groups analyzed by the framework.
- Ways to mitigate each technique and sub-technique to deal with attackers.
- Data sources and components used to detect malicious actions.
For example, in the case of the Active Scanning technique, MITRE ATT&CK argues that:
- Mitigating it is a complex task through preventive controls. The effort should focus on minimizing the amount and sensitivity of data available to third parties.
- The data source to be considered is network traffic, both in terms of content and flow, to detect anomalous behavior.
4.2. What about procedures?
As we indicated at the beginning of the article, the TTP concept refers to three key concepts in cybersecurity: tactics, techniques, and procedures.
Tactics and techniques are at the heart of the MITRE ATT&CK matrix, but procedures also have a place through examples.
Thus, when going into the techniques and sub-techniques within the framework, in addition to a broad description of each, MITRE ATT&CK provides examples of procedures based on real cases of monitored cybercriminal groups.
For example, for the sub-technique IP Block Scanning, the framework provides an example procedure: the TeamTNT group has scanned specific lists of targeted IP addresses. These criminals, active since 2019, have taken advantage of Cloud resources to deploy cryptocurrency miners in their victims’ environments.
Thus, the framework merely provides examples of how threat groups have successfully used the different tactics and techniques compiled in the framework, keeping in mind that a single procedure can encompass various techniques and sub-techniques, depending on the needs of the attackers.
5. Data sources for detecting malicious actors’ techniques
Knowing the tactics, techniques, and procedures used by criminal groups to achieve their goals is very important, but how do you notice the techniques before the attackers succeed?
MITRE ATT&CK collects 41 data sources, i.e., sources of information about malicious tactics and techniques that can be obtained through sensors and logs. Each data source is made up of several components. Let us look at an example.
An organization’s firewall is a data source that can detect the techniques and sub-techniques implemented by malicious actors. In the context of this data source, the MITRE ATT&CK methodology defines four aspects to be monitored:
- Turning off the firewall.
- Enumeration of available firewalls and their rules.
- Metadata about a firewall and the activity recorded around it.
- Modification of firewall rules.
Each of these components is important when detecting techniques such as the Deterioration of defenses, Software discovery, and Removal of indicators.
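As an added example (not from the article or from MITRE), the following Python maps constructed firewall audit log lines to the four firewall data components named above and from there to the techniques the article mentions. The component names follow the ATT&CK Firewall data source and the technique IDs are the well-known top-level ATT&CK IDs; the log format and the per-component technique mapping are simplified assumptions for this example, not the authoritative ATT&CK mapping.

```python
import re
from collections import Counter

# Assumed, simplified mapping: data component -> (technique ID, technique, tactic).
# The authoritative mapping lives on the ATT&CK data source pages.
COMPONENT_TECHNIQUES = {
    "Firewall Disable":           [("T1562", "Impair Defenses", "Defense Evasion")],
    "Firewall Enumeration":       [("T1518", "Software Discovery", "Discovery")],
    "Firewall Metadata":          [("T1518", "Software Discovery", "Discovery")],
    "Firewall Rule Modification": [("T1562", "Impair Defenses", "Defense Evasion"),
                                   ("T1070", "Indicator Removal", "Defense Evasion")],
}

# Patterns classifying a log line into a data component. The log format is a
# constructed generic host-firewall audit trail, not a real product's format.
# Order matters: the first matching pattern wins.
COMPONENT_PATTERNS = [
    ("Firewall Disable",           re.compile(r"firewall (service )?(stopped|disabled)", re.I)),
    ("Firewall Rule Modification", re.compile(r"rule .* (added|modified|deleted)", re.I)),
    ("Firewall Enumeration",       re.compile(r"(show|list|get|enum)\w* (all )?rules", re.I)),
    ("Firewall Metadata",          re.compile(r"firewall (state|status|version) (queried|read)", re.I)),
]

def classify(line):
    """Return the firewall data component a log line belongs to, or None if unrelated."""
    for component, pattern in COMPONENT_PATTERNS:
        if pattern.search(line):
            return component
    return None

def map_to_attack(lines):
    """Turn raw log lines into (line, component, technique_id, technique, tactic) findings."""
    findings = []
    for line in lines:
        component = classify(line)
        if component is None:
            continue
        for tech_id, technique, tactic in COMPONENT_TECHNIQUES[component]:
            findings.append((line, component, tech_id, technique, tactic))
    return findings

def tactic_summary(findings):
    """Count findings per tactic, e.g. to spot a cluster of Defense Evasion activity on one host."""
    return Counter(f[4] for f in findings)

# Constructed sample log lines for this example (one unrelated sshd line included).
SAMPLE_LOG = [
    "2023-05-02T10:01:07Z host01 fwaudit: user=svc_backup action=list all rules",
    "2023-05-02T10:01:09Z host01 fwaudit: user=svc_backup firewall status read (profile=Domain, enabled=true)",
    "2023-05-02T10:02:31Z host01 fwaudit: user=svc_backup rule 'Block-Outbound-SMB' deleted",
    "2023-05-02T10:02:45Z host01 fwaudit: user=svc_backup firewall service stopped",
    "2023-05-02T10:03:00Z host01 sshd: Accepted publickey for alice from 10.0.0.5",
]

if __name__ == "__main__":
    for line, component, tech_id, technique, tactic in map_to_attack(SAMPLE_LOG):
        print(f"{component:27} -> {tech_id} {technique} [{tactic}] :: {line[20:]}")
    print(dict(tactic_summary(map_to_attack(SAMPLE_LOG))))
```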
6. MITRE ATT&CK Mitigations of Techniques and Sub-Techniques
When cybersecurity professionals and companies employ the MITRE ATT&CK framework, they are primarily looking to improve their ability to prevent, detect and mitigate cyber-attacks.
To fulfill this vital mission, it is not enough to know what techniques and sub-techniques malicious actors use; it is essential to counter them with mitigation mechanisms. For this reason, the framework incorporates security concepts and classes of technologies that can significantly help prevent a technique from being successfully executed. The matrix includes 43 mitigations for the Enterprise domain, 11 for the Mobile domain, and 52 for ICS.
The first thing that jumps out is that the framework does not include mitigation for each technique but that the same concept or technology can prevent and mitigate several malicious techniques or sub-techniques. For example, the first concept in the list of mitigations for the Enterprise domain is Account Usage Policies.
MITRE ATT&CK recommends configuring features related to account usage, such as login attempt blocks. In this way, three different techniques can be combated: Brute force, Multi-factor authentication request generation, and Valid accounts.
It is important to emphasize that this framework does not establish how to remediate vulnerabilities or put in place security mechanisms and policies to prevent malicious techniques; it only provides a series of recommendations around critical concepts and technologies that companies and cybersecurity professionals need to take into account in their mission to protect the organization and its IT assets.
7. How do cybercriminal groups operate, and what software do they use?
The MITRE ATT&CK framework is completed with the analysis of 138 (so far) cybercriminal groups that pose a threat to the security of companies, public administrations, and citizens.
Information on these malicious actors includes:
- Associated groups. Often, different names are used to refer to the same criminal group. APT28, for example, is popularly known as Fancy Bear, but MITRE has tracked down a dozen other names.
- Techniques used. The past tense matters: only the techniques that are known to have been used by the group, established through open-source research, are compiled.
- Software used by criminals. The list of tools and malware used by each group is associated with the techniques they have executed.
MITRE ATT&CK helps to monitor and list some of the most dangerous cybercriminal groups, those whose tactics, techniques, and procedures are most sophisticated, such as APT (Advanced Persistent Threat) groups.
Thus, if a company, or its Cyber Intelligence or Threat Hunting professionals, detect a TTP associated with a group, they can discover who is behind an attack. In addition, learning how these groups operate is crucial for taking measures that block their modus operandi and force them to change their way of proceeding in order to launch new attacks.
MITRE ATT&CK is, therefore, a handy tool for combating APT groups and other organizations with numerous resources and advanced knowledge, whose ability to impact a company or public administration seriously can be lethal.
8. MITRE ATT&CK, a tool at the service of corporate protection
In light of what we have described throughout this article, we can see how MITRE ATT&CK is of great help when it comes to systematizing information on:
- Tactics
- Techniques and sub-techniques
- Offender groups, examples of procedures, and software used.
From such systematization, security mechanisms can be implemented to detect and prevent attacks. In addition, the framework also pays attention to essential aspects of protecting a company’s IT assets:
- The data sources that help when detecting malicious activity.
- The concepts and technologies that serve to prevent and mitigate attacks.
This complex and comprehensive structure links each of the 14 malicious tactics with techniques, procedures, criminal groups, and how to detect and combat them.
Therefore, MITRE ATT&CK is a framework used by cybersecurity professionals globally, becoming a standard for understanding how criminals act and securing IT assets.
So much so that MITRE ATT&CK is used by experts and organizations when undertaking multiple services aimed at improving the resilience of companies against attacks: Threat Intelligence, Threat Hunting, Threat Detection, Red Team services, and web security audits…
In short, MITRE ATT&CK is a handy working tool to address the protection of companies from the perspective of cyber criminals. This framework compiles the malicious tactics and techniques known to date. It systematizes and interrelates them, offering a broad overview of how malicious actors operate and what aspects companies need to consider to prevent, detect, contain, and mitigate security incidents.