The MITRE ATT&CK® framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It has systematized the tactics and techniques of adversaries, providing a common taxonomy and reference framework for the cyber-attack kill chain. Cymulate uses the ATT&CK knowledge base extensively to create meaningful, life-like attack scenarios that its customers run in their production environment to challenge, assess and optimize their security controls.
The ATT&CK Matrix for Enterprise organizes the cyber kill chain into 14 threat-actor tactics. Each tactic is realized through many techniques and sub-techniques, too many to list here, and the implementation of an individual technique can have thousands of variations. For example, validating email security against spear-phishing, which maps to just one ATT&CK technique, requires generating thousands of emails with different attachments and payloads to find the ones that get past the email security controls undetected.
The 14 tactics of the ATT&CK framework are:
| Tactic | Description |
|---|---|
| Reconnaissance | Techniques that involve adversaries actively or passively gathering information that can be used to support targeting. |
| Resource Development | Techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. |
| Initial Access | Techniques adversaries use, via various entry vectors, to gain an initial foothold within a network. |
| Execution | Techniques that result in adversary-controlled code running on a local or remote system. |
| Persistence | Techniques adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. |
| Privilege Escalation | Techniques adversaries use to gain higher-level permissions on a system or network. |
| Defense Evasion | Techniques adversaries use to avoid detection throughout their compromise. |
| Credential Access | Techniques for stealing credentials such as account names and passwords. |
| Discovery | Techniques an adversary may use to gain knowledge about the system and internal network. |
| Lateral Movement | Techniques adversaries use to enter and control remote systems on a network. |
| Collection | Techniques adversaries may use to gather information relevant to their objectives, and the sources that information is collected from. |
| Command and Control | Techniques adversaries may use to communicate with systems under their control within a victim network. |
| Exfiltration | Techniques adversaries may use to steal data from a victim network. |
| Impact | Techniques adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. |
Cymulate implements the tactics by attack vector; the mapping is shown in the matrix below. To assess each security layer of an enterprise architecture against real-world attack scenarios, we operationalize ATT&CK tactics and techniques as attack vectors. As a result, a single Cymulate attack vector implements multiple tactics, and the same tactic is implemented in multiple vectors, just as it would appear in an actual attack. For example, the Recon vector operationalizes techniques from both the Reconnaissance and Resource Development tactics, and Lateral Movement techniques are implemented in both the Endpoint and Lateral Movement vectors. We deliberately decouple endpoint security validation from infrastructure resilience so that customers can assess and optimize each layer independently against the techniques threat actors use to move laterally through an organization's network.
Mapping Vectors to MITRE ATT&CK Tactics
A single standalone technique, or atomic execution, has limited value on its own. To create meaningful executions, techniques and tactics must be combined in the right context. One of many examples supported in the platform is the execution “Online Credential Theft With a Packed Mimikatz (64) using RunDLL32”, which combines two Defense Evasion techniques (software packing of the binary, T1027.002, and proxy execution through rundll32, T1218.011) with a Credential Access technique (dumping credentials from LSASS memory, T1003.001) into one meaningful execution.
Operationalizing the Cyber-Attack Kill Chain
The next step in operationalizing ATT&CK is to create meaningful scenarios. Cymulate can chain executions to simulate real-life attack flows across the cyber kill chain. Scenarios range from simple assessments, for example automated health checks, to complex scenarios that simulate the full kill chain of an APT group for the purpose of exercising incident-response playbooks. In the example below we chain four executions that combine Credential Access, Defense Evasion and Execution tactics. Context demands a meaningful sequence of executions, with the output of each execution chained into the input of the next:
Unconstrained Delegation and a Printer Bug to Gain Domain Admin Rights
FIN 8 Full Kill-Chain APT Simulation
Mapping the Results
The MITRE ATT&CK® framework has advanced the cyber security industry by providing both a comprehensive knowledge base and a common taxonomy and reference framework for the cyber-attack kill chain. The framework enables security practitioners, ethical hackers, vendors and service providers to share a common language when describing attacks, security gaps and infrastructure weaknesses. Cymulate shares this approach with the industry by mapping individual assessments and their results to the framework.
Aggregated results provide a heat map that identifies the systematic strengths and weaknesses of a security architecture.
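The roll-up from individual execution results to a per-technique and per-tactic heat map is straightforward to implement once every execution is tagged with ATT&CK technique IDs, as the packed-Mimikatz example above is. The script below is an added illustration, not Cymulate code: it scores a constructed set of execution results (a technique counts as covered in a run when the control either prevented or detected it), averages the technique scores into tactic scores, and emits an ATT&CK Navigator layer so the heat map can be viewed in the standard tool. The technique-to-tactic table is a hand-written subset of ATT&CK Enterprise, and the layer fields follow the public Navigator layer format as understood here (assumed 4.x); treat both as assumptions.

```python
"""Aggregate attack-simulation results into technique and tactic coverage
scores and emit an ATT&CK Navigator layer (added example, not vendor code)."""
import json
from collections import defaultdict

# Constructed subset of ATT&CK Enterprise: technique ID -> tactics, using the
# lower-case short names Navigator expects. A technique may belong to several tactics.
TECHNIQUE_TACTICS = {
    "T1003.001": ["credential-access"],   # OS Credential Dumping: LSASS Memory
    "T1027.002": ["defense-evasion"],     # Obfuscated Files or Information: Software Packing
    "T1218.011": ["defense-evasion"],     # System Binary Proxy Execution: Rundll32
    "T1078": ["defense-evasion", "persistence",
              "privilege-escalation", "initial-access"],  # Valid Accounts
    "T1566.001": ["initial-access"],      # Phishing: Spearphishing Attachment
    "T1021.002": ["lateral-movement"],    # Remote Services: SMB/Windows Admin Shares
}

# Constructed sample results, one record per execution. "prevented" means the
# control blocked it, "detected" means an alert fired. The first record mirrors
# the page's packed-Mimikatz-via-rundll32 execution; here it went unnoticed.
SAMPLE_RESULTS = [
    {"execution": "Online Credential Theft With a Packed Mimikatz (64) using RunDLL32",
     "techniques": ["T1027.002", "T1218.011", "T1003.001"],
     "prevented": False, "detected": False},
    {"execution": "Spearphishing attachment: macro-enabled XLS",
     "techniques": ["T1566.001"], "prevented": True, "detected": True},
    {"execution": "Spearphishing attachment: ISO containing LNK",
     "techniques": ["T1566.001"], "prevented": False, "detected": False},
    {"execution": "Copy to admin share and start remote service with stolen account",
     "techniques": ["T1021.002", "T1078"], "prevented": False, "detected": True},
]


def score_techniques(results):
    """Return {technique_id: {runs, prevented, detected, covered, score}}.

    score is the percentage of runs in which the technique was prevented or
    detected: 0 means every run slipped through, 100 means full coverage.
    """
    agg = defaultdict(lambda: {"runs": 0, "prevented": 0, "detected": 0, "covered": 0})
    for r in results:
        for t in r["techniques"]:
            a = agg[t]
            a["runs"] += 1
            a["prevented"] += int(r["prevented"])
            a["detected"] += int(r["detected"])
            a["covered"] += int(r["prevented"] or r["detected"])
    for a in agg.values():
        a["score"] = round(100 * a["covered"] / a["runs"])
    return dict(agg)


def score_tactics(technique_scores):
    """Roll technique scores up to tactics as the mean technique score per tactic.
    A multi-tactic technique such as T1078 contributes to each of its tactics;
    an unmapped technique lands in an 'unknown' bucket rather than being dropped."""
    buckets = defaultdict(list)
    for t, a in technique_scores.items():
        for tactic in TECHNIQUE_TACTICS.get(t, ["unknown"]):
            buckets[tactic].append(a["score"])
    return {tactic: round(sum(v) / len(v)) for tactic, v in buckets.items()}


def navigator_layer(technique_scores, name="Assessment heat map"):
    """Build an ATT&CK Navigator layer dict (assumed 4.x layer format): one entry
    per (technique, tactic) pair, coloured red for low coverage and green for high."""
    entries = []
    for t, a in sorted(technique_scores.items()):
        for tactic in TECHNIQUE_TACTICS.get(t, []):
            entries.append({
                "techniqueID": t,
                "tactic": tactic,
                "score": a["score"],
                "comment": f"{a['covered']}/{a['runs']} executions prevented or detected",
            })
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": entries,
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"],
                     "minValue": 0, "maxValue": 100},
    }


if __name__ == "__main__":
    ts = score_techniques(SAMPLE_RESULTS)
    print(json.dumps(score_tactics(ts), indent=2))
    with open("heatmap_layer.json", "w") as fh:
        json.dump(navigator_layer(ts), fh, indent=2)
```

With the constructed input the Credential Access tactic scores 0 because the only execution touching it went unnoticed, Initial Access scores 75 because one of two spear-phishing variants got through, and Defense Evasion is diluted to 33 by the two evasion techniques in the same missed Mimikatz run; that dilution is exactly why the per-technique view should be read alongside the tactic heat map rather than instead of it.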