Understanding the MITRE ATT&CK Framework and the Relationship Between MITRE and Security Products

https://attack.mitre.org/

MITRE Attack Framework is a standard put forward by MITER Corporation to make the techniques and tactics used by threat actors to infiltrate a network, company or organization. In other words, it can be called a model used as a guide about cyber security attacks and defenses. While this model illuminates the attacker’s stages in making the attack, it also includes a matrix that will make it easier to understand the tools he uses during these stages, thus helping us to see the big picture in the attack.

Tactics: An action that represents the attacker’s overall goal. Tactics include techniques and procedures for attackers to carry out their attacks.

Technique: Techniques are the tools and methods used to perform tactics.

Procedure: A procedure is the detailed steps the attacker follows in performing the particular tactic and technique.

MITRE Attack Framework is supported by many security platforms. These platforms address the alarms generated on them to the matrix in MITRE , making the attacks against institutions more understandable.

https://attack.mitre.org/matrices/enterprise/

The image above is the MITRE ATT&CK Matrix. In order to better understand the picture;

https://attack.mitre.org/matrices/enterprise/

Each of the columns is a tactic name. These tactics express the attacker’s stages in the attack and the general objectives of those stages.

https://attack.mitre.org/matrices/enterprise/

The stages below the tactics are the techniques. Techniques refer to the techniques that the attacker can use while performing the relevant stage.

To explain some of these tactics and techniques;


Reconnaissance: Reconnaissance or Recon phase is a term used for the discovery of the target system or network. It is the stage at which the attacker aims to gather as much information about his target as possible. The information it tries to collect is;

-IP Addresses,
-Names of Security Products,
-Server types(FTP,SFTP,SMTP,SNMP,Web Servers),
-Topology of the network

  • T1589-Gather Victim Identity Information: It is a MITER ATT&CK tactic known as “System Information Gathering”. At this stage, the attackers were not able to gather information about the target systems.-
    • DNS Checking
    • Port Scanning
    • Social Media monitoring
  • T1598-Phishing for Information: Phishing for Information is one of the attacker’s methods of gathering information with social engineering instead of providing direct access to the target system. Some information that is aimed to be learned,
    • Personal Appearance Information
    • Security questions

Initial Access: Initial Access phase is the phase where the attacker gains access to the target system for the first time. Initial Access includes methods that an attacker uses to circumvent or bypass the target organization’s defense mechanisms. To give examples of this stage;

  • T1566-Phishing : This is the stage of confusing the targets, deceiving them and obtaining their information. This can be by e-mail. For example, an attacker can send fake e-mails to an institution, sending e-mails that impersonate a real person or institution, and try to infect these systems with harmful files and malware. An unconscious employee could easily believe such attacks.
  • T1078-Valid Accounts: This tactic involves attackers using existing and valid accounts to access the target network. Attackers target more authorized accounts to infiltrate the network. At the same time, attackers do not use the initial access tactic by taking over existing accounts instead of cracking strong passwords.

Persistence: The persistence phase is where the attacker performs their work to perpetuate and protect the phases they used to infiltrate the network. These methods include Autorun, Registers, services, scheduled tasks and system backups.

  • T1053-Scheduled Task/Job: This technique refers to the attacker running commands or scripts on certain dates by creating a scheduled task after infiltrating the target system. For example, the attacker can run the backdoor he created on certain dates, activate it again and make it accessible again on those dates.
  • T1136-Create Account: Again, this technique allows the attacker to create an account on the target system and gain access in their next attack. For example, the attacker can create an account in the system, give it high-level privileges, and delete the files attacker wants, or potentially benefit from those data, if the attacker has access to all systems and data, source code.

I have explained some MITER ATT&CK tactics and techniques. Most organizations defend themselves with end point protection products such as AV or EDR. Another important detail for these products is that they address the alarms coming from the end points to the MITRE ATT&CK Matrix.

Trellix HX(EDR)

As seen in the image above, the IOC alarm is a SUSPICIOUS USE OF CERTUTIL TO OBFUSCATE PAYLOAD EXECUTION alarm and is addressed to the MITRE as seen.

CrowdStrike Falcon(NextGen-AV,EDR)

Likewise, as can be seen on the CrowdStrike Falcon Console, events on incoming incidents are addressed to MITER in the form of Defense Evasion via Exploit for Defense Evasion or Execution via Powershell.

All these MITER addresses;

  • It is of great importance in the diagnosis and analysis of the case that has occurred.
  • Addressing the findings of a security product to miter is essential to assessing the risk of the incident and understanding the consequences of the damage.
  • At the end of all these events, it becomes easier to understand what should be considered in terms of improvement and closing the system’s gaps.
  • Perhaps one of the most important is the creation of a common language for attacks that may occur all over the world.

Posted

in

by

Tags:

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *