MITRE ATT&CK Matrix


The MITRE Corporation is a nonprofit organization founded in 1958 that supports various U.S. government agencies at the highest levels. MITRE ATT&CK®, which stands for Adversarial Tactics, Techniques, and Common Knowledge, is a comprehensive matrix and knowledge base of over 200 cyber attacker tactics, techniques, and procedures. Defenders can use the matrix to classify attacker activity, assess an organization’s risk, and understand the best options for defense. One of the reasons for the popularity of ATT&CK is its shared language that enables clear communication among the cyber defense community about the precise characteristics of a threat.

ATT&CK aims to improve post-compromise detection of adversaries in enterprises by describing how a cyber adversary behaves inside an organization's network. It helps to identify the nature of a compromise, point out which controls should protect against it, and ultimately gauge how effective the organization's defense is. Even though it is not intended to provide a checklist of everything that needs to be addressed, the clear focus on adversarial behavior provided by ATT&CK is the best way to detect and terminate an ongoing attack before data exfiltration happens.

Lumu simplifies Continuous Compromise Assessment by consolidating its management, reporting, and related contextual intelligence within a single portal. Security teams no longer need to chase down data from multiple network monitoring tools.
Lumu automates and operationalizes this framework by presenting the ATT&CK Matrix for each compromise found on the portal, helping organizations spot gaps in defenses, identifying priorities, and making more accurate decisions about impending risks. The ATT&CK Matrix context is included in Lumu Insights and Lumu Defender.

How Lumu Integrates ATT&CK

The Enterprise ATT&CK Matrix implemented in the Lumu Portal comprises 12 columns representing Tactics (the adversary’s objective) which are expanded granularly into specific known adversarial methods. Techniques and Sub-techniques represent steps an attacker would typically follow when attacking your infrastructure. Depending on the adversary’s objective, multiple techniques can be applied, but not all tactics need to be employed.

Figure 1 - Example of the MITRE ATT&CK Matrix in Lumu Portal.

Tactics, Techniques, and Procedures (TTP)

TTPs can be translated into adversarial behaviors. When using these types of indicators to detect and respond to malicious activities, your organization directly handles the attacker's actions, not only their specific software programs or tools. Blocking indicators such as hash values, IP addresses, and domain names is relatively easy for an attacker to circumvent. However, when your organization can respond to the attacker's TTPs promptly, the adversary needs to learn new behaviors, which is more difficult and time-consuming to get around.

Tactics: the attacker’s technical goals.
Techniques and Sub-techniques: how the attacker intends to achieve the goals.
Procedures: specific technique implementation.
Tactics can be considered as the “why” part of an ATT&CK technique being used. In other words, it is the objective that the attacker wants to achieve with the compromise. For example, the Persistence tactic (this is the attacker’s goal—to maintain their foothold in the target environment) includes a series of techniques that adversaries might use to maintain persistent access to a system. To persist, attackers may manipulate accounts to maintain access to victim systems. Manipulating access may involve using a Trojan to add permissions and remote logins, or other activities. 

Techniques represent "how" adversaries achieve their tactical goals and also "what" an attacker gains by completing an action. For example, the Persistence tactic includes techniques such as Hijack Execution Flow, BITS Jobs, and External Remote Services. Each of these is a single technique that attackers may use to reach the goal of persistence. In some cases, the same technique appears under several tactics. Sub-techniques are a more specific representation of the attacker's behavior. Techniques are referenced in ATT&CK as Txxxx, and sub-techniques as Txxxx.xxx, where the part before the dot is the parent technique. For example, the "Use Alternate Authentication Material" technique has the ID T1550, and the "Windows Command Shell" sub-technique of Command and Scripting Interpreter (T1059) has the ID T1059.003.

Lumu Portal provides a visualization with technical detail at the technique level, together with the context of the tactic each technique serves. The ATT&CK Matrix is available for each malicious activity in the context area of the Lumu Portal. By default, the techniques associated with each incident found are highlighted in the MITRE ATT&CK Matrix. Figure 2 is an example of how the Lumu Portal presents the different techniques used by a threat in an incident.

Figure 2 - ATT&CK Matrix - Highlighted techniques view.
The techniques and sub-techniques highlighted in orange are references to behaviors associated with the specific incident. It does not mean that the adversary implemented all the techniques/sub-techniques. Your company should use this information to infer what this adversary may have carried out to achieve their goal.
You can click on the slide button “All” to visualize the full ATT&CK Matrix as in Figure 3. Otherwise, only highlighted TTPs will be shown. 
Figure 3 - ATT&CK Matrix - full view.

When you click on a technique or sub-technique, you can find a description, references, and research highlighting specific Procedures that describe how an adversary implements that technique. This area shows the ID, name, description, the platforms affected by the technique/sub-technique, and the link to the MITRE page that contains procedure examples, mitigations, and references.

Figure 4 - ATT&CK Matrix - Technique view.

The ATT&CK framework implemented in the Lumu Portal is designed to map the adversaries’ TTPs and help organizations answer questions such as: What are their goals? How did they get inside? How are they circulating? What might they do next? And with that information in hand, determine the best way to prepare for and stop an attack in a precise manner.

Use Cases for MITRE ATT&CK

There are many benefits of taking advantage of the MITRE ATT&CK Matrix when it comes to Incidents reported in the Lumu Portal, some of which have already been mentioned, such as identifying gaps in defenses and making more accurate decisions about imminent risks.

These are some use cases for the ATT&CK Framework:

Blue Teams and Defense

‘Blue team’ is how we identify the security professionals responsible for proactively maintaining the organization’s infrastructure defenses against all cyberattacks, risks, and threats. With the ATT&CK context provided in the Lumu Portal, these teams can quickly identify the adversary and techniques used in a current attack and ultimately provide recommendations to increase the organization's cybersecurity readiness posture.

Knowing how you are being attacked is as essential as knowing your defense capabilities. Mapping your defense controls onto the ATT&CK matrix gives a clear view of which adversary behaviors you can defend against and where you need to tune your detection and response capabilities. The technique information supplied by ATT&CK can help your organization more precisely identify gaps in your threat intelligence infrastructure, assess risks, prioritize, and plan for mitigation.

Overlapping your current cybersecurity infrastructure with the identified threats of your industry and the incidents detected by Lumu in your organization allows you to fill the gaps in your defense and reduce redundancies.
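As an added illustration of the gap analysis described above and of the Txxxx / Txxxx.xxx ID scheme from the TTP section (example code written for this page, not Lumu's own code): given the techniques highlighted for an incident and the techniques your controls already cover, list the uncovered ones per tactic. The technique-to-tactic map and the incident below are constructed samples built from the techniques this page names; a real run would take the incident IDs from the portal's context area and the covered IDs from your own control inventory.

```python
import re
from collections import defaultdict

# ATT&CK IDs: techniques are Txxxx, sub-techniques Txxxx.xxx.
ATTACK_ID = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")

def parse_attack_id(attack_id):
    """Return (parent_technique, sub_technique_or_None); raise on malformed IDs."""
    m = ATTACK_ID.match(attack_id.strip().upper())
    if not m:
        raise ValueError(f"not an ATT&CK technique ID: {attack_id!r}")
    parent = f"T{m.group(1)}"
    sub = f"{parent}.{m.group(2)}" if m.group(2) else None
    return parent, sub

def coverage_gaps(incident_techniques, technique_tactics, covered):
    """
    incident_techniques: IDs highlighted for one incident (technique or sub-technique).
    technique_tactics:   parent technique -> set of tactic names (one technique can
                         sit under several tactics, as the page notes).
    covered:             IDs your controls detect or mitigate. Covering a parent
                         technique is taken to cover all of its sub-techniques.
    Returns {tactic: sorted list of uncovered IDs}; an empty dict means no gaps.
    """
    covered_norm = {parse_attack_id(c)[1] or parse_attack_id(c)[0] for c in covered}
    gaps = defaultdict(set)
    for tid in incident_techniques:
        parent, sub = parse_attack_id(tid)
        observed = sub or parent
        if observed in covered_norm or parent in covered_norm:
            continue
        for tactic in technique_tactics.get(parent, {"Unknown tactic"}):
            gaps[tactic].add(observed)
    return {t: sorted(ids) for t, ids in sorted(gaps.items())}

# Constructed sample: a tactic map for the techniques named on this page, one
# incident as the portal would highlight it, and the controls already in place.
SAMPLE_TACTICS = {
    "T1059": {"Execution"},
    "T1550": {"Defense Evasion", "Lateral Movement"},
    "T1197": {"Defense Evasion", "Persistence"},
    "T1133": {"Initial Access", "Persistence"},
    "T1574": {"Persistence", "Privilege Escalation", "Defense Evasion"},
}
SAMPLE_INCIDENT = ["T1133", "T1059.003", "T1197", "T1550", "T1574"]
SAMPLE_COVERED = ["T1059", "T1133"]  # e.g. detection rules you already run

if __name__ == "__main__":
    for tactic, ids in coverage_gaps(SAMPLE_INCIDENT, SAMPLE_TACTICS, SAMPLE_COVERED).items():
        print(f"{tactic}: {', '.join(ids)}")
```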

Red Team and Adversarial Emulation

‘Red teams’ are internal or external teams dedicated to testing a cybersecurity infrastructure’s effectiveness by emulating possible adversaries’ tools and techniques in the most realistic way possible. The MITRE ATT&CK context allows red teams to select tactics and the sequence of techniques to model real-world adversaries. This adversarial approach can help organizations assess their prevention, detection, remediation, and eradication performance against these actual threats.

One of the top use cases for the ATT&CK Framework is to support your organization in testing its cybersecurity solutions’ efficacy. The red teams can take advantage of the context information provided by the ATT&CK Matrix in the Lumu Portal to build models that emulate adversaries’ behaviors and test the organization’s security controls. Organizations can also use the context ATT&CK information to automate security validation testing by using breach and attack simulation systems that apply the MITRE ATT&CK framework.

Enterprise Tactics Matrix

The following table summarizes the 12 tactics in the MITRE ATT&CK Enterprise framework that you can find in the context information of Lumu Portal (tactic: summary):

Initial Access: The adversary is trying to get inside your network. Includes techniques that use various entry vectors to gain an initial foothold within a network.

Execution: The adversary is trying to run malicious code. Consists of techniques that result in adversary-controlled code running on a local or remote system.

Persistence: The adversary is trying to maintain their foothold. Comprises techniques to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.

Privilege Escalation: The adversary is trying to obtain higher-level permissions. Includes techniques that adversaries use to gain higher-level permissions on a system or network.

Defense Evasion: The adversary is trying to avoid being detected. Consists of techniques used to avoid detection throughout the intrusion.

Credential Access: The adversary is trying to steal credentials. Comprises techniques for stealing account names and passwords.

Discovery: The adversary is trying to figure out your environment. Comprises techniques used to gain knowledge about the system and internal network.

Lateral Movement: The adversary is trying to move through your environment. Includes techniques that adversaries use to enter and control remote systems on a network from an already compromised host.

Collection: The adversary is trying to gather data of interest. Consists of techniques used to collect information relevant to following through on the adversary's objectives.

Command and Control: The adversary is trying to communicate with compromised systems to control them. Comprises techniques adversaries may use to communicate with systems under their control within the victim network, often disguised to look like regular HTTP traffic.

Exfiltration: The adversary is trying to steal data. Includes techniques used to steal data from networks, such as compressing and encrypting it before transfer.

Impact: The adversary is trying to manipulate, interrupt, or destroy your systems and data. Consists of techniques used to disrupt availability or compromise integrity by manipulating business and operational processes. This is the effect on your systems once the adversary accomplishes their ultimate goal.
