Attack and defense techniques
Cybersecurity Know-How
IT security affects many different areas of a company. Trying to identify possible attack vectors for each area in advance and protect the IT infrastructure with effective countermeasures can be a Sisyphean task, especially for companies without a Security Operation Center (SOC). When it comes to implementing security measures, knowledge and experience are important.
MITRE, a nonprofit organization that operates various research facilities on behalf of the U.S. government, provides comprehensive information on IT security. MITRE developed the CVE system, for identifying and assigning unique identifiers to vulnerabilities, and also developed STIX and CyBox, which are used to exchange threat information and attack indicators.
The MITRE ATT&CK and D3FEND knowledge databases offer techniques that let you retrace an attacker's steps, as well as prevent attacks in the first place. Here's how to use these techniques to secure your enterprise IT.
ATT&CK
Released to the public in 2015, MITRE's ATT&CK framework provides a knowledge database of attack techniques and methods enriched with details about hacker groups and their individual procedures. For an initial overview of the knowledge base, visit the ATT&CK website [1] and Matrices in the top menubar. In the sidebar on the left, the ATT&CK dataset is broken down by Enterprise (enterprise IT), Mobile (smartphones), and ICS (industrial control systems). Both Enterprise and Mobile are directly integrated into the interface, while ICS currently still links to a wiki with more information.
The matrices, sorted chronologically, are based on Lockheed Martin's Cyber Kill Chain [2]. For the Enterprise Matrix, you'll find preparatory techniques in the Reconnaissance phase on the left. On the far right, you'll find an attacker's potential activities after successfully hijacking a system under the Exfiltration and Impact phases.
In order to take a closer look at individual techniques, I will focus on the Phishing for Information [3] technique listed under the Reconnaissance phase. If you click on Phishing for Information , you will be taken to a detailed page with further information. There, you will learn how attackers send phishing messages to potential victims in order to obtain more information from companies, such as login data for computer systems. Keep in mind that this technique differs from the Phishing technique listed under the Initial Access phase, where the objective is to send executable code (malware) as part of a phishing campaign.
In the Procedure Examples section, you'll find examples of groups that have used such techniques in the past, often with brief comments. The Mitigations section lists two potential countermeasures: Software Configuration and User Training. The Software Configuration countermeasure references SPF, DKIM, and DMARC (see also [4] and the "Trustworthy" article in this issue) in order to limit the success of legacy email phishing. The User Training countermeasure relies on training employees to detect and thwart phishing attempts. The Detection section primarily describes automated options for detecting the technology, which you can use for protection and also for creating situation reports. The Reference section contains sources and further information, including scientific papers, reports, and articles for further research.
D3FEND
Analogous to the attack techniques specified in the ATT&CK framework, the MITRE D3FEND [5] knowledge base provides you with information from the defender's point of view. The D3FEND matrix has five different techniques for securing your computer systems. On the left side of the matrix, Harden lists four technique categories for securing systems and resources before using them. You'll find methods for compiling software, securing passwords, and encrypting messages, as well as how to use TPM-based boot protection or hard disk encryption.
The Detect category offers techniques that can be used to detect malicious activities or to evaluate general activities on your network. Staying with the phishing example, clicking on Sender MTA Reputation Analysis (located under the Message Analysis subcategory) takes you to a page with techniques for evaluating message transfer agents (MTAs). For instance, you can determine a trust rating for the sender MTA based on past behavior, such as receiving prior emails from an MTA, the domains used as sender domains, or the number of reply emails from an MTA.
Each technique entry in the D3FEND database contains direct links to the relevant ATT&CK techniques, as well information about implementations or patents that cover corresponding techniques. In this way, you can jump back and forth from one MITRE database to another to quickly determine whether you thought of everything during hardening. The D3FEND knowledge base is a logical complement to the ATT&CK database.
Systematic Use
For a deeper insights, or to collect and process information in a targeted way, ATT&CK offers additional connections. For example, if you already use a tool for analyzing STIX data, you can import STIX datasets prepared by MITRE directly from the repository [6]. The ATT&CK navigator can be used to mark relevant entries during research and to display correlations, thus letting you plan and trace your progress in securing the infrastructure. This helps you delegate individual tasks within your team and include quick overviews of the status quo in your reports.
Buy this article as PDF
(incl. VAT)