Fortifying Cyber Defences: A Technical Guide to leveraging the MITRE ATT&CK Framework

In the ever-evolving landscape of cyber security threats, organisations face an array of sophisticated adversaries seeking to infiltrate their networks, compromise sensitive data, and disrupt operations. To effectively combat these threats, cyber security professionals require robust methodologies and frameworks that provide comprehensive insights into adversary tactics, techniques, and procedures (TTPs). Cue the MITRE ATT&CK Framework, among the arsenal of defensive strategies, this framework stands out as a fundamental resource, empowering organisations with invaluable knowledge and actionable intelligence to proactively defend against cyber threats.

That’s wonderful, you’re thinking, but what is The MITRE ATT&CK Framework?

Short for Adversarial Tactics, Techniques, and Common Knowledge, it is a globally recognised knowledge base that meticulously catalogues real-world cyber threat behaviours observed in the wild. It is developed by the MITRE Corporation, a non-profit organisation dedicated to advancing public interest in science and technology. This framework serves as a comprehensive repository of adversary tactics and techniques across various stages of the cyber kill chain. Organised into matrices that delineate tactics and techniques employed by threat actors, the MITRE ATT&CK Framework provides a structured taxonomy that enables cyber security professionals to understand, analyse, and respond effectively to cyber threats.

Okay, so we now know what the framework is. The next question is WHY should I spend resources on its implementation?

Organisations today operate in an environment where cyber threats are not only persistent but also increasingly sophisticated. In this landscape, the MITRE ATT&CK Framework offers a strategic advantage by equipping organisations with the knowledge and tools necessary to enhance their defensive posture. By leveraging the framework’s rich repository of adversary behaviours, organisations can proactively identify and mitigate potential vulnerabilities within their networks, anticipate emerging threats, and align their security strategies with industry best practices. All of this ensures the organisation is not a low hanging fruit when it comes to being a target for threat actors.

However, because of the large size of TTP’s which a threat actor can utilise, potential users of this matrix find themselves in a “deer in headlights” situation. To assist with this, our principal threat intelligence analyst here at norm., Daniel Russell, has correlated some of the most common active adversary attack techniques with the MITRE ATT&CK Framework and mitigations that will help organisations defend against active threat actors:

Active adversaries target external remote services (T1133):

Explanation: The External Remote Services technique within the MITRE ATT&CK Framework involves attackers gaining initial access through remote services, often requiring valid accounts. Attackers frequently use VPNs, remote access services, Windows Remote Management, and VNC to gain access to enterprise networks. The incident response team here at norm. often see compromises with valid authentication credentials used to access the remote access gateways that manage these connections.

Mitigations: The best defence is disabling or completely removing unnecessary remote access paths, limiting access to devices on the network, network segmentation to reduce what can be targeted should attackers gain entry, and requiring multi-factor authentication. Such attacks can be identified by application and network monitoring. Also, authentication logs should be collected to identify suspicious logon activity. A dark net monitoring service can provide a first indicator of breached account to an organisation, enabling administrators to reset the accounts password and analyse logs for anomalous behaviour.

Exploit public-facing applications (T1190):

Explanation: If attackers don’t have valid credentials, active adversaries will attempt to exploit vulnerabilities in applications accessible from the internet, such as firewalls or VPN gateways. Exploited applications are also commonly web servers and websites, Internet-connected databases, services such as SSH and SMB, and common administration and management protocols. This also includes cloud systems, containerised applications, and edge network appliances. norm. has been engaged in incident response scenarios where threat actors have exploited known vulnerabilities in VPN gateways to achieve entry into an estate.

Mitigations: The mitigations for attacks targeting internet-facing applications include typical application security best practices such as regular vulnerability assessments and patch management, application isolation, and sandboxing techniques, as well as privileged account management.

Valid accounts (T1078):

Explanation: In many incidents which norm. have led, attackers use legitimate credentials to infiltrate systems, often in conjunction with the exploitation  of external remote services. While this initial access is pivotal, attackers utilise valid credentials to evade defences, as  they can  operate without detection. Furthermore, leverage this access as a launchpad to acquire even higher privileges and penetrate  more sensitive systems and data.

Mitigations: The best defences involve effective identity management practices – user and privileged account management, effective password policies, user training and continuous monitoring of systems and application access for nefarious activity. For applications developed in-house, always make sure that they are designed with effective and secure credential management.

Exploitation for Privilege Escalation (T1068):

This technique is where attackers bring a vulnerable driver to exploit and gain higher privileges within the system. Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via an Ingress Tool Transfer or Lateral Tool Transfer.

Mitigations: The key mitigations advised by MITRE include application isolation and sandboxing to limit exploit impact, as well as execution and exploit prevention to block known vulnerable drivers and to detect malicious activity. Organisations are also advised to utilise timely intelligence to identify the software exploits currently used by attackers.

Impair Defences (T1562):

Explanation: To make things even more challenging for defenders, attackers will hinder and disable the defensive capabilities of their targets. They will attempt to shut down anti-malware systems, endpoint protection software, firewalls, log and analysis capabilities, and intrusion detection/prevention systems.

Mitigations: Key recommendations include restricting file, directory, and registry permissions to prevent unauthorised modification of security tools and configurations. Also, proper user account management is critical so that only authorised users have permission to disable or interfere with security services, logging, and firewall capabilities. Organisations can also set up a monitoring and alerting system for any key software disabling.

Inhibit system recovery (T1490):

This technique involves attackers disrupting or entirely disabling the capabilities of organisations to recover from attacks, such as compromising backup catalogues, volume shadow copies, backups, and other system restoration features. This technique has been seen by norm. in several large estate wide attacks.

Mitigations: Ensure backups are stored securely off-system, protected from unauthorised access or destruction, and enable versioning for cloud storage objects. Also, technical controls should be considered to stop the disabling of services or the deletion of files that are part of any system recovery process. Additionally, utilise a monitoring and alerting solution for suspicious activity, such as unexpected volume shadow copy deletion or modifications to boot configuration data.

System services: service execution (T1569.002)

Lastly, attackers may abuse system services to execute malicious services, which can be part of an execution technique. These include Windows service control manager, PsExec, and other tools and system utilities that can be used to command remote execution. Often, this is done to execute malware on the targeted systems.

Mitigations: As mentioned previously, good management of privileged account processes and restricting file and directory permissions will help to prevent unauthorised creation or modification of services. Employing application-allow lists can also block unapproved services from launching. Monitoring for suspicious process creation, service installations, and command execution will also help spot malicious service use.

Ultimately, despite the defensive measures taken, attackers – particularly those supported by state entities or significant financial backing – will adapt their tactics within  the business-technology environment, targeting less fortified areas. As credentials strengthen and  multi-factor authentication and vulnerabilities get patched, attackers will experiment with new methodologies. Herein lies the importance of integrating the MITRE ATT&CK framework with threat intelligence. By analysing verified data and the kill chain structure, organisations can enhance prioritisation and remediation strategies based on real-world cybercriminal activities. Teamed with a 24×7 monitoring service leveraging threat intelligence-backed dark net monitoring, organisations can stay one step ahead of threat actors without over extending resources.