How MITRE ATT&CK can help you to defend against Advanced Persistent Threats (APTs)

March 10, 2020

Modern companies are facing constant cyber-threats. Black hat hackers give no sign they would stop. New hacking techniques regularly appear. Detecting advanced persistent threats (APTs) is a challenging mission, as the goals of these attacks are to remain undetected for along time and to steal data, rather than only harm the systems.

According to multiple information security reports, the number of APT attacks is increasing in a notable way, targeting national defenses,manufacturing, and the financial industry. Thus, classic protection techniques are, in many cases, useless. Deploying suitable platforms and solutions can help organizations but they are not enough. Acquiring the required skills to defend against these APTs is essential to protect your organization assets and your clients valuable information.

This article will give you step-by-step guidance to give an overview of how to use the MITRE ATT&CK framework to defend against advanced persistent threats (APTs). We are going to explore the following points:

  • What is a threat?
  • What is an advanced persistent threat?
  • The Cyber Kill Chain
  • How MITRE ATT&CK can help you to defend against Advanced PersistentThreats

What is a threat?

Before diving-in into the MITRE ATT&CK framework, let’s explore some important terminologies. By definition, a threat is a potential danger to our assets that could harm the systems. For security professionals, and especially for risk managers, threats play a huge role in analyzing risks. There are many categories of threats in the wild such as: Malicious software like ransomware, distributed denial of service (DDoS), network attacks, zero day exploits, data manipulation, APTs and so on.  

According to TechRadarePro, the average cost of cyber attack now exceeds $1.6 million. So, if you are not well prepared, a successful cyber attack against your company will damage your business.

What is an Advanced Persistent Threat (APT)?

In order to protect your organization, you need to know your enemies and like Sun Tzu in his book “The Art of war” said:

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

TechTarget defines advanced persistent threats as follows:

“An advanced persistent threat (APT) is a prolonged and targeted cyber attack in which an intruder gains access to a network and remains undetected for an period of time. The intention of an APT attack is usually to monitor network activity and steal data rather than to cause damage to the network or organization.”

To discover more about the most dangerous APT groups you can explore this great resource: https://attack.mitre.org/groups/

Also you can check the “Threat Actor Map” to more details and references about APT groups: https://aptmap.netlify.com/#Union%20Panda


Cyber Kill Chain:  

The cyber kill chain is a military-inspired model to describe the steps used by black-hat hackers and adversaries in a cyber attack. It was developed by Lockheed Martin.The model goes through the following steps:

Reconnaissance: In this phase, attackers collect as many pieces of information about the target as possible from different sources because you cannot attack what you don’t know.

Weaponization: In this phase the attackers prepare their attack by generating malware pieces for example and weaponizing payloads.  

Delivery: In this phase the attackers deliver the malware using different channels like emails, USB and so on.

Exploitation: In this phase, the attackers gain access to the systems.

Commandand control (C2): Command channel for remote manipulation of the victim.

Installation: In this phase the attackers install an implant or a backdoor to ensure persistence.

Actions and objectives:  In this phase the attackers achieve the goals of the mission.

The following graph illustrates the different steps of the cyber kill chain:

Image Courtesy: lockheedmartin.com

MITRE ATT&CK Framework:

According to MITRE corporation, MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

The framework provides four matrices:

  1. PRE-ATTACK
  2. ENTERPRISE
  3. MOBILE
  4. ICS (Industrial Control Systems)

The following matrix is a snippet from the “Enterprise Matrix”:

You can find the full matrix here:

https://attack.mitre.org/matrices/enterprise/


As you can notice, it contains 12 tactics:

  1. Initial Access
  2. Execution
  3. Persistence
  4. Privilege Escalation
  5. Defense Evasion
  6. Credential Access
  7. Discovery
  8. Lateral Movement
  9. Collection
  10. Command and Control
  11. Exfiltration
  12. Impact

But what do we mean by Tactics and Techniques?
The pyramid of pain shows the relationship between the types of indicators found when dealing with adversaries. By indicators, I mean Hash values, IP addresses, Domain names, Network/host artefacts, tools and Tactics, techniques and procedures (TTPs). Tactics, Techniques and procedures (TTPs) are how the attackers are going to achieve their mission. A tactic is the highest level of attack behaviour.

The following graph illustrates the pyramid of pain:

Image Courtesy: carbonblack.com

For example, one of the techniques is “Drive-by Compromise”:

By now, we have acquired a fair understanding of the MITRE ATT&CK framework. This framework is a powerful resource to help your security team to defend against APTs. By studying the tactics and techniques used by advanced persistent threats you can plan your safeguards and you will be more prepared to protect your organization. Let’s take for example APT37. According to https://attack.mitre.org/groups/:


“APT37 is a suspected North Korean cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Areyou Happy?, FreeMilk, Northern Korean Human Rights, and Evil New Year2018.“

Moreinformation about APT37 can be found here: https://attack.mitre.org/groups/G0067/


Once you collect information about the APT you can use the MITRE ATT&CK navigator to highlight the used techniques:

You can even export an svg version of the matrix:

If you want to get more informations about the used techniques in APTs you can also check MITRE Cyber Analytics Repository and the CARExploration Tool (CARET)

Now you can start deploying and planning the required mitigations and safeguards based on some classification metrics. The MITRE Enterprise Mitigation matrix can be a good reference to follow as a start.


References and Credits:

  1. Cyber Kill Chain: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
  2. What are advanced persistent threats? https://searchsecurity.techtarget.com/definition/advanced-persistent-threat-APT
  3. https://attack.mitre.org
  4. Using MITRE ATT&CK to defend against Advanced Persistent Threats: https://www.peerlyst.com/posts/using-mitre-att-and-ck-to-defend-against-advanced-persistent-threats-chiheb-chebbi?trk=search_page_search_result