Targeted cyber-attacks have a profound effect on consumers, employees, governments, and enterprises, impacting economic, social, and even physical well-being. These attacks are 100% successful because they outperform enterprise security programs. They outpace housekeeping, including patch and configuration management programs, bypass defense solutions with advanced technologies, and exploit the skills gap with evasive techniques. At the heart of this problem is the outdated attack model implicit in security programs.
An attack model refers to adversarial tactics and techniques, and the information within a security program necessary to stop the full range of adversarial behavior. Until recently, capturing this range of adversary behavior was within the scope of most programs and their models of attacker behavior. These security programs could be effective by focusing on initial compromise, often by looking for specific, known malware, preventing this malware, and making life more difficult even for APTs.
However, advanced and motivated attackers now have access to information, techniques and technologies that bypass these initial defenses. Once bypassed, most organizations lose visibility of targeted attacks, leading to dwell times in the hundreds of days and resulting in massive losses. To be effective against today’s attacker sophistication, security programs must operate with a comprehensive model that covers the full scope of techniques used by adversaries and operate at a speed to detect and remediate before damage and loss.
The MITRE ATT&CK™ Matrix is the highest resolution map of post-compromise attacker techniques and technology landscape. The purpose of this paper is to identify how this attack model can be used to improve the effectiveness of enterprise security programs - their people, process, and technology, against targeted attacks.
WHAT ATTACKER MODEL DOES YOUR PROGRAM IMPLEMENT?
As a CISO, if you were asked, “what model of attacker behavior does your security program use?”, how would you answer? Most organizations build their security programs by adding point solutions and capabilities in response to individual attacker techniques and technologies, such as malware execution. FIN7 group, a financially motivated criminal group (aka Carbanak), has targeted retail, financial services, and government agencies to steal a whopping $454 billion in 2017. As shown in Figure 1, this targeted attack used no malware but instead leveraged advanced techniques including malicious macros, evasion with ‘living-off-the-land’ tools, and persistence. Enterprise security programs that focus on just malware or a few tactics are at a tremendous disadvantage against the adversaries whose attack model contains a broader collection of techniques and technologies than the security program can recognize.
A COMPREHENSIVE ATTACK MODEL IS VITAL
While the widely referenced Lockheed Cyber Kill Chain® created a common language to help organizations understand sophisticated attacks, it lacks the granularity essential to make comprehensive programmatic improvement against today’s targeted attacks. MITRE, a not-for-profit organization operating Federally Funded Research and Development Centers has created that needed granularity, collecting details on the vast array of methods to build a threat model and framework called “Adversarial Tactics, Techniques, and Common Knowledge” ATT&CKTM. Initially published in 2015, it is the first and only high resolution map of post-exploitation attacker techniques and technologies. While some forward-leaning organizations apply the ATT&CKTM model to their programs, we believe that far more can and should use this model to assess and improve the efficacy of their programs - including people, process, and technologies - against targeted attacks.
THE MITRE ATT&CK™ MODEL
The MITRE ATT&CK™ matrix is a detailed model that describes the actions attackers take while operating within an enterprise network post-compromise. Each cell describes an observable technique against which defenders can build detections. The ATT&CK™ matrix sheds light on the tactics, techniques, and procedures that adversaries use to make decisions, expand access, and execute their objectives, enabling security teams to stop targeted attacks before damage and loss.
The ten tactic categories within ‘ATT&CK™ for Enterprise’ are derived from the later stages (control, maintain, and execute) of the Lockheed Martin Cyber Kill Chain®. Each category contains a list of techniques that an adversary can use to perform that tactic. Techniques are broken down to provide a technical description, indicators, useful defensive sensor data, detection analytics, and potential mitigations. Armed with these technical insights, defenders can rapidly stop targeted attacks, before damage and loss occurs.
ENTERPRISES SHOULD APPLY THE MITRE ATT&CKTM MODEL
The MITRE ATT&CK™ model can be applied to ensure enterprise security programs have sufficient scope, scale, and speed to protect organizations from targeted attacks. By comparing the enterprise program to the ATT&CK™ matrix, security teams can identify gaps in program coverage and prioritize the improvement of the necessary skills, process, and technologies to eliminate them. Forward leaning analysts have developed tools to automate gap analyses that can be tracked over time. This tool, an open source effort, produces a heat map that can be used to communicate the exposure to targeted attacks and the resources necessary to eliminate them.
ENDGAME BRINGS THE MITRE ATT&CK™ MODEL TO ENTERPRISE SECURITY PROGRAMS
Endgame transforms enterprise security programs by using the MITRE ATT&CK™ matrix in two ways:
- Improving Protection Scope: Endgame is focused on covering the entire breadth and depth of the MITRE ATT&CK™ matrix, supporting prevention, detection and response, and automated hunting. Apart from building capabilities across the ATT&CK™ matrix, the Endgame team has collaborated with MITRE to add new tactics like COM Object Hijacking. This particular tactic is often used by attackers to execute code by manipulating Microsoft’s Component Object Model (COM), specifically its software classes in the current user registry hive, and enabling their persistence on an endpoint.
- Increasing Program Efficiency: Endgame implements a set of automated investigations that can be executed across tens of thousands of endpoints in minutes. Guided by the industry’s only NLU (natural language understanding) chatbot with built in domain expertise, Artemis®, accelerates Tier 1 analysts and augments Tier 3 analysts. A security program built on Endgame can achieve huge productivity gains without the problematic costs of recruiting and retention of advanced cyber protection analysts. Subsequent papers will document the Total cost of Ownership (TCO) benefits to Endgame customers.
ENDGAME STOPS APT3
Endgame is the first endpoint security vendor to collaborate with MITRE to validate the efficacy of its platform beyond malware-based attacks to include APT. To measure Endgame’s performance against sophisticated attacks, MITRE simulated the tactics used by APT3, a prolific Chinese APT group responsible for intellectual property theft costing companies over £9.2 billion a year. This attack uses over twelve techniques to gain and maintain access, including powershell misuse, credential dumping, scripting, and persistence. Endgame successfully stopped APT3 in the emulation exercise before any data theft or damage would have occurred. To learn more about how Endgame performed in MITRE’s evaluation, please reach us at firstname.lastname@example.org.