MITRE ATT&CK Knowledge Base

Cybersecurity teams continue to struggle to keep pace with the changes in their networks and the expanding digital attack surface. Meanwhile, cybercriminals have been undergoing their own digital transformation. Machine learning (ML) and agile development, new sophisticated attacks, combined with dark web Crime-as-a-Service offerings mean that attacks are faster, harder to detect, and better at finding and exploiting vulnerabilities. Recent FortiGuard Labs research points to cyberattacks becoming more destructive with more reconnaissance to enable better outcomes for attackers. For defenders, cyber risk continues to escalate.

What Is the MITRE ATT&CK's Knowledge Base?

Effectively defending against cyberattacks today requires security teams to work smarter rather than harder. Cybercriminal strategies target every link, from gathering information and gaining access to moving laterally across the network to discovering resources to target, to evading detection while exfiltrating data. Traditional security strategies, however, tend to only focus on a handful of attack components, which gives criminals a significant advantage.

To address today’s challenges, security teams need a combination of tools, strategy, automation, and skilled professionals to monitor the MITRE ATT&CK knowledge base and automate as much of the process as possible so that human resources can be focused on higher-order analysis and response. Choosing such tools, however, requires understanding the TTP's in the knowledge base and deteremine if the right detections and protections are in place.

To assist with this, MITRE has mapped the knowledge base into 14 categories, along with examples of the types of attacks that target each area. To effectively counter today’s advanced threats, security teams need to familiarize themselves with each technique and map them directly to functional areas and tools within their networks.

Understanding and Implementing MITRE ATT&CK

1. Reconnaissance

This is the adversary’s planning phase for future attacks. The activities focus on information gathering, which could be performed actively or passively depending on the requirement. Specifically, the actor is looking to learn more about the organization, including its infrastructure and employees. The more information the adversary knows about the target the better chance of a successful attack. A good example of this is credential stealing, which is increasing in popularity right now.

2. Resource Development

Before an attacker can start their cyber mission, they need to make sure they have the right resources to execute it. The attacker will need to determine whether they will create, purchase, steal, or compromise the right resources to support the mission. Examples are things like domains, web services, VPNs, infrastructure, accounts/emails, malware, and exploits. 

3. Initial Access

Exploiting known vulnerabilities in servers, compromising websites or applications, or taking advantage of successful spear-phishing attacks allow attackers to wedge a foothold into the edge of the network.

4. Execution

This is the point where an attacker executes a binary, command, or script to begin their network reconnaissance and exploitation process.

5. Persistence

Once an attacker has established a foothold, the next goal is to avoid detection. Creating or manipulating accounts, applying rootkits, using run keys, or exploiting tools like application shimming enable attackers to persist in place while they explore the network for potential targets.

6. Privilege Escalation

Basic access does not allow an attacker many opportunities to explore the network. To move around the network and access resources worth stealing, an attacker needs higher network privileges.

7. Defense Evasion

To move through a network undetected, especially when exfiltrating data, attacks need to avoid detection by things like behavioral analytics and IPS tools. Techniques such as clearing files, learning and mimicking normal traffic behaviors, or disabling security tools are just a few of the full range of tools available to today's hackers.

8. Credential Access

In many organizations, critical data and other resources are protected behind a wall of security that require appropriate credentials for access. Unfortunately, gaining access to credentials isn't always that difficult. They are stored in files or in a registry that attackers can exploit, techniques like hooking allow cybercriminals to intercept traffic to uncover credentials, and account manipulation can involve things like adding or modifying the permissions to the account being used to access the network.

9. Discovery

Not all data exists in the segment of the network that was broken into. Many of the same techniques used to this point are used again to determine where valuable resources exist.

10. Lateral Movement

11. Collection

Once an attacker has identified a payload, they need to collect that data and extract it from the network without being detected. This is often the trickiest part of the process, as this may involve massive amounts of data.

12. Command and Control

The final step is for attackers to cover their tracks completely. Multihop proxies, transferring data to common cloud services, data obfuscation, and multistage exfiltration are just a few of the techniques cybercriminals use to ensure that stolen data cannot be tracked and traced back to them. 

13. Exfiltration

Once a cybercriminal has carefully crafted each attack element to this point, they are often able to remain inside a compromised network for months, slowly moving data to other resources that are under less scrutiny, and eventually out of the network.

14. Impact

Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.

Work Smarter by Addressing the MITRE ATT&CK's Knowledge Base

Addressing the knowledge base needs to be combined with understanding how the network functions, including the impact that future business requirements will have on the network. Mapping those functions allows security teams to think comprehensively about security threats.

Breaking security down into the 14 MITRE ATT&CK categories has two goals:

• The first is to engineer as much risk out of the network as possible by addressing weaknesses inherent in each technique before an attack occurs. This may include hardening protocols to prevent their exploitation, turning off unused ports, and baselining all known traffic so that new applications or escalating privileges can be identified. Each of these activities can be mapped to multiple techniques. So can behavioral analytics, which can identify when a device begins behaving strangely, such as FTPing data out of the network. Even activities such as patching or replacing vulnerable devices and subscribing to threat intelligence feeds so you are tuned to current attack methodologies and malware can be mapped to multiple techniques.
• The second goal is to apply security strategically so that fewer security tools can address more challenges. This allows you to keep the number of management and orchestration consoles you need to monitor under control. It also enhances our ability to implement artificial intelligence (AI) and ML tools, such as endpoint detection and response technologies, to address challenges at digital speeds. Tools like network access control and zero-trust network access ensure that you are aware of every device on your network, while security information and event management (SIEM) devices ensure that threat intelligence is dynamically collected and correlated from every device deployed in every corner of your network. Keep in mind that once you have chosen the right technologies and have the proper configurations and logging, it's equally as important that you have the right people and processes in place to ensure the return on investment with those technologies. A strong cyber defense is composed of people, processes, and technologies.  

At the same time, consistency in security policy implementation and enforcement across different network ecosystems is critical. For example, you should deploy the same next-generation firewall (NGFW) solution in every part of your network, whether physical or virtual. This ensures that security protocols and enforcement are applied consistently, and you can monitor and manage your systems through a single central console.

Approaching Cybersecurity Strategically 

Of course, this strategic approach may require radically rethinking your security deployment. Tools have to be fully integrated so that the network can identify and address security threats as a unified system. A self-healing network requires security devices to share and correlate threat intelligence to identify and monitor every device, track applications, detect malware, isolate infected devices, and coordinate responses across a wide variety of network ecosystems, from multi-cloud infrastructures, platforms, and applications, to remote workers and Internet-of-Things (IoT) devices, to next-gen branch offices connected to the cloud and physical resources through Secure SD-WAN. Threat intelligence and response also need to be driven into each technique in the MITRE ATT&CK knowledge base. And where possible, AI and ML need to be applied so that all security devices can respond to threats at digital speeds and human resources can provide critical supervision.

In addition, a lack of resources and personnel, combined with the sheer volume of security alerts security operations center (SOC) teams receive per day, often result in missed detections and slower responses that increase exposure to cyber risk. Security operations teams require solutions to mitigate these challenges through investment in automated and integrated SOC and cybersecurity technologies and experienced professionals to better protect against threats. Machine learning-driven automation needs to be built into SOCs to support short-staffed teams affected by the cybersecurity skills shortage.

The MITRE ATT&CK to Shift Proactive Thinking

A breach resulting in the loss of data can occur in minutes or hours. And yet, it can take weeks or months for most security breaches to be detected. By that time, the perpetrators and your data are long gone. The only way to get out in front of this challenge is to change from a traditional tactical approach that relies on isolated legacy security tools to an integrated strategy that enables you to see and control your entire networked environment, to identify anomalous behavior and automatically thwart attackers.

Require further assistance in developing an incident response plan? Learn more about Fortinet’s FortiGuard Incident Response Plan Service.