CSO Perspectives (public) 7.15.24
Ep 92 | 7.15.24

The current state of MITRE ATT&CK.

Transcript

Rick Howard: Hey, everybody. Rick here. The MITRE ATT&CK wiki is the only open-source collection dedicated to cataloging known nation state -- and some crime -- hacker tactics, techniques, and procedures, TTPs, across the intrusion kill chain. I've been a fan of it for a decade now. My old intelligence director, Ryan Olson, introduced me to it when we founded the Palo Alto Networks public-facing intelligence team, Unit 42. It took a while for Ryan to get it through my thick head the immense potential value of the MITRE intelligence collection to anybody pursuing the intrusion kill chain prevention strategy. But once I got it, it was like inserting the last piece into a very large puzzle. It was a eureka moment for me. I realized that there really is nothing else like it in the world. The intrusion kill chain prevention strategy realizes that hacker groups like The Shadow Brokers, Fancy Bear, the Lazarus Group, et cetera, must successfully execute a chain of offensive actions against their victims in order to accomplish their goal; not one thing, a set of things. Sometimes the infosec profession refers to the set of things as offensive attack campaigns. The strategy makes a couple of assumptions. First, the hacker group reuses these campaigns against multiple victims. They don't build it, use it once, throw it away, and then build another one. That would be wasteful, which brings us to the second assumption. Designing, building, and deploying attack campaigns is expensive in terms of the people-process-technology triad. Hacker groups are reluctant to abandon a good one, which is good news for the good guys. Analysts studying attack campaigns can loosely categorize subsets of the campaign into stages of malicious activity like delivery, installation, exploitation, command and control, lateral movement, et cetera. With that categorization, analysts can then design and deploy prevention and detection controls for one or more of the TTPs in that attack stage.
When the Fancy Bear hackers run into one of our blocks, they don't throw the entire campaign out, see assumption 1, they pivot. They try to find a way around that one block. Even if they are successful though, you know, they develop some new thing in the exploitation stage, let's say, something that the good guys have never seen before, some new code that we don't have a prevention control for yet. It doesn't guarantee Fancy Bear's success because the good guys have deployed other prevention controls in other stages in the attack sequence. Those controls will defeat the adversary. The more controls you put in place for each stage, the lower the probability of a material cyber event to your organization from the hacker campaign. If the key defensive strategy for your infosec program is the intrusion kill chain prevention strategy -- see my "First Principles" book for a deeper explanation -- you have to be using the MITRE ATT&CK Framework wiki or something very similar that you either built yourself or you paid for. Over the years, I became one of its biggest unofficial evangelists as I was out and about speaking at conferences and talking to security professionals of all stripes. When I met with the MITRE people about it, I kept quietly suggesting that they should give me a commission for my support. I'm still waiting to hear back. MITRE, if you're listening, send checks to the Rick Howard Bermuda Islands Retirement Fund. But that doesn't mean that I haven't been frustrated with it, too. Although it has had a large impact on the infosec professional community already and the MITRE people behind it have made huge improvements to it in a very short amount of time, the idea of it has so much more unrealized potential. So here we are in 2024, over 10 years since MITRE released version one. I thought it was time to put a stake in the ground and assess what the current state of the MITRE ATT&CK framework is today. So hold on to your butts.

Unidentified Person: Hold on to your butts, butts, butts.

Rick Howard: This is going to be fun.

Unidentified Person: Butts, butts, butts. [ Music ]

Rick Howard: My name is Rick Howard, and I'm broadcasting from N2K Cyber's Secret Sanctum Sanctorum Studios located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good old US of A. And you're listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis. [ Music ] It all began with the Lockheed Martin paper published in 2010. It caused a shift in the collective cyber professional's thinking away from defending against generic offensive tools like viruses, malware, and exploit code, with no relation to what the adversary was trying to accomplish, towards specifically defeating the adversary's overall goal. Before the paper, most of us were using a defense-in-depth strategy designed to block the hacker's generic offensive malicious software. By generic, I mean that we didn't associate the weapon with any adversary plan. We were just looking to detect and prevent bad things on the network. To counter the deployment, network defenders would stack one or more blocking tools between the boundary of our digital environments and our crown jewels, like firewalls, intrusion prevention systems, and anti-virus software. The idea was that if the first tool failed to prevent the deployment of the offensive weapon, then the second prevention tool in the stack would catch it. If that one failed, then the third one would be successful. That's what defense in depth means: multiple ways to prevent bad things from happening. The number of defensive tools you had in the security stack depended on your internal budget. The kill chain paper's great insight was that all cyber adversaries, regardless of their motivation, have to complete a set of tasks in order to accomplish their goal. And their goal -- whatever it is -- doesn't really matter in terms of devising a defensive strategy.
Whether it's crime, espionage, hacktivism, low-level cyber conflict, or just mischief-making for the fun of it, every hacking crew has to follow this general model. Instead of cybersecurity professionals trying, and mostly failing, to block all of the generic hacking weapons in existence with the defense-in-depth strategy, we would instead design prevention controls for known adversary campaigns and install them at every stage of the attack chain. The brilliance of this model is that the hacker team has to be 100% successful in avoiding all of those prevention controls in order to accomplish their goal. They can't make one mistake. The defenders, on the other hand, only have to be successful once somewhere along the attack chain. If we are, we can break the attack sequence. We can kill the attack. That's why the paper's title says that it's "informed by analysis of adversary campaigns and intrusion kill chains." By doing a post-mortem on victim zero and other subsequent victims, cyber intelligence analysts can construct the attack sequence in the aftermath and potentially identify multiple locations along the chain where we can kill the attack. That doesn't help victim zero, but it helps every other potential victim that Fancy Bear has in its sights. That's a magnificent and radical insight. It seems obvious to us now that we're 10 years past the initial paper publication, but back then, it was revolutionary. Just a year later, 2011, the Department of Defense published their paper on the Diamond Model. It provides a structure for how cyber intelligence teams can analyze attack sequences and provides a standard language for intelligence analysts to discuss the same campaigns. In the early days of the idea, we were all doing our own thing. It was exceedingly difficult to communicate what I knew about a Lazarus Group campaign with somebody else because we were all speaking different languages.
The result was that the Diamond Model became a supporting guidebook for organizations pursuing the kill chain strategy. And then in 2013, MITRE released the first version of the ATT&CK framework. The team recognized the overall value of the kill chain strategic direction but they wanted to convey the actions that individual adversaries make, how one action relates to another, how sequences of actions relate to tactical adversary objectives, and how the actions correlate with data sources, defenses, configurations, and other countermeasures used for the security of a platform and domain. Over time, I started calling these three research efforts the Intrusion Kill Chain Trifecta. [ Music ] When we first started doing this podcast back in 2020, the intrusion kill chain prevention strategy was one of the first topics we covered. In 2022, we covered it again. And of course, when we published the "First Principles" book back in 2023, I dedicated Chapter 4 to the idea. In the book and the podcast, I made the case about why these three research efforts should be considered collectively and not separately. They are three significant elements coming together. One is a strategy document, the Lockheed Martin paper. One is an operational construct for defensive action, the MITRE framework. And one is a methodology for cyber threat intelligence teams, the Diamond Model. You don't choose one model over the other. All of these models work in conjunction with each other. To be clear, though, there wasn't a lot of collaboration between the research groups. The Lockheed Martin people weren't saying, "Hey, we're doing the strategic piece. DOD, you work on the intelligence piece. And MITRE, you build an intelligence wiki." No, different parts of the infosec profession were all thinking along the same lines, working independently, and coming to different conclusions. The situation was similar to the old Buddhist parable, where six blind men examined the same elephant. 
Each man was convinced that what he experienced was the correct interpretation when really, it was only a piece of the whole. Frank Duff is the chief innovation officer at a startup called Tidal Cyber. Their mission is to make it practical and affordable for all enterprises to adopt MITRE ATT&CK. And full disclosure here, I advise Tidal Cyber, so take whatever I say here with a grain of salt. Before Tidal Cyber, though, Frank spent 20 years working for MITRE, and the last 10 years supporting the ATT&CK project. Here's Frank.

Frank Duff: It was serendipitous, I guess, is the way of looking at it, right? Coincidental that a lot of these things happened, like any good standard, right? You had everybody doing their own standard, I guess, at the time, right? They're all kind of pushing the same philosophies. And they think --

Rick Howard: Smart people thinking the same kind of things, and how would they make that happen is kind of how I see it, yeah.

Frank Duff: Exactly. Exactly. And I think that there, right, there was this common need, right? And the community is a close-knit community. So I think a lot of people recognize this common need to create taxonomy. But I think there is always the challenge in moving from one to the other, right? Like, your application of the Diamond Model is looking at a very specific -- how thready is the threat kind of concept, right? And yes, you're trying to describe it, but it's trying to solve a slightly different problem. Or the kill chain was a great way of making it so that people could realize kind of the steps that an adversary would have to take. But then with ATT&CK, it's like, all right, well, those steps don't always happen linearly. I don't think that it's a you-pick-one kind of thing, which I know that you're a strong believer in, right? It's I think those things continue to excel at what they were developed to do. And they're all great pieces of making it so that you communicate, making it so that you can prioritize and the like.

Rick Howard: Amy Robertson has been working at MITRE for the past six years as a cyber threat intelligence engineer, and the last four years as the ATT&CK Engagement lead. She concurs with Frank. She says you take the output of the ATT&CK wiki as inputs to the Diamond Model and the outputs of the Diamond Model support the kill chain strategy.

Amy Robertson: I would view them more as complementary. So I do think that they have different purposes, essentially. So, you know, ATT&CK documents have more detailed adversary behavior as well. For example, the Diamond Model is more helpful if you're trying to get a better understanding of how to cluster intrusions, potentially how to use it for attribution. But, you know, ATT&CK-mapped techniques are going to be a useful source of input into the Diamond Model as you're using it to analyze adversary capability. So I think those are complementary. I do not think that you have to use them separately. You can use them together. I think that that makes a really good pairing. And then similarly, the kill chain, it's set -- ATT&CK is set a little bit lower of a definition because again, we're describing adversary behaviors, we're describing how they're doing things, and so instead of that kind of more linear model, where ATT&CK is unordered, we're trying to reflect how an adversary is moving realistically across a network. [ Music ]

Rick Howard: The question then is, where do most of us get the threat intelligence that will inform us about known attack sequences? Well, you can develop it yourself by using the Diamond Model and reading thousands of security vendor intelligence blogs about this adversary campaign or that one, like the latest ESET report on the Chinese hacker group, Mustang Panda, running attack campaigns against the shipping industry in Europe. And that's our show. Well, part of it. There's actually a whole lot more and it's all pretty great. So here's the deal. We need your help so we can keep producing the insights that make you smarter and keep you a step ahead in the rapidly changing world of cybersecurity. If you want the full show, head on over to the cyberwire.com/pro and sign up for an account. That's the cyberwire.com/pro. For less than a dollar a day, you can help us keep the lights and the mics on and the insights flowing. Plus, you get a whole bunch of other great stuff like ad-free podcasts, exclusive content, newsletters, and personal-level resources like practice tests. With N2K Pro, you get to help me and our team put food on the table for our families and you also get to be smarter and more informed than any of your friends. I'd say that's a win-win. So head on over to the cyberwire.com/pro and sign up today for less than a dollar a day. Now, if that's more than you can muster, that's totally fine. Shoot an email to pro@n2k.com and we'll figure something out. I would love to see you on N2K Pro. Here at N2K, we have a wonderful team of talented people doing insanely great things to make me and the show sound good. I think it's only appropriate you know who they are.

Liz Stokes: I'm Liz Stokes. I'm N2K CyberWire's associate producer.

Trey Hester: I'm Trey Hester, audio editor and sound engineer.

Elliott Peltzman: I'm Elliott Peltzman, executive director of sound and vision.

Jennifer Eiben: I'm Jennifer Eiben, executive producer.

Brandon Karpf: I'm Brandon Karpf, executive editor.

Simone Petrella: I'm Simone Petrella, the president of N2K.

Peter Kilpe: I'm Peter Kilpe, the CEO and publisher at N2K.

Rick Howard: And I'm Rick Howard. Thanks for your support, everybody.

All: And thanks for listening. [ Music ]