decrypting myths
What are the tactics and techniques of the Enterprise ATT&CK framework?

The Enterprise ATT&CK framework consists of 11 core tactics. These tactics are considered the ‘why’ part of the ATT&CK equation, focusing on what objective the attacker wanted to achieve with the compromise.
These 11 tactics are as follows:

1. Initial access
2. Execution
3. Persistence
4. Privilege escalation
5. Defence evasion
6. Credential access
7. Discovery
8. Lateral movement
9. Collection
10. Exfiltration
11. Command and control
Under each tactic, the framework contains a wide array of cybertechniques that have been used by malware or threat actor groups in successful compromises. These techniques are thought of as the ‘how’ part of ATT&CK, i.e. how are attackers escalating privileges? How are adversaries exfiltrating data?

‘The aim of the framework is to improve an enterprise’s post-compromise threat detection capabilities by highlighting the actions attackers may have taken.’
Tim Bandos, VP of Cyber Security, Digital Guardian
While there are only 11 tactics in the Enterprise ATT&CK framework, there are 291 techniques and counting, which are best visualised via MITRE’s ATT&CK Navigator. This open source web app allows for basic navigation and annotation of all of the framework’s matrices.
Each technique contains contextual information such as:

• What permissions are required for the technique to be successful?
• What platform is the technique commonly seen on?
• How to detect the technique, including the commands and processes it is used in
For example, it’s not uncommon for attackers to move laterally through networks with legitimate Windows tools like Windows Management Instrumentation (WMI). A strain of the ransomware Petya leveraged WMI (along with PsExec, EternalBlue, and EternalRomance) to spread laterally in 2017.
Using the ATT&CK framework, a threat hunter could look at relationships between techniques like WMI that could be used to gather data for the discovery and execution of files through lateral movement. By skimming down to the ‘detection’ section of the technique, a threat hunter can also learn that monitoring network traffic for WMI connections and looking for WMI usage in environments that don’t typically use it can both help identify the technique.
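The two detection ideas just quoted (WMI connections on the wire, and WMI use on hosts that do not normally use it) can be turned into a simple baseline check. The script below is an added illustration, not code from the article or from MITRE: the log format, hostnames, the ‘admin-ws01’ baseline and the sample events are all constructed for the example. It treats TCP port 135 (the RPC endpoint mapper that a remote WMI session begins with) as the network signal, and a WMI process (wmic.exe or the WMI provider host WmiPrvSE.exe) spawning a child process as the host signal, and reports only what falls outside the expected-hosts baseline.

```python
"""Baseline-based spotting of unexpected WMI activity (added example, not from the article)."""
from collections import defaultdict

# Constructed process-creation events: host, parent process, child process, user.
# The key=value format and the hostnames are assumptions for this example only.
SAMPLE_PROCESS_EVENTS = [
    "host=admin-ws01 parent=wmic.exe child=cmd.exe user=it-admin",
    "host=finance-ws07 parent=WmiPrvSE.exe child=powershell.exe user=jsmith",
    "host=finance-ws07 parent=explorer.exe child=excel.exe user=jsmith",
    "host=hr-ws03 parent=WmiPrvSE.exe child=cmd.exe user=hr-user",
    "host=admin-ws01 parent=WmiPrvSE.exe child=powershell.exe user=it-admin",
]

# Constructed network flows: source host, destination host, destination port.
# Remote WMI starts with an RPC endpoint-mapper connection on TCP 135.
SAMPLE_NETWORK_FLOWS = [
    "src=admin-ws01 dst=finance-ws07 dport=135",
    "src=finance-ws07 dst=hr-ws03 dport=135",
    "src=hr-ws03 dst=fileserver01 dport=445",
]

# Baseline (assumed): hosts where WMI use is routine, e.g. admin workstations.
WMI_EXPECTED_HOSTS = {"admin-ws01"}
# Processes whose child-process creation indicates WMI-driven execution.
WMI_PROCESSES = {"wmic.exe", "wmiprvse.exe"}
# Technique ID for Windows Management Instrumentation in Enterprise ATT&CK.
ATTACK_TECHNIQUE = "T1047"


def parse_kv(line):
    """Turn 'a=1 b=2' into {'a': '1', 'b': '2'}."""
    return dict(field.split("=", 1) for field in line.split())


def find_unexpected_wmi_processes(events, expected_hosts=WMI_EXPECTED_HOSTS):
    """Events where a WMI process spawns a child on a host outside the baseline."""
    hits = []
    for line in events:
        event = parse_kv(line)
        if event["parent"].lower() in WMI_PROCESSES and event["host"] not in expected_hosts:
            hits.append(event)
    return hits


def find_unexpected_wmi_connections(flows, expected_hosts=WMI_EXPECTED_HOSTS):
    """RPC (port 135) flows whose source host is not expected to use WMI."""
    hits = []
    for line in flows:
        flow = parse_kv(line)
        if flow["dport"] == "135" and flow["src"] not in expected_hosts:
            hits.append(flow)
    return hits


def summarise(events, flows):
    """Group both signals per host so an analyst sees host and network evidence together."""
    findings = defaultdict(list)
    for event in find_unexpected_wmi_processes(events):
        findings[event["host"]].append(
            f"{ATTACK_TECHNIQUE}: {event['parent']} spawned {event['child']} as {event['user']}"
        )
    for flow in find_unexpected_wmi_connections(flows):
        findings[flow["src"]].append(f"{ATTACK_TECHNIQUE}: RPC/135 connection to {flow['dst']}")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in summarise(SAMPLE_PROCESS_EVENTS, SAMPLE_NETWORK_FLOWS).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

On the constructed data, admin-ws01 is silent because it is in the baseline, finance-ws07 is reported for both a WmiPrvSE.exe-spawned PowerShell and an RPC connection towards hr-ws03, and hr-ws03 is reported for the WMI-spawned shell that follows. The baseline set is the part that matters in practice: it has to be built from the environment’s own normal WMI use, which is exactly the ‘environments that don’t typically use it’ condition the technique’s detection section points at.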
What are the procedures of the ATT&CK framework?

In the context of the ATT&CK framework, a procedure describes the way adversaries have implemented a technique in the past, which can be very
Issue 10 | www.intelligentciso.com