MITRE has released an April 2019 update to its ATT&CK framework. It’s been a year since the last major update featuring a new tactic.
There are a number of changes for this year: the most major being the addition of a 12th Tactic, Impact, which contains 14 new Techniques. There are also seven new Techniques under existing Tactics, as well as a number of other minor changes.
The Impact Tactic covers integrity and availability attacks against enterprise systems. The 14 Techniques included in this update are as follows:
- Data Destruction
- Data Encrypted for Impact
- Disk Content Wipe
- Disk Structure Wipe
- Endpoint Denial of Service
- Firmware Corruption
- Inhibit System Recovery
- Network Denial of Service
- Resource Hijacking
- Runtime Data Manipulation
- Service Stop
- Stored Data Manipulation
- Transmitted Data Manipulation
Of particular significance here are Techniques that describe behavior related to ransomware, DoS/DDoS attacks, and illicit cryptocurrency mining, which, according to Verizon’s 2019 Data Breach Investigations Report, are increasing in prevalence or severity.
T1486: Data Encrypted for Impact
Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
T1486 describes behavior most commonly associated with ransomware; and, given that 39% of all identified malware in 2018 was classified as ransomware, this Technique is a welcome update.
T1496: Resource Hijacking
Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability.
One common purpose of Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.
T1496 describes a relatively new security threat which prominently involves cryptocurrency miners discreetly hijacking your compute power to mine bitcoin or other cryptocurrencies.
T1498: Network Denial of Service and T1499: Endpoint Denial of Service
Adversaries may perform Network/Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.
T1498 and T1499 describe DoS/DDoS attacks against networks and endpoints. This is valuable information as we see more and more of this type of attack coming from unsecured IoT botnets.
Defense Evasion, Discovery, Persistence, and Command and Control combined have been updated with seven new Techniques:
- Compile After Delivery (Defense Evasion)
- Domain Generation Algorithms (Command and Control)
- Domain Trust Discovery (Discovery)
- Execution Guardrails (Defense Evasion)
- Group Policy Modification (Defense Evasion)
- Systemd Service (Persistence)
- Virtualization/Sandbox Evasion (Defense Evasion, Discovery)
Particularly interesting Techniques here are associated with sophisticated attacks such as malicious source code payloads, which are compiled only after delivery and is tough to mitigate, as well as execution guardrails and virtualization evasion to avoid detection and, thus, analysis.
Additionally, there are a host of minor changes which range from technique content updates to adjusting naming schemes. For instance, T1036: Masquerading (Defense Evasion) has been updated to include my description of the right-to-left override trick, which I briefly mention in my post on hiding registry entries.
A list of all the changes can be found at https://attack.mitre.org/