Threat Hunting Using Mitre Att&ck Matrix/Framework

In 2013, the MITRE federal nonprofit research project set out to identify and share best practices for defending against verified cyber threats. The intelligence it produced is summarized as ATT&CK, an acronym for Adversarial Tactics, Techniques, and Common Knowledge. Since its 2015 public release, it has helped “security teams in all sectors secure their organizations against known and emerging threats” (Crowdstrike, 2021). Platforms covered by the framework include Windows, Linux, ICS, macOS, and mobile devices.

The job of a threat hunter is vital because of the proactive service it provides. A threat hunter's purpose is to find, pursue, and prevent cyber threats for the health of the organization they are affiliated with. They specialize in undiscovered threats that hide inside data sources. Once they identify a threat, they “gather as much information on threat behavior, goals and methods as possible” (Lane, 2020).

The ATT&CK matrix is a fantastic resource for threat hunters because it helps them find bad actors and the vulnerabilities that make an organization an attractive target. The matrix is a repository of known hacker strategies and tools. Using that stored knowledge, threat hunters develop and test hypotheses. Threat hunters can also “obtain a broader set of evidence by hunting for adversarial techniques rather than specific signatures” (VMWare, 2022), allowing them to find a solution backed by thorough research.

Below are categories of threats identified in the Matrix, each paired with one example technique. It is not an exhaustive list, but it does provide a glimpse of the value the framework gives threat hunters.

Reconnaissance: Active Scanning

  • Use of network traffic to probe victim infrastructure
  • A direct recon approach
  • Information gathered is used to target victims
  • Can be the starting point for more insidious reconnaissance

Resource Development: Acquire Infrastructure

  • Use of infrastructure to target victims
  • Can be bought/leased/rented
  • Example: cloud servers, botnets, 3rd party services
  • Bad actors use infrastructure as a platform for the rest of the operation
  • Allows bad actors to stay under the radar in web traffic, because using a 3rd-party service lets them blend in
  • Even if the threat is identified, the infrastructure used could prevent threat hunters from identifying the threat actor, because the actor can easily shut down or modify the devices involved

Initial Access: Drive-by Compromise

  • Victim visits a compromised website and accidentally launches a malicious application via popups
  • Once the code is triggered, the bad actor could gain access
  • The web browser is the vulnerable target
  • Once access is gained, Application Access Tokens and other sensitive applications and information could be stolen

Execution: Command and Scripting Interpreter

  • Use of command/script interpreters to launch malicious commands/scripts/binaries
  • Use of legit-looking documents carrying a malicious secondary payload that is downloaded onto the victim’s device
  • Terminals/shells can be used for execution
  • Arbitrary commands can be executed remotely

Persistence: Account Manipulation

  • Actions that prevent the bad actor from losing their unauthorized access
  • Could include modifying credentials/permission groups
  • Often leads to enhanced permission levels, opening new doors in the system through higher roles for privileged accounts

Privilege Escalation: Abuse Elevation Control Mechanism

  • Abuse of built-in controls for privilege escalation
  • Bad actors get around controls meant to prevent unauthorized privilege elevation and gain more permissions in the system than they are supposed to have

Defense Evasion: Access Token Manipulation

  • Modification of access tokens so bad actors can appear to be a different user, perform actions they could not otherwise take, and get around access controls
  • Use of access tokens to make an action look like it's coming from a different user
  • Gains the same level of access as the user whose token was stolen
  • Can elevate permissions all the way to admin or system level and do more damage than they could with their own access tokens

Credential Access: Adversary-in-the-Middle

  • Bad actor gets in the middle of two or more network devices
  • Abuse of network protocols to insert themselves into the traffic flow
  • Leads to network sniffing and manipulation of transmitted data
  • Once in control of the system, they can force communication to steal information and do more damage, such as changing DNS settings to block users or redirect them to malicious sites that deliver malware

Discovery: Application Window Discovery

  • Access gained to a list of open application windows
  • Gives context to an installed keylogger and lets the bad actor see how the system is being used

Lateral Movement: Exploitation of Remote Services

  • Exploitation of remote service to access internal systems
  • Takes advantage of a software vulnerability caused by a programming, operating system, or software error
  • Once access is gained, drops a payload and executes code
  • Bad actor’s goal is to gain access to the remote system
  • Could lead to privilege escalation and further exploitation

Collection: Archive Collected Data

  • Data compression/encryption before exfiltration
  • Data compression helps hide collected data and reduces the amount that has to be sent over the network
  • Data encryption prevents threat hunters from finding the stolen information and keeps the exfiltration from being detected

Command and Control: Application Layer Protocol

  • Communication through the abuse of application layer protocols
  • Threat hunters cannot detect it because the bad actors are blending in with normal traffic
  • Commands embedded within the protocols are meant to target remote systems

Exfiltration: Automated Exfiltration

  • After data is gathered in the collection phase, it is exfiltrated using automated processes
  • Sensitive docs could be collected by bad actors

Impact: Account Access Removal

  • Abuse of legitimate accounts to deny availability of the system and network
  • Account deletion/lock/manipulation to prevent account access
  • Example: changed credentials
  • Could allow bad actors to log users off or reboot to preserve their malicious actions
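The technique-based hunting described above, applied to two techniques from the list (Active Scanning, and Archive Collected Data followed by an outbound transfer), as an added Python example that is not from the original article or from MITRE. The telemetry is constructed, and the field names, thresholds and archiver list are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, **fields):  # one constructed telemetry event with a parsed timestamp
    return {"ts": datetime.fromisoformat(ts), **fields}

# Constructed sample telemetry (not real logs): 10.0.0.5 probes 12 ports on one
# target in ~35 s; 10.0.0.9 runs an archiver, then pushes 5 MB to an external IP.
EVENTS = [ev(f"2024-01-10T09:00:{s:02d}", kind="conn", src="10.0.0.5",
             dst="10.0.1.20", port=20 + s, bytes_out=60, external=False)
          for s in range(0, 36, 3)]
EVENTS += [
    ev("2024-01-10T09:05:00", kind="conn", src="10.0.0.9", dst="10.0.1.20",
       port=443, bytes_out=900, external=False),
    ev("2024-01-10T10:00:00", kind="proc", host="10.0.0.9", image="7z.exe"),
    ev("2024-01-10T10:04:30", kind="conn", src="10.0.0.9", dst="203.0.113.7",
       port=443, bytes_out=5_000_000, external=True),
]

def hunt_active_scanning(events, window=timedelta(seconds=60), min_ports=10):
    """Active Scanning: one source hitting many distinct ports in one window."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "conn":
            by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # sliding window anchored at each event
            ports = {e["port"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(ports) >= min_ports:
                hits[src] = len(ports)
                break
    return hits

def hunt_archive_then_upload(events, window=timedelta(minutes=10), min_bytes=10**6):
    """Archive Collected Data then a large external transfer from the same host."""
    archivers = {"7z.exe", "rar.exe", "tar", "zip"}  # assumed archiver image names
    archived_at = defaultdict(list)
    for e in events:
        if e["kind"] == "proc" and e["image"] in archivers:
            archived_at[e["host"]].append(e["ts"])
    hits = []
    for e in events:
        if e["kind"] != "conn" or not e["external"] or e["bytes_out"] < min_bytes:
            continue
        if any(timedelta(0) <= e["ts"] - t <= window for t in archived_at[e["src"]]):
            hits.append((e["src"], e["dst"]))
    return hits

print(hunt_active_scanning(EVENTS), hunt_archive_then_upload(EVENTS))  # run both hunts
```

Both hunts key on behaviour (many ports in a short window; archive then large upload) rather than on a specific tool, which is why they still fire when the scanner or archiver is swapped.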

References

Crowdstrike. (2021, May 27). MITRE ATT&CK FRAMEWORK. Retrieved from https://www.crowdstrike.com/: https://www.crowdstrike.com/cybersecurity-101/mitre-attack-framework/

Lane, P. (2020, August 12). Your Next Move: Threat Hunter. Retrieved from www.comptia.org: https://www.comptia.org/blog/your-next-move-threat-hunter

MITRE ATT&CK. (2022, March 8). Active Scanning. Retrieved from attack.mitre.org: https://attack.mitre.org/techniques/T1595/

SentinelOne. (2022, July 27). Threat Hunter. Retrieved from www.dhirubhai.net: https://www.dhirubhai.net/jobs/view/threat-hunter-at-sentinelone-3122467597?trk=bingjobs

VMWare. (2022). Using the ATT&CK Framework to Mature Your Threat Hunting Program. Retrieved from https://www.vmware.com/: https://www.vmware.com/resources/security/using-the-att-framework-to-mature-your-threat-hunting-program.html
