Deep dive into MITRE ATT&CK Framework

In this article, we will take an in-depth look at every aspect of MITRE ATT&CK in detail. We’ll also check out the Python SDK provided by MITRE, which enables scripting while leveraging the framework.

MITRE ATT&CK: Framework with many facets

If you are even a little bit familiar with the threat intelligence field, you must have heard about MITRE and its ATT&CK framework.

It is an extensive knowledge base that focuses on numerous tactics and methodologies that adversaries use to carry out attacks.

Interestingly enough, these metrics are based on an analysis of attacks that have taken place in the real world, making the data more credible.

The framework is divided into tactics, techniques, and sub-techniques.

Tactics, Techniques, and Sub-techniques

Tactics

In MITRE’s own words, tactics represent the why behind the actions of an attacker. Simply put, tactics define the motive.

Let’s use an example

An attacker performs phishing on an employee of ABC Corporation to gain initial access to their system. The initial access is the why, and phishing is the how, i.e., the action performed to achieve the why. Initial access is one of the 14 tactics defined in the Enterprise section of the framework.

Some other tactics worth mentioning are:

• Execution

• Persistence

• Privilege escalation

• Lateral movement
  
  

The names are pretty self-explanatory, digging deeper into that specific step of the complete attack process.

Privilege escalation is how higher-level permissions are gained. Lateral movement explains how attackers pivot to different systems within a network.

Techniques

In our previous example of phishing to gain initial access, this is only one way. There could be multiple.

These are defined as techniques in the MITRE ATT&CK framework. The approach that is taken by an attacker to successfully achieve one of the tactics turns these techniques into the how.

Continuing the example

The framework defines that initial access can be attained by numerous techniques. This includes exploiting a public-facing application, compromising accounts, compromising supply chain modules, etc.

Sub-techniques

We know the attacker used phishing to gain initial access.

We can go further in defining the nature of the phishing technique here. It could be spearphishing, whether through an email attachment, a malicious link, or a malicious service.

These are called sub-techniques, which further explain and explore the nature of the attack. There is one catch here: not every technique has a sub-technique attached to it. This could be because some of them might not have further classifications worth noting.

Let’s take another example of supply chain attacks.

When adversaries tinker with development infrastructure (code, dependencies, tools, software, etc.), the malicious changes, if unnoticed, get propagated to whoever is using the end product, resulting in the compromise of the “supply chain”. But what is the end goal of an adversary here?

Initial access into the systems of whoever is using the infected software (remember the havoc Solarwinds attacks created). So this lets us conclude that to gain initial access, the attacker used the supply chain compromise technique.

Tactics, techniques, and sub-techniques make up the core of the ATT&CK framework, allowing a better understanding of an attacker’s methodology and its correlation with real-world events a security professional might witness.

Different tactics come under three main categories: enterprise, mobile, and ICS (industrial control systems). The nature of techniques changes depending on which category they belong to. It goes even further.

There is a collection of known APTs/groups which are then related to the techniques they use and the malicious software used to carry out these techniques. This gives the defender an upper hand as it makes it possible, to an extent, based on collected evidence in the case of a cyberattack, to determine the motives and next action of the threat actor.

The MITRE ATT&CK framework can be plugged into the existing security infrastructure of an organization. To perform such a seamless connection, most of the time an API SDK is required, and MITRE ATT&CK provides exactly that.

MITRE ATT&CK: Python API

In order to work with the ATT&CK framework and the related matrices, MITRE already provides a web application called ATT&CK Navigator, where you can play around with the framework and make it suitable for use as per your requirements.

To work with Navigator and its layers through scripting, there is a Python API for it as well. The API is split into four main parts:

• Navlayers: This module allows you to mimic the layer behavior of the Navigator web app, including import, export, and the ability to make changes to their layers.
  
  

• AttackToExcel: This functionality brings the complete MITRE ATT&CK dataset to your system, allowing you to convert them to Excel Spreadsheets or export the dataset as DataFrames (a Panda filetype) to work with the data programmatically.
  
  

• Collections: This allows you to create collections from data that you work with. You can also create collection indexes.
  
  

• DiffStix: Distinguish two different versions of ATT&CK framework content, in STIX2 bundles.
  
  

Let’s take a look at a few examples. The below code snippet lets you hold the entire framework data in a single variable:

import mitreattack.attackToExcel.attackToExcel as aTE
import mitreattack.attackToExcel.stixToDf as sTDf
attackData =aTE.get_stix_data("enterprise-attack")
techniquesData = sTD.techniquesToDf(attackdata, "enterprise-attack")

techniquesData stores the data in a dictionary format with the following keys:

techniquesData.keys():
-> dict_keys(['techniques', 'procedure examples', 'associated mitigations', 'citations'])

The data inside this dictionary is stored as DataFrames, as seen in the image below:

You can store these DataFrames as dictionaries to make working with them easier.

techniquesData['techniques'].to_dict().keys():
-> dict_keys(['ID', 'name', 'description', 'url', 'created', 'last modified', 'version', 'tactics', 'detection', 'platforms', 'data sources', 'is sub-technique', 'sub-technique of', 'defenses bypassed', 'contributors', 'permissions required', 'supports remote', 'system requirements', 'CAPEC ID', 'impact type', 'effective permissions', 'relationship citations'])

Now you have a strong resource collection of the ATT&CK framework inside a single variable! Play around with the Python SDK and check out their Github repo for further material.

MITRE TAXII Server

We mentioned “STIX2” while discussing the Python API for MITRE ATT&CK and probably left you confused!
So what is STIX?

In layman's terms, it is a standardized way of sharing threat intelligence. Structured Threat Information eXpression, or STIX, was developed by MITRE and the OASIS Committee in a collaborative effort.

STIX is a way to share threat intelligence in a machine-readable form that allows programmatic use.

Standardized information needs standardized transportation. That’s where TAXII comes into play.

Trusted Automated eXchange of Intelligence Information

The Trusted Automated eXchange of Intelligence Information, or TAXII, defines how threat intelligence will be shared among different organizations and communities. It is made specifically to work with the STIX standard.

One thing to keep in mind when it comes to threat intelligence is that sharing is of the utmost importance. If one organization faces an attack and shares the intelligence collected during this attack with other organizations, it can benefit from it and take proactive measures rather than reactive ones.

MITRE has its own TAXII server that can be leveraged to pull threat intelligence data from the ATT&CK database. It follows the TAXII 2.0 and STIX 2.0 specifications.

Covering the complete TAXII is beyond the scope of this article. However, this section was intended as an introduction to this interesting subsection of threat intelligence.

Concluding Remarks

The MITRE ATT&CK framework is an essential tool in any blue team’s arsenal, as it can result in a better defensive security posture. The MITRE organization is continuously making efforts to improve ATT&CK. Therefore, they recently showcased their new framework, D3FEND, which is focused on mitigation techniques.

ATT&CK and D3FEND encompass a large portion of the security industry and can prove crucial to your organization's security infrastructure.

We encourage you to get your hands dirty and play around with these frameworks, which will deepen your understanding further.