Current state of MITRE ATT&CK: the essential tool to support the Intrusion Kill Chain Prevention Strategy.
N2K, Jul 15, 2024

CSO Perspectives is a weekly column and podcast where Rick Howard discusses the ideas, strategies and technologies that senior cybersecurity executives wrestle with on a daily basis.


The MITRE ATT&CK wiki is the only open source collection dedicated to cataloging known nation state (and some crime) hacker tactics, techniques, and procedures (TTPs) across the intrusion kill chain. I’ve been a fan of it for a decade now. My old intelligence director, Ryan Olson, introduced me to it when we founded the Palo Alto Networks public-facing intelligence team (Unit 42). It took a while for Ryan to get it through my thick head the immense potential value of the MITRE intelligence collection to anybody pursuing the Intrusion Kill Chain Prevention Strategy, but once I got it, it was like inserting the last piece into a very large puzzle. It was a eureka moment for me. I realized that there really is nothing else like it in the world.

The Intrusion Kill Chain Prevention Strategy recognizes that hacker groups (like The Shadow Brokers, Fancy Bear, the Lazarus Group, etc.) must successfully execute a chain of offensive actions against their victims in order to accomplish their goal; not one thing, a set of things. Sometimes the infosec profession refers to the set of things as offensive attack campaigns.

The strategy makes a couple of assumptions. First, the hacker group reuses these campaigns against multiple victims. They don’t build it, use it once, throw it away, and then build another one. That would be wasteful. Which brings us to the second assumption. Designing, building, and deploying attack campaigns is expensive in terms of the people-process-technology triad. Hacker groups are reluctant to abandon a good one. Which is good news for the good guys. 

Analysts studying attack campaigns can loosely categorize subsets of the campaign into stages of malicious activity (like delivery, installation, exploitation, command and control, lateral movement, etc.). With that categorization, analysts can then design and deploy prevention and detection controls for one or more of the TTPs in each attack stage.

When the Fancy Bear hackers run into one of our blocks, they don’t throw the entire campaign out (see assumption 1). They pivot. They try to find a way around that one block. Even if they are successful though (they develop some new thing in the exploitation stage, let’s say; something that the good guys have never seen before; some new code that we don’t have a prevention control for yet), it doesn’t guarantee Fancy Bear’s success because the good guys have deployed other prevention controls in other stages in the attack sequence. Those controls will defeat the adversary. The more controls you put in place at each stage, the lower the probability of a material cyber event to your organization from that hacker campaign. If the key defensive strategy for your infosec program is the Intrusion Kill Chain Prevention Strategy (see my first principles book for a deeper explanation), you have to be using the MITRE ATT&CK Framework wiki or something very similar that you either built yourself or paid for.

Over the years, I became one of its biggest unofficial evangelists as I was out and about speaking at conferences and talking to security professionals of all stripes. When I met with the MITRE people about it, I kept quietly suggesting that they should give me a commission for my support (I'm still waiting to hear back - MITRE, if you’re listening, send checks to the Rick Howard Bermuda Islands Retirement Fund).

But that doesn’t mean that I haven’t been frustrated with it too. Although it has had a large impact on the infosec professional community already and the MITRE people behind it have made huge improvements to it in a very short amount of time, the idea of it has so much more unrealized potential. So, I thought it was time to put a stake in the ground and assess what the current state of the MITRE ATT&CK framework is today.

Kill chain history.

It all began with the Lockheed Martin paper published in 2010. It caused a shift in the collective cyber professional’s thinking away from defending against generic offensive tools (like viruses, malware, and exploit code) with no relation to what the adversary was trying to accomplish towards specifically defeating the adversary’s overall goal. 

Before the paper, most of us were using a Defense in Depth strategy designed to block the hacker's generic offensive malicious software. By generic, I mean that we didn’t associate the weapon with any adversary plan. We were just looking to detect and prevent bad things on the network.

To counter the deployment, network defenders would stack one or more blocking tools between the boundary of our digital environments and our crown jewels (like firewalls, intrusion prevention systems, and anti-virus software). The idea was that if the first tool failed to prevent the deployment of the offensive weapon, then the second prevention tool in the stack would catch it. If that one failed, then the third one would be successful. That’s what Defense in Depth means; multiple ways to prevent bad things from happening. The number of defensive tools you had in the security stack depended on your internal budget. 

The Kill Chain paper’s great insight was that all cyber adversaries, regardless of their motivation, have to complete a set of tasks in order to accomplish their ultimate goal. And their goal (whatever it is) doesn’t really matter in terms of devising a defensive strategy. Whether it’s crime, espionage, hacktivism, low-level-cyber-conflict, or just mischief making for the fun of it, every hacking crew has to follow this general model. Instead of cybersecurity professionals trying (and mostly failing) to block all of the generic hacking weapons in existence with the Defense in Depth strategy, we would instead design prevention controls for known adversary campaigns and install them at every stage of the attack chain.

The brilliance of this model is that the hacker team has to be 100% successful in avoiding all of those prevention controls in order to accomplish their goal. They can’t make one mistake. The defenders, on the other hand, only have to be successful once somewhere along the attack chain. If we are, we can break the attack sequence. We can kill the attack. That’s why the paper’s title says that it’s “Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains.” By doing a post mortem on victim zero and other subsequent victims, cyber intelligence analysts can construct the attack sequence in the aftermath and potentially identify multiple locations along the chain where we can kill the attack. That doesn’t help victim zero but it helps every other potential victim that Fancy Bear has in its sights.

That’s a magnificent and radical insight. It seems obvious to us now that we’re 10 years past the initial paper publication, but back then, it was revolutionary.

Just a year later, in 2011, the Department of Defense published its paper on the Diamond Model. It provides a structure for how cyber intelligence teams can analyze attack sequences and a standard language for intelligence analysts to discuss the same campaigns. In the early days of the idea, we were all doing our own thing. It was exceedingly difficult to communicate what I knew about a Lazarus Group campaign with somebody else because we were all speaking different languages. The result was that the Diamond Model became a supporting guidebook for organizations pursuing the kill chain strategy.

And then in 2013, MITRE released the first version of the ATT&CK framework. The team recognized the overall value of the kill chain strategic direction, but they wanted to convey the actions that individual adversaries take, “how one action relates to another, how sequences of actions relate to tactical adversary objectives, and how the actions correlate with data sources, defenses, configurations, and other countermeasures used for the security of a platform and domain.”

Over time, I started calling these three research efforts the Intrusion Kill Chain Trifecta.

The intrusion kill chain trifecta.

When we first started doing this podcast back in 2020, the Intrusion Kill Chain Prevention Strategy was one of the first topics we covered. In 2022, we covered it again. And of course, when we published the first principles book back in 2023, I dedicated chapter 4 to the idea.

In the book and the podcasts, I made the case for why these three research efforts should be considered collectively and not separately. They are three significant elements coming together. “One is a strategy document (Lockheed Martin), one is an operational construct for defensive action (MITRE), and one is a methodology for cyber threat intelligence teams (Diamond). You don’t choose one model over the other. All of these models work in conjunction with each other.”

To be clear though, there wasn’t a lot of collaboration between the research groups. The Lockheed Martin people weren’t saying, “Hey, we're doing the strategic piece. DOD, you work on the intelligence piece, and MITRE, you build an intelligence wiki.” No, different parts of the infosec profession were all thinking along the same lines, working independently, and coming to different conclusions.  

The situation was similar to the old Buddhist parable where six blind men examined the same elephant. Each man was convinced that what he experienced was the correct interpretation when really, it was only a piece of the whole. 

Frank Duff is the Chief Innovation Officer at a startup called Tidal Cyber. Their mission is to make it practical and affordable for all enterprises to adopt MITRE ATT&CK. (Full Disclosure: I advise Tidal Cyber so take whatever I say here with a grain of salt). Before Tidal Cyber though, Frank spent 20 years working for MITRE and the last ten years supporting the ATT&CK project. He told me that he thought that the Trifecta idea was really serendipitous, and not coincidental; that really it was a collection of some really smart people working in the same space and coming up with things that were complementary to each other.  

Amy Robertson has been working at MITRE for the past six years as a cyber threat intelligence engineer; the last four years as the ATT&CK Engagement lead. She concurs with Frank. She views the Trifecta models as complementary. She says you take the output of the ATT&CK wiki as input to the Diamond Model, and the output of the Diamond Model supports the Kill Chain strategy.

Where do you get kill chain intelligence?

The question then is, where do most of us get the threat intelligence that will inform us about known attack sequences? Well, you can develop it yourself by using the Diamond Model and reading thousands of security vendor intelligence blogs about this adversary campaign or that one; like the latest ESET report on the Chinese Hacker group, Mustang Panda, running attack campaigns against the shipping industry in Europe; or the Microsoft report on the North Korean hacker group, Moonstone Sleet, running attack campaigns against software development firms for the purpose of cyber crime and cyber espionage.

But doing it yourself is hard, expensive, and likely not part of the core business model for whatever organization you work for. Unless you have the resources of a Fortune 500 company, the NSA, or the FBI, establishing an Intrusion Kill Chain strategy for your organization will likely not make it past your next budget planning round.

Or you can buy the information from commercial cyber intelligence firms, but this just makes the process slightly less hard. And there’s likely a lot of backend work from your internal team to turn the inbound commercial intelligence into something actionable. More importantly, it’s still expensive. 

Or you could join an information-sharing group like an ISAC or an ISAO (Information Sharing and Analysis Centers or Organizations). That would be less expensive but still very hard because you will likely have similar intelligence transformation tasks that you had with the commercial intelligence firm. 

This is where MITRE ATT&CK comes in. The MITRE ATT&CK wiki, as I like to call it, is the largest collection of open-source cyber intelligence designed specifically to collect data on known adversary attack campaigns across the Kill Chain. At least that’s how I see it. I'm not sure that the rest of the cybersecurity profession sees it that way, so I'm probably wrong. Even MITRE doesn’t like to link ATT&CK too closely to the Kill Chain Strategy. Amy says that ATT&CK is really for anticipating the adversary’s pivot when network defenders block one of their TTPs. The way I see it though is that ATT&CK lists all of Fancy Bear’s known TTPs. It doesn’t anticipate the new thing that Fancy Bear invents, but it does know every TTP that Fancy Bear has used in the past. When Fancy Bear pivots to a new thing, the results aren’t devastating. We have prevention controls for all the other steps in the attack sequence.

The starting gun: Mandiant’s APT 1 paper.

We forget that around this timeframe (2010 - 2013), most of the network defenders in the commercial world were unaware of the Intrusion Kill Chain Strategy. The Trifecta is the result of three different U.S. governmental organizations: two contractors (Lockheed Martin and MITRE) and the U.S. Department of Defense. And although the respective research work was public, it wasn’t like the commercial world was racing to embrace it. 

That started to change in February of 2013. The commercial cyber intelligence company, Mandiant, released the now famous 74-page APT 1 report that told the story of how the Chinese military had been conducting cyber espionage operations against almost 150 different commercial and government organizations around the world. Chinese cyber espionage had begun in the early 2000s and the US military’s secret code name for it was TITAN RAIN. But prior to the APT1 report, nobody in the commercial world, except for Google in 2010, talked about successful Chinese cyber breaches against their organization for fear that public knowledge would impact their bottom line. The Mandiant APT 1 report catapulted commercial cyber intelligence from an obscure practice performed by elite organizations to a legitimate commercial business and a best practice for all infosec programs. According to Nick Selby writing for Darkreading back in 2014, “One of the most positive impacts of the APT1 report is the undeniable rise in the stature of the threat intelligence industry.” Frank says that the APT1 paper was “one of those cornerstones, really turning points, in the industry.” 

ATT&CK misconceptions and frustrations.

Even though ATT&CK has had a huge impact on the cybersecurity profession, most people that I talk to don’t really understand what it is. There are many misconceptions about how it operates and the intelligence that it collects and frustrations felt in the community about its direction and progress.

First, as far as I know, MITRE hasn’t deployed thousands of sensors themselves across the world’s networks. What they do have is a loose collection of Defense Industrial Base companies (DIB companies; think U.S. Government contractors) who regularly share threat intelligence with the MITRE intelligence team. In that way, the MITRE ATT&CK wiki is an intelligence product of an ISAO (Information Sharing and Analysis Organization), although MITRE doesn’t refer to itself like that. This might be the reason that ATT&CK doesn’t track that many cyber crime groups and mostly focuses on nation states. The DIB companies' most pressing concerns deal with nation state threats after all, although I don’t see why a ransomware group wouldn’t target a Raytheon or a Leidos; both relatively well-known beltway bandit companies.

Note: “Beltway bandit” is an old pejorative phrase from the late 1970s for companies that do a significant amount of contract work for the U.S. government. Of course, I use it here with only love and affection because I used to sell to these guys in the past and I even worked for one.

By the way, the MITRE Intelligence Team is relatively small. That’s why updates to the wiki and to the configuration of the site are not in real time. They update the wiki three or four times a year which for me is a big frustration. I would like that to be updated continuously, not every once in a while. I get why, but I don’t have to like it.

Amy says that the biggest misconception that she runs into is that the ATT&CK wiki is comprehensive; that it tracks all known adversary activity. She says that is just not the case. How could it be? She says that the wiki is only as good as the intelligence coming in from its sharing partners and reminds everybody that if your favorite hacker group and attack campaigns aren't listed in the wiki, you should report the intelligence you have to the MITRE team.

I think the biggest misconception that I see is that the security profession still uses hacker names, like The Shadow Brokers, when what we really are talking about is the attack campaign the members of The Shadow Brokers team are running against their victims. That may seem like a subtle and useless point but it has significance over time. 

First, The Shadow Brokers may run different campaigns against different victims that aren’t related to each other. I know I said at the beginning of this essay that one of the key insights to the kill chain paper was that hacker groups don’t throw out attack campaigns willy-nilly. They might change a component of the attack sequence, but not the entire thing. That’s still true. But any hacker group that has had success for a period of time will likely have developed more than one campaign. Using the hacker group’s name to refer to one campaign they ran in 2012 and to a completely different campaign they ran in 2020 just causes confusion. 

My frustration with ATT&CK is that they are just now getting on the campaign bandwagon a decade after it began. According to their website, a campaign describes “any grouping of intrusion activity conducted over a specific period of time with common targets and objectives.” As of this writing though, ATT&CK is only tracking just under 30 campaigns. Since it also tracks about 150 hacker groups, that number seems relatively low. 

I'm also not sure that their definition captures the requirement. In my mind, it’s way more than that. An attack campaign is the collection of all TTPs a hacker group uses across the intrusion kill chain. It should also roughly include the sequence: Fancy Bear used TTP X for delivery, deployed TTPs Y and Z for lateral movement, etc.
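The two ideas above, a campaign as an ordered set of TTPs across the kill chain stages and the defender only needing one control to fire somewhere along that chain, can be made concrete with a small model. This is an added example, not code from the column or from MITRE; the technique IDs are real ATT&CK IDs, but the campaign mapping and the per-control block probabilities are constructed assumptions.

```python
"""Kill chain arithmetic: the adversary must pass every stage, the defender
only has to win once. Campaign and control values are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Step:
    stage: str       # kill chain stage / ATT&CK tactic (assumed labels)
    technique: str   # ATT&CK technique ID used at that stage


@dataclass
class Campaign:
    name: str
    steps: list[Step]   # ordered, as the column says a campaign should be


# technique ID -> block probability of each independent control covering it
# (assumed values; a real program would derive these from testing)
Controls = dict[str, list[float]]


def step_pass_probability(step: Step, controls: Controls) -> float:
    """P(adversary gets through this stage) = every control misses."""
    return prod(1.0 - p for p in controls.get(step.technique, []))


def campaign_success_probability(campaign: Campaign, controls: Controls) -> float:
    """P(whole chain completes) is the product over stages: one block anywhere kills it."""
    return prod(step_pass_probability(s, controls) for s in campaign.steps)


def uncovered_stages(campaign: Campaign, controls: Controls) -> list[str]:
    """Stages where no control covers the technique the campaign uses."""
    return [s.stage for s in campaign.steps if not controls.get(s.technique)]


def pivot(campaign: Campaign, stage: str, new_technique: str) -> Campaign:
    """Model the adversary swapping in something new at one blocked stage."""
    return Campaign(campaign.name, [
        Step(s.stage, new_technique) if s.stage == stage else s
        for s in campaign.steps])


# Constructed campaign: phishing -> scripting -> remote services -> C2 -> exfil
SAMPLE_CAMPAIGN = Campaign("constructed-campaign", [
    Step("delivery", "T1566"),
    Step("exploitation", "T1059"),
    Step("lateral-movement", "T1021"),
    Step("command-and-control", "T1071"),
    Step("exfiltration", "T1041"),
])
SAMPLE_CONTROLS: Controls = {
    "T1566": [0.9],        # mail gateway
    "T1059": [0.5, 0.5],   # script control plus EDR, independent
    "T1021": [0.8],        # lateral movement restrictions
    "T1071": [0.7],        # egress filtering
}

if __name__ == "__main__":
    base = campaign_success_probability(SAMPLE_CAMPAIGN, SAMPLE_CONTROLS)
    pivoted = pivot(SAMPLE_CAMPAIGN, "exploitation", "T-NEW-PLACEHOLDER")
    after = campaign_success_probability(pivoted, SAMPLE_CONTROLS)
    print(f"chain completes: {base:.4f}; after pivot at exploitation: {after:.4f}")
    print("uncovered stages:", uncovered_stages(SAMPLE_CAMPAIGN, SAMPLE_CONTROLS))
```

Pivoting past the exploitation stage raises the adversary's odds, but the other stages still hold the chain to a fraction of a percent, which is the column's point about why a pivot is not devastating.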

And I know this kind of intelligence work is hard and the MITRE intelligence team is so small, but it is frustrating. Still, it isn’t like anybody else is doing that much better. Frank’s company, Tidal Cyber, a company that’s trying to operationalize MITRE ATT&CK, is only tracking 75 campaigns.

It feels to me that the infosec profession hasn’t fully embraced the campaign idea; in my mind, the true power behind the intrusion kill chain strategy. Today, ATT&CK is tracking some 650 TTPs that known hacker groups have used. That’s useful, but that collection is also eerily similar to what we were doing back in the Defense-in-Depth days: blocking malicious technical things on the network without really understanding what the adversary was trying to accomplish, without the specific goal of trying to defeat the adversary.

Rick Doten is a VP of Information Security at Centene (a Fortune 25 company) and a regular visitor to the CyberWire Hash Table. He was also involved in evangelizing the Lockheed Martin kill chain paper back in the day. He says that his frustration is that ATT&CK provides no context. “It’s all technical. It only provides a measurement of protections and detections of tooling, not about processes to identify, respond, and learn about the perspective or abilities of adversaries.”

From where I sit, ATT&CK helps the infosec profession be better than when we were back in the Defense in Depth days, but it hasn’t quite reached its full potential yet.

ATT&CK takeaways in 2024.

Here we are in 2024, just past the 10 year anniversary of the MITRE ATT&CK framework. Amy says that in the future, “ATT&CK will continue to evolve with the threat landscape, evolve with the adversaries and technology and continue to provide actionable intelligence and resources to inform defensive strategies.” She says, “that has always been the goal and will continue to be the goal as we continue to evolve.”

Frank says that as he looks back on ATT&CK and the journey he had contributing to the project, the way it has evolved has been just incredible. “From the first publicly released version [where we had] maybe around 75 techniques. And now it's up to 623 techniques and sub techniques. And frankly, they're not done yet. There's a lot of variation in those techniques that needs to continue to be expanded out, but now the whole industry is communicating on the standard.”

For me, despite my frustrations and the common industry misconceptions about it, I think I'm still its biggest fan. I would like it to be bigger (all campaigns, not just nation state), faster (continuously updated not every once in a while), and I would like it to fully embrace the campaign concept. But those are all things that can be fixed. And I will be here on the sidelines as its biggest cheerleader.

References:

Amy L. Robertson, 2024. ATT&CK 2024 Roadmap [Essay]. Medium.

Blake E. Strom, Andy Applebaum, Doug P. Miller, Kathryn C. Nickels, Adam G. Pennington, Cody B. Thomas, 2018. MITRE ATT&CK: Design and Philosophy [Historical Paper]. MITRE.

Eric Hutchins, Michael Cloppert, Rohan Amin, 2010. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains [Historical Paper]. Lockheed Martin Corporation.

Nick Selby, 2014. One Year Later: The APT1 Report [Essay]. Dark Reading.

Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Book]. Goodreads.

Rick Howard, 2020. Intrusion kill chains: a first principle of cybersecurity [Podcast]. The CyberWire.

Rick Howard, 2022. Kill chain trifecta: Lockheed Martin, ATT&CK, and Diamond [Podcast]. The CyberWire.

Rick Howard, 2020. cyber threat intelligence (CTI) (noun) [Podcast]. Word Notes: The CyberWire.

Kevin Mandia, 2014. State of the Hack: One Year after the APT1 Report [RSA Conference Presentation]. YouTube.

Sahil Bloom, 2023. The Blind Men & the Elephant [Website]. The Curiosity Chronicle.

Sergio Caltagirone, Andrew Pendergast, Christopher Betz, 2011. The Diamond Model of Intrusion Analysis [Historical Paper]. Center for Cyber Threat Intelligence and Threat Research.

Staff, n.d. Home Page [Website]. Tidal Cyber.