Jen Burns, lead cybersecurity engineer at MITRE, walks us through the MITRE ATT&CK© Framework and discusses some important changes brought by a July 2020 update. She then highlights what the security community can expect to see in a couple of upcoming updates before sharing how individuals can get involved with the MITRE ATT&CKFramework going forward.
Tim Erlin: Welcome to the Tripwire Cybersecurity Podcast. I’m Tim Erlin, vice president of product management and strategy at Tripwire. Today, I am joined by Jen Burns, who is a lead cybersecurity engineer at MITRE and the cloud lead for the MITRE ATT&CK Framework. Welcome, Jen.
Jen Burns: Thank you.
What Is the MITRE ATT&CK Framework?
TE: Before we get started, can you give us a brief reminder of what the ATT&CK Framework is and why MITRE created it?
JB: At its core, ATT&CK is a knowledge base of adversary behavior. It’s a framework that brings together the different things that adversaries do whether it’s before they’ve compromised the network, how they get in or what they do after they’ve gotten in.
One of the most important things about ATT&CK is that it’s based on real world or what we call “in the wild” observation of adversaries. So, it’s not theoretical, and it doesn’t cover like everything that an adversary could do. It covers what adversaries are doing or have done in the real world. It’s also open source and globally accessible. And a lot of its content is community-driven and contributed from people like researchers, intel analysts and other folks outside of MITRE.
ATT&CK was originally developed based on this need to categorize adversary behavior within a research environment at MITRE. That was called FMX. FMX was kind of like a living lab. It allowed MITRE researchers to emulate adversaries in a heavily monitored environment and perform things like threat hunting exercises. Really, it was for those MITRE researchers to be able to answer the question, “How are we doing at detecting adversary behavior?” And they found that categorizing that behavior across relevant, real world adversary groups was useful. ATT&CK in its initial form ended up being created and used by both the adversary simulation team and the defender team within FMX. That team realized this would be useful for the entire security community. So, the first ATT&CK model was publicly released in 2015.
Changes in the ATT&CK Framework
TE: Let’s talk about an update to the framework that’s just been released. How long ago was that update released, and what’s the major change that’s included in it?
JB: The release was on July 8th. We released ATT&CK with sub-techniques. Sub-techniques in a nutshell are basically more specific techniques. So, techniques in ATT&CK represent more of a broad action an adversary may take to achieve a tactical goal. Something like process injection. While a sub-technique is a more specific adversary action. With a process injection example, the technique process injection now has I believe 11 sub-techniques that cover the different variations of how adversaries have injected code into processes via process hollowing or using a DLL injection. We’ve had a lot of folks ask why we didn’t call some techniques “procedures.” The simple answer there is that we already had procedures in ATT&CK. Techniques and sub-techniques have their own separate set of map procedures. They aren’t procedures themselves.
TE: And tell me again what the difference between a technique and a procedure is. It sounded to me the procedure is what’s actually happened in the wild for taking advantage of that technique or sub technique. Is that right?
JB: Yeah, that’s accurate. Basically, it’s an example of that technique being used in the wild.
TE: You gave an example of process injection, which has sub-techniques. Is there an example of a technique that didn’t end up with sub-techniques that just stands by itself?
JB: Yeah. Something that didn’t get sub-techniques is transfer data to a cloud account because that’s a very general yet somehow specific technique. There’s nothing within that would require a sub-technique being broken out.
TE: Interesting. And then the process injection, what were some of the sub-techniques that got included there?
JB: That’s a good question. DLL injection is one. Proc memory, process hollowing, and process doppelgänging. Things that you carry them out in a more specific way.
TE: So, now that this change has taken place and some techniques are out there, how are they specifically useful to the users in the community?
JB: Folks who were already using ATT&CK unfortunately might have to go some through some “remapping purgatory” to remap to sub techniques, but based on feedback we’ve already gotten, we believe sub-techniques are going to be a positive change for the community for a few reasons. We fixed a lot of the abstraction issues that were the initial problem that people pointed out with ATT&CK. It makes it easier to convey things like the complexity of techniques for something like a coverage assessment. Being able to generate a more granular score, so to speak, based on these individual sub-techniques is going make a huge difference.
TE: It seems like sub-techniques make a ton of sense and that the benefit is really there for anybody who’s using the framework to assess coverage. Anything else that’s new with ATT&CK that we should talk about?
JB: Yeah. So, there’s a couple of things have happened in the past. And then I’ll tell you about a few updates that are up and coming.
One of the more recent things is we released results from round two of our ATT&CK evaluations, and those can be found on attackevals.mitre.org. In that evaluation, we emulated APT-29. And this was a really big effort from the ATT&CK team as a lot of the folks that work on ATT&CK proper are also involved with attack evaluations. And if you’re not familiar with ATT&CK evaluations, it’s basically where we evaluate cybersecurity products using an open methodology that we developed that’s based on ATT&CK, and then we make the results publicly available. And then we also announced round three for evaluations, where we’ll be emulating Carbanak and FIN7.
Future updates that are on deck, one is the merger of PRE-ATT&CK into ATT&CK. And if you’re not familiar with PRE-ATT&CK, it was originally derived from the first two stages of the seven-stage cyberattack lifecycle, which are recon and weaponize. So, we decided to scope it down into techniques that are three things: technical, visible to some defenders and have evidence of adversary use. In a future ATT&CK update, we’ll be releasing the results of that merger. And that’s most likely going to be the addition of two tactics to the ATT&CK matrix. Those would be reconnaissance and resource development.
Another thing going on is we’re working on revamping our data sources in ATT&CK with an initial release of source definitions slated to go live to GitHub. And we’re also hoping to release technique coverage for network devices such as routers.
TE: There are these more structural updates to the framework, but there also have to be updates to just the procedures and the evidence from the wild. How do those work?
JB: Yeah, so a lot of it is through open-source intel reports. We have a team that basically analyzes new reports to add new content into ATT&CK. It’s a little different on the cloud side. We don’t really have much open-source intel on that. So that’s a lot of just talking to folks who have visibility in that area and learning what’s actually going on to add new techniques and things of that nature.
How to Get Involved with the MITRE ATT&CK Framework
TE: Interesting. Alright, we mentioned the community involvement which is really core to ATT&CK and a lot of the stuff that MITRE does. If someone wanted to get involved with ATT&CK, how would they do so? What are some of the options?
JB: Yeah, so one way to get involved is just to submit contributions to ATT&CK. We have a Contribute page on our website that outlines how to make a contribution and explains what we’re looking for. We’re looking for examples of in-the-wild behavior of adversaries right now.
We’re also just constantly looking for any feedback you might have. We want to make sure that ATT&CK is, you know, fitting the community’s needs. So, folks can feel free to reach out to us at any point at email@example.com with things like the way you’re using ATT&CK areas, where you could see improvements made, anything of that nature. We’re also looking for your success stories on how you use ATT&CK other than it helping us feel good about ourselves and what we’re doing. It’s pretty important to get that information out there. So other folks can, you know, see how they may be able to successfully apply ATT&CK. If you’re just getting started with ATT&CK, we also have some resources there on our website.
TE: Awesome. It sounds like there are lots of ways to get involved. Do you find that that it’s difficult for practitioners to share real-world evidence of ATT&CK activity based on their organization? Are people restricted from doing that?
JB: We try to make it as easy as possible for folks to make contributions to ATT&CK. So, say a particular APT is doing something within your environment with a customer. We wouldn’t necessarily need the information about the customer. We would just want to know, “Hey, this particular technique is being carried out.” We tried to break down those barriers to an extent, but I think that in some cases, there’s just no getting around it based on what your company has in place. Also, sometimes we’ll be willing to do things like sign NDAs, pretty much anything we can do to make sharing easier.
TE: So, there’s some options there. For any organization, obviously you get more out of ATT&CK the more you share into it. And it’s that sharing of intel that really drives the evidence-based approach.
JB: Yeah, absolutely. Totally agree with that.
TE: That makes sense. Alright. Well, Jen, I want to thank you for spending some time with us. And thanks everyone for spending a little time with us and listening to the Tripwire Cybersecurity Podcast. Please feel free to join us for the next episode as well.
JB: Thank you.