You are on the Cert-IST public site
In-Brief: MITRE’s ATT&CK model

Date :March 08, 2019

Publication: Article

To model attacker behavior, analysts are now more and more using the ATT&CK model which has been developed by the US research organization MITRE. Started in 2013, and made public in 2015, this work became very popular in 2018 and the first edition of a conference dedicated to this subject has held in October 2018: ATT&CKcon.

ATT&CK (Adversary Tactics, Techniques and Common Knowledge) is a project that uses known cyber-attacks to inventory:

  • Attack tactics and techniques. Tactics are roughly equivalent to the steps of the kill-chain (examples of tactics: Initial Access, Execution, Persistence, etc...) and techniques to the possible ways to implement a tactic. These 2 elements are presented in a large table (called the "ATT&CK matrix") where each column is a tactic and each row for this column is a technique.
  • Attacker groups, for example: APT28, PittyTiger or Stealth Falcon.
  • Software used by attackers, for example: Mimikatz, Colbalt Strike, etc....

 

The ATT&ACK matrix is the central component of the project. It has two typical applications:

  • By coloring all the cells corresponding to the techniques already used by an attacker, this gives a colored mosaic that represents the capability profile of this attacker. When a new attack occurs, it then theoretically possible to recognize who the attacker is by establishing the ATT&CK profile for that new attack, and searching which attacker matches this profile. If we assume that it is difficult for an attacker to change all its attacking techniques (this is the principle of the Pyramid of pain), then this approach becomes an interesting method for attribution.
  • By looking which techniques are most commonly used, regardless of the attacker who uses it, we identify the key cells of the matrix and we can decide to strengthen our defenses first on these key cells. For example, "Power Shell" or "WMI" are some of the techniques widely used by attackers and working on detection for these techniques could be a quick win.

ATT&CK is probably not the ultimate solution to fight cyber-attacks (see some limitations below), but it is a really interesting achievement that helps in the CTI (Cyber Threat Intelligence) field to:

  • structure existing data,
  • build a corpus of data based on the actual attacks observed,
  • work at TTP level (techniques, tactics and procedures) rather than at the observable level (IOC).

In terms of limitations, the following difficulties can be mentioned:

  • Identifying the ATT&CK techniques used by an attack is significant workload that requires a deep analysis of the attack.
  • There will be biases in the data produced. For example, the techniques that are easiest to identify (or popular) will be cited more often than the others.
  • New attack techniques will appear, which will require the model to evolve, with eventually the need to introduce versioning for the model.
  • Attackers evolve over time. Ideally, a timeframe aspect should be added to the model to indicate the period of time an attacker has used a given technique.

We should not be afraid of these difficulties, because even if we cannot solve them easily, the emergence of the ATT&CK model is definitely a significant improvement for the analysis of cyber-attacks. It is must-known model in the field of CTI.

 

For more information :