Intelligent CISO Issue 10 | Page 68

Decrypting myths

Tim Bandos, VP of Cyber Security, Digital Guardian

What are the tactics and techniques of the Enterprise ATT&CK framework?

The Enterprise ATT&CK framework consists of 11 core tactics. These tactics are considered the ‘why’ part of the ATT&CK equation, focusing on what objective the attacker wanted to achieve with the compromise. These 11 tactics are as follows:

1. Initial access
2. Execution
3. Persistence
4. Privilege escalation
5. Defence evasion
6. Credential access
7. Discovery
8. Lateral movement
9. Collection
10. Exfiltration
11. Command and control

Under each tactic, the framework contains a wide array of techniques that have been used by malware or threat actor groups in successful compromises. These techniques are thought of as the ‘how’ part of ATT&CK: how are attackers escalating privileges? How are adversaries exfiltrating data?

‘The aim of the framework is to improve an enterprise’s post-compromise threat detection capabilities by highlighting the actions attackers may have taken.’

While there are only 11 tactics in the Enterprise ATT&CK framework, there are 291 techniques and counting, which are best visualised via MITRE’s ATT&CK Navigator. This open source web app allows for basic navigation and annotation of all of the framework’s matrices. Each technique contains contextual information such as:

• What permissions are required for the technique to be successful?
• What platform is the technique commonly seen on?
• How to detect the commands and processes the technique is used in

For example, it’s not uncommon for attackers to move laterally through networks with legitimate Windows tools like Windows Management Instrumentation (WMI). A strain of the ransomware Petya leveraged WMI (along with PsExec, EternalBlue, and EternalRomance) to spread laterally in 2017.
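The technique entry for WMI points a threat hunter at two signals: WMI connections on the network, and WMI use on hosts that don’t normally use it. As an added illustration (not from the article, nor from MITRE), the check below turns those two hints into a small correlation over process-creation and flow telemetry. The host names, the baseline set and the sample events are all constructed; the WmiPrvSE.exe parent process and the TCP/135 endpoint-mapper connection are the assumed indicators of remote WMI execution.

```python
# Hosts where WMI-based administration is expected. Constructed baseline;
# in practice this comes from historical telemetry, not a hand-written set.
WMI_BASELINE_HOSTS = {"mgmt01"}

WMI_HOST_PROCESS = "wmiprvse.exe"   # WMI Provider Host: parent of remotely executed commands
RPC_EPM_PORT = 135                  # DCOM/WMI sessions start at the RPC endpoint mapper

# Constructed sample telemetry, not real logs.
PROCESS_EVENTS = [
    {"host": "mgmt01",     "parent": "WmiPrvSE.exe", "image": "powershell.exe"},
    {"host": "fileserv02", "parent": "explorer.exe", "image": "notepad.exe"},
    {"host": "fileserv02", "parent": "WmiPrvSE.exe", "image": "cmd.exe"},
    {"host": "hr-ws17",    "parent": "WmiPrvSE.exe", "image": "powershell.exe"},
]
NETWORK_EVENTS = [
    {"src": "mgmt01",  "dst": "fileserv02", "dport": 135},
    {"src": "hr-ws17", "dst": "fileserv02", "dport": 135},
    {"src": "hr-ws17", "dst": "fileserv02", "dport": 445},
]


def wmi_spawned_processes(events, baseline=WMI_BASELINE_HOSTS):
    """(host, image) pairs where the WMI provider host spawned a process
    on a host outside the WMI baseline: 'WMI where it is not normally used'."""
    return [(e["host"], e["image"]) for e in events
            if e["parent"].lower() == WMI_HOST_PROCESS and e["host"] not in baseline]


def unexpected_wmi_connections(events, baseline=WMI_BASELINE_HOSTS):
    """(src, dst) pairs for endpoint-mapper connections from hosts that are not
    known WMI administration sources. Port 135 alone is a weak signal (many RPC
    services use it), so it is best used together with the process check."""
    return [(e["src"], e["dst"]) for e in events
            if e["dport"] == RPC_EPM_PORT and e["src"] not in baseline]


def correlate(process_events, network_events, baseline=WMI_BASELINE_HOSTS):
    """Hosts that both received an unexpected WMI connection and had WMI spawn
    a process: the combination the technique's detection notes describe."""
    targets = {dst for _, dst in unexpected_wmi_connections(network_events, baseline)}
    spawned = {host for host, _ in wmi_spawned_processes(process_events, baseline)}
    return sorted(targets & spawned)


if __name__ == "__main__":
    print("WMI-spawned processes off-baseline:", wmi_spawned_processes(PROCESS_EVENTS))
    print("Unexpected WMI connections:", unexpected_wmi_connections(NETWORK_EVENTS))
    print("Likely WMI lateral-movement targets:", correlate(PROCESS_EVENTS, NETWORK_EVENTS))
```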
Using the ATT&CK framework, a threat hunter could look at the relationships between techniques such as WMI, which can be used both to gather data for discovery and to execute files as part of lateral movement. By skimming down to the ‘detection’ section of the technique, a threat hunter can also learn that monitoring network traffic for WMI connections, and looking for WMI usage in environments that don’t typically use it, can both help identify the technique.

What are the procedures of the ATT&CK framework?

In the context of the ATT&CK framework, a procedure describes the way adversaries have implemented a technique in the past, which can be very