
What is MITRE ATT&CK Framework?

And how it can help you up your cyber hygiene game

What is MITRE ATT&CK?

Before we get into the nitty-gritty of it all, you should know MITRE is a not-for-profit organization that operates federally-funded research and development centers.

Under that umbrella, MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a tool developed by MITRE Corporation to help an organization assess its security readiness and discover potential vulnerabilities in its defense systems.

Back to basics: The MITRE ATT&CK framework

The MITRE ATT&CK framework is a highly detailed and comprehensive matrix that illustrates how adversaries behave and explains the tactics and techniques you should use to mitigate risk and improve security.

MITRE ATT&CK framework is used by security professionals, red teamers, blue teamers, and threat hunters to better describe threat actor activities.

MITRE began developing ATT&CK in 2013 to primarily help government agencies share a common knowledge base to greatly improve knowledge transfer on advanced threat actors they were tracking.

The Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework was officially released in early 2015 and has since gained significant traction in the security space. Because of its popularity and adoption, MITRE has updated the framework several times over the last few years.

Targeting MITRE ATT&CK tactics and techniques with Automox Worklets™

To provide guidance on how to map your cyber hygiene practices to the MITRE ATT&CK framework, we’ve started to create a series of Automox Worklets™. Our goal is to showcase the power and flexibility of these Worklets to bolster your cyber hygiene and prevent or mitigate real-world threats.

The MITRE ATT&CK framework currently consists of 11 distinct tactics:

  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Exfiltration

Each tactic has a wide range of corresponding techniques that a threat actor may use to accomplish that tactic. Currently, there are 291 total techniques corresponding to the 11 tactics previously mentioned.

MITRE provides a very helpful navigator to help visualize the framework along with a very robust knowledge base.

MITRE ATT&CK provides tremendous granularity, and this granularity helps standardize vernacular between red teams and blue teams, reduces friction, and promotes knowledge transfer within an organization.

Utilizing the ATT&CK framework to identify weak areas in your security posture can greatly impact the speed at which an organization can bolster its security posture and cyber hygiene practices.

To give you more information, we've chosen to highlight the first tactic in the ATT&CK matrix, Initial Access, and even more specifically the technique ID:T1078, or Valid Accounts.

MITRE Tactic: Initial Access

Initial Access is the very first stage of an attack and is simply the stage at which an adversary is trying to access your network. Increasing your security defense at this stage can greatly aid in the prevention of compromise. While spearphishing is the most often leveraged technique in this category, we will focus on something an organization has more control over, valid accounts.

MITRE Technique: Valid Accounts

Threat actors may steal or gain access to the credentials of a specific user or service in several ways. Credentials are often captured during the attacker’s reconnaissance phase. One example of credential theft or compromised login information that comes to mind is the incident involving Disney+: thousands of accounts were compromised due to the reuse of usernames and passwords and were later found for sale on numerous hacking forums.

MITRE Advanced Threat Groups

MITRE also provides a plethora of information on known advanced threat groups. Included in this information are the tactics, techniques, and procedures of these threat groups.

This allows organizations to understand what a threat actor may do next, perform attribution, or even put security controls in place to prevent successful attacks by these groups.

For example, CISA issued a warning for organizations to implement mitigations provided by MITRE ATT&CK on known TTPs utilized by known Iranian groups. Some of the techniques that are often associated with Iranian groups such as OilRig, APT33, and Leafminer are valid accounts and brute forcing.

The most recommended mitigation for these techniques is implementing a strong password policy. With our Center for Internet Security (CIS) endpoint management Worklets, maintaining and implementing strong password policies is as easy as clicking a button.

Endpoint Management With Automox Worklets

Automox will be focusing efforts on creating powerful and modular Worklets to help enable IT and SecOps to meet compliance with CIS controls. Maintaining compliance with these controls can greatly improve your organization’s security posture and help mitigate threats outlined by MITRE ATT&CK.

The first CIS Worklet in our rapid release performs the following:

Password Policy

  • Ensure 'Enforce password history' is set to '24 or more password(s)'
  • Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'
  • Ensure 'Minimum password age' is set to '1 or more day(s)'
  • Ensure 'Minimum password length' is set to '14 or more character(s)'*
  • Ensure 'Password must meet complexity requirements' is set to 'Enabled'
  • Ensure 'Store passwords using reversible encryption' is set to 'Disabled'
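As an added example (this is not Automox's Worklet code), the following PowerShell audits a Windows endpoint's local password policy against the six CIS values above by parsing the security template that `secedit /export` writes. The script, its check table, and its PASS/FAIL output format are assumptions of this example; it must run from an elevated prompt.

```powershell
# Added example, not the Automox Worklet: audit local password policy against
# the CIS values listed above. Requires an elevated PowerShell session.
$MinLength = 14   # CIS baseline; the footnote recommends 30 for heightened complexity

$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
$raw = Get-Content $cfg
Remove-Item $cfg -Force

# Collect the "[System Access]" section of the exported template as key = value
$policy = @{}
$inSection = $false
foreach ($line in $raw) {
    if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
}

# One entry per CIS check: template key, description, and the pass condition.
# In the template, MaximumPasswordAge = -1 means "never expires" (0 in the GUI).
$checks = @(
    @{ Key='PasswordHistorySize';   Desc='Enforce password history >= 24';          Test={ param($v) $v -ge 24 } },
    @{ Key='MaximumPasswordAge';    Desc='Maximum password age 1..60 days';         Test={ param($v) $v -ge 1 -and $v -le 60 } },
    @{ Key='MinimumPasswordAge';    Desc='Minimum password age >= 1 day';           Test={ param($v) $v -ge 1 } },
    @{ Key='MinimumPasswordLength'; Desc="Minimum password length >= $MinLength";   Test={ param($v) $v -ge $MinLength } },
    @{ Key='PasswordComplexity';    Desc='Complexity requirements enabled';         Test={ param($v) $v -eq 1 } },
    @{ Key='ClearTextPassword';     Desc='Reversible encryption disabled';          Test={ param($v) $v -eq 0 } }
)

$failures = 0
foreach ($c in $checks) {
    $value = $policy[$c.Key] -as [int]          # $null if the key is missing or not numeric
    $ok = ($null -ne $value) -and (& $c.Test $value)
    if (-not $ok) { $failures++ }
    $status = if ($ok) { 'PASS' } else { 'FAIL' }
    '{0} {1} (current: {2})' -f $status, $c.Desc, $value
}

# A non-zero exit code lets an automation tool flag the endpoint as non-compliant
exit $failures
```

The exit code equals the number of failed checks, so a scheduler or endpoint-management tool can treat anything other than 0 as a drift from the baseline.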

For step-by-step instructions on running this Automox Worklet, see our Worklet blog here.

Both CIS security controls and the MITRE ATT&CK framework provide crucial intelligence to maintain a strong cybersecurity posture. By practicing good cyber hygiene as directed by the CIS, you can prevent and mitigate real-world threats identified throughout the MITRE ATT&CK framework.

* We recommend a 30-character minimum length password for heightened complexity.

Working with MITRE to maintain good cyber hygiene

In 2008, CIS published a list of 20 controls for protecting a network from cyberattacks. The controls are a relatively short list of high-priority, highly effective defensive actions that provide a priority listing of how every enterprise can improve its cyber defense.

Over time, the security controls have proven that by adopting just the first six controls, 85 percent of attacks can be thwarted. Because the first six have proven especially important, CIS refers to them as “basic cyber hygiene” and encourages every organization to implement them. It's good to familiarize yourself with these basics to make sure your cyber hygiene protocols are effective and relevant.
