MITRE ATT&CK is a knowledge base that models the behavior of a cyberattacker, reflecting the different phases of an attack life cycle for each targeted platform: Windows, macOS, Linux, mobile devices and so on.
MITRE ATT&CK focuses on how attackers attempt to compromise and operate within digital infrastructures from the outside.
This model originated from a project that aimed to document and categorize all the post-compromise tactics, techniques and procedures used by attackers against Microsoft Windows operating systems, in order to improve the detection of malicious behaviors.
© 2020 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
MITRE ATT&CK proposes to classify the techniques under the reference Txxxx. Let’s take the example of the famous T1086, with PowerShell attacks. TEHTRIS EDR has an engine that analyzes PowerShell code, whether it is launched from a script or interactively. This solution was one of only two products on the market that possessed this feature when we first shared it with all our existing customers. Imagine also that you want to be compatible with T1016, and for example detect the launch of an “ipconfig /all”. Sounds like a simple plan…
Except that in some infrastructures, we have seen .bat scripts launched via Netlogon, or launched on a regular basis, which genuinely run “ipconfig /all” for internal purposes. So, who wants to go through thousands of alerts every day just for compatibility with T1016? Which of these alerts will actually be linked to a real compromise?
Jumping back to T1086 for PowerShell, we have also seen scripts in the field using the Get-NetIPConfiguration cmdlet, the equivalent of ipconfig.exe in terms of usage. So, do we have to worry every time it is used? Especially when it is frequently found in official scripts legitimately run by administrators?
MITRE ATT&CK is not an exhaustive list of all possible attack vectors in the world, but for several years now it has clearly been the reference tool for studying certain situations: incidents, comparison of tools, behavioral categorization, research on aggressors in digital intelligence mode, etc.
When the MITRE ATT&CK model was published in May 2015, with more than 96 techniques grouped into 9 tactics, all our products at TEHTRIS already had offensive categories, so as to know which phase of an incident we were talking about: preparation? intrusion? post-intrusion actions? security policy issues? etc. We had already had these criteria since 2014 in our internal knowledge base at TEHTRIS, thanks to the internal eGambit engine.
The major evolutions of MITRE ATT&CK, and their widespread use worldwide, led us to evolve our model in order to stick to the same numbering and references. The TEHTRIS XDR Platform is therefore 100% compatible with MITRE ATT&CK, and we will continue to follow this line of thought in order to get even closer to the associated possibilities.
Don’t worry, that’s exactly what we’re getting at: it will all be a matter of context. And complexity can go very far, so we have chosen one of the most basic examples here. During exercises and demonstrations, or in laboratories, nothing is ever the way it is in real life.
It so happens that some APT groups processed by TEHTRIS also ran IPCONFIG in scheduled task mode. So you ask yourself: should you keep the rule, for T1086 compatibility alone, even if that means many alerts are raised in some networks? Or drop it, at the risk of missing potential attacks? You have to choose what you want to watch, why, and how. Side note: for this APT, at the contextual level, the command was launched by SYSTEM. Simple.
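The contextual triage described above, as an added example that is not TEHTRIS code: the same “ipconfig /all” (or Get-NetIPConfiguration) process-creation event is suppressed when its parent is a .bat script served from the Netlogon share, raised as an alert when it runs as SYSTEM from a scheduled task, and queued for review otherwise. The event schema, the Netlogon UNC path shape, the list of scheduled-task host processes and the sample events are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    """One process-creation record (constructed shape, not a specific EDR schema)."""
    image: str                 # executable that was started
    command_line: str          # its full command line
    user: str                  # account the process runs as
    parent_image: str          # executable that started it
    parent_command_line: str   # parent's command line

# T1016 indicators cited in the article: "ipconfig /all" and the
# Get-NetIPConfiguration cmdlet, which yields the same information.
DISCOVERY_PATTERNS = [
    (re.compile(r"\bipconfig(\.exe)?\s+/all\b", re.I), "ipconfig /all"),
    (re.compile(r"\bGet-NetIPConfiguration\b", re.I), "Get-NetIPConfiguration"),
]

# Known-good context: a .bat logon script served from the Netlogon share.
# The UNC path shape is a placeholder; adapt it to your own domain layout.
NETLOGON_BAT = re.compile(r"\\\\[^\\]+\\netlogon\\[^\s]*\.bat\b", re.I)

# Parents that host scheduled tasks (hypothetical list; tune to your OS versions).
SCHEDULED_TASK_PARENTS = {"taskeng.exe", "svchost.exe"}
SYSTEM_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM"}

def match_discovery(event):
    """Return the indicator name if the event shows T1016 behaviour, else None."""
    text = f"{event.image} {event.command_line}"
    for pattern, name in DISCOVERY_PATTERNS:
        if pattern.search(text):
            return name
    return None

def triage(event):
    """Decide what to do with an event from its context, not the command alone.

    Returns (verdict, reason) where verdict is one of:
      'ignore'   - no network-configuration discovery seen
      'suppress' - discovery, but from a Netlogon .bat script (expected noise)
      'alert'    - discovery as SYSTEM from a scheduled task (the APT pattern above)
      'review'   - discovery in a context that is neither known-good nor known-bad
    """
    indicator = match_discovery(event)
    if indicator is None:
        return ("ignore", "no network-configuration discovery")
    if NETLOGON_BAT.search(event.parent_command_line):
        return ("suppress", f"{indicator} launched by a Netlogon logon script")
    if (event.user.upper() in SYSTEM_ACCOUNTS
            and event.parent_image.lower() in SCHEDULED_TASK_PARENTS):
        return ("alert", f"T1016: {indicator} run as SYSTEM from a scheduled task")
    return ("review", f"T1016: {indicator} in an unclassified context")

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("ipconfig.exe", "ipconfig /all", r"CORP\jdoe", "cmd.exe",
                 r"cmd.exe /c \\dc01.corp.example\netlogon\inventory.bat"),
    ProcessEvent("ipconfig.exe", "ipconfig /all", "SYSTEM", "taskeng.exe",
                 "taskeng.exe {placeholder-task-guid}"),
    ProcessEvent("powershell.exe", "powershell.exe -Command Get-NetIPConfiguration",
                 r"CORP\admin", "explorer.exe", "explorer.exe"),
    ProcessEvent("notepad.exe", "notepad.exe notes.txt", r"CORP\jdoe",
                 "explorer.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict, reason = triage(ev)
        print(f"{verdict:8} {ev.image:15} {reason}")
```

The point of the split into four verdicts is that the allow-list and the escalation rule are both expressed as context (parent, user), so the same indicator can be silenced in one network and escalated in another without touching the pattern itself.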
In recent years, there has been a huge focus on EDR to support EPP. Then, everyone realized that even that would not be enough, and that we would need to go even further, hunting for attacks via XDR.
As a matter of fact, there are still many organizations that cannot easily deploy EDR agents, in SCADA/ICS environments for example. Imagine instead using a sniffer-type solution to watch over the Windows hosts that are potential victims. TEHTRIS NTA enables you to watch the incoming and outgoing flows. That’s the power of XDR, bringing together sources that are natively able to work together: systems, networks, the cloud and so on.
With TEHTRIS NTA, once an offensive communication channel has been detected, we are indeed able to react at the network level, which is very practical when nobody is supposed to be connecting remotely in that way.
For example, if we have TCP cleartext streams that contain “stdapi_net_config_get_interfaces” from a Meterpreter, or a stream that contains “Windows IP Configuration” but also “Ethernet adapter Local Area Connection”, we might think about a T1016 type usage.
The combination of the sensors of an XDR platform makes it possible to be completely in line with reality on any infrastructure.
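The network-side check just described, as an added example that is not TEHTRIS NTA code: the payload segments of one direction of a TCP stream are reassembled and then searched for the cleartext markers quoted above. It generalises the adapter string slightly, matching any “Ethernet adapter …” line rather than only “Local Area Connection”, and it requires both the header and an adapter line before flagging ipconfig output. The sample streams are constructed, and the bytes around the Meterpreter marker are a placeholder, not real TLV framing.

```python
import re

# Cleartext markers quoted in the article. Payloads are bytes, so the
# patterns are bytes too; matching is deliberately case-sensitive.
METERPRETER_GET_INTERFACES = b"stdapi_net_config_get_interfaces"
IPCONFIG_HEADER = b"Windows IP Configuration"
# The article cites "Ethernet adapter Local Area Connection"; this matches any
# adapter name so that renamed interfaces are caught too (a generalisation).
IPCONFIG_ADAPTER = re.compile(rb"Ethernet adapter [^\r\n]+")

def inspect_stream(segments):
    """Inspect one reassembled TCP stream for T1016-style discovery in cleartext.

    `segments` is the ordered list of payload chunks of one direction of the
    stream. They are joined first so that a marker split across two packets
    is still found. Returns a list of (technique, reason) findings.
    """
    payload = b"".join(segments)
    findings = []
    if METERPRETER_GET_INTERFACES in payload:
        findings.append(("T1016", "Meterpreter stdapi_net_config_get_interfaces request"))
    # Only flag ipconfig output when both the header and an adapter line are
    # present; the header alone is too weak a signal.
    if IPCONFIG_HEADER in payload:
        adapter = IPCONFIG_ADAPTER.search(payload)
        if adapter:
            findings.append(("T1016", "ipconfig output in cleartext: "
                             + adapter.group(0).decode("ascii", "replace")))
    return findings

# Constructed sample streams (no real captures).
SAMPLE_STREAMS = {
    # ipconfig output whose header is split across two TCP segments
    "split_ipconfig": [
        b"\r\nWindows IP Con",
        b"figuration\r\n\r\n\r\nEthernet adapter Local Area Connection:\r\n\r\n"
        b"   IPv4 Address. . . . . . . . . . . : 10.0.0.5\r\n",
    ],
    # header only, e.g. a documentation page being downloaded
    "header_only": [b"The command prints 'Windows IP Configuration' first.\r\n"],
    # Meterpreter request over plain TCP (surrounding bytes are a placeholder)
    "meterpreter": [b"\x00\x00\x00\x40" + METERPRETER_GET_INTERFACES + b"\x00"],
    "benign": [b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"],
}

if __name__ == "__main__":
    for name, segs in SAMPLE_STREAMS.items():
        print(f"{name:15} {inspect_stream(segs)}")
```

Reassembling before matching is the part that matters in practice: a per-packet scan would miss the header in the “split_ipconfig” stream, and the finding carries the adapter line so the analyst sees which host produced the output.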
At TEHTRIS, we use MITRE ATT&CK internally for all components of the TEHTRIS XDR Platform, so that all data sources can quickly indicate which technique is being used when an alert comes up from the field.
MITRE ATT&CK can also be used to study attack simulations, for example to observe how TEHTRIS EDR will react to a known APT-XX. We can simulate offensive test operations against our products, in quality test mode, or to check for deviations from defensive targets.
Finally, we discuss internally with certain clients and partners whether or not it is appropriate to raise certain points, depending on the local environment, and above all to what extent this information should be reported.
In conclusion, MITRE ATT&CK allows you to structure what you want to observe, how and why you want it, with real possibilities for optimization. In the examples above, we focused on what might appear to be basic techniques.
However, some of them have been used against very stealthy advanced APT groups, and that is also the advantage of an XDR platform. Once you have understood the profile of the attackers, as proposed in the technical intelligence section of MITRE ATT&CK, even across a large estate you can set up specific rules to detect some behaviors at the slightest movement.
Once “burned”, the offensive hackers’ teams would almost have to resign, because they become too visible. With all our captures over the last few years, we’ve got some pretty good predictive models.
Thus, we believe that each environment needs an initial phase where one chooses how to configure its sensors, whether they are in systems (EDR, EPP), on events and logs (SIEM), or linked to network stimuli (honeypots, NTA).