
Mitigating Security Threats with MITRE ATT&CK®


    In a previous blog post I explained MITRE ATT&CK and the primary ways organizations might use it to improve their security.

    As a refresher, the MITRE ATT&CK framework, model, and taxonomy provide a categorized and structured catalog of tactics (the “why” of an attack) and techniques (the “how” and sometimes the “what” of an attack). The relationship between tactics and techniques is organized and presented as the ATT&CK matrix. The philosophy of the ATT&CK model is that by focusing on and prioritizing your defense against documented cybersecurity threat behavior, you can understand, prevent, and mitigate these threats and attacks.

    Drilling down into each matrix reveals more detail, ultimately leading to an ATT&CK technique page that includes examples of how known adversaries use a given technique. The ways an organization can use MITRE ATT&CK range from adversary emulation and red teaming to behavioral analytics development and SOC maturity assessment.

    In this post, I look at how organizations can use the ATT&CK website as well as the PRE-ATT&CK matrix, which focuses on preventing attacks before adversaries have a chance to infiltrate your network.

    About this Explainer:

    This content is part of a series about MITRE ATT&CK.

    Recommended Reading: UEBA (User and Entity Behavior Analytics): Complete Guide.


    Using the ATT&CK website

    Let’s say we want to examine the tactic of Credential Access (TA0006). This tactic can be facilitated by many techniques, including Account Manipulation (T1098), Brute Force (T1110), Credentials in Registry (T1214), and at least 15 others (Figure 1).

    Figure 1. Examining the Credential Access tactic in the ATT&CK Enterprise Matrix

    If we drill down into one technique, say, Brute Force, we can get an overview of the technique, see several examples of associated threat actors and/or software that have been used to carry out this technique, and also see mitigation and detection strategies. As of the publication date of this blog, ATT&CK reports that at least five threat actors and three software applications have been involved in perpetrating brute force attacks (Figure 2).

    Figure 2. An individual ATT&CK page describing details of the Brute Force technique

    Note that the information that each ATT&CK page provides includes linked citations to sources, so that you can easily verify the validity of the data as well as discover more details.

    According to the mitigation and detection information on this page, it turns out that brute force attacks are difficult to detect, but that one way to mitigate them is to employ multifactor authentication.

    Tips from the expert

    Steve Moore

    Steve Moore is Vice President and Chief Security Strategist at Exabeam, helping drive solutions for threat detection and advising customers on security programs and breach response. He is the host of “The New CISO Podcast,” a Forbes Tech Council member, and Co-founder of TEN18 at Exabeam.

    In my experience, here are tips that can help you better use the MITRE ATT&CK and PRE-ATT&CK frameworks to strengthen your organization’s defenses:

    Combine ATT&CK with behavioral analytics
    Use ATT&CK’s behavioral data to inform user and entity behavior analytics (UEBA). Detecting deviations from normal user behavior, like abnormal logins or access to sensitive data, becomes easier when mapped to known attack techniques.

    Prioritize based on prevalent threat techniques
    Use ATT&CK’s technique frequency data to prioritize defenses against techniques most often used by adversaries in your industry. For example, focus first on bolstering defenses around credential access techniques if your sector is frequently targeted for identity theft.

    Automate threat hunting based on ATT&CK techniques
    Leverage tools like Exabeam Threat Hunter to automate queries aligned with specific ATT&CK techniques. Automating queries for suspicious activities, such as privilege escalation or lateral movement, improves proactive threat detection.

    Leverage PRE-ATT&CK for early threat prevention
    Utilize the PRE-ATT&CK matrix to detect early signs of adversary preparation, such as infrastructure setup or domain registration. Monitoring these activities helps prevent attacks before they reach your network.

    Integrate ATT&CK into SOC workflows
    Incorporate ATT&CK techniques into your SOC’s daily operations, from alert triage to incident response playbooks. This ensures that your team responds to threats with a standardized approach, improving detection and consistency.


    Using MITRE PRE-ATT&CK

    If you’re interested in learning about the behaviors that happen before an attack (and you should be if you want to stay a step ahead of adversaries), you can study the PRE-ATT&CK matrix.

    PRE-ATT&CK focuses on preventing attacks before adversaries have a chance to infiltrate your network. The PRE-ATT&CK matrix lets you answer questions such as:

    • Are there signs that you are being targeted for an attack?
    • What common techniques might be used against you?
    • How should you prioritize your resources to get as much insight as possible before an attack is carried out?

    You can use PRE-ATT&CK to help understand the various tactics that are commonly used to initiate an attack, and then discover the techniques that align with carrying out those tactics.

    For example, one tactic is to Establish and Maintain Infrastructure (TA0022). By drilling down into that tactic, we can see multiple techniques associated with carrying it out. Among these is Domain registration hijacking (T1326).

    Figure 3. Examining the Establish & Maintain Infrastructure tactic in a portion of the PRE-ATT&CK matrix

    By reading the resulting ATT&CK page (Figure 4), we can see that this technique has been carried out by the threat group APT1, and that such a technique is difficult to detect but is easy for the adversary to carry out.

    Figure 4. An individual PRE-ATT&CK page describing details of Domain registration hijacking technique

    Using Exabeam Threat Hunter with the ATT&CK framework

    You can use the ATT&CK or PRE-ATT&CK matrix along with Exabeam Threat Hunter to look for tell-tale tactics in your environment. Below are some sample queries you might use to examine suspicious initial access, privilege escalation, lateral movement, and exfiltration—a typical attack chain to steal customer details or intellectual property. These are not exhaustive, nor prescriptive lists, but a good place to start.

    Tactic: Initial Access (TA0001)

    Threat Hunter queries:

    • First email domain for user
    • Failed interactive logon by a service account
    • Interactive logon using a service account

    Tactic: Privilege Escalation (TA0004)

    Threat Hunter queries:

    • Account switch to a privileged or executive account
    • Non-executive user logon to executive asset
    • Abnormal addition to privileged group by user

    Tactic: Lateral Movement (TA0008)

    Threat Hunter queries:

    • Possible pass the hash attack from the source
    • First account management activity from asset
    • First account management activity from asset for user
    • First remote logon to asset
    • Service account that has logged in to more than 30 assets

    Tactic: Exfiltration (TA0010)

    Threat Hunter queries:

    • Possible data exfiltration: Abnormal amount of data has been uploaded to low-ranked websites
    • Possible data exfiltration: Abnormal amount of data has been uploaded to the web
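    To show what queries like those above look like as detection logic, here is an added example (not Exabeam Threat Hunter code and not part of the original post) that runs two of the Initial Access and Lateral Movement checks over constructed logon events and tags each finding with its ATT&CK tactic ID. The event format and the "svc_" naming convention for service accounts are assumptions.

```python
"""Toy detections in the spirit of the Threat Hunter queries above, tagged
with ATT&CK tactic IDs. Added example; not Exabeam code. Log format assumed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class LogonEvent:
    user: str
    asset: str
    logon_type: str   # assumed values: "interactive" or "remote"
    success: bool


def is_service_account(user: str) -> bool:
    # Assumption: service accounts follow an "svc_" naming convention.
    return user.startswith("svc_")


# Constructed sample events (not real logs); svc_scan touches 31 assets.
EVENTS = [
    LogonEvent("alice", "WS-01", "interactive", True),
    LogonEvent("svc_backup", "WS-07", "interactive", False),  # failed svc logon
    LogonEvent("svc_backup", "WS-07", "interactive", True),   # interactive svc logon
    LogonEvent("alice", "FS-02", "remote", True),
] + [LogonEvent("svc_scan", f"SRV-{i:02d}", "remote", True) for i in range(31)]


def initial_access_findings(events):
    """TA0001: interactive logons (failed or successful) by service accounts."""
    out = []
    for e in events:
        if is_service_account(e.user) and e.logon_type == "interactive":
            rule = ("Interactive logon using a service account" if e.success
                    else "Failed interactive logon by a service account")
            out.append(("TA0001", rule, e.user, e.asset))
    return out


def lateral_movement_findings(events, threshold=30):
    """TA0008: service account seen on more than `threshold` distinct assets."""
    seen = defaultdict(set)
    for e in events:
        if e.success and is_service_account(e.user):
            seen[e.user].add(e.asset)
    return [("TA0008", f"Service account that has logged in to more than {threshold} assets",
             u, len(a)) for u, a in seen.items() if len(a) > threshold]


def hunt(events):
    """Group findings by tactic so an analyst can triage per ATT&CK tactic."""
    by_tactic = defaultdict(list)
    for f in initial_access_findings(events) + lateral_movement_findings(events):
        by_tactic[f[0]].append(f)
    return dict(by_tactic)
```

    Calling `hunt(EVENTS)` returns the findings keyed by TA0001 and TA0008; the threshold of 30 assets matches the query name in the list above.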

    Stay tuned for more in the series. We’ll be covering some emerging techniques, as well as more detailed tutorials on how to use ATT&CK and PRE-ATT&CK with Exabeam products.
