Cybersecurity

Understanding MITRE Frameworks ATT&CK and D3FEND

What Is MITRE ATT&CK?

The MITRE ATT&CK framework provides comprehensive information for organizations looking to defend against cyberthreats and beef up their cybersecurity strategies. The acronym ATT&CK, according to TechTarget, stands for Adversarial Tactics, Techniques, and Common Knowledge.

This framework and knowledgebase are used to evaluate common cyber adversary behavior and categorize the phases of an adversary’s attack lifecycle and preferred platform targets. The ATT&CK framework also provides a taxonomy related to adversary tactics and techniques from both an offensive and defensive viewpoint.

Essentially, ATT&CK focuses on how adversaries breach and infiltrate various types of computer information systems and communication networks. Originally a project to systematically categorize adversary behavior against Microsoft Windows systems, the framework has grown to include multiple systems, such as Linux and macOS, alongside varying environments, such as mobile devices, cloud-based systems, and industrial control systems. According to MITRE themselves, the ATT&CK behavioral model consists of the following core components:

  • “Tactics, denoting short-term, tactical adversary goals during an attack;
  • Techniques, describing how adversaries achieve tactical goals;
  • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and
  • Documented adversary usage of techniques, their procedures, and other metadata.”

These tactics and techniques, as well as their relationships to one another, are visualized as the ATT&CK Matrix.

What is the MITRE ATT&CK Matrix?

The MITRE ATT&CK Matrix is a way to visualize phases in the attack chain from entry or “Initial Access” to an outcome or “Impact,” as well as to explore the tactics and techniques associated with each phase. MITRE themselves claim their ATT&CK matrices visualize the relationship between tactics, techniques, and sub-techniques. For example, the ATT&CK Matrix for Enterprise appears so:

Image Source: https://www.mitre.org/sites/default/files/2021-11/prs-19-01075-28-mitre-attack-design-and-philosophy.pdf

Under the column for “Credential Access,” for example, the potential tactics used to achieve this objective are listed, and include “brute force,” “man-in-the-middle,” and “unsecured credentials.” Essentially, this column tries to explain all of the tactics and techniques that an adversary could use to execute an effective account takeover.

How many tactics are covered in the MITRE ATT&CK Matrix?

There are 12 tactics/objectives covered by the Enterprise ATT&CK Matrix:

  1. Initial Access: This is when adversaries first attempt to enter your systems.
  2. Execution: The adversary will run some kind of malicious code, like ransomware.
  3. Persistence: Once in your system, adversaries work to remain there by disabling or altering code meant to shut them out.
  4. Privilege Escalation: When adversaries breach your system, they may only have low-level access; they will try to gain higher-level access by escalating the compromised user account’s privileges.
  5. Defense Evasion: Malware and suspicious behavior can be masked and hidden in trusted processes, representing one way adversaries evade defenses.
  6. Credential Access: Whether through technological means or social engineering, adversaries try to gain usernames and passwords to breach the system.
  7. Discovery: Adversaries attempt to peruse target networks and systems in the same way a cat burglar might scope a building for access and loot.
  8. Lateral Movement: If an adversary gets ahold of the right credentials, they may be able to move through multiple systems and environments in your organization.
  9. Collection: Data scraping and collection by the adversary might include personal or private information or secondary data to help complete the adversary’s goal.
  10. Command and Control: This is when an adversary communicates with a target system to control that system.
  11. Exfiltration: After collecting data, an adversary will likely move it to a secure location for them. This is the stealing of data.
  12. Impact: This is the theft, manipulation, or destruction of systems and data.

Some of these techniques contain sub-techniques, helping to explain in greater detail how adversaries achieve their objectives.

What Is MITRE D3FEND?

The MITRE D3FEND framework is based on and works as a partner to ATT&CK tactics and frameworks and focuses solely on defensive countermeasures and prevention solutions. Funded by the NSA, D3FEND is also presented as a matrix that mirrors ATT&CK to a certain extent. It presents defensive tactics and techniques based on common MITRE ATT&CK tactics, including:

  • Harden: Further split into four sub-categories that include application, credential, message, and platform hardening, these represent techniques that further secure your systems against intrusion and brute force attacks, such as “Dead Code Elimination” in your applications or “Biometric Authentication” for credentials.
  • Detect: Detection is split into sub-categories that include analysis of files, messages, identifiers, network traffic, processes, user behavior, and platform monitoring. As the name would suggest, these are techniques used to detect breaches and suspicious behavior both as they occur and after the fact.
  • Isolate: Execution isolation and network isolation are countermeasure tactics that aim to eliminate and mitigate the number of potential attack vectors in a network or system. Techniques here include “IO Port Restriction” and “Encrypted Tunnels.”
  • Deceive: The tactic of deception in cybersecurity defense revolves around decoy objects or environments made to look like the real deal. Colloquially called “honey pots,” MITRE suggests decoy files and network resources as defensive techniques, as well as connected, integrated, and standalone honeynet environments.
  • Evict: The smallest part of the D3FEND matrix and split into subcategories “Credential Eviction” and “Process Eviction,” this tactic is concerned with ending rogue processes once identified and locking intruder accounts.

Each of the defensive techniques found in the D3FEND matrix contains a summary and cross-references the specific ATT&CK-based tactics and techniques it is meant to defend against.

FAQs

How many MITRE ATT&CK Matrices exist?

There are three ATT&CK matrices in total:

  • Enterprise: The MITRE ATT&CK Matrix for Enterprise contains information involving Windows, macOS, Linux, PRE, Azure AD, Office 365, Google Workspace, SaaS, IaaS, Network, and Containers.
  • Mobile: The MITRE ATT&CK Matrix for Mobile cover techniques involving Android and iOS devices, as well as network-based effects.  
  • ICS: The MITRE ATT&CK Matrix for ICS is meant to cover industrial process controls and their associated systems.

The MITRE ATT&CK for Enterprise Matrix includes a subsection called the MITRE ATT&CK for Cloud Matrix. While adversary behavior that affects Windows, Linux, and macOS systems usually involves malware and attacks on the target organization’s systems through vectors that said organization controls, this isn’t always the case for third-party cloud systems and other enterprise cloud environments.

The MITRE ATT&CK for Cloud Matrix differs because an adversary’s tactics in the cloud environment differ. The targeted platforms might include Amazon Web Services, Office 365, or Azure, for example. Attackers will generally work within the cloud service provider’s environment to achieve their objectives, using techniques specific to that environment to achieve many of the same objectives covered in the Enterprise Matrix. Organizations at the enterprise level would do well to include a threat detection and response solution for hybrid and cloud environments if they’re working with third-party CSP or SaaS providers.

Who Is the MITRE Corporation?

The MITRE Corporation (pronounced “might-er”) is a not-for-profit with dual headquarters in the U.S. — one in Bedford, Massachusetts, and the other in McLean, Virginia. Founded in 1958, MITRE has become a powerhouse in advancing national and public security in the cyber realm.

How MITRE Develops the ATT&CK and D3FEND Frameworks

In a Medium article on the philosophy of ATT&CK, Blake Storm mentions that “the space of possible techniques that adversaries can use is huge… scaling that down and focusing in on empirically documented threat activity happening in the wild is a useful way to prioritize what to tackle first, and that serves as the core influence driving the types of information within ATT&CK.”

As such, it’s easy to see how the ATT&CK and D3FEND frameworks were developed in a way very similar to how traditional antivirus software works. Drawing upon information sources such as threat intelligence reports, conference presentations, webinars, social media, and blogs among others. The most common adversarial tactics and techniques are then prioritized and documented on the ATT&CK side, while countermeasures would be drawn up for D3FEND.

How Is the ATT&CK Framework Used?

Organizations can use the ATT&CK framework to inform their own cybersecurity operations. MITRE presents multiple organizational use cases, including:

  • Detection and Analytics: Network detection and response solutions generally rely on machine learning and artificial intelligence to detect and respond to cyberthreats and fishy behavior. These AI-based systems can reference and learn from the ATT&CK framework for high precision.
  • Threat Intelligence: ATT&CK provides a common language that allows organizations to “structure, compare, and analyze threat intelligence.” As such, ATT&CK can be used to help analyze information about the cyberthreat landscape and inform decisions based on that analysis.
  • Adversary Emulation and Red Team Training: In much the same way the military runs war games, organizations will sometimes rely on red teams, or a group authorized to emulate adversary attack capabilities. Relying on the ATT&CK framework can help these teams provide up-to-date and useful penetration testing and adversary emulation.
  • Assessment and Engineering: Those who are familiar with the ATT&CK framework and are up on current threats can make better decisions on an organization’s current capabilities and solution needs. For example, Vectra leverages MITRE ATT&CK to help decide which threat detections to build.

ATT&CK, while effective on its own, can be even more useful alongside the D3FEND framework.

How Are the ATT&CK and D3FEND Frameworks Used Together?

ATT&CK and D3FEND are alike in that they aim to provide a standard vocabulary for cybersecurity tactics, techniques, and countermeasures. The ability to understand threats and countermeasures in detail helps decision-makers keep abreast of the most pertinent threats in today’s cyberlandscape, identify strategic weak points in their current systems, and compare the risks of a breach to the costs of countermeasure deployment.

Let’s take one of the biggest and most financially devastating threats from the last few years: ransomware. According to MITRE ATT&CK framework, this technique is known as “Data Encrypted for Impact” denoted with the ID: T1486. Threat intelligence reports would have already alerted many organizations to this cyberthreat and they might turn to countermeasures to prevent this tactic. These D3FEND countermeasures might include organization-wide “File Analysis” denoted by ID: D3-FA or “Executable Denylisting” denoted by ID: D3-EDL.

Once these security measures are put in place, an organization can then engage in red teaming to determine how well the countermeasures hold up. After assessing how well their systems work, they can engineer new, more effective solutions, contributing to a more secure world for both clients and consumers alike.

Interested in learning more about Cybersecurity?