Introducing the Rick the Toolman series: The MITRE ATT&CK framework.
If you’ve been reading any of my essays of the last year or so, you know that I'm a huge fan of the Lockheed Martin Intrusion Kill Chain model. The ideas that emerged from the original 2010 paper revolutionized cybersecurity thinking. Because of that, I incorporated the key points from that paper into my cybersecurity first principles strategy. As security executives, we all should be asking pointed questions to our infosec teams about how our internal security posture is configured against known adversary behavior.
As many people have pointed out to me though, the Intrusion Kill Chain model is not the only threat model in existence. There are many others that range from minor tweaks to the original idea, like the Unified Kill Chain model by Paul Pols, to a different approach, like the Diamond Model, designed by Caltagirone, Pendergast, and Betz. Just do a Google search for “kill chain” and see how many vendor versions you get. But, as the British statistician George Box said, “All models are wrong, but some are useful.” Which model you use doesn’t matter that much. Pick a model that you like and that you can adapt to have an impact on your security posture. What matters more is an understanding that your security strategy should have a threat modeling component. Along with zero trust, resilience, and risk forecasting, deploying security controls to prevent known adversary behavior is as important as the other three. It might be more important.
The question then is, how do you do it? It’s one thing to have a model that fits into your organization. It’s quite another to make something operational. You need some combination of people, process, and technology to deploy a new thing or to maintain something already in existence.
For this series of essays, I'm going to focus on the technology side. For all of our first principle strategies, I'm going to explain to the security executive the essential tools that your team will have to master in order to get the job done. Consider this the security tool CliffsNotes for busy security executives so that they can make informed decisions about their security posture. That’s why I'm calling this essay collection, the Rick-the-Toolman series, in honor of one of my favorite comics, Tim Allen, and his long running TV show in the 1990s called Home Improvement. For you youngsters out there, Tim was obsessed with tools and so am I.
But the tools I'm going to talk about in this series here will not only include the software and hardware platforms that we all like to deploy into our security stack. I will also talk about best practices, maturity models, and frameworks. For this essay, I'm going to start with the MITRE ATT&CK® framework. “ATT&CK” stands for Adversarial Tactics, Techniques, and Common Knowledge. I'm going to explain how your infosec team can use it to support your intrusion kill chain strategy. More importantly, I am going to explain the framework in terms that busy security executives can understand.
Mitre or just what is an FFRDC?
For the uninitiated, Mitre is an American quasi-governmental non-profit that manages several U.S. Government Federally Funded Research and Development Centers or FFRDCs. I know that’s a mouthful and don’t worry if it doesn’t make sense to you. Most people have trouble getting their heads around that idea. What’s a quasi-governmental non-profit? I know.
The U.S. government invented the concept after WWII because, after the war, America didn’t have the in-house scientific resources anymore that would take the country into the future. Lawmakers decided that they needed to farm that work out in a way that was beneficial to the government but didn’t compete with industry. The bottom line is that these nonprofits manage research organizations that run under unique and specific rules:
- Not for profit (obviously).
- Can’t have any commercial conflicts of interest.
- Can’t manufacture.
- Can’t sell.
- Can’t work for commercial companies.
- Can’t compete with industry.
- And sponsored by some government entity that needs research like NASA, the DOD, or the Department of Energy.
Essentially, they are unbiased think tanks working for the U.S. government that can act as a bridge to the commercial and academic sectors. The RAND Corporation was the first non-profit chosen to manage an FFRDC back in 1947. As of the summer of 2021, there are 43 FFRDCs, and the three that are probably the most well known are
- The Jet Propulsion Laboratory (JPL) run by the California Institute of Technology.
- The Software Engineering Institute (SEI) run by Carnegie Mellon University.
- And the Lawrence Berkeley National Laboratory (LBNL) run by the University of California.
By the way, the LBNL is where Dr. Clifford Stoll worked in the late 1980s during the events showcased in his Cybersecurity Canon Hall of Fame book, “The Cuckoo’s Egg.”
MITRE runs six centers that study a broad range of topics. The ATT&CK framework came out of The National Cybersecurity Center of Excellence (NCCoE) FFRDC sponsored by the National Institute of Standards and Technology (NIST).
The main takeaway then is that published research from an FFRDC, specifically the Mitre ATT&CK framework in this case, is not coming from a vendor trying to influence the sales for their company. It’s just pure research designed to support the American government’s research goals. Because of that, affected research communities, like cybersecurity, can consider FFRDC research to be unbiased towards any commercial products. And, when commercial products support FFRDC research in some way, the leaders of those products can say that they support national goals and not just their own bottom line. They can also say that they support a government standard.
The Mitre ATT&CK framework.
Some people have told me that the Mitre ATT&CK framework is just another threat model in the same vein as the others mentioned above (Intrusion Kill Chain, Diamond Model, Unified Kill Chain). I understand their point if you say that the framework extends the original Lockheed Martin intrusion kill chain paper and corrects for some of the limitations. It eliminates the kill chain recon phase and clarifies and extends the actions on the objective stage to include techniques for
- Privilege Escalation
- Defense Evasion
- Credential Access
- Lateral Movement
- Command & Control
The framework’s significant innovation though is an extension of the list of information requirements intelligence analysts collect on adversary playbooks. They added tactics, techniques, and procedures. Before the framework, we would all collect indicators of compromise, like IP addresses of known bad guy locations, strange DNS requests, and network traffic on unusual ports, without any relation to known adversary behavior. These are not bad per se, but they are ephemeral: hackers can easily change them at the drop of a hat, and did. By the time infosec teams deployed countermeasures, the bad guys had likely already changed their behavior.
Mitre’s extension to the kill chain model includes the grouping of tactics (the “why”), the techniques used (the “how”), and the specific implementation procedures the adversary group used to deploy the tactic. Now we're getting somewhere. That intelligence is not as ephemeral, is tied to known adversary group behavior, and is conducive to designing impactful countermeasures. Where the Lockheed Martin Kill Chain model is conceptual, the Mitre ATT&CK framework is operational.
All of that is fine and good. But the real power of the Mitre ATT&CK framework is an intelligence product that I call the ATT&CK Framework wiki. It’s a globally-accessible knowledge base of known adversary behavior. It’s derived from real-world observations from both Mitre intelligence analysts and from the cybersecurity intelligence community at large. In other words, it’s the most complete, free, open source standardized database of adversary offensive playbook intelligence.
Although the wiki tracks several crime groups, that’s not the focus. It primarily covers how APT groups (Advanced Persistent Threat groups) traverse their version of the intrusion kill chain via operating systems like Microsoft Windows, Linux, Apple OS X/iOS, and Google Android OS / Chrome OS and on victim data islands like mobile devices, infrastructure as code cloud deployments, and industrial control systems (ICS).
Most importantly, the framework standardizes the taxonomy vocabulary for both offense and defense. Before the framework, each vendor and government organization had their own language. Any intelligence product coming out of those organizations couldn’t be shared with anybody else without a lot of manual conversion-grunt-work to make sense of it all. Talk about the Tower of Babel. We were all looking at the same activity and couldn’t talk about it collectively in any way that made sense. The Mitre ATT&CK framework fixed that by releasing the first version of the framework in 2013 and has made significant improvements to the model almost every two years since.
The bottom line is that the Mitre ATT&CK framework has become the industry’s de facto standard for representing adversary playbook intelligence.
A word about attribution.
In the Mitre wiki as of this writing, you can find intelligence on some 125 adversary group names. There are famous names that you've probably read about in the news like APT1, the Lazarus Group, and The Sandworm Team. There are many more that you haven’t heard about with cool code names like Ferocious Kitten, Nomadic Octopus, and Wizard Spider. The thing about these code names is that they really don’t attribute adversary groups as in, here are a bunch of cyber bad guys that we are calling Nomadic Octopus. We really use group names to identify unique adversary attack patterns across the intrusion kill chain that have been seen repeatedly in the wild.
What I mean by that is when the Mitre ATT&CK wiki publishes intelligence about Ferocious Kitten, it doesn't normally include information about Kevin (day job - Walmart greeter) as the hacker behind the attacks. The wiki just outlines a set of generic attack techniques and specific procedures observed in the wild that intelligence analysts have grouped together as belonging to the same adversary playbook.
Sometimes, intelligence analysts are pretty sure that these pattern names, like APT1, originate from a specific government. In the APT1 case, the security vendor Mandiant actually hacked back to one of the bad guy’s computers, compromised his camera, and watched his team operate in the room in real time. You can view some of the videos on YouTube. After that operation, Mandiant intelligence analysts had high confidence that APT1 is a Chinese military hacking group belonging to the 2nd Bureau of the People’s Liberation Army (PLA) known as Unit 61398. But that kind of attribution is an exception to the norm. For the rest of the groups like Nomadic Octopus, intelligence analysts may have some suspicions that the group hails from Russia, but they rarely have irrefutable proof as concrete as the APT1 evidence.
The point is for the bulk of us, it doesn’t matter which government is behind the attacks. If you know that North Korea is attacking you, who cares? It doesn’t help you at all. What is important is knowing whether or not your team is observing attack patterns consistent with the Lazarus Group in your networks and whether or not they have deployed prevention controls to counter them at each stage of the intrusion kill chain.
What makes this code name situation even more confusing though is that the industry has no standard for naming attack patterns. Every vendor and every government intelligence group has their own system. In some cases, we end up with a smorgasbord of names for the same attack patterns. For example, Mitre lists APT29 as one of the groups it tracks. With a simple Google search, I found 14 additional aliases that other organizations use to track the same activity like Cozy Bear, the Dukes, and Office Monkeys.
Here’s the thing. Don’t get lost in the naming weeds. Besides being fun to say in board rooms, as in “We have intelligence that the threat group, Office Monkeys, has been attacking our competitors and we expect to see them attacking us in the near future,” the name is not important. Your infosec teams should stick with the open-source names from the Mitre ATT&CK framework and move on. Have them keep track of the aliases as you go, just to keep things straight. The important thing they should be doing though is collecting the tactics, techniques, and procedures for each group, devising strategies to search for that behavior in your networks, and developing plans to automatically deploy countermeasures for each.
ATT&CK framework use case: Operationalize the intelligence.
That was a lot of words (just over 2,000 by my count) to explain what the Mitre ATT&CK framework is and why you should use it as a tool. If you've read this far, you’re probably asking yourself, “Geez Rick, thanks for the history lesson but can you just tell me how to use the thing?” I'm glad that you asked.
The first thing to note is that regardless of your size, your infosec team helps to manage a set of technologies that you either specifically deploy to counter bad actor behavior or because of the service the technology provides, you can configure to reduce the attack surface. Examples of the former are intrusion detection systems, firewalls, endpoint protection systems, etc. Examples of the latter are S3 buckets, SaaS services, email systems, etc. Just to simplify things, I refer to all of that technology as the security stack as in, I have a stack of technology that I can use to improve my cyber defenses.
The main ATT&CK Framework use case that security executives should be asking their infosec teams about is how to make the ATT&CK framework intelligence operational. It’s sitting there in a big wiki just waiting to be used. Your teams have to somehow collect it, study it, and devise a plan to improve their defenses for each of the 125 published adversary groups. If they get that far, they have to also devise a way to maintain their plan as the intelligence changes. The only way to do this is through automation.
- Collection: Automatically collect the MITRE ATT&CK intelligence on a routine basis.
- Verify technique countermeasures: Automate the process for verifying your security stack countermeasures against the generic techniques used by all 125 adversary groups. In other words, write code that automatically interrogates every technology in your security stack for the specific controls in place for each adversary group.
- Procedures check: Automate the process for verifying your security stack countermeasures against the specific procedures used by all 125 adversary groups.
- Gap plan: Develop a plan to close the gap between countermeasures in place compared to countermeasures needed for generic techniques and specific procedures. This is your SOC analysts or your intel team getting into a room and devising countermeasure plans for each known adversary group. It could also be your team asking the vendors responsible for the technology in your security stack for their recommendations.
- Update the security stack: Automate the process to deliver new configurations to the security stack based on the gap plan. In other words, once you devise the plan, you want the ability to push the “Nomadic Octopus Update” button and have new controls sent to all of the technology in your security stack with a countermeasure update.
It’s important to note that sometimes you won’t be able to invent a countermeasure for a generic technique or a specific procedure based upon the security stack that you control. That’s OK. In that case, we have three options.
- Live with the risk.
- Devise some other countermeasure somewhere else on the intrusion kill chain or invent some new people/process policy that has the same effect.
- Decide that we have a technology gap and that we need to find some other technology to insert into our security stack to specifically address the gaps.
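As an added example that is not code from the essay or from MITRE: the collection, verification, and gap-plan steps above, scripted against a constructed sample in the shape of MITRE's STIX 2.x ATT&CK bundle (the published enterprise-attack.json parses the same way). The technique IDs and names are real ATT&CK entries, but the group-to-technique pairings, the security-stack inventory, and the accepted-risk list are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of MITRE's STIX 2.x ATT&CK bundle. In
# practice you would load the published enterprise-attack.json instead.
# The group/technique pairings here are illustrative, not quoted from the wiki.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "Wizard Spider"},
    {"type": "attack-pattern", "id": "attack-pattern--t1", "name": "PowerShell",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}]},
    {"type": "attack-pattern", "id": "attack-pattern--t2", "name": "LSASS Memory",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1003.001"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}]},
    {"type": "attack-pattern", "id": "attack-pattern--t3", "name": "SMB/Windows Admin Shares",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1021.002"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "lateral-movement"}]},
    {"type": "attack-pattern", "id": "attack-pattern--t4", "name": "Data Encrypted for Impact",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1486"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "impact"}]},
] + [  # one "uses" relationship per technique; the description is the procedure text
    {"type": "relationship", "relationship_type": "uses", "source_ref": "intrusion-set--g1",
     "target_ref": f"attack-pattern--t{i}", "description": "constructed procedure text"}
    for i in range(1, 5)
]})

# Constructed inventory of what the security stack currently counters, keyed by
# technique ID. In practice this comes from interrogating each tool in the stack.
STACK_COVERAGE = {
    "T1059.001": ["EDR: PowerShell script block logging alert"],
    "T1003.001": ["EDR: LSASS access detection", "LSA protection enabled via GPO"],
}
# Constructed record of the "live with the risk" decisions from the gap plan.
ACCEPTED_RISK = {"T1486"}


def load_group_techniques(bundle_json):
    """Collection step: map group name -> {technique_id: (name, tactic, procedure)}."""
    objs = json.loads(bundle_json)["objects"]
    groups = {o["id"]: o["name"] for o in objs if o["type"] == "intrusion-set"}
    techniques = {}
    for o in objs:
        if o["type"] != "attack-pattern":
            continue
        tid = next(r["external_id"] for r in o["external_references"]
                   if r["source_name"] == "mitre-attack")
        tactic = next(p["phase_name"] for p in o["kill_chain_phases"]
                      if p["kill_chain_name"] == "mitre-attack")
        techniques[o["id"]] = (tid, o["name"], tactic)
    playbooks = defaultdict(dict)
    for o in objs:
        if (o["type"] == "relationship" and o["relationship_type"] == "uses"
                and o["source_ref"] in groups and o["target_ref"] in techniques):
            tid, name, tactic = techniques[o["target_ref"]]
            playbooks[groups[o["source_ref"]]][tid] = (name, tactic, o.get("description", ""))
    return playbooks


def gap_report(playbooks, coverage, accepted, group):
    """Verification step: classify every technique in one group's playbook."""
    report = {}
    for tid, (name, tactic, procedure) in sorted(playbooks[group].items()):
        controls = coverage.get(tid, [])
        status = "covered" if controls else ("accepted-risk" if tid in accepted else "gap")
        report[tid] = {"name": name, "tactic": tactic, "status": status,
                       "controls": controls, "procedure": procedure}
    return report


def coverage_score(report):
    """Fraction of the playbook's techniques with at least one control in place."""
    return sum(r["status"] == "covered" for r in report.values()) / len(report) if report else 0.0


if __name__ == "__main__":
    playbooks = load_group_techniques(SAMPLE_BUNDLE)
    report = gap_report(playbooks, STACK_COVERAGE, ACCEPTED_RISK, "Wizard Spider")
    for tid, r in report.items():
        print(f"{tid:10} {r['tactic']:18} {r['status']:14} {r['name']}")
    print(f"coverage: {coverage_score(report):.0%}")
```

Techniques reported as "gap" are the input to the gap plan; the "update the security stack" step would then push the chosen controls and re-run this report to confirm the status flipped to "covered".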
ATT&CK framework use case: Purple team exercises.
Purple team exercises are when you pit your blue team forces (your day-to-day infosec team) against an opposing force (red team) that tries to break in. This kind of exercise is in the same functionality ballpark as penetration tests. You task a team to break through your deployed defenses in order to find gaps that you didn’t know about. But in my mind, purple team operations are much more valuable than generic penetration tests. Penetration testers will find any way into your system that they can exploit. That’s valuable to some degree, but a red team following the specific tactics, techniques, and procedures of Wizard Spider will verify whether or not your defensive controls designed precisely to counter Wizard Spider actually work. A red team running the Wizard Spider playbook tests your deployed security controls and tests your blue team on their incident response capability. Purple team exercises should be continuous. The red team works through each and every adversary playbook in the Mitre wiki one at a time, conferring with the blue team about what worked and what didn’t. This provides an excellent training ground for your blue team and dedicates resources to countering known adversary behavior.
Like I said before, Mitre designed the ATT&CK framework to specifically track APT actors. I don’t really like the “APT” term because it’s not specific enough. It started out meaning nation state actors who didn’t run smash and grab operations that we associated with cyber crime back in the early 2000s. Nation states really only did Cyber espionage back then. Criminals would get in, steal their money, and get out. APTs took their time. They persisted.
Today though, that distinction doesn’t really exist any more, especially when you talk about ransomware groups. These teams stay on station for long periods of time similar to APT groups. And, some nation state actors use crime to fund their operations. The thing that distinguishes cybercrime and nation state continuous-low-level-cyber-conflict is more about motive and tools these days, not persistence.
Even though the ATT&CK framework doesn’t focus on cybercrime or hacktivism, the wiki does have a smattering of crime groups they call the FIN groups (FIN4, FIN5, FIN6, FIN7, FIN8, and FIN10). FIN stands for financially motivated threat group. That said, by my unofficial count, there are an additional 100 criminal and hacktivist groups that have made their way into the news this past year, and the Mitre ATT&CK framework doesn’t cover those. If you are worried about cyber criminals, you will need to start tracking those groups yourself or maybe hire a commercial threat intelligence service to do it for you. In either case, follow the MITRE ATT&CK framework standard so that, down the line, the intelligence can be easily shared.
As a security executive, you should be asking your infosec teams about incorporating the Mitre ATT&CK framework into their daily operation. If you are a small startup and don’t have a lot of resources, you should absolutely be asking the vendors responsible for your security stack to do this for you. Come to think of it, even if you have a lot of resources for in-house development of the intrusion kill chain strategy, you should be asking your vendors to support this idea.
Take a look at what Palo Alto Networks is doing with their intelligence team, Unit 42, and their publication of Atoms. This is a security vendor who creates countermeasures for specific adversary groups for their entire product line. At the time of this writing, they have recommended controls for some 50 adversary playbooks.
Mitre has an additional program called Mitre ATT&CK evaluations where they invite vendors to come into their labs and demonstrate how their products defend against known adversary playbook behavior. So far they have finished evaluations for FIN7 and an ICS (Industrial Control System) campaign called Triton. They have plans for Wizard Spider and Sandworm next year. They are also inviting managed security service providers (MSSPs) to demonstrate how they protect against the entire suite of adversary playbooks in 2022. That should be interesting.
As a community, we should also be asking Mitre to expand the scope of the framework to include adversary playbooks other than nation state. Since Mitre is an FFRDC, this is a national security matter when it comes to ransomware since those groups have no issues going after critical infrastructure like medical facilities, oil pipelines, and government institutions.
We should also be asking Mitre to go faster on their evaluations program. I tip my hat to their leading the way on this idea, but at this rate, we won’t get through the suite of known adversary groups for 50 years. I don’t think that’s going to work.
Finally, as a security executive, ask your infosec teams to become proficient in tracking unknown adversary playbooks within your own infrastructure. Follow the Mitre model or pick your own. But this is an essential skill if you have any hope of deploying the intrusion kill chain strategy within your own environment.
The Mitre ATT&CK framework is an essential tool in the security executive’s toolbox. Turning the knobs and dials of the tool is something that you should be asking your infosec team to become proficient at. The good news is that you don’t have to start from scratch in deploying your intrusion kill chain strategy. Mitre has done the bulk of the hard work standing up the framework and, because of their FFRDC status, the community recognizes it as an international standard.
The bad news is that none of this is fire and forget. You can’t just flip a switch and all of this becomes operational. In order to reduce the probability of material impact from all known adversary groups, you have to do some work on your end. That will be internal development of these ideas and external pressure that you apply to your security vendors to help you with this strategy.
“2020 Global Threat Report,” CrowdStrike, 2020.
“‘All Models Are Wrong, but Some Are Useful’. George E. P. Box – AdMoRe ITN,” by Guillem Barroso, Upc.edu, May 3, 2018.
“APT1: Exposing One of China’s Cyber Espionage Units,” Mandiant, YouTube video, February 19, 2021.
“APT1: Exposing One of China’s Cyber Espionage Units,” Mandiant.com, 2013.
“APT Groups and Operations - Google Drive,” by Florian Roth, Medium, March 25, 2018.
“Atoms,” Unit 42, Palo Alto Networks, 2021.
“ATT&CK Evaluations,” MITRE Engenuity, October 25, 2021.
“CliffsNotes Study Guides | Book Summaries, Test Preparation & Homework Help | Written by Teachers,” Cliffsnotes.com, 2015.
“CyberArk Solutions and the MITRE ATT&CK Framework,” CyberArk.
“CyCraft Classroom: MITRE ATT&CK vs. Cyber Kill Chain vs. Diamond Model,” CyCraft, Medium, July 2020.
“FFRDC Whiteboard Explainer Video,” Mitre, YouTube video, October 19, 2015.
“Implementing Intrusion Kill Chain Strategies by Creating Defensive Campaign Adversary Playbooks,” by Rick Howard, Ryan Olson, and Deirdre Beard (editor), The Cyber Defense Review, Army Cyber Institute, Volume 4, Number 2, Fall 2020.
“Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” by Eric Hutchins, Michael Cloppert, and Rohan Amin, Lockheed Martin Corporation, 2010, last visited April 30, 2020.
“MITRE ATT&CK: Design and Philosophy,” by Blake Strom, Andy Applebaum, Doug Miller, Kathryn Nickels, Adam Pennington, and Cody Thomas, Mitre, March 2020.
“MITRE ATT&CK® Framework,” Mitre, YouTube video, January 25, 2021.
“MITRE ATT&CK®,” Mitre.org, 2021.
“The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage,” by Clifford Stoll, Gallery Books, 1989.
“The Diamond Model of Intrusion Analysis,” by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz, 2013.
“The Unified Kill Chain,” by Paul Pols, Unifiedkillchain.com, 2021.
“The Quasi Government,” Alaska.edu, 2021.
“Tim Allen: ‘Rewires America’ & ‘All Men Are Pigs’,” seetherfan1328, YouTube video, December 29, 2011.