The MITRE ATT&CK framework (Adversarial Tactics, Techniques, and Common Knowledge) was developed by the MITRE Corporation to document the tactics, techniques, and procedures (TTPs) that intruders use to gain entry into an enterprise network. The framework is applied to detect threats within a network through intrusion detection, risk management, red teaming, security engineering, threat hunting and threat intelligence (“MITRE ATT&CK: Design and Philosophy”). An adversary emulation model or plan is an example of a public document built on the framework that contains a comprehensive report of a threat actor's behavior. Such a document allows companies to secure their systems effectively against known threats as a whole rather than focusing on just a few vulnerabilities.
1. Explain how the ATT&CK framework can help defenders better prioritize network defense.
The MITRE ATT&CK framework can be applied to Windows, Linux or Mac endpoints to identify over 160 exploitation techniques per threat. A system analyst can generate a report containing the patterns of behavior of any malware installed within a network, including its attack features and techniques (“Introduction and Overview”). Instead of focusing on malware hashes or tracking individual behaviors, ATT&CK breaks malware down to reveal its component building blocks. The threats are then classified into discrete units so that the commonly exploited network endpoints can be compared easily. The common categories include the exploit, control, maintain and execute tactics of the cyber-attack lifecycle model. The ATT&CK framework then produces an analytics report of the behavior patterns of these system threats. A network defense proposal can then be drafted that prioritizes the appropriate security measures based on the most common attack techniques or on company policies.
2. ATT&CK is post-exploit focused. Explain the concept of “post-exploit” as if you were describing it to a group of high-level, non-technical managers.
The MITRE ATT&CK framework focuses on post-exploit techniques, that is, the techniques an intruder or adversary uses against a network after having already breached it. The framework groups these post-exploit techniques into tactics such as execution, exfiltration and defense evasion. Focusing on post-exploit behavior reduces the risk of generating large volumes of false positives while monitoring a system for possible threats or vulnerabilities, so the framework gives context to detecting and mitigating system threats. The attack techniques analyzed through the post-exploit framework include persistence, command and control, privilege escalation, collection, defense evasion, execution, credential access, lateral movement and finally discovery tactics. These are the most common techniques used against a victim's network after an intruder has gained entry into it. Intrusion detection built on this approach follows an adversarial model, or post-exploit technique. System administrators might use audit or system logs to detect unauthorized activity within a network; the MITRE ATT&CK framework goes further by grouping these post-exploit behavioral threats into tactical groups for analysis.
3. Explain the concept of “Defense Evasion”. Select a minimum of three specific techniques to help further explain the tactic.
Defense evasion is the set of techniques intruders use to avoid detection on a victim's network by circumventing the security defenses deployed within it. Many companies have implemented sensors to track traffic entering and leaving the corporate network; common perimeter sensing tools include firewalls, proxy servers, intrusion detection systems and packet filters. Defense evasion therefore exploits weaknesses in these intrusion detection and security systems in order to gain entry into a victim's network (“Exploitation for Defense Evasion”). For example, an intruder may use a zero-day vulnerability to exploit the security features of an anti-virus product and thereby gain entry into the network. Intruders may also evade these defenses by gaining entry into a victim's network through legitimate web services and encrypted connections.
IDS-Evasion
The intrusion detection system (IDS) evasion technique uses a web-based tool to get past an intrusion detection system. The intruder might use a web-based encoding tool installed on a proxy server to bypass web-aware scanners without altering the original request. An example is the pudding tool, which applies random UTF-8 encoding to requests. Pudding is configured through an XML document, which makes it easy to run against IIS networks. Instead of the hex encoding that web scanners or intrusion detection systems expect in HTTP requests, the random UTF-8 encoding bypasses certain IDS signatures, thereby gaining entry into a badly secured network. After pudding is started on the victim's network it uses the “netcat” command to establish a listening port (“Pudding”). Once a communication session is established, pudding encodes all requests or packets sent to the victim's system; this is accomplished using the “stealth.pl” script. Any response from the victim's network is encoded using Perl scripts and passed back to the intruder's computer using the “netcat” command. The intruder can even communicate with a target computer using a specific IP address or listening port.
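To show why a web-aware IDS must canonicalize a request before signature matching, here is an added Python example written for this page (it is not part of the pudding tool or of the original text). It percent-decodes a request path, collapses overlong UTF-8 sequences such as the C0 AF form of “/”, and only then compares the path against a constructed signature list; the signatures and sample paths are assumptions.

```python
import re
import urllib.parse

# Constructed signature list for illustration: the fixed strings a
# web-aware IDS would look for in a request path.
SIGNATURES = ["/etc/passwd", "cmd.exe"]


def decode_overlong_utf8(data: bytes) -> bytes:
    """Lenient UTF-8 decode that also accepts overlong sequences such as
    C0 AF ("/"). Strict decoders reject them, but a lenient web server may
    not, so a normalizer must collapse them before signature matching."""
    out, i, n = bytearray(), 0, len(data)
    while i < n:
        b = data[i]
        if b & 0xE0 == 0xC0:
            length, cp = 2, b & 0x1F
        elif b & 0xF0 == 0xE0:
            length, cp = 3, b & 0x0F
        elif b & 0xF8 == 0xF0:
            length, cp = 4, b & 0x07
        else:                       # ASCII or stray continuation byte
            out.append(b)
            i += 1
            continue
        tail = data[i + 1:i + length]
        if len(tail) != length - 1 or any(t & 0xC0 != 0x80 for t in tail):
            out.append(b)           # truncated sequence: keep byte as-is
            i += 1
            continue
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        # chr() re-encodes an overlong ASCII code point as a single byte
        out.extend(chr(cp).encode("utf-8", "surrogatepass") if cp <= 0x10FFFF else b"?")
        i += length
    return bytes(out)


def canonicalize_path(raw_path: str) -> str:
    """Percent-decode twice (undoing double encoding), collapsing overlong
    UTF-8 after each pass, then normalize slashes and case."""
    decoded = decode_overlong_utf8(urllib.parse.unquote_to_bytes(raw_path))
    decoded = decode_overlong_utf8(urllib.parse.unquote_to_bytes(decoded))
    text = decoded.decode("utf-8", "replace").replace("\\", "/")
    return re.sub(r"/+", "/", text).lower()


def matches_signature(raw_path: str) -> list:
    """Signatures found in the canonical form of the request path."""
    canon = canonicalize_path(raw_path)
    return [sig for sig in SIGNATURES if sig in canon]
```

A naive substring check on the raw path misses the overlong-encoded traversal entirely, which is the gap such encoding tools rely on.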
The Bypass User Account Control
User Account Control (UAC) is a feature of the Windows operating system that prevents illegitimate software from being installed and making system changes on a computer. UAC works by displaying a pop-up window requiring the user to allow a specific program to make changes to the computer. UAC protection in any Windows system is always set at the highest level. However, an intruder may bundle malware into software downloaded from the internet in order to elevate their administrative privileges (“Defense Evasion”). This can be achieved by executing the Windows “IFileOperation” COM (Component Object Model) object. The Bypass-UAC technique gets around the victim's security alerts by rewriting the PEB of the PowerShell process so that it appears to be the trusted executable “explorer.exe”; the “IFileOperation” COM object reads the PEB through the Windows process API and therefore treats the caller as trusted. For example, “rundll32.exe” can be used to load a DLL of injected code onto an auto-elevated COM object to make file changes to protected system directories.
Install Root Certificate
Root certificates are installed on a network so that applications or users can be authenticated against a root certificate authority (CA). Secure networks rely on these root certificates to establish a secure communication session over a TLS/SSL channel. When a network user attempts to access a compromised website whose certificate is not trusted by the user's certificate authority (CA), the user is warned of a possible security breach with an error message. Intruders have been known to use the “Ay MaMi” malware to install a malicious root certificate on a macOS system (“Defense Evasion”). This certificate then acts as a “man in the middle”, spoofing the network and letting compromised websites collect sensitive information or network login credentials without triggering that warning.
Masquerading/spoofing
Spoofing is a collection of techniques an intruder uses to falsify their true identity and thereby masquerade as a legitimate system user or an authorized software service. An intruder can spoof the MAC address of one of the computers within a victim's network and use it to contact another computer on the same network without being detected (Pols, 2018). Spoofing is often used to exploit weaknesses in Network Access Control (NAC) systems. Once the NAC has been bypassed, the system becomes easy to attack through address and name resolution protocols such as ARP (Address Resolution Protocol), multicast name resolution (LLMNR) and the NetBIOS name service.
4. Explain the concept of “Lateral Movement”. Select a minimum of three specific techniques to help further explain the tactic.
Lateral movement
Lateral movement is a set of techniques an intruder uses to gain remote access to and control of a victim's network resources. Lateral movement occurs when the intruder moves from one system to another within the network, expanding their access privileges by way of vulnerable computers (Strom, Battaglia, Kemmerer, Kupersanin, et al., 2017). The intruder uses privilege escalation to exploit weaknesses in the victim's network in order to gain access to root-level folders. System resources exploited to achieve this goal include the victim's Windows administrative shares, scheduled tasks and SMB (Server Message Block) file shares on remote Windows servers. The more information is gathered through such techniques, the higher the level of access the intruder gains into the victim's network.
Post-exploit tactics, techniques, and procedures (TTPs)
The PowerShell scripting technique
The intruder first uses a spear-phishing attachment to gain initial access to the victim's network. PowerShell scripting is often used to hide malicious code within a phishing attachment, and the technique works best when delivered through e-mail or a web browser. An intruder gains entry by sending a phishing e-mail containing a .zip archive; when opened, the archive installs malicious executable code embedded within a PDF file, and the malicious code disguises itself as a system program such as Acrobat Reader. AppleScript is another script an intruder can use to gain entry into a victim's network; it is often used on macOS systems to send inter-process communications between different machines (“Lateral Movement”). An intruder can also use an open Secure Shell (SSH) connection to move between vulnerable machines and install malicious code on them.
Windows admin shares
Gaining access to the victim's network using a malicious executable file is the first step in exploiting a vulnerable system. The second step is to obtain new domain names and access credentials, that is, accounts and user passwords. The Net utility can be used to connect to a victim's Windows administrative shares and thereby obtain valid login credentials. An intruder can gain access to the administrative shares using techniques such as pass-the-hash with NTLM hashes. Common Windows shares include the “C$”, “ADMIN$” and “IPC$” shares (“Lateral Movement”). Information collected from these shares includes permission groups, network configurations, authentication credentials, accounts and other network administrator resources. The new credentials can then be used by the intruder for remote command and control (C2), which amounts to an abuse of valid authentication credentials and accounts.
Access token manipulation
Access tokens are used by Windows to verify the security privileges of a running process. These tokens can be manipulated so that a process appears to be running as an authorized system user. Token impersonation or theft is one access token manipulation technique: the intruder creates a new access token that duplicates the contents of an existing one. The “DuplicateToken(Ex)” API call is an example of a token theft primitive that can be used to impersonate a legitimate user who is logged into the system (“Defense Evasion”). The calling thread of “DuplicateToken(Ex)” is then used to copy the security details of the victim's logon session, and the intruder can use these details to gain permissions or authenticate to a remote system.
Remote desktop protocol technique
Remote Desktop is often used on Windows operating systems to give remote users an interactive session through a desktop interface. An intruder can gain access to the victim's network by exploiting the Remote Desktop Protocol (RDP). A session hijack is then performed to take over a session belonging to a domain administrator. Cached authentication details are then captured in bulk and sent to the intruder's computer by invoking the mimikatz tool from Windows PowerShell. Mimikatz keeps everything it collects in memory, without writing or committing any of it to the victim's hard drive. The information collected from the victim's computer is then compressed and encrypted before being staged at a central location outside the victim's network (Strom, Battaglia, Kemmerer, Kupersanin, et al., 2017). Tools such as WinRAR can be used to compress, encrypt and package these files for storage on an external network. A Hypertext Transfer Protocol (HTTP) session is then created over a secure SSL/TLS socket (Secure Sockets Layer/Transport Layer Security), and the stolen documents can be analyzed by the intruder at his own convenience.
5. Explain the concept of “Command and Control”. Select a minimum of three specific techniques to help further explain the tactic.
Command and control comprises the techniques an intruder uses to communicate with a compromised network, typically over legitimate protocols such as HTTP or SMTP. The main intention of an intruder exploiting these communication and transport protocols might be to gain network-level access to a compromised system (“Command and Control”). These protocols generate traffic that looks legitimate, which makes them difficult to detect with an intrusion detection system.
The port knocking technique
The port knocking technique is used by intruders to open hidden ports for access. The hidden or closed ports are opened by sending a predefined series of packets, which establishes communication between the victim's network and the intruder's computer. The intruder might use the host firewall or third-party software to implement the knock sequence on the victim's host. Ports commonly used by intruders include the mail port (SMTP, port 25), file transfer (FTP) ports and web ports such as HTTP (port 80). These ports can also be used as listening ports or to transfer files out of the victim's network.
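To show how the knock pattern described above can be spotted from the defender's side, here is an added Python example written for this page (not from the original text or any product). It scans constructed firewall log lines for a source that hits several closed ports on a host and is then accepted on a port that had previously been closed; the log format, sample lines and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log format for this example (not a real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>DROP|ACCEPT) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "action": m["action"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}

def find_knock_sequences(lines, min_knocks=3, window=timedelta(seconds=30)):
    """Return one (src, dst, knocked_ports, opened_port) tuple per suspected
    knock sequence: at least min_knocks distinct closed ports hit by the same
    source within the window, followed by an accepted connection from it."""
    drops = defaultdict(list)        # (src, dst) -> [(timestamp, dport), ...]
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["dst"])
        if ev["action"] == "DROP":
            drops[key].append((ev["ts"], ev["dport"]))
            continue
        # An ACCEPT: were there enough recent knocks from this pair?
        recent = [p for t, p in drops[key] if ev["ts"] - t <= window]
        knocked = tuple(dict.fromkeys(recent))   # distinct ports, in order
        if len(knocked) >= min_knocks:
            alerts.append((ev["src"], ev["dst"], knocked, ev["dport"]))
            drops[key].clear()       # do not re-alert on the same sequence
    return alerts

# Constructed sample: three knocks on closed ports, then SSH opens; a second
# host makes an ordinary web connection after a single dropped packet.
SAMPLE_LOG = [
    "2018-09-27T10:00:01 DROP src=10.0.0.5 dst=10.0.0.9 dport=7000 proto=tcp",
    "2018-09-27T10:00:02 DROP src=10.0.0.5 dst=10.0.0.9 dport=8000 proto=tcp",
    "2018-09-27T10:00:03 DROP src=10.0.0.5 dst=10.0.0.9 dport=9000 proto=tcp",
    "2018-09-27T10:00:05 ACCEPT src=10.0.0.5 dst=10.0.0.9 dport=22 proto=tcp",
    "2018-09-27T10:01:00 DROP src=10.0.0.7 dst=10.0.0.9 dport=445 proto=tcp",
    "2018-09-27T10:01:01 ACCEPT src=10.0.0.7 dst=10.0.0.9 dport=80 proto=tcp",
]

if __name__ == "__main__":
    for alert in find_knock_sequences(SAMPLE_LOG):
        print("possible port knock:", alert)
```

A port scan followed by a legitimate connection produces the same pattern, so in practice the thresholds are tuned and each alert is correlated with which port was opened and whether that port is normally exposed.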
Remote File Copy
This is where an intruder transfers files to or from the victim's network using standard application layer protocols. An intruder might use the “tcpovericmp” tool to bypass the victim's firewall by tunnelling over ICMP (Internet Control Message Protocol). “dnscat2” is another command-line tool used by intruders to create a DNS (Domain Name System) tunnel into a network (“Command and Control”). These tools are executed remotely on the victim's network, and the traffic they generate is hidden from the intrusion detection system inside common HTTP, SMTP or DNS traffic.
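As an added example from the defender's side (written for this page, not part of dnscat2 or of the original text), the following Python heuristic scores constructed DNS query log lines for the long, high-entropy subdomains that a DNS tunnel such as the one described above produces; the “client qtype qname” log format, the sample lines and the thresholds are assumptions.

```python
import math
from collections import defaultdict

def shannon_entropy(text):
    """Bits per character; encoded tunnel payloads score near log2(alphabet)."""
    if not text:
        return 0.0
    n = len(text)
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_qname(qname):
    """Split a query name into (registered domain, subdomain part).
    Simplification for this example: the last two labels are the domain."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def find_dns_tunnels(lines, min_sub_len=40, min_entropy=3.5, min_unique=5):
    """Flag (client, domain) pairs whose queries look like a DNS tunnel:
    a long, high-entropy subdomain, or many distinct subdomains in the
    log window. Input is the constructed 'client qtype qname' log format."""
    unique_subs = defaultdict(set)
    flagged = set()
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        client, _qtype, qname = parts
        domain, sub = split_qname(qname)
        key = (client, domain)
        unique_subs[key].add(sub)
        payload = sub.replace(".", "")
        if len(payload) >= min_sub_len and shannon_entropy(payload) >= min_entropy:
            flagged.add(key)
        if len(unique_subs[key]) >= min_unique:
            flagged.add(key)
    return sorted(flagged)

# Constructed sample log lines: one client issuing long hex-looking TXT
# queries under tunnel.example.net, another doing ordinary lookups.
SAMPLE_LOG = [
    "10.0.0.5 TXT 5e2a9c0f7b3d8461c3f0a7d15e9b26841b6d3e8f0a5c2947.tunnel.example.net",
    "10.0.0.5 TXT 1b6d3e8f0a5c29475e2a9c0f7b3d8461c3f0a7d15e9b2684.tunnel.example.net",
    "10.0.0.7 A www.example.com",
    "10.0.0.7 A mail.example.com",
    "10.0.0.7 AAAA www.example.com",
]
```

Content delivery networks and some anti-virus update services also use long, encoded subdomains, so a real deployment keeps an allow list for those domains alongside the thresholds.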
Standard Cryptographic Protocol
Another command and control technique used by intruders is the use of encrypted communication channels within a network. These channels use encryption algorithms to establish a secure connection between two computers; common examples include HTTPS and SSL/TLS (Secure Sockets Layer/Transport Layer Security) channels. An intruder can use malware reverse engineering techniques to embed malware into the victim's encryption keys or configuration files (“Command and Control”). Such malware then compromises the security of encrypted traffic that uses algorithms such as RC4. This further makes it easy for the victim's network to authorize a secure communication channel with the intruder's computer.
Connection proxy
A connection proxy server is often used by companies to direct network traffic within a corporate network. The SSLStrip tool can be used to hijack HTTP sessions or traffic passing through a connection server. Once an intruder gains entry into a connection server, he is able to gain a trusted relationship within the peer-to-peer network or host system (“Command and Control”). SSLStrip is then able to listen to the network traffic from the connection server and redirect it to an external web server. Web links are mapped or copied into look-alike or homograph links, which the intruder can use to override the previous communication paths of a victim's browser history.
References
Command and Control. GitHub. Accessed 27 September 2018, from https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/ATT%26CK-Stuff/ATT%26CK/Command_and_Control.md
Command and Control. The MITRE Corporation. Accessed 27 September 2018, from https://attack.mitre.org/wiki/Command_and_Control
Defense Evasion. The MITRE Corporation. Accessed 27 September 2018, from https://attack.mitre.org/wiki/Defense_Evasion
Exploitation for Defense Evasion. The MITRE Corporation. Accessed 27 September 2018, from https://attack.mitre.org/wiki/Technique/T1211
Introduction and Overview. The MITRE Corporation. Accessed 27 September 2018, from https://attack.mitre.org/wiki/Introduction_and_Overview
Lateral Movement. The MITRE Corporation. Accessed 27 September 2018, from https://attack.mitre.org/wiki/Lateral_Movement
MITRE ATT&CK™: Design and Philosophy. The MITRE Corporation. Accessed 27 September 2018, from https://www.mitre.org/publications/technical-papers/mitre-attack-design-and-philosophy
Pols, P. (2018). Modeling Fancy Bear Cyber Attacks.
Pudding. GitHub. Accessed 27 September 2018, from https://github.com/sensepost/pudding
Strom, B. E., Battaglia, J. A., Kemmerer, M. S., Kupersanin, W., Miller, D. P., Wampler, C., ... & Wolf, R. D. (2017). Finding Cyber Threats with ATT&CK™-Based Analytics.