Mapping Your Cyber Hygiene to the MITRE ATT&CK Framework

Both the Center for Internet Security (CIS) security controls and the MITRE ATT&CK framework provide crucial intelligence to maintain a strong cybersecurity posture. By practicing good cyber hygiene as directed by the CIS, you can prevent and mitigate real-world threats identified throughout the MITRE ATT&CK framework.

What is good cyber hygiene?

In 2008, the Center for Internet Security published a list of 20 controls for protecting a network from cyber attacks. The controls are a relatively short list of high-priority, highly effective defensive actions, ordered so that every enterprise can see where to improve its cyber defense first. Over time, the security controls have proven that by adopting just the first six controls, 85 percent of attacks can be thwarted. Because the first six have proven especially important, CIS refers to them as “basic cyber hygiene” and encourages every organization to implement them.

What is the MITRE ATT&CK framework?

MITRE is a not-for-profit organization that operates federally funded research and development centers. The MITRE ATT&CK framework is a highly detailed and comprehensive matrix that illustrates how adversaries behave and explains the tactics and techniques you should use to mitigate risk and improve security.

The MITRE ATT&CK framework is used by security professionals, red teamers, blue teamers, and threat hunters to better describe threat actor activities. MITRE began developing ATT&CK in 2013, primarily to help government agencies share a common knowledge base and greatly improve knowledge transfer on the advanced threat actors they were tracking. The Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework was officially released in early 2015 and has since gained significant traction in the security space. Due to its popularity and adoption, MITRE has updated the framework several times over the last few years.

Targeting MITRE ATT&CK tactics and techniques with Automox Worklets™

To provide guidance on how to map your cyber hygiene practices to the MITRE ATT&CK framework, we’ve started to create a series of Automox Worklets™. Our goal is to showcase the power and flexibility of these worklets to bolster your cyber hygiene and prevent or mitigate real-world threats.

The MITRE ATT&CK framework currently consists of 11 distinct tactics:

  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Exfiltration
  • Command and Control

Each tactic often has a vast array of corresponding attack techniques that a threat actor may use to accomplish it. Currently, there are 291 total techniques corresponding to the 11 tactics previously mentioned. MITRE provides a very helpful navigator for visualizing the framework, along with a very robust knowledge base. MITRE ATT&CK provides tremendous granularity, and this granularity helps standardize vernacular between red teams and blue teams, reduces friction, and promotes knowledge transfer within an organization.

Utilizing the ATT&CK framework to identify weak areas in your security posture can greatly increase the speed with which an organization bolsters its security posture and cyber hygiene practices.

For the first blog of this series we have chosen to highlight the first tactic in the ATT&CK matrix, Initial Access, and more specifically the technique with ID T1078, Valid Accounts.

MITRE Tactic: Initial Access

Initial Access is the very first stage of an attack: the stage at which an adversary is trying to get into your network. Increasing your security defense at this stage can greatly aid in the prevention of compromise. While spearphishing is the most often leveraged technique in this category, we will focus on something an organization has more control over: valid accounts.

MITRE Technique: Valid Accounts

Threat actors may steal or gain access to the credentials of a specific user or service in a number of ways. Credentials are often captured during the attacker’s reconnaissance phase. A recent example of credential theft or compromised login information that comes to mind is the incident involving Disney+: thousands of accounts were compromised due to the reuse of usernames and passwords, and the credentials were later found for sale on numerous hacking forums.

MITRE Advanced Threat Groups

MITRE also provides a plethora of information on known advanced threat groups. Included in this information are the tactics, techniques, and procedures of these threat groups. This allows organizations to understand what a threat actor may do next, perform attribution, or even put security controls in place to prevent successful attacks by these groups.

Due to recent activity in Iran, CISA issued a warning for organizations to implement the mitigations provided by MITRE ATT&CK for known TTPs utilized by Iranian groups. Some of the techniques often associated with Iranian groups such as OilRig, APT33, and Leafminer are valid accounts and brute forcing. The most recommended mitigation for these techniques is implementing a strong password policy. With our CIS endpoint hardening worklets, implementing and maintaining strong password policies is as easy as clicking a button.

Endpoint and System Hardening With Automox Worklets

Automox will be focusing efforts on creating powerful and modular worklets to help IT and SecOps teams meet compliance with the CIS controls. Maintaining compliance with these controls can greatly improve your organization’s security posture and help mitigate the threats outlined by MITRE ATT&CK.

The first CIS worklet in our rapid release performs the following:

Password Policy

  • Ensure 'Enforce password history' is set to '24 or more password(s)'
  • Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'
  • Ensure 'Minimum password age' is set to '1 or more day(s)'
  • Ensure 'Minimum password length' is set to '14 or more character(s)'
  • Ensure 'Password must meet complexity requirements' is set to 'Enabled'
  • Ensure 'Store passwords using reversible encryption' is set to 'Disabled'
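As an added illustration (this is not Automox's worklet code), the following audit-only PowerShell script checks a Windows endpoint against the six CIS password-policy settings listed above. It assumes it runs with administrative rights, since it exports the local security policy with `secedit`, and it reads the `[System Access]` keys that `secedit /export` writes (`PasswordHistorySize`, `MaximumPasswordAge`, `MinimumPasswordAge`, `MinimumPasswordLength`, `PasswordComplexity`, `ClearTextPassword`).

```powershell
# Added example, not the worklet itself: export the local security policy and
# compare the [System Access] values against the six CIS password-policy items.
$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null

# Parse only the numeric keys of the [System Access] section into a hashtable
$policy = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
        $policy[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item $inf -Force

# One entry per CIS item: the secedit key and a predicate that is $true when compliant.
# secedit reports "never expires" for MaximumPasswordAge as -1 (or 0), both of which fail.
$checks = @(
  @{ Name = 'Enforce password history (24 or more)';          Key = 'PasswordHistorySize';   Test = { param($v) $v -ge 24 } },
  @{ Name = 'Maximum password age (60 or fewer days, not 0)'; Key = 'MaximumPasswordAge';    Test = { param($v) $v -ge 1 -and $v -le 60 } },
  @{ Name = 'Minimum password age (1 or more days)';          Key = 'MinimumPasswordAge';    Test = { param($v) $v -ge 1 } },
  @{ Name = 'Minimum password length (14 or more)';           Key = 'MinimumPasswordLength'; Test = { param($v) $v -ge 14 } },
  @{ Name = 'Password must meet complexity requirements';     Key = 'PasswordComplexity';    Test = { param($v) $v -eq 1 } },
  @{ Name = 'Reversible encryption disabled';                 Key = 'ClearTextPassword';     Test = { param($v) $v -eq 0 } }
)

$failed = 0
foreach ($c in $checks) {
    $value = $policy[$c.Key]
    # A missing key counts as a failure rather than silently passing
    $ok = ($null -ne $value) -and (& $c.Test $value)
    if (-not $ok) { $failed++ }
    '{0,-4} {1}  (current value: {2})' -f $(if ($ok) { 'PASS' } else { 'FAIL' }), $c.Name, $value
}

# Non-zero exit code lets an evaluation step flag the endpoint for remediation
exit $failed
```

Run it as an evaluation step before remediation so you can see which of the six settings actually drift on a given endpoint.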

For step-by-step instruction on running this Automox Worklet, see our Worklet blog here. To see this worklet in action, view our January Patch Tuesday webinar.

Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day.

Grab your free trial of Automox and join thousands of companies transforming IT operations into a strategic business driver.
