You Can Help Improve MITRE’s ATT&CK Matrix
I’ve been a fan of MITRE’s ATT&CK? matrix (https://attack.mitre.org/) since it was publicly released in 2015. Below is a snippet of the larger table that now contains 12 adversarial stages of attacks with over 185 individual elements.
It is one of the best attempts to put an encompassing taxonomy and framework around cyber attack techniques and motivations. If you’re going to encourage a global set of unrelated cyber defenses into better addressing common problems, it helps to have a common set of names, descriptions, and understandings. Many organizations tried to accomplish something similar in the past, but for some reason, they didn’t resonate or stick the way the ATT&CK matrix has. For all intents and purposes, it seems to finally be the model that people can agree on.
The ATT&CK Matrix most of us are used to seeing is a graphical summary depiction of adversarial tactics and techniques reported by in-the-field practitioners. It summarizes attack techniques to help improve the solutions and responses. You can read about ATT&CK’s history and philosophy here (https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf) and even contribute your own ideas and suggestions for improvement here: https://attack.mitre.org/resources/contribute/. That’s one of its biggest benefits. It’s a living document proactively asking for input from practitioners.
MITRE breaks down most actions and methods into techniques and is working on sub-techniques. Initially, MITRE just focused on techniques, which summarized a broad way that attackers could do something, say credential dumping. Now, they are adding sub-techniques, which describe all the different ways the technique could be done. For example, with the credential dumping, sub-techniques could include specific tools and methods against specific types of authentication stores, say pwdump and Mimikatz for Microsoft Windows systems. A better description of techniques versus sub-techniques is given here: https://medium.com/mitre-attack/attack-sub-techniques-preview-b79ff0ba669a. What MITRE is doing with sub-techniques is great.
Call to Action
The MITRE ATT&CK matrix is great, but it needs improvement. They advertise as best as they can for contributions and recommendations. If you have a good amount of experience in a particular area I encourage you to review the existing matrix and get involved and make recommendations if you see any areas that may need improvement. Get involved! I am.
MITRE ATT&CK Initial Access Techniques
A lot of my current attention is focused on the ways a hacker or their malware creation can break into a system – something I call a root cause exploit. MITRE calls them initial access techniques. The MITRE ATT&CK matrix currently lists 11 initial access techniques used by cyber adversaries. They are:
· Drive-by Compromise
· Exploit Public-Facing Application
· External Remote Services
· Hardware Additions
· Replication Through Removable Media
· Spear Phishing Attachment
· Spear Phishing via Service
· Spear Phishing Link
· Supply Chain Compromise
· Trusted Relationship
· Valid Accounts
As much as I like the MITRE ATT&CK matrix, the currently listed initial access techniques are not inclusive.
I say this as a 30-year computer security professional who loves tracking individual cyberattack techniques over multiple decades and projects. In each project, my goal has been to comprehensively describe and categorize cybersecurity threats. For over 20 years, I tracked every possible way that malware could remain persistent on Microsoft Windows (and initially DOS) computers. I came up with dozens of ways over the years, and eventually shared what I had learned with Mark Russinovich during one of his early upgrades of his awesome Autoruns utility (https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns). The figure below shows a snippet of Autoruns actively running. He added the ideas I had that he didn’t already have, and since then, many more dozens over the years.
If you haven’t checked out Autoruns, it’s a free Sysinternals/Microsoft utility that will show you all the known places where programs on your system, including malware, can hide on a Windows system to remain in control of a computer during reboots (known as persistence). It’s pretty darn cool, informative, and useful. I run it on my personal systems at least once a month. Want to know why it takes your system so long to boot or for Windows to come up after you login? Run Autoruns. Want to know if your system has a running malware program? Run Autoruns. It includes an option to check suspicious programs against Google’s VirusTotal (www.virustotal.com), although I really prefer Microsoft’s/Sysinternals’ Process Explorer (https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer) for a quick 15-second check of the same (https://www.infoworld.com/article/3014323/security/a-free-almost-foolproof-way-to-check-for-malware.html). In years past, when a friend asked me to look at their computer to see if it was infected, I could count on wasting 1-2 hours. Now I just fire up Process Explorer and I know the answer in 15 seconds. It has given me back a big part of my personal life.
In another project, I also tracked every file type (e.g., DOC, XLS, EXE, etc.) that could be used by malware to execute harmful code. I even know how to use a TXT file to compromise your system. A decade into this project, I had over 150 file extensions and learned that it would be easier to describe which file types hadn’t been used maliciously by hackers or malware. The latter list was smaller than the former. Eventually, I gave up on that tracking document because so many file types ended up on the original list that it just didn’t make sense to track. It’s just easier to say be aware of all file types.
My Initial Access List
But my longest tracking list project has been a comprehensive list of the ways that a hacker or malware program can gain initial access to a computer or device – just like the ATT&CK matrix list of initial access techniques. The list itself isn’t long…only ten items long, but I’ve been adding to and revising the list for over 3 decades. I’ve come up with over a hundred ways a system could be compromised (i.e., sub-techniques), but I kept the summary techniques list short so I can use it in slides and presentations.
I’ve often made my “definitive, final†list of initial access attack vectors that I thought could not be improved on and then later on, had to modify it again too many times to count. Each time I’d make an updated list of initial root causes, I’d make my list and send it out to every computer security expert I knew and asked them to make suggestions and find gaps. I intended my lists to be 100% comprehensive so that no one can list an attack type I haven’t considered. Sometimes my “final†list sits there for years and I can’t find anything that it doesn’t include. And then one day a (new-to-me) initial access attack vector gets mentioned by someone else…nothing extraordinary…just something I failed to consider, and I have to update my list again. Although for the last five years, I’ve only done a small amount of updating and changing. It has gotten a lot more focused over the years.
Once it stopped getting frequently updated, I eventually felt comfortable enough to make my initial access list the cornerstone of what I consider my magnum opus book – A Data-Driven Computer Security Defense (https://www.amazon.com/Data-Driven-Computer-Defense-Way-Improve/dp/1092500847). It has sold over 30,000 copies and now is on its second edition (cover shown below).
It lists the main ways that any entity or system can be hacked. The main conclusion is that all organizations need to find out how they are initially compromised the most and focus on closing those initial attack vectors. If more defenders focused on closing their most popular root exploit holes, there would be less successful hackers and malware. For my self-declared “magnum opusâ€, what it teaches is pretty simple and straightforward: Find out how you are attacked the most and mitigate those things first and best. But sadly, most organization don’t do it. They get blinded by the sheer number of potential attacks they are told they must fear and resolve every day, and miss focusing on the most important stuff.
Here’s my current Data-Driven Defense (DDD) root cause exploit list:
· Programming Bug (patch available, but not patched or zero day)
· Social Engineering
· Authentication Attack
· Human Error/Misconfiguration
· Eavesdropping/MitM
· Data/Network Traffic Malformation
· Insider Attack
· Third Party Reliance Issue (vendor/dependency/watering hole)
· Physical Attack
· Brand New Attack Vector (w/o current/default mitigation)
Like any comprehensive list with an ever-growing population of techniques, it’s a living document. Like the MITRE ATT&CK matrix, it grows and improves. Only I know my list of initial access vectors is more comprehensive.
Let’s start with comparing MITRE’s ATT&CK initial access vectors to my list in the figure below:
You can see MITRE has some technique gaps. The techniques MITRE completely misses include:
· Eavesdropping attacks (like wireless sniffing, man-in-the-middle attacks, etc.)
· Data malformation (although it could be loosely represented in “Exploit Public-Facing Applicationâ€). But I can do data malformations, like buffer overflows, using email quite easily.
· Network Traffic Malformation essentially represents network-based Denial-of-Service (DoS) attacks and things like Smurf attacks. What about EMI attacks that can be used to attack and make inoperable nearly any electrical component? None of the MITRE techniques seem to mention availability issues, like those caused by network traffic malformation.
· The MITRE ATT&CK technique of “Trusted Relationships†could be extended to consider insider attacks, but does not refer to that today. Right now, it only includes third-party vendors and contractors.
· MITRE ATT&CK’s two physical attacks, Hardware Additions and Replication through Removable Media, don’t seem to consider any other possible physical attack types. How about if I just take your asset? That’s about as simple as it gets. Or how about I get your smartcards and use power differential attacks to compromise the secret key? Or use an electron microscope to view the secret key on the molecular level? Or use canned air to freeze memory chips to recover secret keys?
The social engineering section needs to be beefed up as well. Social engineering and phishing is responsible for 70% to 90% of all malicious breaches (https://blog.knowbe4.com/70-to-90-of-all-malicious-breaches-are-due-to-social-engineering-and-phishing-attacks). MITRE’s ATT&CK matrix accounts for social engineering using just three initial access methods: Spear Phishing Attachments, Spear Phishing Links, and Spear Phishing via Service. Ignoring why they are using the specific term, spear phishing, instead of just phishing (which is hundreds of times more popular), it ignores all other possible types of social engineering including: Smishing and Vishing. I can think of dozens of sub-techniques for social engineering. I can think of a dozen different sub-techniques for most of their techniques that they don’t already have covered. I’m getting involved to see if I can improve the ATT&CK matrix. You can, too.
Go here: (https://attack.mitre.org/resources/contribute/).
I want to encourage readers to review MITRE’s ATT&CK matrix. It’s a great tool and only getting better. If you see something missing, contribute a recommendation. Community projects like this can only get better the more that knowledgeable people get involved. Help make the ATT&CK matrix even better.