Following last year’s exceedingly successful inaugural MITRE ATT&CK™ conference, this year’s highly anticipated ATT&CKcon 2.0 conference will be held from Oct 28-30 at MITRE’s McLean headquarters. MITRE’s always open to hearing feedback about the limitations of the ATT&CK framework and how to make ATT&CK more useful. Today, I want to look at the structure of ATT&CK content.
Part I: ATT&CK—A Taxonomy of Adversarial Behavior
The MITRE ATT&CK framework is often described as a taxonomy of adversarial behavior based on real-world observation of APT campaigns. The goal is to standardize our knowledge and understanding of cybersecurity from an adversary’s perspective. Specific behaviors or actions, called techniques, classified under categories, called tactics, which reflect various phases of an adversarial attack lifecycle—like Lockheed’s cyber kill chain but with an emphasis on perspective and finer granularity.
For example, by using utilities such as the Windows Task Scheduler or by placing an entry in the Startup Folder, adversaries can maintain a presence on a system even through a reboot. These are two techniques classified under the common tactic Persistence, and persistence is an important tactical concept because adversaries often need to maintain access to a system, through interruptions, in order to carry out their objectives. Tactics categories include Discovery, Initial Access, Execution, Lateral Movement, and Exfiltration among others. Some techniques are classified under multiple tactics as some actions can have multiple functions. Bypassing User Account Control, for instance, is both a way to Escalate Privilege and a way to Evade Defenses. People, including myself, love the philosophy of ATT&CK. A domain taxonomy is tremendously valuable because it gives us a classification of information to better communicate, collaborate, account for, and reason about the domain in a scientific manner. ATT&CK is particularly useful as a standardization for threat intelligence, threat hunting, adversary emulation, and analysis and evaluation of computer network defense. However, the structure of ATT&CK can be improved, and at the top of my ATT&CK wish list is for more principled, coherent, and meaningful structure. In the most recent April update, we’ve added 28 new techniques and a new tactic to the enterprise matrix, for a total of 244 techniques grouped under 12 tactics. As the framework grows, the matrix—tactic and technique—structure becomes harder to work with. The most obvious structural problem is with inconsistent abstraction where some techniques are more general than others and some techniques naturally falling under the scope of other techniques. At the top, ATT&CK contains 3 matrices, ATT&CK for Enterprise, Pre-ATT&CK, and ATT&CK Mobile, a list of adversarial groups mapped to techniques, and a list of software used by those groups. Here’s a snapshot of the current ATT&CK Matrix for Enterprise and its mid-level structure:
Within a Technique, there’s a unique ID, a definition or description, associated Tactic, affected platforms, prototypical examples, mitigation and detection information, a list of adversarial groups and software known to use the behavior, and a link to the related CAPEC entry. Here’s a snapshot of Account Discovery as an example:
Further, each Group entry contains a unique ID, a description of the group, associated naming conventions, and a list of techniques and software used. And each Software entry links back to the techniques exploited and groups who use it. Good stuff.
Let’s look at a couple of examples of basic structural pain points. Masquerading describes the behavior of manipulating or abusing a name or location of an executable or file in order to hide malicious function from detection. Masquerading encompasses an enormous variety of ways to carry out the behavior. On the other hand, there are three distinct spear phishing entries listed under Initial Access, Spearphishing Attachment, Spearphishing Link, and Spearphishing via Service, which separately cover different ways to spear phish. There is an unevenness of abstraction between techniques. This suggests ad hoc principles in determining what Techniques to add to ATT&CK. Additionally, there are some techniques that ought to be subcategorized as types or instances of other techniques. PowerShell is a powerful and ubiquitous shell and scripting language framework, and it’s used by adversaries and defenders alike to perform a wide array of actions on Windows systems. But, a separate Scripting entry describes various actions adversaries perform using scripting languages generally. Taxonomically, PowerShell is a species of Scripting. There are also entries for AppleScript and Logon Scripts, all of which categorized under various Execution, Persistence, Defense Evasion, and Lateral Movement tactics while Scripting is listed only under Defense Evasion and Execution. If these specific types of scripting techniques are a sub-type of scripting in general, then, by transitivity of sub-typing, scripting should be associated with any tactic that the sub-techniques are associated with. Again, evidence of ad hoc principles at play.
There are at least two reasonable responses to these problems, and they are not mutually exclusive: (1) limit the amount of content that makes it to the framework and (2) introduce more rich, principled structure to organize the content. Heavily curating the content can go a long way toward solving the problem of ATT&CK growing too big and cumbersome. The design philosophy of ATT&CK explicitly distinguishes it from an exhaustive list of attack vectors such as the CWE or an enumeration of verified vulnerabilities as with the CVE. However, the drawback is that there may exist critical gaps in the coverage of adversarial behavior, and it doesn’t address the ad hoc nature of the content. I prefer introducing rich, principled structure to organize ATT&CK content, bringing ATT&CK and cybersecurity toward science more than artform. MITRE recognizes the structure problem and plans to implement sub-techniques later this year. While that’s a necessary first step, I have more ambitious ideas, which go beyond solving the immediate structural problems: use ontological principles and prototypes in building and structuring the content of ATT&CK. It’s the scheme for which the work put into ATT&CK already represents an excellent foundation—and in my view, ATT&CK is a burgeoning ontology of adversarial behavior—and can be taken up incrementally and in varying matters of degree. In the next part, we’ll look at why ATT&CK has much more in common with a domain-specific ontology than a taxonomy.