MITRE ATT&CK - The course of a cyber attack

Continuous development of the MITRE ATT&CK framework

Cybercriminals take different approaches depending on the target of the attack. For example, they use different tactics, techniques and procedures (TTPs) to compromise enterprise systems than to attack industrial control systems or mobile devices, and MITRE offers separate matrices (Enterprise, Mobile and ICS) for these environments. MITRE began developing the ATT&CK framework in 2013 to help engineering teams build robust defences by studying real attack methods. The framework enables the sharing of attacker behaviour across the whole attack lifecycle and provides a common taxonomy for cyber threat analysis and research.

In this article we look at MITRE ATT&CK in detail and discuss the ATT&CK tactics, the course of a cyber attack and the role of Privileged Access Management (PAM).

What is the MITRE ATT&CK Framework?

The MITRE ATT&CK framework is a continuously updated, curated knowledge base and model of attacker behaviour that reflects the phases of the cyber attack lifecycle on the platforms adversaries target. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. The tactic and technique abstraction gives the offensive side (attackers, red teams) and the defensive side (defenders, blue teams) of cyber security a shared vocabulary for adversary actions. In addition, the framework categorises attacks at a useful level of detail and lists specific mitigations and detection guidance for each technique.

The MITRE ATT&CK framework is a recognised authority on the tactics, techniques and behaviours attackers use against organisations. It is a standard way of documenting real-world attacks and the techniques and procedures observed in them. Incident response teams and IT departments can use this information to prioritise which areas to address first, proactively or after an incident, and to identify gaps in security processes, controls and tools.

The framework can therefore serve as a basis for detecting attacker behaviour and for building protective measures against specific threats.

  • Tactics
    A tactic is the technical goal an adversary is pursuing with a given action, such as evading defences, moving laterally or exfiltrating data. The Enterprise matrix of the MITRE ATT&CK framework currently consists of 14 tactics that describe attacker behaviour. ATT&CK does not rank the tactics against each other; defensive coverage of every tactic matters.
  • Techniques
    Each tactic contains a number of techniques: the ways an adversary achieves that goal and the steps taken to do so. Each technique entry describes the method, the platforms it applies to, the adversary groups and software known to use it, how it can be detected and how it can be mitigated.
  • Procedures
    Procedures are the specific ways an attacker or a piece of malware implements a technique in practice, as observed in real intrusions.

MITRE ATT&CK tactics

The matrix categorises the tactics attackers use at the different stages of an intrusion. The following describes the tactics an attacker uses over the course of an attack, in the order an attack typically progresses.

  • Reconnaissance - The groundwork.
    The attacker gathers information that is used to plan and carry out the later stages. Techniques include active scanning, phishing for information and collecting details about the victim's identities, hosts and network.
  • Resource development - The build-up.
    The attacker establishes the resources needed for the operation. Techniques include compromising accounts, acquiring infrastructure and developing capabilities such as malware or exploits.
  • Initial access - The first step.
    The attacker's first foothold in the target network. Techniques include spear phishing, drive-by compromise, exploiting public-facing applications, abusing valid accounts and external remote services such as VPN or RDP.
  • Execution - Running code.
    The attacker runs malicious code on a target system, for instance by abusing built-in command and scripting interpreters such as PowerShell or the Unix shell to explore the network or steal data.
  • Persistence - Keeping the foothold.
    The attacker tries to keep access across reboots, credential changes and clean-up attempts. Techniques include account manipulation, for example adding a key to a user's SSH authorized_keys file.
  • Privilege escalation - The takeover.
    The attacker obtains higher-level permissions on a system or network. Techniques include port monitors, sudo and sudo caching, and bypassing User Account Control.
  • Defence evasion - Staying hidden.
    The attacker avoids detection, for example by disabling security tools and logging. Techniques include impairing defences, token impersonation and abuse of elevation control mechanisms.
  • Credential access - The new identity.
    The attacker steals account names and passwords. Techniques include keylogging, OS credential dumping, password cracking and brute force.
  • Discovery - Looking around.
    The attacker explores the environment to learn which hosts, accounts, services and security controls surround the foothold, so that the next moves can be planned.
  • Lateral movement - Spreading out.
    The attacker moves from the initial foothold to other systems. Techniques include exploiting remote services, internal spear phishing and SSH hijacking.
  • Collection - Gathering data.
    The attacker gathers the data of interest, for example from local files, network shares or e-mail, ready for exfiltration.
  • Command and control - The remote hand.
    The attacker communicates with compromised systems to control them, typically over application layer protocols such as HTTPS or DNS that blend in with normal traffic.
  • Exfiltration - The outflow of data.
    The attacker moves stolen data out of the compromised network. Techniques include automated exfiltration and exfiltration over web services.
  • Impact - The effects.
    The lifecycle ends with the manipulation or destruction of compromised systems, networks, data and accounts. Techniques include account access removal, data encrypted for impact (ransomware), data manipulation, denial of service and resource hijacking such as cryptomining.

How does a Privileged Access Management (PAM) solution help protect against the MITRE ATT&CK tactics?

Attackers often enter and explore a network with unprivileged access but need higher privileges to pursue their goals. Privilege escalation covers the techniques used to obtain those higher permissions on a network or system; common methods include exploiting system weaknesses, unpatched vulnerabilities and misconfigurations such as over-broad sudo rules or service account rights. A Privileged Access Management (PAM) solution helps companies protect their applications and infrastructure and maintain the confidentiality of critical infrastructure and sensitive data by controlling who may use privileged accounts, when and for what.

Know who did what, when and where at all times.

Organisations implement a PAM solution to protect against data leaks, system intrusions, infiltration and credential theft. The principle of least privilege, under which every user, process and account receives only the access its task requires, is a cyber-security best practice that limits lateral movement, privilege escalation and the takeover of administrative accounts.
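Least privilege is easiest to see on the sudo rules that privilege-escalation techniques such as sudo caching abuse. The following Python script is an added example, not code from the page or from any vendor: it contains two constructed sudoers fragments, one over-broad and one scoped, reads them with a deliberately small grammar (user host=(runas) [NOPASSWD:] commands, plus per-user Defaults) and reports every grant that contradicts least privilege. The accounts `svc-web` and `deploy` and their commands are invented; real sudoers syntax (aliases, includes, host lists) is not handled, so run `visudo -c` on real files.

```python
"""Least-privilege check for sudo grants.

Added example, not from the page or any vendor: two constructed sudoers
fragments are audited for any-command grants, NOPASSWD on such grants,
shells as the granted command, and credential caching left enabled.
"""
import re

# Constructed: a service account with unrestricted root and a user allowed a shell.
WEAK = """\
svc-web ALL=(ALL:ALL) NOPASSWD: ALL
deploy  ALL=(root) /bin/bash
"""

# Constructed: fixed commands only, credential caching off, sessions logged.
HARDENED = """\
Defaults:svc-web timestamp_timeout=0, log_input, log_output
svc-web ALL=(root) /usr/bin/systemctl restart nginx.service
Defaults:deploy timestamp_timeout=0, log_input, log_output
deploy  ALL=(root) /usr/bin/systemctl restart app.service, /usr/bin/journalctl -u app.service
"""

GRANT = re.compile(r"^(\S+)\s+(\S+)\s*=\s*\(([^)]*)\)\s*(?:(NOPASSWD):\s*)?(.+)$")
DEFAULTS = re.compile(r"^Defaults:(\S+)\s+(.+)$")
NO_CACHE = re.compile(r"timestamp_timeout\s*=\s*0\b")
SHELLS = ("/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash", "/usr/bin/sh", "/usr/bin/zsh")

def audit_sudoers(text):
    """Return (user, reason) pairs for every least-privilege violation found."""
    no_cache, grants = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if m := DEFAULTS.match(line):
            if NO_CACHE.search(m.group(2)):
                no_cache.add(m.group(1))
        elif m := GRANT.match(line):
            grants.append(m.groups())
    issues = []
    for user, host, runas, nopasswd, cmds in grants:
        cmdlist = [c.strip() for c in cmds.split(",")]
        if "ALL" in cmdlist:
            issues.append((user, f"may run any command as {runas}"))
            if nopasswd:
                issues.append((user, "NOPASSWD on an any-command grant"))
        for c in cmdlist:
            if c and c.split()[0] in SHELLS:
                issues.append((user, f"granted an interactive shell: {c}"))
        if user not in no_cache:
            # sudo caches the password for a while by default; an attacker in the
            # same session can ride that cache (ATT&CK T1548.003 Sudo Caching).
            issues.append((user, "credential caching left on (no timestamp_timeout=0)"))
    return issues
```

`audit_sudoers(WEAK)` reports five problems (any command as root, NOPASSWD on that grant, an interactive shell for `deploy`, and cached credentials for both accounts); `audit_sudoers(HARDENED)` reports none, because each account can run only the named commands, must re-authenticate every time, and has its sessions logged.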

VISULOX - PAM from the leading German manufacturer

VISULOX by amitego enables IT security teams to secure access to privileged accounts by enforcing multi-factor authentication and configuring access policies based on location, time, user role and other definable factors. This ensures that access is granted only to authorised users, and only for the time it is actually required. VISULOX enables collaboration for internal and external users without compromising security, with an audit trail that supports a genuine dual-control (four-eyes) principle.

Security teams can also monitor all administrative-level access to critical IT applications and OT components remotely via a central dashboard. The solution's session recording capabilities let security teams record user activity during privileged sessions and log who authorised each session. These recordings can be used to create robust audit trails and provide forensic evidence of risky behaviour. All audit data is automatically backed up to provide an additional layer of security and to support compliance with strict data protection regulations.

amitego is a global cybersecurity provider specialising in identity and access security, remote user control and secure data transfer technologies. VISULOX is amitego's privileged access management solution. VISULOX is designed to help organisations around the world secure and monitor all access to critical business systems. VISULOX mitigates the risk of privileged accounts being compromised and protects privileged credentials from theft by external and internal threat actors.
