What red and blue teamers should know about MITRE ATT&CK

No matter where your alliance falls on the scale from red to blue, MITRE ATT&CK is shaping standard red team engagement, assisting blue teamers in mapping coverage and alert gap identification, and enhancing other security best practices. A working knowledge of the primary enterprise matrix provides a detailed, high-level overview of the red versus blue realm world and eases understanding for business professionals.

What is ATT&CK?

The Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) matrix is a detailed matrix comprising offensive, high level adversarial tactics and specific techniques that allow defensive security teams to classify attacks and monitor the malicious activity environment when utilized with other security tools. This matrix is often used as a risk framework when working with compliance and assessing the potential vulnerabilities in an environment.

ATT&CK is constantly adapting, adding new techniques, and creating new matrices for further granularity. There are currently 15 matrices maintained, with the most recent focusing on mobile devices by operating system.

If you’re interested in staying up-to-date, the MITRE ATT&CK website posts major updates, such as new releases of matrices or hot topic techniques, as well as the more frequent minor updates, which can be found in the Changelog section of their website.

How do the matrices work?

Each matrix contains 12 tactics that range from the initial access into the target system to the final post exploitation impact. The top row of each matrix will detail the following tactics beginning with pre-exploitation and the initial compromise, otherwise known as Initial Access, and end with post exploitation, or Impact:

• Initial Access
• Execution
• Persistence
• Privilege Escalation
• Defense Evasion
• Credential Access
• Discovery
• Lateral Movement
• Collection
• Command and Control
• Exfiltration
• Impact

Under each tactic is a breakdown of techniques used when performing a penetration test. These tactics have remained the same since the creation of the original matrix in 2013, but the techniques are constantly adapting with new tools, software, hardware, and exploits.

Is the matrix a catch-all?

Sadly, no.

The cybersecurity world is ever-changing, as are the ATT&CK matrices. The tools and techniques found here are only as accurate as the community who contributes and provides evidence of a new technique.

For a red team or penetration tester, merely following this matrix allows for the freedom to explore a system with no specific targets in mind. To some, this is preferred as there is a structure to test against with known targets, but for those who enjoy creativity and out of the box thinking, being forced to follow the matrix is horrifying.

Similar logic holds true for those utilizing the matrices as a compliance framework or to map monitoring and coverage. The coverage and monitoring are only as good as the detections themselves, and the only thing being monitored are the techniques In the matrices; things are bound to fall through the cracks.

While this may be an imperfect solution for both sides, MITRE’s quick adaption of new techniques and community have made the framework the best solution for many.

Does Hurricane Labs use the MITRE ATT&CK Framework?

I’m glad you asked. Hurricane Labs has been using the ATT&CK framework and matrices more often as more and more in the industry choose to adapt monitoring and offensive engagements around the matrices.

How does Hurricane Labs use the matrices?

The Hurricane Labs purple team uses the matrices and framework to craft a test base if there are any tactics as well as techniques that they would like to see specifically attempted in their environment. The purple team works to fit customer needs as well as provide any suggestions of techniques or additional attack vectors that have not yet been considered.

After evaluating the MITRE ATT&CK App for Splunk, our Security Operations team has been mapping all custom searches created by our architects and mapping them to the techniques the searches detect. This is hand-built by our MITRE Team who are rolling this out slowly on a weekly basis.

I’m a current customer of Hurricane Labs, when can I expect to see the MITRE app deployed?

Our rollouts are set to complete by Mid-October of 2020. We look forward to helping you minimize your monitoring and alerting coverage gaps.

Conclusion

MITRE ATT&CK is helping bring communities together to solve problems and develop more effective cybersecurity solutions. Hopefully this blog post helped you better understand the framework and how this collection of real-world adversary tactics and techniques can be used to better assess an organization’s risk.