Finding Cyber Threats with Attack-Based Analytics
All too often, security teams within organisations fail to test their controls using the same real-world techniques that would be used by potential adversaries. Only by emulating offensive techniques can defences be tested, measured and improved, thereby augmenting intrusion detection and prevention mechanisms. An effective security team should not only aim to test technical controls, but also their outcomes. These should answer basic questions such as:
- What can our controls and programme currently detect?
- What do they fail to detect?
- How quickly do they detect the attack methods?
- What would be the likely outcome in the event of a detection failure?
- How long does it take for us to contain the attack, remediate and recover?
- Are our intrusion detection tools and systems working as they should?
- What is the signal-to-noise ratio for the detection criteria?
Such tests would demonstrate where different threat actors would be successful or would be caught in the environment and would allow the business to know exactly what is detected or mitigated and what is not.
The ATT&CK Framework
One of the most valuable frameworks for building adversary attack emulation scenarios is ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge).
As described by MITRE:
ATT&CK is a knowledge base of cyber adversary behavior and taxonomy for adversarial actions across their lifecycle. ATT&CK has several parts: PRE-ATT&CK, which focuses left of delivery and exploit, ATT&CK for Enterprise, which covers initial access/exploit and beyond, and ATT&CK for Mobile, which focuses on mobile devices.
The ATT&CK model applies to enterprise IT systems covering Windows, macOS, and Linux, and mobile devices using Android or iOS. It places the tactical goals of an adversary within ten categories:
- Persistence
- Privilege Escalation
- Defence Evasion
- Credential Access
- Discover
- Lateral Movement
- Execution
- Collection
- Exfiltration
- Command and Control
Each of the tactical categories within the matrix includes common attack techniques, such as ‘Supply Chain Compromise’ or ‘Spearphishing Link’ for Initial Access. Privilege Escalation includes ‘Sudo’ and ‘Launch Daemon’, while Credential Access contains ‘Bash History’ and ‘Two-Factor Authentication Interception’. Of course, some of the techniques, such as Network Sniffing, can span multiple categories (Credential Access and Discovery).
It’s important to stress that ATT&CK doesn’t claim to cover all possible techniques in a given tactical category (it would be dangerous to make this assumption), but is based on a community of knowledge about actions that adversaries have used for a particular purpose. Using the framework, a Red Team posing as the adversary can test each of the methods while the Blue Team acting as network defenders can see whether the actions are detected or not. In this way the security team can benefit from exposing themselves to a wide variety of adversary types and techniques.
Best Practices
The ultimate aim of running these tests is to identify visibility gaps and determine where we need to make improvements. Is your intrusion detection system doing its job and has it been configured correctly? Would the attacks be detected in your log files (assuming software or a person actually examines these files)?
Test: Ensure that you have permission and approval before running any test. You should run the test in a test environment that mimics your production environment and that’s covered by your IDS. Simulate the attack either through an automated or manual method.
Gather Evidence: Did your IDS raise an alert? Is there a new entry in a log file revealing the attack? Perhaps nothing was detected. Record and measure everything you observe.
Develop Detection: If your existing defences failed to detect anything, it’s time to investigate and implement a solution that does.
Measure: Before moving on to the next attack tactic, ensure that you record whether detection was a success or failure. This way you will know where the gaps are and can track progress.
Develop Threat Intelligence: Even with an automated solution, it’s advisable that you have a sound technical understanding of how these attacks work. If you don’t, this will be an opportunity to learn. New attacks will keep emerging and an effective threat intelligence programme will ensure that it keeps you prepared by making you aware of every new attack tactic.
Test and Enhance
As adversaries continue to evolve methods for compromising systems and evading common defences, it’s critical that information security leaders understand how their defensive operational capabilities, such as technical controls, expertise, and response processes, perform in the face of a determined adversary. Only by carrying out real-world tests can gaps in these defences be identified. As such, ATT&CK represents an excellent framework for systematically testing your defences against attack techniques and tactics.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.