Information security: MITRE

This article was written for educational purposes only. We do not call on anyone to do anything; it is for informational purposes only! The author is not responsible for your actions.
So what is MITRE, and what attacks are we talking about? MITRE is a US-based not-for-profit organization that operates federal and local research and development centers. MITRE's areas of interest include artificial intelligence, quantum informatics, health informatics, space security, cyber threat and defense information sharing, and more.

In the field of information security, MITRE Corporation is known for its Common Vulnerabilities and Exposures (CVE) list, cve.mitre.org. It is a well-known security vulnerability database that emerged in 1999 and has since become one of the primary resources for structuring and storing data about flaws in software. These databases are also used by cybercriminals when they first try to infiltrate a victim's infrastructure after scanning the network.

CVE is not MITRE's only information security project. There are other areas that are actively developing:
  • ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge), attack.mitre.org, is a structured list of well-known attacker tactics, techniques and procedures, presented in the form of tables;
  • STIX (Structured Threat Information Expression) is a serialization language and format used to exchange Cyber Threat Intelligence (CTI) between information security systems;
  • CAR (Cyber Analytics Repository) is a knowledge base built on the ATT&CK model. Its analytics can be expressed as pseudocode, and defender teams can use them to create detection logic in their defensive systems;
  • SHIELD Active Defense is an active defense knowledge base that codifies security practices and complements the mitigations presented in ATT&CK;
  • AEP (ATT&CK Emulation Plans) are ways of simulating attacker behavior based on a specific set of TTPs (Tactics, Techniques, and Procedures) according to ATT&CK.
Incidentally, domestic regulators are also involved in such studies. On February 5, 2021, FSTEC of Russia issued a methodological guide for assessing information security threats. Page 30 shows an example of an attack scenario.

MITRE ATT&CK and information security.

Fragment of the methodological manual

Why do you need ATT&CK
MITRE introduced the ATT&CK matrix in 2013 to describe and categorize patterns of attacker behavior based on real-world observations. Before we start to understand how to use the matrix, let's go over the basic concepts.

APT (Advanced Persistent Threat) is a group of attackers, or even a country, that conducts long-term cyberattacks against organizations or states. Literally, the term means a constantly developing threat. After reading the entire article, you will realize that there is nothing particularly advanced here.

A large list of known APT groups that security specialists have grown fond of

TTP (Tactics, Techniques and Procedures) breaks down as follows:
  • tactic - the attacker operates in several stages, and a tactic is the purpose or objective of the attacker at a certain step, for example: TA0002 Execution is when an attacker tries to run his malicious code. Yes, it sounds corny, but look at what happens next;
  • technique - how an attacker achieves the goal or the task at hand: what tools, technologies, code, exploits and so on are used. Example: T1059.001 PowerShell, using PowerShell in an attack;
  • procedure - how exactly this technique is performed and why. For example: malware uses PowerShell to download a payload, which in turn downloads Cobalt Strike and tries to run it on remote hosts (do you think this was a combination of technique and tactic?).

How does an attacker act in general? He opens a hacking tutorial, which introduces the concept of the Kill Chain on its second page. The Kill Chain, literally the "chain of killing", is a model that defines the sequence of actions that lead the criminal to the goal. It consists of a series of usually sequential steps:
  • reconnaissance;
  • weaponization - preparing for the attack and choosing the tools;
  • delivery;
  • exploitation - using the arsenal;
  • installation;
  • command & control (C2) - control via command servers;
  • lateral movement - horizontal movement, spreading within the network;
  • objectives - actions on the target.

The MITRE ATT&CK matrix began as an internal project known as FMX (Fort Meade Experiment). As part of it, security specialists were tasked with emulating hostile TTPs against a network, and data about the attacks on that network was then collected and analyzed. It was this data that later formed the basis of ATT&CK. Since the ATT&CK matrix is a fairly complete description of the behavior attackers exhibit when breaking into networks, it is useful for various offensive and defensive measurements, representations and other mechanisms (such as FSTEC threat modeling).

MITRE split ATT&CK into several summary matrices:
  • Enterprise - TTPs used in attacks against organizations;
  • Mobile - TTPs associated with portable devices;
  • ICS - Industrial Control Systems, TTPs for industrial systems.

Each of them contains the tactics and techniques relevant to the subject of that matrix. The most popular matrix is Enterprise. It in turn consists of branches, each responsible for its own area:
  • PRE Matrix - the preliminary stage;
  • Windows - attacks on Windows-based infrastructure;
  • macOS - the same for Apple computers;
  • Linux - guess;
  • Cloud - attacks on clouds;
  • Network - attacks on the network.
Next, we will look at this particular matrix. The division into sub-matrices was done for a reason. For example, the PRE matrix and the other parts can be overlaid on the stages of the kill chain as follows.

ATT&CK Enterprise Matrix mapped to the Kill Chain model

As you can see, the PRE matrix contains data related to the preparatory stages of an attack, such as network scanning and inventory, phishing, or social engineering. The rest of the Enterprise matrix sub-tables contain the most interesting things. There are 14 categories at the top of the matrix; each one is a tactic and lists the techniques an attacker could use.

Categories of the ATT&CK Enterprise matrix and the number of nested techniques in each category

For example, let's take a look at the Execution tactic. In how many ways can something be run on the target system? There is no longer any need to reinvent the wheel or convene a consortium: the clever folks worked it all out long ago. Let's look at tactic TA0002 Execution and see how many execution techniques exist. There are only a dozen of them, not counting sub-techniques:
  • T1059 - Command and Scripting Interpreter, command and script interpreters;
  • T1203 - Exploitation for Client Execution, exploiting vulnerabilities in client software;
  • T1559 - Inter-Process Communication, using interprocess communication;
  • T1106 - Native API, interacting with the operating system API;
  • T1053 - Scheduled Task/Job, living in schedulers;
  • T1129 - Shared Modules, DLL loading;
  • T1072 - Software Deployment Tools, using software deployment systems;
  • T1569 - System Services, using services;
  • T1204 - User Execution, user actions that work to the attacker's advantage;
  • T1047 - Windows Management Instrumentation, using WMI.
A technique may have its own sub-techniques. If you click on the right side (the obscure gray trapezoid), they expand.

Sub-techniques of T1059 Command and Scripting Interpreter

Scripts and commands specific to various popular operating systems can be used in a malicious campaign. Clicking on the label opens a page dedicated to the description of a specific technique. For example, after clicking on Command and Scripting Interpreter, all related information about this technique becomes available: a brief description of the technique, examples of procedures used by different groups, and mitigations ...

When modeling threats with the new FSTEC method, you must use the TTP set like a Lego constructor. If you see an attack, generate all forms of its implementation (scenarios) from TTP bricks; MITRE ATT&CK is named as one of the possible sources of the initial data.

To highlight the tactics, techniques and procedures used, you can use the MITRE ATT&CK Navigator instead of Excel after analyzing the malware. For example, you can see the distribution of targeted Carbanak attacks by TTP.

In short, the MITRE ATT&CK matrix can and should be used both in malware analysis and to compare the tactics and techniques of different groups. As an example, see the Group-IB study on the ProLock ransomware. It has a MITRE ATT&CK Mapping section, which describes the tactics and techniques used.

To automate the mapping, you can use the official tool (still in beta) Threat Report ATT&CK Mapper (TRAM), which uses NLP (Natural Language Processing) over keywords to suggest the appropriate tactic or technique. The analyst then only has to confirm or reject the suggestion. We will look at this utility in one of the future articles.

CAPA rules
The permissions that nearly all Android apps ask for upon installation have long attracted the attention of security professionals. They usually ask for access to the camera, microphone, and network.

FireEye researchers thought about this: what prevents us from checking in the same way what capabilities a particular executable file has? This is where CAPA rules come into play.

Sample Android app with its permissions

During dynamic analysis, the object is run in an isolated environment and all of its actions are monitored at the level of the hypervisor or a special utility. Using CAPA rules (which, incidentally, are open source), the analyst can save time, perform a preliminary static analysis of the object and focus on the program's potential actions and capabilities according to the MITRE ATT&CK matrix.

This is what the CAPA output looks like when analyzing an .exe. The experimental program was written in Python and compiled into an executable with auto_py_to_exe.

An example of analysis using CAPA rules for the file 1.exe

We see that the analyzed file uses three tactics and five techniques according to the MITRE ATT&CK matrix. In addition, CAPA lists the capabilities of the executable by the functions it uses.

Functions of the 1.exe object

CAPA detects capabilities automatically by looking for distinctive artifacts: API calls, strings, constants, creation of mutexes and sockets, loaded libraries. These artifacts are described by rules (similar to YARA rules) that help identify the functionality implemented in the malware.

Consider an example of a CAPA rule.

CAPA rule: schedule task via command line

First, CAPA extracts strings and constants, which may be function names or anything else meaningful to an analyst. What it finds is divided into file properties and parsing results (strings, constants, calls). File properties are headers and imported APIs (including the names of the functions used). The example above uses a boolean condition:
Code:
create_process AND [(string /schtasks/i AND string /\/create/i) OR string /Register

That is, the rule identifies the console commands used to create tasks in the Windows Task Scheduler.

It is worth noting that CAPA rules only work with objects in PE (Portable Executable) format. Use the -v and -vv options for more detailed output.
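As an added example (not code from capa or from the original post), here is the boolean rule above as a small evaluator in Python: the rule logic is written as nested and/or nodes over the two feature kinds the text mentions (imported APIs and strings), the capa-style /pattern/i literals are compiled to regular expressions, and every matching rule is reported with its ATT&CK tag. The feature set is constructed, the create_process sub-rule is simplified to a single CreateProcess import (an assumption), and the third string pattern is kept only as the prefix the post shows.

```python
import re

# Constructed feature set standing in for what capa extracts from a PE
# (imported APIs and strings). This is not the output for the post's 1.exe.
SUSPICIOUS_FEATURES = {
    "api": {"kernel32.CreateProcessW", "kernel32.GetTickCount"},
    "string": {"schtasks /create /tn Updater /tr C:\\ProgramData\\svc.exe", "cmd.exe"},
}

# The rule from the post as nested (kind, argument) nodes. The create_process
# sub-rule is simplified to a CreateProcess import (assumption); the last
# pattern is kept as the prefix printed in the post, so it is deliberately loose.
SCHEDULE_TASK_RULE = {
    "name": "schedule task via command line",
    "attack": ["Execution::Scheduled Task/Job [T1053]"],
    "logic": ("and", [
        ("api", "CreateProcess"),
        ("or", [
            ("and", [("string", "/schtasks/i"), ("string", r"/\/create/i")]),
            ("string", "/Register/i"),
        ]),
    ]),
}

def compile_literal(spec):
    """Turn a capa-style /pattern/flags literal into a compiled regex."""
    body, _, flags = spec[1:].rpartition("/")
    return re.compile(body, re.IGNORECASE if "i" in flags else 0)

def evaluate(node, features):
    """Recursively evaluate an and/or tree against the extracted features."""
    kind, arg = node
    if kind == "and":
        return all(evaluate(child, features) for child in arg)
    if kind == "or":
        return any(evaluate(child, features) for child in arg)
    if kind == "api":
        # Compare the bare import name, ignoring the module and the A/W suffix.
        names = {re.sub(r"[AW]$", "", a.split(".")[-1]) for a in features["api"]}
        return arg in names
    if kind == "string":
        regex = compile_literal(arg)
        return any(regex.search(s) for s in features["string"])
    raise ValueError(f"unknown node kind: {kind}")

def match_capabilities(features, rules):
    """Return {rule name: ATT&CK tags} for every rule whose logic matches."""
    return {r["name"]: r["attack"] for r in rules if evaluate(r["logic"], features)}
```

Running `match_capabilities(SUSPICIOUS_FEATURES, [SCHEDULE_TASK_RULE])` reports the schedule-task capability with its T1053 tag; a feature set without both a process-creation import and a matching string yields an empty result.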

Conclusions
The community of people who support the philosophy of MITRE ATT&CK is growing every year, so use of the matrix is becoming more and more widespread. For example, vendors use ATT&CK when creating alerts in their products. This approach makes incidents easier to investigate and also allows you to respond to them quickly. ATT&CK is not just an advertising campaign but an important source of knowledge for the entire cybersecurity industry.

It is for this reason that the whole cybersecurity community, including software developers, uses the ATT&CK knowledge base in order to speak a common language.

It is important to remember that the last two letters of the abbreviation ATT&CK stand for Common Knowledge, that is, "well-known things". The matrix builds on previous attacks and provides behavioral clues as to which TTPs were used. It is undoubtedly a great knowledge base, easy to use and very well maintained. However, the paradox is that it will never be able to fully describe all of an attacker's techniques, although that is exactly what it strives for.
 