Cybersecurity, and the act of defending ourselves against attack, has quite literally become a war. We are confronted with a rapidly evolving threat landscape and increasingly determined threat actors who are out to steal our money and our secrets or even just to create chaos. This puts every organization, regardless of size, in a position where it cannot afford to ignore the need to manage cyber risk.
Before we attempt to start to manage risk, we first need to understand the need for knowledge, both of ourselves and our adversaries.
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” – Sun Tzu – The Art of War
This famous passage by Sun Tzu underscores two needs. First, a need for knowledge of ourselves: our goals, our strengths, our weaknesses and the assets we need to protect. Second, a need for knowledge of our adversaries. While we have ready visibility of ourselves, our adversaries may be far less visible, so we need to find ways to understand an often invisible enemy.
Sun Tzu also wrote: “To know your enemy, you must become your enemy.” This means that you need to think like your enemy. If you can do that, you may have a chance; if you fail to do that, you will be doomed. Translated into the cyber world, this means that we need to understand what threat actors are trying to achieve (what they want from us or to do to us). In other words, we need to understand their tactics. Once we understand what they want to do, we need to understand how they will try to achieve it – their techniques and procedures.
Understanding cyber adversaries isn’t a need that exists only for large enterprises. Organizations of all sizes are becoming increasingly digital. It is now impossible to run a business or provide government services without technology. As a result, the need to understand cyber threats has become universal. Smaller organizations unfortunately lack the resources to do this themselves – they can’t afford highly specialized cyber security teams. That doesn’t lessen their need to defend themselves, or to understand who is trying to attack them and why.
In the cyber world, much as in other domains, the way we organize knowledge is through building frameworks and bodies of common knowledge. These need to be broadly accessible and be understood by everyone, not just specialists. To help broaden this understanding, especially amongst small businesses who often lack specialist security teams, we will be running a series in which we investigate how cyber attackers think and operate. To do this, we will be using the Mitre Att&ck® framework, which is one of the most widely used bodies of knowledge in this space.
Introducing Mitre Att&ck®
Frameworks help us to better understand the way in which adversaries operate. This is a well-established practice in military strategy, where the concept of the “kill chain” was developed to identify the structure of an attack. This concept was taken into the cyber domain with the Lockheed Martin Cyber Kill Chain®, which was probably the first framework to capture the Tactics, Techniques and Procedures (TTPs) of Advanced Persistent Threats, known as APTs.
Since the Cyber Kill Chain® was launched, both the needs of defenders and the wiles of attackers have evolved. This has resulted in the development of newer frameworks, in particular Mitre Att&ck®.
Mitre Att&ck® is best described by its full name: “Adversarial Tactics, Techniques, and Common Knowledge”. It is a globally accessible and open knowledge base of the tradecraft of cyber threat actors, based on real-world observations. The Att&ck® knowledge base forms the basis of specific threat models and methodologies both in the private sector and in government and is used in the development of cyber security products and services. Att&ck® provides us with the tools we need to understand how cyber attackers operate, breaking down their tactics, techniques and procedures into distinct groupings.
For this series, we don’t need an in-depth understanding of Mitre Att&ck®. There are however two key concepts we need to understand, namely:
- Tactics: These can essentially be seen as the “why” or motivator of a stage of an attack. Tactics describe the goals of an attacker in each stage of an attack.
- Techniques: These are the “how”. They describe the methods an attacker might use to achieve those goals.
One of the key differentiators of Mitre Att&ck® is that it does not assume that attacks are linear. This is especially true of APTs, which may move repeatedly between different tactics over a longer period.
While Att&ck® provides a lot of detail, we only need to immerse ourselves in it to the level necessary to perform our own functions. This is why even a high-level understanding can be incredibly valuable in building a strategy to defend your organization.
How We Can Use Mitre Att&ck®
While Att&ck® is traditionally used extensively by SecOps teams, it can also play a key role in planning your defensive strategy. Firstly, it helps you to better understand the things an attacker may try to do. This gives you the knowledge needed to identify the controls you need in place so that you can defend yourself against attack. In this way, Att&ck® helps you to manage cyber risk better.
Aside from helping to build a defensive strategy, a high-level understanding of Att&ck® will also help in understanding what your security tools are doing, and what they are telling you. This is a valuable skill set for all IT staff to have. We increasingly see that many security tools use the language of Mitre Att&ck® – this is especially true in the threat detection space. By doing this we are building a common language. When detection tools can clearly communicate the tactics that are being observed it becomes easier to understand how far an attack has progressed and which steps should be taken to contain it.
A Brief Breakdown of Tactics
Mitre Att&ck® identifies 14 different tactics, which represent the why, or the reason for performing an action:
- Reconnaissance: How attackers gather information before launching an attack (e.g. finding out which systems or people to target).
- Resource Development: How attackers prepare resources they need to carry out an attack (e.g. creating fake websites, writing malware or buying hacking tools).
- Initial Access: How attackers first get into a system (e.g. tricking someone into opening a bad link).
- Execution: How attackers run their malicious programs on the system (e.g. starting a harmful program).
- Persistence: How attackers make sure they can stay in the system (e.g. creating hidden accounts, hiding their tools and making sure they run again after a reboot).
- Privilege Escalation: How attackers get higher-level access to the system (e.g. becoming an admin).
- Defense Evasion: How attackers avoid being detected (e.g. turning off security software or disabling logging).
- Credential Access: How attackers steal usernames and passwords (e.g. logging keystrokes, brute force).
- Discovery: How attackers learn about the system and its network (e.g. listing all connected devices).
- Lateral Movement: How attackers move through the network to other targets (i.e. accessing other computers).
- Collection: How attackers gather information that they want from the system (e.g. copying files or emails).
- Exfiltration: How attackers send stolen information out of the network (e.g. uploading files to a server).
- Command and Control: How attackers control their tools remotely (e.g. sending commands from a remote server).
- Impact: How attackers disrupt or destroy the system (e.g. deleting files or causing crashes).
In future installments of this series, we will take you on a journey through some of the more important tactics. We will look at what attackers attempt to achieve and some potential defenses against these tactics.
How XDR Uses Mitre Att&ck®
When we detect the activities of attackers, we need to describe what we are observing in a concise and consistent manner. Using the language of Mitre Att&ck® to describe what we are seeing gives us a succinct way of communicating that can be broadly understood. For this reason, Samurai XDR, along with many other products, uses the language of Mitre Att&ck® to describe its detections. By mapping detections against Att&ck® it becomes very easy to understand what a detection represents, what the attacker is trying to achieve and how urgently we need to act.
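As an added illustration (not code from this article or from Samurai XDR), the following Python sketch shows what mapping detections to Att&ck® tactics buys an analyst, as described in this section and in the earlier point about judging how far an attack has progressed: each detection is labelled with a tactic, the sequence shows the attack's non-linear movement between tactics, and the furthest tactic reached drives a triage urgency. The technique IDs are real Att&ck® IDs; the detection events, hostnames, urgency tiers and the rule for attributing a multi-tactic technique are constructed assumptions.

```python
"""Map constructed XDR-style detections to Att&ck tactics and estimate attack progress."""

# The 14 tactics in the order the article lists them, used here as an assumed progression.
TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Exfiltration",
    "Command and Control", "Impact",
]

# Real Att&ck technique IDs -> tactics they can serve. A technique may serve
# several tactics, which is one reason an attack does not read as a straight line.
TECHNIQUE_TACTICS = {
    "T1566": ["Initial Access"],                                    # Phishing
    "T1059": ["Execution"],                                         # Command and Scripting Interpreter
    "T1053": ["Execution", "Persistence", "Privilege Escalation"],  # Scheduled Task/Job
    "T1562": ["Defense Evasion"],                                   # Impair Defenses
    "T1003": ["Credential Access"],                                 # OS Credential Dumping
    "T1021": ["Lateral Movement"],                                  # Remote Services
    "T1041": ["Exfiltration"],                                      # Exfiltration Over C2 Channel
    "T1486": ["Impact"],                                            # Data Encrypted for Impact
}

def urgency_for(tactic):
    """Constructed triage tiers: the further along the progression, the more urgent."""
    if tactic is None:
        return "none"
    i = TACTICS.index(tactic)
    if i < TACTICS.index("Initial Access"):
        return "low"        # pre-compromise activity only
    if i < TACTICS.index("Lateral Movement"):
        return "medium"     # single host compromised
    if i < TACTICS.index("Exfiltration"):
        return "high"       # attacker spreading through the network
    return "critical"       # data leaving or being destroyed

def analyse_detections(events):
    """Return (tactics observed in time order, furthest tactic, urgency, unmapped IDs).

    Assumed rule: a multi-tactic technique is attributed to the earliest of its
    tactics that lies beyond the progress already observed; if none does, to its latest.
    """
    observed, furthest, unmapped = [], -1, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        tactics = TECHNIQUE_TACTICS.get(ev["technique"])
        if tactics is None:                     # unknown ID: report it rather than guess
            unmapped.append(ev["technique"])
            continue
        idx = [TACTICS.index(t) for t in tactics]
        ahead = [i for i in idx if i > furthest]
        chosen = min(ahead) if ahead else max(idx)
        if not observed or observed[-1] != TACTICS[chosen]:
            observed.append(TACTICS[chosen])    # collapse consecutive repeats
        furthest = max(furthest, chosen)
    furthest_tactic = TACTICS[furthest] if furthest >= 0 else None
    return observed, furthest_tactic, urgency_for(furthest_tactic), unmapped

# Constructed sample detections (not real telemetry): phishing on a workstation,
# then a scheduled task, defenses disabled, credentials dumped, a hop to a server.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "ws-01", "technique": "T1566"},
    {"ts": 130, "host": "ws-01", "technique": "T1059"},
    {"ts": 200, "host": "ws-01", "technique": "T1053"},
    {"ts": 250, "host": "ws-01", "technique": "T1562"},
    {"ts": 300, "host": "ws-01", "technique": "T1003"},
    {"ts": 420, "host": "srv-02", "technique": "T1021"},
    {"ts": 421, "host": "srv-02", "technique": "T9999"},  # constructed unknown ID
    {"ts": 500, "host": "srv-02", "technique": "T1562"},  # back to Defense Evasion
]

if __name__ == "__main__":
    seq, furthest, urgency, unmapped = analyse_detections(SAMPLE_EVENTS)
    print(" -> ".join(seq))
    print(f"furthest tactic: {furthest}, urgency: {urgency}, unmapped: {unmapped}")
```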
To explore this capability in more detail, you can see how detections are mapped against Mitre Att&ck® in a fully functional Free 30 Day Trial of Samurai XDR.
In the next installment of this series, we will start to explore key tactics in more detail, focusing first on Reconnaissance, looking at how the intelligence that Samurai XDR gains from NTT’s Tier 1 Internet backbone helps to detect threats in this early stage.
We hope that this series will help you to grow a better understanding of what threat actors are doing, why they do it, and ultimately to help in building the knowledge needed to manage cyber risk better.