Last Updated on Sat Aug 13, 2022
ATT&CK + D3FEND = D.E.A.T.H
The alarming increase in the number of cyber attacks has brought a need for cybersecurity systems with a dire need for security assessment and administration. A prime principle of security assurance is the implementation of strategic planning for risk reduction. Excluding the risks that arise from the supply chain or the production processes, the other fundamental solution for risk reduction is to have continuous security validation and testing of the organizations security contorls. In addition, security teams must protect the critical infrastructure powering their organizations. To curb this demand, organizations generally invest in solutions to simulate the attacker behaviours and extensive organizational security vulnerability testing.
However, these tactics come up short in evaluating the elements of administration and those modelling tactics to prevent information security breaches. By providing cybersecurity teams with the knowledge to identify security issues instantly, they can understand which vendors to focus on first. This dramatically reduces the operational burden on Third-party risk management committees throughout vendor selection, integration, and management. In addition, they can be accorded with vendors to enhance remediation efforts. One such approach is built on the idea of combining the two public knowledge bases, MITRE ATT&CK and MITRE D3FEND, which can prove essential to estimate operational applicability, identify strengths and weaknesses, and develop enterprise solutions comprising multiple capabilities.
This post is also inspired by this Twitter meme.
What is MITRE ATT&CK?
Modern network attacks can be executed in various ways, making it inefficient to define each attack technique and its type uniquely. The increase in attack techniques led to the requirement of unified database maintaining these techniques and descriptions. MITRE ATT&CK was developed in 2013 due to MITRE's Fort Meade Experiment (FMX), where researchers emulated both adversary and defender behaviour to enhance post-compromise discovery of threats through telemetry and behavioural analysis. MITRE ATT&CK stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK).
MITRE ATT&CK is a curated information base and standard for cyber adversary behaviour, exhibiting the different aspects of an adversary's attack lifecycle and the platforms they are identified to target.
The tactics and techniques abstraction in the model provides a universal registry of unique adversary actions recognized by both offensive and defensive cybersecurity. It also presents an appropriate level of categorization for adversary activity and specific ways of defending against it. The behavioural model presented by ATT&CK contains the following core elements:
- Tactics: tactical adversary goals during an attack.
- Techniques: describing how adversaries achieve tactical goals.
- Procedures: Documented adversary usage of techniques and other metadata
An attack's lifecycle can be broken down into goals known as tactics
Initial Access (TA0001): various entry vectors to gain an initial foothold with a network. Some techniques may include exploiting public-facing applications, adding hardware, replicating through removable media, spear-phishing attachment/link, spear-phishing via service, compromising supply chain, trusted relationships, etc.
Execution (TA0002): techniques that result in adversary-controlled code execution on a local or remote system. Some techniques may include using Command-Line Interface, Control Panel items or dynamic data exchange through API/GUI/PowerShell/module load, compiled HTML file, scheduled task, scripting, and service execution.
Persistence (TA0003): techniques to maintain access across system changes. Some techniques may include account manipulation, application shimming, bootkit, browser extensions, changing default file association, external remote services, hidden files and directories, hooking, and image file execution options.
Privilege Escalation (TA0004): techniques to gain greater permissions on a system or network. Some techniques may include access token manipulation, application shimming, bypassing user application control, DLL injection, exploitation for privilege escalation, extra window memory injection, and process injection.
Defense Evasion (TA0005): techniques to avoid detection during execution. Some techniques may include binary padding, clear command history, code signing, DLL search order hijacking, deobfuscate/decoding files/information, disabling security tools, indicator blocking/removal, and file deletion.
Credential Access (TA0006): techniques to steal account credentials. Some techniques may include credential dumping, credentials in files, input capture, network sniffing, password filter DLL, and two-factor authentication interception.
Discovery (TA0007): techniques to gain intel about the system and network. Some techniques may include system services/information, applications, query registry, network configuration, remote systems, system owner/users, network services/connections, processes, and security software.
Lateral Movement (TA0008): techniques to enter and control remote systems on a network. Some techniques may include third-party/application deployment software, remote services, Windows remote management/Admin shares, and logon scripts.
Collection (TA0009): techniques to gather information from target systems. Some techniques may include data from local system/removable media/network shared drive, input/audio/video/screen capture, and data staged.
Exfiltration (TA0010): techniques to steal data from your network. Some techniques may include data compressed/encrypted, exfiltration over another network medium/command and control channel/alternative protocol/physical medium, automated exfiltration, scheduled transfer, data transfer size.
Command and Control (TA0011): techniques to communicate with systems under their control within a victim network. Some techniques may include data obfuscation/encoding, fallback channels, custom cryptographic/command & control protocol, multiband communication, commonly/uncommonly used port, standard application/non-application layer protocol, multilayer encryption, connection proxy, and communication through removable media.
Impact (TA0040): techniques to interrupt or perform destructive actions on a system. Some techniques may include ransomware, data encryption, internal and external defacement, disk wipers, denial of service etc.
What is MITRE D3FEND?
MITRE has started building D3FEND, a network defence framework with funding from the NSA.
D3FEND stands for Detection, Denial, and Disruption Framework Empowering Network Defense.
D3FEND helps security architects quickly understand the specific capabilities of various defensive technologies. In addition, this framework will be shared publicly so everyone can use it and benefit from it the same way they use the ATT&CK framework.
Generally, a cybersecurity countermeasure is any procedure designed to neutralise offensive adversarial activities. But, it is not enough to understand what a countermeasure does—what it detects and prevents. A security practitioner should understand the countermeasures employed by their organisation, strictly what they do, how they do it, and their limitations when deployed.
A red team conducting an exercise to identify security gaps must plan their engagement with a masterful understanding of a countermeasure's functionality if they are to bypass it. Existing cybersecurity knowledge bases, including MITRE ATT&CK, do not do justice to the fidelity and structure of these countermeasures to meet these needs. Furthermore, no framework or model exists that has had its knowledge content supported by the rigorous changes of the ever-evolving cybersecurity landscape.
D3FEND establishes a fine-grained semantic model of countermeasures, their properties, relationships, and history of development. It provides a process for curating content into new knowledge and tying it to its source information in meaningful ways. The goal behind building the D3FEND matrix is to:
- create a sustainable knowledge framework for characterising and relating cybersecurity countermeasure technology
- accelerate knowledge discovery and acquisition efforts required to keep pace with technological changes in the cyber domain.
The D3FEND knowledge graph can be embedded within the more extensive web of datasets available within the Linked Open Data Cloud. These will connect the public knowledge to research literature, organisations, authors, inventors, and investors. It is a conceptual framework that "explains, either graphically or in narrative form, the main things to be studied—the key factors, constructs, or variables—and the presumed relationships among them." A domain knowledge model which "is used to reduce conceptual and terminological confusion" and foster communication, reusability, and cooperation. Finally, a knowledge graph providing a flexible representation of knowledge and enables complex machine reasoning about the domain.
D3FEND primarily concerns abstract and generic semantics versus vendor-specific terminology or technical jargon. However, analysis of technical terminology is usually required to select adequate semantics—and in some cases, create or define applicable new semantics. Therefore, the creators of D3FEND also described a semantic model of a portion of the MITRE ATT&CK framework to represent the offensive TTPs with the same standard, standardised semantic language. This enables us to incorporate ATT&CK by mapping its concepts directly to D3FEND's defensive techniques and artifacts model. The D3FEND graph contains semantically rigorous types and relations that define the key concepts in the cybersecurity countermeasure domain and the references necessary to link those concepts to each other.
Detection Engineering and Threat Hunting with MITRE ATT&CK and D3FEND
ATT&CK + D3FEND = D.E.A.T.H
Threat hunting is the practice of proactively searching for cyber threats lurking undetected in a network. Cyber threat hunting digs deep to find malicious actors in your environment that have slipped past your initial endpoint security defences. Unfortunately, once an adversary successfully evades detection and an attack has penetrated an organization's defences, many organizations lack the advanced detection capabilities to stop the persistent threats from remaining in the network. That's why threat hunting is an essential component of any defence strategy.
Detection engineering aims to identify threats before they can do significant damage. Detection engineering is about creating a culture, as well as a process of developing, evolving, and tuning detections to defend against current threats. It aligns content developers, threat hunters, threat intelligence, red teams, risk management, and so forth to build a threat-informed defence system. Detection engineering starts with threat modelling - identifying the threats relevant to your organization.
Then, using the MITRE ATT&CK framework and performing a gap analysis to discover what's relevant, it ultimately starts by asking the following questions:
- What do I need to detect?
- What threat actors, techniques, tools, etc., apply to us?
- How can I demonstrate the relevance to the business?
The answers to those questions can help you build a formula for the threats your organization should be concerned about.
This is where D3FEND comes into play, and the D3FEND matrix is broken down into five subcategories:
Harden: This category comprises measures to reduce the attack surface. It also somewhat reflects monitoring the access through authentication. The class restricts easy access to everything through an application, credential, message, and platform hardening. It resembles the regulation and security protocol policies enforced by several primary compliances for restricting access without appropriate authentication. It also focuses on updating patches to reduce the chances of vulnerabilities.
Detect:: This category focuses majorly on analyzing the threats identified with the help of the MITRE ATT&CK framework. The columns in this category include:
- File analysis
- Identifier analysis
- Message analysis
- Network traffic analysis
- Platform monitoring
- Process analysis
- User behaviour analysis
MDR services and SIEM solutions fit well into this category. All the triage data logged and gathered by a SIEM solution can help analyze defending against the potential threats. A robust SIEM solution with efficient correlation rules can also help with file, identifier, message, and behaviour analysis. On the other hand, MDR services with XDR capabilities can come in handy with platform monitoring, network analysis, and process analysis.
Isolate: As the name gives out, the isolate category focuses on isolating compromised or potentially vulnerable hosts. It lists two columns, execution isolation and network isolation, to monitor traffic continuously, with IP and DNS filtering. Filtering the vulnerable hosts can help with a seamless and quick isolation process.
Deceive: This category focuses on decoying the entire environment or objects like files, network resources, persona, credentials, etc., on deceiving a cyber attacker from the actual environment and objects to a false one.
Evict: The evict category lists credential and process eviction columns and focuses on ultimately terminating the vulnerable or compromised components to enhance defence.
The DNS Traffic Analysis entry explains how this method works and the included considerations.
The knowledge bases ATT&CK and D3FEND are tied together by highlighting the ATT&CK techniques related to the D3FEND entry. D3FEND has no direct map from an offensive technique (ATT&CK) to a defensive technique (D3FEND). Instead, it has been modelled to what each technique is doing in terms of what digital artifacts they interact with. This produces a graph structure that maps or relates to any countermeasures that interact with such scenarios. The reasoning logic which makes these relationship processes consider the taxonomical properties of both techniques and digital artifact specifications. This method allows us to generalize effectively and move beyond simplistic, hard-coded mappings.
Control Validation Compass
Control Validation Compass ("CVC") is an open-source tool and dataset designed to speed the process of a) identifying security control gaps and b) closing those gaps by pointing teams to relevant detections. CVC promotes a control validation or "purple team" approach and mindset by pointing teams to relevant offensive security tests, so they can immediately validate the effectiveness of new (or existing) controls.
- Intelligence Teams: These teams identify threats to the organizations they support but often have less immediate visibility into their internal controls landscape. CVC puts more resources and potential context directly into these teams' hands.
- Defenders / Blue Teams: The Threat Alignment page provides a quick & easy way for any team to instantly identify potential gaps in control coverage that should be filled with new detections and tested. If new detections must be created, each page of CVC points teams to many resources with potentially relevant logic.
- Offensive Security / Red Teams: Red teams can use CVC to identify where control coverage may be lighter and build simulation/emulation exercises around this knowledge.
Evaluate MITRE ATT&CK Matrix with Open-Source Adversary Emulation Tools
Cyberattack simulation, aka Threat Simulation, is an emerging IT security technology that can help discover gaps, vulnerabilities, and misconfigurations in your security infrastructure. We have covered the need for adversary simulation and the top ten open-source adversary simulation tools in this blog.