
(Mitre's) ATT&CK

source link: https://wilsonmar.github.io/attack/

How to use Mitre’s ATT&CK framework to protect IT assets

Mitre (a US not-for-profit that operates federally funded research and development centers) publishes ATT&CK, a knowledge base built from real-world observations that lays out, for each stage of a typical “kill chain”, the TTPs (Tactics, Techniques, and Procedures) adversaries use to attack computer systems. Tactics are the adversary's goals (the columns of the matrix), techniques are how each goal is achieved, and procedures are the specific implementations seen in the wild.

NOTE: Content here is my personal opinion, and not intended to represent any employer (past or present). “PROTIP:” here highlights information I haven’t seen elsewhere on the internet because it is hard-won, little-known but significant facts based on my personal research and experience.

Mouse over each technique in a matrix for its T number (for example T1566 Phishing, with sub-techniques such as T1566.001), which links to the Procedure examples, Assets (in ICS), Mitigations, and Detection guidance for that technique. Several variations of Mitre’s original ATT&CK framework exist:

  • https://atlas.mitre.org (Adversarial Threat Landscape for AI Systems) is a separate matrix modeled on ATT&CK that adds tactics and techniques specific to ML (Machine Learning) systems:

    [image: ATLAS matrix, attack-atlas-2401240-3628x770.png]
  • https://attack.mitre.org/tactics/enterprise is the Enterprise matrix, which can be filtered by platform (Windows, macOS, Linux, cloud, network devices, containers) to show the techniques relevant to each. Mitre also publishes separate matrices for Mobile and for ICS (Industrial Control Systems) at https://attack.mitre.org/matrices/ics/; this screenshot is the ICS matrix:

    [image: ATT&CK for ICS matrix, attack-mitre-ics-240124-2750x1466.png]
  • Dragos.com, a vendor specializing in security for OT (Operational Technology) used in ICS, presents its own variation of the framework adapted for OT:

    [image: Dragos OT variation of the matrix, attack-dragos-240124-3814x1230.png]
  • Exabeam (a SIEM vendor) shows its users a dashboard with a threat count for each stage:

    [image: Exabeam threat-count dashboard, threat-mitre-exabeam-1390x693]
  • The ATT&CK Navigator is a web-based tool for annotating and exploring ATT&CK matrices. It can be used to visualize defensive coverage, red/blue team planning, the frequency of detected techniques, etc. Annotations are saved and loaded as JSON “layer” files, so coverage data from other tools can be generated and imported.

    https://mitre-attack.github.io/attack-navigator

NOTE: The “Reconnaissance” and “Resource Development” tactics are usually not evaluated in coverage assessments because they take place outside the victim's environment (on the adversary's own infrastructure and on public sources), so defenders have little telemetry to collect about them.

Attack Tactics

Tactics are the columns of each matrix, listed here in kill-chain order (the numbers are reused in the alphabetical list below). Enterprise ATT&CK has 14 tactics; ATLAS inserts two ML-specific ones; ATT&CK for ICS (and the Dragos variation of it) drops some and adds two of its own:

  1. Reconnaissance
  2. Resource Development

  3. Initial Access
  4. ML Model Access (ATLAS only; not in the standard matrix or Dragos)
  5. Execution
  6. Persistence (not in Dragos)
  7. Privilege Escalation
  8. Defense Evasion (called “Evasion” in ICS)

  9. Credential Access (not in Dragos)
  10. Discovery
  11. Lateral Movement (not in ATLAS)
  12. Collection
  13. Command and Control (ATLAS has “ML Attack Staging” in this position; ICS and Dragos add “Inhibit Response Function”)

  14. Exfiltration (ICS and Dragos have “Impair Process Control” instead)
  15. Impact

Alphabetical order

https://atomicredteam.io/atomics (Atomic Red Team, a library of small test cases mapped to ATT&CK techniques for validating detections) lists the tactics alphabetically rather than in kill-chain order; the numbers refer to the list above:

12) Collection
13) Command And Control
 9) Credential Access
 8) Defense Evasion
10) Discovery
 5) Execution
14) Exfiltration
15) Impact
 3) Initial Access
11) Lateral Movement
 6) Persistence
 7) Privilege Escalation
 1) Reconnaissance


Defensive Tactics

ATT&CK pairs each technique with Mitigations (M numbers) and Detection guidance. Here are some examples of defensive measures, most of which map to one or more of those mitigations:

  1. Train employees to recognize phishing (mitigation M1017, User Training), the most common Initial Access technique.

  2. Require MFA (Multi-Factor Authentication) for all logins (M1032), so that a stolen password alone does not grant access.

  3. Monitor devices with SNMPv3 using authentication and encryption (authPriv) rather than SNMPv1/v2c, whose community strings travel in cleartext and are readable by anyone on the path.

  4. Issue a certificate to every node and require mTLS (Mutual TLS) for every network connection, so both ends authenticate each other and all traffic is encrypted.

  5. Segment the network into zones with a firewall between each zone, allowing only the minimum ports and protocols each zone needs (M1030, Network Segmentation). This limits lateral movement by attackers.

  6. Have API servers verify JWT (JSON Web Token) signatures to block attempts at user impersonation: sign tokens with the issuer's private key (an asymmetric algorithm such as RS256 or ES256), verify with the matching public key, and pin the accepted algorithm on the server rather than trusting the token's alg header (which is how “alg”: “none” attacks get through).

  7. Enforce a strict allowlist of permitted hosts for the jku (JWK Set URL) header, so the verifier never fetches signing keys from an attacker-controlled URL.

  8. Always set an expiration (exp claim) on any tokens issued, and keep lifetimes short.

  9. Avoid sending tokens in URL query parameters, which end up in server logs, proxy logs, and browser history; send them in the Authorization header instead.

  10. Include the aud (audience) claim (or similar) to specify the intended recipient of the token, and have each server reject tokens issued for a different audience. This prevents a token for one site from being replayed on another.

  11. Enable the issuing server to revoke tokens (on logout, for example), e.g. by giving each token a unique jti and checking a deny-list on every request.

  12. Use a file-integrity tool such as Tripwire to record a hash of each static file (executables, libraries, configuration), then re-verify on a schedule to detect files that have been replaced with a tampered version.

  13. Send alerts to the SIEM (Security Information and Event Management) for irregular logins, when a device is added to or removed from the network, when data streams are larger or smaller than normal, etc.

  14. To confirm that alerting works end to end, regularly send a synthetic test event to each device that must produce a log entry and alert in the SIEM; a missing alert means the pipeline itself is broken.

  15. Set up secure video surveillance of remote hardware devices to provide a history of physical access.

  16. Create an SBOM (Software Bill of Materials) listing every open-source package in the dependency tree, direct and transitive. Flag suspicious version changes, then scan the code of each package for malicious behavior such as exfiltrating data to external hosts.

  17. Verify that each device is running a current version of its OS with all patches applied (M1051, Update Software).

  18. Apply a CIS Benchmark to configure each device to a known secure state.

  19. Use an API management gateway to issue API tokens so that calls per client per minute can be counted and rate-limited.

Security standards for ICS (Industrial Control Systems) are the ISA/IEC 62443 series, developed by the ISA-99 committee of ISA (International Society of Automation) and published jointly with the IEC (International Electrotechnical Commission), so the same series applies in the US and in Europe. Separately, NIST (National Institute of Standards and Technology) in the US publishes SP 800-82, “Guide to Operational Technology (OT) Security”.

Questions

TODO:

  1. Initial Access vector: how did the attacker get in?
  2. How is the adversary currently accessing the environment?
  3. How did the attacker move laterally? (RDP, SSH, network shares, malware, etc.)
  4. How is the adversary maintaining persistence? (malware backdoor, webshell, legitimate credentials, remote-access tools, etc.)
  5. How is the attacker communicating with the C2 (Command and Control) server?
  6. What is the attacker doing on the system? (What commands are they running?)
  7. Has data been exfiltrated, and if so, what kind of data and via what mechanism?

Resources

VIDEO:

https://github.com/deanbushmiller/ATTACK/blob/main/Layers-for-navigator/ATTACK-Layers-in-Navigator.pdf



(Mitre's) ATT&CK was published on January 24, 2024.

