Pt 1 – Introducing Rick the Toolman Series: Mitre ATT&CK.
Rick Howard: If you're a longtime listener to this podcast, you know that I'm a huge fan of the Lockheed Martin intrusion kill chain model. The ideas that emerged from that original 2010 paper revolutionized cybersecurity thinking. And because of that, I incorporated the key points from that paper into my cybersecurity first principles strategy. As security executives, we all should be asking pointed questions to our infosec teams about how our internal security posture is configured against known adversary behavior.
Rick Howard: As many people have pointed out to me, though, the intrusion kill chain model is not the only threat model in existence. There are many others that range from minor tweaks to the original idea, like the unified kill chain model from Paul Pols to a different approach altogether, like the diamond model designed by Caltagirone, Pendergrast and Betz. If you want to have your mind blown, just do a Google search for kill chain and see how many security vendor versions you get.
Rick Howard: But as the British statistician George Box said, all models are wrong, but some are useful. It doesn't matter what model you use so much. Pick a model that you like and that you can adapt to have an impact on your security posture. What matters more is an understanding that your security strategy should have a threat modeling component. Along with zero trust, resilience and risk forecasting, deploying security controls to prevent known adversary behavior is as important as the other three. It might be more important. The question, then, is, how do you do it? I'm so glad that you asked.
Rick Howard: My name is Rick Howard, and I'm broadcasting from the CyberWire's secret sanctum sanctorum studios located underwater somewhere along the Patapsco River near Baltimore Harbor. And you're listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis.
Rick Howard: It's one thing to have a model that fits into your organization. It's quite another to make something operational. You need some combination of people, process and technology. For this series of essays, I'm going to focus on the technology side. For all of our first principle strategies, I'm going to explain to the security executive the essential tools that your team will have to master in order to get the job done. Consider this the security tool Cliff Notes (ph) for busy security executives so that they can make informed decisions about their security posture. That's why I'm calling these podcast episodes the Rick the Tool Man series in honor of one of my favorite comics, Tim Allen, and his long-running TV show in the 1990s called "Home Improvement."
Rick Howard: For you youngsters out there, Tim was obsessed with tools, and so am I. But the tools I'm going to talk about in this series will not only include the software and hardware platforms that we all like to deploy into our security stack. I will also talk about best practices, maturity models and frameworks. For this show, I'm going to start with the MITRE ATT&CK framework. ATT&CK, A-T-T-ampersand-C-K, stands for adversarial tactics, techniques and common knowledge. I'm going to explain how your infosec team can use it to support your intrusion kill chain strategy. More importantly, I'm going to explain the framework in terms that the busy security executives can understand.
Rick Howard: For the uninitiated, MITRE is an American quasi-governmental nonprofit that manages several U.S. government federally funded research and development centers called FFRDCs.
Tim Allen: (Grunting).
Rick Howard: I know that's a mouthful, and don't worry if it doesn't make sense to you. Most people have trouble getting their heads around that idea. What's a quasi-governmental nonprofit? It turns out that the U.S. government invented the concept after World War II because after the war, America didn't have the in-house scientific resources anymore that would take the country into the future. Lawmakers decided that they needed to farm that work out in a way that was beneficial to the government but didn't compete with industry.
Rick Howard: The bottom line is that these nonprofits manage research organizations that run under unique and specific rules - not for profit obviously, can't have any commercial conflicts of interest, can't manufacture, can't sell, can't work for commercial companies, can't compete with industry and sponsored by some government entity that needs research like NASA, the DOD or the Department of Energy. Essentially, they are unbiased think tanks working for the U.S. government that can act as a bridge to commercial and academic sectors.
Rick Howard: The Rand Corporation was the first nonprofit chosen to manage in FFRDC back in 1947. In the fall of 2021, though, there are 43 FFRDCs. And the three that are probably the most well known are the Jet Propulsion Laboratory, or JPL, run by the California Institute of Technology, the Software Engineering Institute, or SEI, run by Carnegie Mellon University, and the Lawrence Berkeley National Laboratory, or LBNL, run by the University of California. And by the way, the LBNL is where Dr. Clifford Stoll worked in the late 1980s during the events showcased in his Cybersecurity Canon Hall of Fame book "The Cuckoo's Egg."
Rick Howard: MITRE runs six centers that study a broad range of topics. The ATT&CK framework came out of the National Cybersecurity Center of Excellence, or NCCoE, sponsored by the National Institute of Standards and Technology, or NIST. The main takeaway, then, is that published research from an FFRDC, specifically the MITRE ATT&CK framework in this case, is not coming from a vendor trying to influence the sales of their company. It's just pure research designed to support the American government's research goals. Because of that, affected research communities like cybersecurity can consider FFRDC research to be unbiased towards any commercial products. And when commercial product support for RDC research in some way, the leaders of those products can say that they support national goals and not just their own bottom line. They can also say that they support a government standard.
Rick Howard: Some people have told me that the MITRE ATT&CK framework is just another threat model in the same vein as the ones I mentioned before - the intrusion kill chain model, the diamond model and the unified kill chain. I understand their point if you say that the framework extends the original Lockheed Martin intrusion kill chain paper and corrects some of the limitations. It eliminates the kill chain recon phase and clarifies and extends the actions on the objective stage to include techniques for persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration and impact. That's all fantastic.
(SOUNDBITE OF TV SHOW, "HOME IMPROVEMENT")
Tim Allen: (As Tim Taylor) Oh, yeah.
Rick Howard: The framework's most significant innovation, though, is an extension of the list of information requirements intelligence analysts collect on adversary playbooks. They added tactics, techniques and procedures. Before the framework, we would all collect indicators of compromise without any relation to known adversary behavior - you know, things like IP addresses to known bad guy locations, strange DNS requests and network traffic on unusual ports. These are not bad per se, but they are ephemeral, and hackers can easily change them at the drop of a hat and did and continue to do so. By the time infosec team deployed countermeasures, the bad guys had likely already changed their behavior. MITRE's extension to the kill chain model includes the grouping of tactics, the why, the techniques used, the how and the specific implementation procedures that adversary groups use to deploy the tactic. Now we're getting somewhere.
(SOUNDBITE OF TV SHOW, "HOME IMPROVEMENT")
Tim Allen: (As Tim Taylor) Oh, yeah.
Rick Howard: Tactics, techniques and procedures are not nearly as ephemeral as indicators of compromise. They are tied to known adversary group behavior and are conducive to designing impactful countermeasures. Where the Lockheed Martin kill chain model is conceptual, The MITRE ATT&CK framework is operational. All of that is fine and good, but the real power of the MITRE ATT&CK framework is an intelligence product that I call the ATT&CK framework wiki. It's a globally accessible knowledge base of known adversary behavior. It's derived from real-world observations from both MITRE intelligence analysts and from the cybersecurity intelligence community at large. In other words, it's the most complete, free, open source, standardized database of adversary offensive playbook intelligence. Although the wiki tracks several crime groups, that's not the focus. It primarily covers how APT groups, advanced persistent threat groups, traverse MITRE's version of the intrusion kill chain via operating systems like Microsoft Windows, Linux, Apple OS X and iOS and Google's Android OS and Chrome OS. It also tracks victim data islands like mobile devices, infrastructure-as-code cloud deployments and industrial control systems. Most importantly, the framework standardizes the taxonomy vocabulary for both offense and defense. Before the framework, each vendor and government organization had their own language. Any intelligence product coming out of those organizations couldn't be shared with anybody else without a lot of manual conversion grunt work to make sense of it all. Talk about the Tower of Babel.
(SOUNDBITE OF TV SHOW, "HOME IMPROVEMENT")
Tim Allen: (As Tim Taylor) Oh, no.
Rick Howard: We were all looking at the same activity and couldn't talk about it collectively in any way that made sense. The MITRE ATT&CK framework fixed that by releasing the first version in 2013 and has made significant improvements to the model almost every two years since. The bottom line is that the MITRE ATT&CK framework has become the industry's de facto standard for representing adversary playbook intelligence.
Rick Howard: In the MITRE wiki, as of this episode, you can find intelligence on some 125 adversary group names. There are famous names that you probably read about in the news, like APT1 and the Lazarus Group and the Santorum team. There are many more that you likely haven't heard about with cool code names like Ferocious Kitten, Nomadic Octopus and Wizard Spider. The thing about these codenames is that they don't really attribute adversary groups, as in there are a bunch of cyber bad guys that we're calling Nomadic Octopus. MITRE really uses group names to identify unique adversary attack patterns across the intrusion kill chain that they have seen repeatedly in the wild. What I mean by that is that when the MITRE ATT&CK wiki publishes intelligence about Ferocious Kitten, it doesn't normally include information about Kevin, you know, day-job Walmart greeter, as the hacker behind the attacks. The wiki does outlines a set of generic attack techniques and specific procedures observed in the wild that intelligence analysts have grouped together as belonging to the same adversary playbook. Sometimes, intelligence analysts are pretty sure that these pattern names, like APT1, originate from a specific government. In the APT1 case, the security vendor Mandiant actually hacked back to one of the bad guys' computers, compromised his computer and watched his team operate in the room in real time. You can view some of those videos on YouTube. After that operation, Mandiant intelligence analysts had high confidence that APT1 is a Chinese military hacking group belonging to the second bureau of the People's Liberation Army, or PLA, known as Unit 61398. Here's Kevin Mandia keynoting the 2014 RSA Conference as the chief operating officer of FireEye, the company that bought Mandiant right after Mandiant released this report in 2013.
(SOUNDBITE OF ARCHIVED RECORDING)
Kevin Mandia: When we released this report in February of 2013, we took our nomenclature at Mandiant of APT1, and we think that the PLA Unit 61398, a military unit with people in uniform being charged to compromise private sector entities. We released also 3,000 different indicators of compromise, meaning bad domain names, bad IP addresses and basically the C2 infrastructure of APT1's backbone where they launch the attacks. Five-minute video just to kind of show you, hey, here's what the attacks look like because we had responded to them in so much time. It's obvious to me that, in fact, the Chinese military was behind it. And the evidence was in the form of about a 60-something-page report, 3,000 different indicators, 141 different victim companies. And we'll step through that.
Rick Howard: But that kind of attribution is an exception to the norm. For the rest of the groups like Nomadic Octopus, intelligence analysts may have some suspicions that the group hails from, say, Russia, but they rarely have irrefutable proof as concrete as the APT1 evidence for Mandiant. The point is, for the bulk of us, it doesn't matter which government is behind the attacks. If you know that North Korea is attacking you, who cares? It doesn't help you at all in defending your organization knowing that piece of information. What is important is knowing whether or not your team is observing attack patterns consistent with the Lazarus Group in your networks and whether or not they have deployed prevention controls to counter them at each stage of the intrusion kill chain.
Rick Howard: What makes the codename situation even more confusing, though, is that the industry has no standard for naming attack patterns. Every vendor and every government intelligence group has their own system. In some cases, we end up with a smorgasbord of names for the same attack patterns. For example, MITRE lists APT29 as one of the groups it tracks. With a simple Google search, I found 14 additional aliases that other organizations use to track the same activity, like Cozy Bear, The Dukes and Office Monkeys. Here's the thing - don't get lost in the naming weeds. Besides getting a chuckle because I used Office Monkeys in a board presentation...
(SOUNDBITE OF TV SHOW, "HOME IMPROVEMENT")
Tim Allen: (As Tim Taylor) Oh, yeah.
Rick Howard: ...The name isn't important. Your infosec teams should stick with the open source names from the MITRE ATT&CK framework and move on. Have them keep track of the aliases as you go just to keep things straight. But the important thing they should be doing is collecting the tactics, techniques and procedures for each group, devising strategies to search for that behavior in their networks and developing plans to automatically deploy countermeasures for each.
Rick Howard: All of that was a long way around the horn to explain what the MITRE ATT&CK framework is and why you should use it as a tool. And I can hear you saying, geez, Rick, thanks for the history lesson, but can you just tell me how to use the thing? Of course. I thought you'd never ask. The first thing to note is that regardless of your size, your infosec team helps to manage a set of technologies that you either specifically deploy to counter bad actor behavior or because the service the technology provides - you can configure it to reduce the attack surface. Examples for the former are intrusion detection systems, firewalls and endpoint protection systems. And examples for the latter are S3 buckets, SAS services and email systems. Just to simplify things, I refer to all of that technology as the security stack, as in, I have a stack of technology that I can use to improve my cyberdefenses. The main ATT&CK framework use case that security executives should be asking their infosec teams about is how to make the ATT&CK framework intelligence operational. It's sitting there in a big wiki, just waiting to be used. Your teams have to somehow collect it, study it and devise a plan to improve their defenses for each of the 125 published adversary groups. They also have to devise a way to maintain their plan as the intelligence changes. The only way to do this is through automation or, if you will, infrastructure as code or if you like better, dev ops. So step one, collection. Automatically collect the MITRE ATT&CK intelligence on a routine basis. Easy. Step two, verify technique countermeasures. Automate the process for verifying your security stack countermeasures against the generic techniques used by all 125 adversary groups. In other words, write code that automatically interrogates every technology in your security stack or the specific controls in place for each adversary group. Step three, procedures check. Do the same thing for the specific procedures used by all 125 adversary groups. Step four, gap Plan. Develop a plan to close the gap between countermeasures in place compared to countermeasures needed for the generic techniques and specific procedures. This is your SOC analyst or your intel team getting into a room and devising countermeasure plans for each known adversary group. It could also be your team asking the vendors responsible for your security stack technology for their recommendations. Lastly, update the security stack. Automate the process to deliver new configurations to the security stack based on the gap plan. In other words, once you devised a plan, you want the ability to push the button that says Nomadic Octopus update and have new controls sent to all the technology in your security stack with a countermeasure update, regardless of what data island it's sitting in. Now, it's important to note that, sometimes, you won't be able to invent a countermeasure for a generic technique or a specific procedure based upon the security stack that you control. That's OK. In that case, we have four options - live with the risk or devise some other countermeasure somewhere else on the intrusion kill chain or invent some new people process policy that has the same effect or, finally, decide that we have a technology gap and that we need to find some other technology to insert into our security stack to specifically address the gaps.
Rick Howard: Purple team exercises are when you pit your blue team forces, your day-to-day infosec team, against an opposing force, red team, that tries to break in. This kind of exercise is in the same functionality ballpark as penetration tests. You task a team to break through your deployed defenses in order to find gaps that you didn't know about already. But in my mind, purple team operations are much more valuable than generic penetration tests. Penetration testers will find any way into your system that they can exploit, and that's valuable to some degree. But a red team following the specific tactics, techniques and procedures of Wizard Spider will verify whether or not your defensive controls designed precisely to counter Wizard Spider actually work. The red team running the Wizard Spider playbook tests your deployed security controls and tests your blue team on their incident response capability. Purple team exercises should be continuous. The red team works through each and every adversary playbook in the MITRE wiki one at a time and confers with the blue team about what worked and what didn't. This provides an excellent training ground for your blue team and dedicates resources to countering known adversary behavior.
Rick Howard: Like I said before, MITRE designed the ATT&CK framework to specifically track APT actors. You know what? I don't really like the APT term because it's not specific enough. It started out meaning nation-state actors who didn't run smash and grab operations that we associated with cybercrime back in the early 2000s. Nation-states really only did cyber-espionage back then. Criminals would get in, steal their money and get out. APTs took their time. They persisted. Today, though, that distinction doesn't really exist anymore, especially when you talk about ransomware groups. These teams stay on station for long periods of time, similar to APT groups, and some nation-state actors use crime to fund their operations. The thing that distinguishes cybercrime and nation-state continuous, low-level cyberconflict is more about motive and tools these days, not persistence. Even though the ATT&CK framework doesn't focus on cybercrime or hacktivism, the wiki does have a smattering of cybercrimes they call FIN groups, or financially motivated threat groups four through eight and 10. That said, by my unofficial count, there are at least an additional 100 criminal and hacktivist groups that have made their way into the news this past year. AND the MITRE ATT&CK framework doesn't cover those.
(SOUNDBITE OF TV SHOW, "HOME IMPROVEMENT")
Tim Allen: (As Tim Taylor) Oh, no.
Rick Howard: If you're worried about cybercriminals, you'll need to start tracking those groups yourself or maybe hire a commercial threat intelligence service to do it for you. In either case, follow the MITRE ATT&CK framework standard so that down the line, that intelligence can be shared easily.
Rick Howard: After listening to this episode and you're interested in using this tool as the security executive for your organization, you should be asking your infosec teams about incorporating the MITRE ATT&CK framework into their daily operation. If you're a small startup and don't have a lot of resources, you should absolutely be asking the vendors responsible for your security stack to do this for you. Come to think of it, even if you do have a lot of resources for in-house development of the intrusion kill chain strategy, you should be asking your vendors to support this idea anyway. Take my old security vendor alma mater Palo Alto Networks and their intelligence team Unit 42. They publish these things called ATOMs, countermeasures for specific adversary groups designed to deploy in their entire product line. At the time of this writing, they have recommended controls for some 50 adversary playbooks. MITRE has an additional program called MITRE ATT&CK Evaluations, where they invite vendors to come into their labs and demonstrate how their products defend against known adversary playbook behavior. So far, they have finished evaluations for FIN7 and an industrial control system campaign called Triton. They have plans for Wizard Spider and Sandworm next year. They are also inviting many security service providers to demonstrate how they protect their customers against the entire suite of adversary playbooks in 2022. That should be interesting.
(SOUNDBITE OF TV SHOW, "HOME IMPROVEMENT")
Tim Allen: (As Tim Taylor) Oh, yeah.
Rick Howard: As a community, we should be asking MITRE to expand the scope of the framework to include adversary playbooks other than nation-states. Since MITRE is an FFRDC, this is a national security matter when it comes to ransomware. Since those groups have no issues going after critical infrastructure like medical facilities, oil pipelines and government institutions, we should also be asking MITRE to go faster on their evaluations program. I tip my hat to their leading the way in this idea, but at this rate, we won't get through the entire suite of known adversary groups for, like, 50 years. I don't think that's going to work.
(SOUNDBITE OF TV SHOW, "HOME IMPROVEMENT")
Tim Allen: (As Tim Taylor) Oh, no.
Rick Howard: And finally, as a security executive, ask your infosec teams to become proficient in tracking down unknown adversary playbooks within your own infrastructure. Follow the MITRE model or pick your own. But this is an essential skill if you have any hope of deploying the intrusion kill chain strategy within your own environment.
Rick Howard: The MITRE ATT&CK framework is an essential tool in the security executive's toolbox. Turning the knobs and dials of the tool is something that you should be asking your infosec team to become proficient at. The good news is that you don't have to start from scratch in deploying your intrusion kill chain strategy. MITRE has done the bulk of the hard work for you, standing up the framework. And because of their FFRDC status, the community recognizes it as an international standard. The bad news is that none of this is fire and forget. You can't just flip a switch and all of this becomes operational. In order to reduce the probability of material impact for all known adversary groups, you have to do some work on your end. That will be internal development of these ideas and external pressure that you apply to your security vendors to help you with this strategy.
Rick Howard: And that's a wrap. As always, if you agree or disagree with anything I've said, hit me up on LinkedIn or Twitter, and we can continue the conversation there. Or if you prefer email, drop a line to csop@thecyberwire.com. That's csop@thecyberwire.com. And if you have any questions you would like us to answer here at "CSO Perspectives," send a note to the same email address, and we will try to address them in the show. The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design and original score. And I am Rick Howard. Thanks for listening.