Nov 09, 2022 By Priyanka Tomar

MITRE ATT&CK Framework | Why do we use MITRE ATT&CK

MITRE is a US-based not-for-profit organization that manages federally funded research and development centers. It supports U.S. government agencies' research projects in aviation, defense, healthcare, homeland security, cyber security and other areas. It has developed MITRE ATT&CK, an open knowledge base framework for assessing the security of an enterprise and helping security professionals, organizations and enterprises.

This framework has added tremendous value to the cyber security domain because earlier, attack information was restricted to government organizations or contained within only a few organizations. Now that information is open to the public for wider use, such as research and the development of proactive defensive mechanisms.

After breaching an organization, threat actors lurk on the network for months before being detected. Therefore, investigators need to know:

  • How the attackers got in
  • The path they followed
  • Their lateral movement
  • What they were doing
  • What their objective was, etc.

Now the question arises: how do we investigate the breach, what can be done proactively so that data breaches or cyber-attacks are minimized or at least cause minimal harm, and how do we search for vulnerabilities? Let's cover the basics of MITRE ATT&CK and understand how it helps.

MITRE ATT&CK provides deep insights into attacks and attacker behavior. This framework is a wonderful library of the variety of malicious behavior, i.e. tactics, techniques, procedures and common knowledge (TTP and CK). Because it is a comprehensive knowledge base of Cyber Threat Intelligence (CTI), it provides actionable information. This framework documents attacker methodologies and goals, along with protection against many aspects of real-world cyberattacks.

In MITRE ATT&CK, ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge.

Adversarial refers to attackers, who are also known as adversaries, threat actors or hackers.

Tactics are the exploits that attackers use. Examples of tactics are defense evasion, lateral movement and exfiltration.

The MITRE ATT&CK techniques describe how threat actors use those exploits. Within each tactic category, each technique describes a path an adversary may follow to achieve its objective. There are multiple techniques within each tactic because attackers use different methods depending on their expertise and the opportunities available to them. Here, availability of opportunities means the tools available to an attacker within the network, or how systems within the network are misconfigured.

Each technique entry includes a description of the method used by the attacker, the systems or platforms it applies to, and whether any adversary group has been observed using the technique. Techniques also describe ways to mitigate the behavior, along with published references to the technique being deployed.

CK stands for common knowledge because it is a collection of data, information and reports. Researchers and users submit this data to MITRE, which organizes it according to the behaviour of threat actors and attacks.

MITRE ATT&CK helps in managing the Common Vulnerabilities and Exposures (CVE) list. It provides complete information about reconnaissance, how attackers got in (for example via malware or a phishing attempt) and what they did after getting into the network, such as privilege escalation, lateral movement, exfiltration and how they evaded your defences.

Since MITRE ATT&CK is based on real-world observations, it allows you to correlate specific adversaries with the techniques they have used. Because adversaries often use different techniques to attack different platforms and technologies, MITRE ATT&CK is divided into a series of technology domains. Domains currently covered include the Windows, macOS and Linux operating systems, enterprise networks and mobile devices running Android and iOS.

MITRE ATT&CK is used to create simulations in the environment and test security in order to gauge defensive capabilities, conduct cyber security gap analysis and proactive cyber threat intelligence, and support budget planning. It helps find vulnerabilities on the network and mobile devices and also helps in managing assets. Mitigation becomes easier because if you know the possible attacks, you can build a more efficient and realistic threat model. It is very useful if you want to protect web applications and infrastructure as a service (IaaS).
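As an added example (not part of the original post or of MITRE's own tooling), the following shows how a defender can pull the pieces of a technique entry described above (description, platforms, groups and mitigations) out of the data MITRE publishes and run the per-platform gap analysis just mentioned. It assumes the STIX 2.1 JSON bundle shape in which ATT&CK is distributed (attack-pattern, course-of-action, intrusion-set and relationship objects); the bundle below is a constructed, minimal sample, not a real download.

```python
import json

# Constructed sample bundle in the STIX 2.1 shape ATT&CK uses (attack-pattern = technique,
# course-of-action = mitigation, intrusion-set = group); not a real ATT&CK download.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--sample", "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--a", "name": "Remote Services",
     "description": "Adversaries may use valid accounts to log into remote services.",
     "x_mitre_platforms": ["Windows", "Linux", "macOS"],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "lateral-movement"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1021"}]},
    {"type": "attack-pattern", "id": "attack-pattern--b", "name": "Phishing",
     "description": "Adversaries may send phishing messages to gain access to victim systems.",
     "x_mitre_platforms": ["Windows", "Linux", "macOS", "Office 365"],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
    {"type": "course-of-action", "id": "course-of-action--c", "name": "Multi-factor Authentication"},
    {"type": "intrusion-set", "id": "intrusion-set--d", "name": "APT29"},
    {"type": "relationship", "id": "relationship--e", "relationship_type": "mitigates",
     "source_ref": "course-of-action--c", "target_ref": "attack-pattern--a"},
    {"type": "relationship", "id": "relationship--f", "relationship_type": "uses",
     "source_ref": "intrusion-set--d", "target_ref": "attack-pattern--b"}]})


def load_techniques(bundle_json):
    """Index techniques by ATT&CK id, resolving tactic, platforms, groups and mitigations."""
    objs = json.loads(bundle_json)["objects"]
    names = {o["id"]: o.get("name") for o in objs}
    techs = {}
    for o in objs:
        if o["type"] == "attack-pattern":
            ref = next(r for r in o["external_references"] if r["source_name"] == "mitre-attack")
            techs[o["id"]] = {
                "id": ref["external_id"], "name": o["name"], "description": o["description"],
                "tactics": [p["phase_name"] for p in o["kill_chain_phases"]
                            if p["kill_chain_name"] == "mitre-attack"],
                "platforms": list(o.get("x_mitre_platforms", [])), "groups": [], "mitigations": []}
    # Groups and mitigations are separate objects, joined to techniques by relationship objects.
    for rel in objs:
        tech = techs.get(rel.get("target_ref"))
        key = {"mitigates": "mitigations", "uses": "groups"}.get(rel.get("relationship_type"))
        if rel["type"] == "relationship" and tech is not None and key:
            tech[key].append(names[rel["source_ref"]])
    return {t["id"]: t for t in techs.values()}


def coverage_gaps(techs, platform, covered_ids):
    """Gap analysis: techniques applicable to `platform` with no control mapped, grouped by tactic."""
    gaps = {}
    for t in techs.values():
        if platform in t["platforms"] and t["id"] not in covered_ids:
            for tactic in t["tactics"]:
                gaps.setdefault(tactic, []).append(t["id"])
    return gaps
```

Against a real bundle, `covered_ids` would be the technique ids your detections and controls already map to, and the result is the list of uncovered cells in the matrix for that platform.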