Although ATT&CK is not laid out in any linear order, Initial Access is the point at which an attacker gains a foothold in your environment. This tactic is a natural transition point from PRE-ATT&CK to ATT&CK for Enterprise. What is different about the techniques within Initial Access is that they are more high-level than many other techniques: an attacker will typically use techniques from other tactics to accomplish an Initial Access technique.
For example, assume an attacker uses a Spearphishing Attachment. The attachment itself will carry some type of exploit to achieve that level of access, perhaps PowerShell or another Scripting technique. If the execution is successful, it allows them to pivot into other tactics and techniques to achieve their ultimate goal.
Anyone who has been in security for any amount of time will recognize most, if not all, of these techniques. They are usually what is discussed most often in news reports and in the Verizon Data Breach Investigations Report. Fortunately, since these techniques are well known, there are many technologies and processes available to both mitigate and detect abuse of each one.
While the power of the ATT&CK framework comes partly from the mitigation and detection sections of each technique, I like to tie in other frameworks as well to get a wider breadth of knowledge. For this tactic, I see three of the CIS Controls being useful.
Control 4 is the Controlled Use of Administrative Privileges. This is important because of what happens after one of these techniques succeeds: if an attacker can use a valid account or get an administrator to open a spearphishing attachment, they will be able to pivot to almost any other technique with relative ease.
Control 7 is the Email and Web Browser Protections. Since many of these techniques involve the use of email and/or a web browser, the sub-controls in Control 7 will be very useful.
The final control I see being useful is Control 16, Account Monitoring and Control. I like this control for this tactic because of the Valid Accounts and Trusted Relationship techniques. Having a good understanding of what accounts should be doing and locking down permissions will both limit the potential damage of a breach and unlock the ability to detect abuse of valid accounts within the network.
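As an added illustration of the Control 16 idea (this is example code, not part of the original post or of CIS/MITRE material), the following compares successful logons against a per-account baseline of expected hosts and hours, and treats administrative accounts (Control 4 scope) more strictly. The baseline, log format and account names are all constructed for the example.

```python
"""Baseline-vs-observed check for Valid Accounts abuse.

Hypothetical example: each account has an expected set of source hosts and
working hours; successful logons that deviate are reported for review.
"""
import re

# Constructed log format: "<iso-timestamp> host=<host> user=<user> result=<result>"
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

# Constructed baseline (what each account *should* be doing).
BASELINE = {
    "jsmith": {"hosts": {"WS-0417"}, "admin": False, "hours": (8, 18)},
    "adm-ops": {"hosts": {"PAW-01"}, "admin": True, "hours": (0, 24)},
}

# Constructed sample log lines, not real data.
SAMPLE_LOG = """\
2024-03-04T09:12:00 host=WS-0417 user=jsmith result=success
2024-03-04T02:41:00 host=WS-0417 user=jsmith result=success
2024-03-04T10:05:00 host=FILESRV-02 user=adm-ops result=success
2024-03-04T10:06:00 host=PAW-01 user=adm-ops result=success
2024-03-04T11:00:00 host=WS-0999 user=ghost result=success
"""

def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["hour"] = int(event["ts"][11:13])  # hour from the ISO timestamp
    return event

def check(event, baseline=BASELINE):
    """Return the reasons a successful logon deviates from the baseline."""
    if event["result"] != "success":
        return []                      # failed logons are out of scope here
    profile = baseline.get(event["user"])
    if profile is None:
        return ["unknown account"]     # no baseline at all: always review
    reasons = []
    if event["host"] not in profile["hosts"]:
        reasons.append("admin logon from unexpected host" if profile["admin"] else "unexpected host")
    lo, hi = profile["hours"]
    if not lo <= event["hour"] < hi:
        reasons.append("outside expected hours")
    return reasons

def find_deviations(log_text, baseline=BASELINE):
    """Return (user, host, reasons) for every deviating logon in log_text."""
    out = []
    for line in log_text.splitlines():
        event = parse(line)
        if event and (reasons := check(event, baseline)):
            out.append((event["user"], event["host"], reasons))
    return out
```

Running `find_deviations(SAMPLE_LOG)` flags the off-hours user logon, the admin account used from a file server instead of its privileged workstation, and the account with no baseline at all.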
Take a look at each of the techniques and understand the mitigation and detection aspects of each. Also, read through the CIS controls I mentioned above and get an understanding of how to further mitigate some of these techniques.
Initial Access is the funnel point at which an attacker gains a foothold in your environment. If you want to focus energy on stopping an attack sooner rather than later, Initial Access is a great place to start.
There is also a mapping of the CIS Controls to the ATT&CK framework available. This can be helpful if you have already adopted the CIS Controls and are starting down the path of adopting ATT&CK.
Read more about the MITRE ATT&CK Framework here:
- The MITRE ATT&CK Framework: Initial Access
- The MITRE ATT&CK Framework: Execution
- The MITRE ATT&CK Framework: Persistence
- The MITRE ATT&CK Framework: Privilege Escalation
- The MITRE ATT&CK Framework: Defense Evasion
- The MITRE ATT&CK Framework: Credential Access
- The MITRE ATT&CK Framework: Discovery
- The MITRE ATT&CK Framework: Lateral Movement
- The MITRE ATT&CK Framework: Collection
- The MITRE ATT&CK Framework: Exfiltration
- The MITRE ATT&CK Framework: Command and Control