Mitre Attack-utilizing the cyber kill chain
Who are our opps? how do we think like them?
Mitre attack is a framework developed by the Mitre Corporation in 2013.
At the time security researchers didnt have a way to communicate or share threat intelligence the standardised language of tactics techniques and procedures was revolutionary, in the field of threat intelligence.
WHat is mitre attack?
Think of security systems as a castle with its own defenses, say our castle is under attack or potentially under attack, we have the enemy heading in from the north, we dont know whether or not they’re going to attack our castle but we need to be sure our castle will survive.
Then think of Mitre Attack as a battle map, from movies where generals stand around a table with figurines in the war room. think of that, but online.
it intentionally takes the attackers perspective to help us think like an attacker. By understanding attacker tactics and techniques, security teams can be more proactive in defending their systems. They can identify potential weaknesses and implement controls to prevent attacks before they happen.
We can utilize Mitre Attack as our own cyber warfare tool.
It’s an open source framework we can update and share information while simultaneously using it to improve our own defenses and building our playbooks.
what are ttp’s
Mitre Attack is structured into Tactics, Techniques, and Procedures. Tactics represent the goals which can include stealing PII (personal identifiable information), or gaining control of a victims system. Techniques are the ‘how?’ question, what specific methods is an attacker going to use to execute it’s goals. Procedures is real world examples of how techniques are implemented. This structure allows cybersecurity professionals to identify potential threats, understand attacker motivations, and develop targeted defenses. By referencing ATT&CK, security teams can prioritize their efforts based on the tactics and techniques most relevant to their specific environment.
We can see the top row of the ATT&CK Matrix for enterprise chart below represents the tactics from recon to collection and structures the techniques below each tactic.
There are three categories of MITRE ATTACK:
ATT&CK for Enterprise which focuses in Windows, Linux, Cloud
ATT&CK for mobile which focuses on Andriod and Apple OS
ATT&CK for ICS which focuses on industrial control systems (the integration of hardware and software for critical infrastructure)
how can we use Mitre attack to our advantage?
Say you’re trying to make your own playbook, where would you start?
As outlined by the Mitre Corporation, one of the best ways to start is to choose an adversary group that has targeted organisations similar to yours. What tactics and techniques have they used previously? What defenses can you implement to protect against those? What defenses are used against the same techniques used by those adversaries?
cyberkill chain
‘Kill Chain’ is a military term used to describe the stages of an attack. the ‘Cyber Kill Chain’ is derived from a Lockheed Martin 2011 military model. It’s divided into seven steps where we can identify attacker behaviour and implement defenses to prevent it.
Sometimes to beat the opps, we need to think like the opps.
stage 1. reconaissance
Attackers gather information about the target in this stage. They identify vulnerabilities in systems, software versions, open ports, IP addresses.
We can mitigate attackers reconnaissance by reducing our attack surface. Methods can include segmenting our network. Divide your network into smaller segments to limit the attacker's access to critical assets and data.
Disable unnecessary services. Identify and disable any services, ports, or protocols that aren't essential for your business operations. This reduces potential entry points for attackers to probe, via reconnaissance tools or NMAP.
Patching and Updates, regularly patch vulnerabilities in your operating systems and necessary applications to eliminate potential exploitation points.
We can mitigate attacker recon by hardening our defenses. we can enforce strong password policies and implement MFA for all user accounts to make unauthorized access more difficult. we can also deploy WAFs (web application firewalls) to filter and block malicious traffic targeting web applications and APIs. And/or Implement IDS/IPS (intrusion detection/prevention) systems to detect and potentially block suspicious network activity that might indicate reconnaissance attempts.
stage 2. weaponisation
In the Cyber Kill Chain, the weaponization stage is where attackers create or prepare the tools they'll use to launch their assault. It's essentially the attacker's "armory" phase, where they refine their strategy and choose what weapons they are going to use for the target.
Possible techniques used in this stage include; modifying existing malware They might take existing malware tools and customize them to exploit specific vulnerabilities they discovered in the target's environment. Or even developing custom malware For highly targeted attacks, attackers may develop entirely new malware tailored to exploit unique vulnerabilities in the target's systems. This can also include more common techniques, such as, crafting social engineering tools like phishing emails or malicious websites/links to target specific people or employees within an organisation.
This is also the stage where we develop our own targeted defenses against the assault.
we can monitor threat intelligence feeds to stay informed and stay updated on the latest malware trends, vulnerabilities, and attacker tactics. We can practice threat modeling where we regularly conduct threat modeling exercises to identify potential attack vectors and the types of weapons attackers might use against your specific systems and data.
we can use the same techniques from Stage 1. where we regularly apply patch updates and segment our network to make the attack surface smaller and less prone to cyber attacks.
Some Security solutions that we can use in this stage to prevent weaponisation are:
Endpoint Detection and Response (EDR): Deploy EDR solutions that can monitor user activity and detect suspicious behavior.
Intrusion Detection/Prevention Systems (IDS/IPS): Implement IDS/IPS systems to monitor network traffic for signs of malicious activity and potentially block attacks in progress.
Security Information and Event Management (SIEM): Utilize SIEM tools to collect and analyze security data from various sources.
stage 3. delivery
Attackers have a variety of methods to deliver their malicious payloads.
Some delivery techniques are Phishing Emails which are deceptive emails containing malicious attachments or links. Clicking these elements can download the payload. Or Watering Hole Attacks which is when attackers compromise legitimate websites to deliver malware to people who visit. Another example is malvertising which is essentially malicious advertisements displayed on websites or apps, tricking users into clicking and downloading malware. social engineering using psychological manipulation to trick users into installing malware themselves (e.g., clicking a fake download link). And a form of devilery that we often see in political cyberweapons, vulnerability exploits taking advantage of weaknesses or vulnrabilitys/zero-day exploits in software or systems to directly deliver the payload.
Delivery is an important stage because without successfully delivering the payload, the attacker cannot achieve their goals. By understanding how attackers deliver payloads, defenders can implement security measures to intercept them before they reach their targets.
One thing to note is; delivery methods can be combined. For instance, a phishing email might contain a link to a malicious website hosting the payload.
stage 4. exploitation
exploitation is the fourth stage where attackers leverage the vulnerabilities they've identified in the reconnaissance phase to execute their payload and gain a foothold in your system.
If we go back to our castle analogy, this stage is essentially the attacker physically invading our castle after it has found its weakness.
Exploits are pieces of code or software which are created to take advantage of vulnerabilities in operating systems, applications, or firmware. Attackers use exploits to compromise systems and execute their malicious code.
Payloads refers to the actual malicious code designed to gain access, or steal data.
common ways exploitation is performed includes; buffer overflows (exploiting weaknesses that allow attackers to inject their own malicious code), SQL injection (Injecting malicious SQL code into database queries).
We can protect against exploitation via several methods (some mentioned above). Implementing IDS/IPS, Patch management (updates), application whitelisting.
stage 5. installation
following the exploitation stage, installation is where the attackers have already gained a foothold in the victim’s system. Installation refers to the attacker's steps and behaviour once they have gained access.
what is installed during installation? thinking of our castle analogy, once attackers have already gotten inside our castle. They may have their own soldiers guarding certain parts of the castle so we can’t access it. They may appoint their own king of the castle (privilege escalation). On a software/hardware system, this can include installing malware eg, viruses, worms, trojans, ransomware, spyware.
Attackers can create backdoors into the targets systems to keep access even when the original entry point is closed.
how do we prevent installation?
EDR (endpoint detection and response)
Application Whitelisting
User training/education
Antivirus/Anti-malware
Stage 6. command and control
By this stage attackers have already gained significant access and control over our system. In this stage the attacker utilises the malware and malicious instruments they have installed or used in the previous stage.
during this stage is where attackers can actually steal data or control functions in a software system.
attackers can command and control via servers dedicated to command and control communication, they can leverage peer to peer communication networks. Attackers can also use cloud servers to disguise communication as legitimate traffic.
Command and control is an important stage to mitigate, we need to prevent attackers from having ongoing control over our system.
how can we prevent this?
Network Traffic analysis (tcpdump, wireshark)
EDR (endpoint detection and response)
SIEM (security information and event management)
Network Segementation)
Stage 7. Actions on objectives
Also called ‘post-exploitation’, this is the final stage of the cyber kill chain where the attackers have reached their goals. By this stage, each step of the Kill Chain has already been leveraged. The only procedures left for us to take at this stage are just mitigation and incident response.
Some techniques attackers may use in this stage include data exfiltration, maybe installing additional malware, moving laterally across the network.
what can we do at this stage?
EDR to respond to malicious activity
CSIRP Have a comprehensive incident response plan
Network segmentation
We know that this is a preventable stage as long as we can anticipate attacker goals and implement security solutions.