What is different about the MITRE ATT&CK for Cloud Matrix?
Within the MITRE ATT&CK for Enterprise matrix you will find a subsection, the MITRE ATT&CK for Cloud matrix, that contains a subset of the tactics and techniques from the broader ATT&CK Enterprise matrix. The MITRE ATT&CK Cloud matrix is different from the rest of the Enterprise Matrix because adversary behavior and the techniques used in a cloud attack do not follow the same playbook as attacks on Windows, macOS, Linux, or other enterprise environments.
MITRE ATT&CK techniques in Windows, macOS, Linux, and other related environments typically involve malware and entering a network that is owned and operated by the target organization.
MITRE ATT&CK techniques in AWS, Azure, Office 365, and other related environments do not typically involve malware, as the target environment is owned and operated by a third-party cloud service provider (CSP) like Microsoft or Amazon. Without a victim-owned network to enter, the adversary will most often leverage native features of the CSP to enter the target victim's account, escalate privileges, move laterally, and exfiltrate data. The following example techniques illustrate one sequence of adversary behavior mapped to ATT&CK for Cloud:
| Tactic | Example adversary behavior |
|---|---|
| Initial Access | Adversary spear-phishes the victim, gaining credentials to AWS |
| Persistence | Uses stolen credentials to create a new account |
| Privilege Escalation | Uses valid account to change access permissions |
| Defense Evasion | Creates a new VM instance to bypass firewall rules |
| Credential Access | Steals access token to a database |
| Discovery | Locates target database |
| Lateral Movement | Uses application access token to access database |
| Collection | Mines information from the database |
| Exfiltration | Exfiltrates to adversary account in AWS |
The entire ATT&CK for Cloud matrix, shown below, is a subset of the ATT&CK for Enterprise tactics and techniques:
[Figure: MITRE ATT&CK for Cloud matrix, 2020]
MITRE ATT&CK vs. the Cyber Kill Chain
The Lockheed Martin Cyber Kill Chain® is another well-known framework for understanding adversary behavior in a cyber-attack. The Kill Chain model contains the following stages, presented in sequence:
- Reconnaissance – Harvests email addresses, conference information, etc.
- Weaponization – Couples exploit with backdoor into deliverable payload.
- Delivery – Delivers weaponized bundle to the victim via email, web, USB, etc.
- Exploitation – Exploits a vulnerability to execute code on a victim's system.
- Installation – Installs malware on the asset.
- Command & Control (C2) – Includes command channel for remote manipulation.
- Actions on Objectives – Using 'Hands on Keyboards' access, intruders accomplish their original goals.
Lockheed Martin gives more detail on its Cyber Kill Chain framework in the following graphic.
How Do You Use the MITRE ATT&CK Matrix?
The MITRE ATT&CK framework can help an organization in several ways. In general, the following are applicable benefits to adopting MITRE ATT&CK:
- Adversary Emulation: Assesses security by applying intelligence about an adversary and how they operate to emulate a threat. ATT&CK can be used to create adversary emulation scenarios to test and verify defenses.
- Red Teaming: Acts as an adversary to demonstrate the impact of a breach. ATT&CK can be used to create red team plans and organize operations.
- Behavioral Analytics Development: Links together suspicious activity to monitor adversary activity. ATT&CK can be used to simplify and organize patterns of suspicious activity deemed malicious.
- Defensive Gap Assessment: Determines what parts of the enterprise lack defenses and/or visibility. ATT&CK can be used to assess existing tools, or test new tools prior to purchasing, to determine security coverage and prioritize investment.
- SOC Maturity Assessment: Similar to Defensive Gap Assessment, ATT&CK can be used to determine how effective a security operations center (SOC) is at detecting, analyzing, and responding to breaches.
- Cyber Threat Intelligence Enrichment: Enhances information about threats and threat actors. ATT&CK allows defenders to assess whether they are able to defend against specific Advanced Persistent Threats (APTs) and against behaviors common to multiple threat actors.
Implementing MITRE ATT&CK typically involves either manual mapping or integration with cybersecurity tools, the most common of which are Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), and Cloud Access Security Broker (CASB).
Using MITRE ATT&CK with a SIEM involves aggregating log data from endpoints, networks, and cloud services, identifying threats, and mapping them to MITRE ATT&CK. Changes to security posture are then made in the security tools that supply the log data (i.e., the EDR or CASB).
Using MITRE ATT&CK with EDR involves mapping events observed by the endpoint agent, allowing defenders to determine the phases of a threat event, assess associated risk, and prioritize response.
Using MITRE ATT&CK with a CASB involves first isolating suspicious and threat behavior among millions of cloud events with User and Entity Behavior Analytics (UEBA), combining those events with DLP, vulnerability, and misconfiguration incidents, and mapping the result to MITRE ATT&CK. From the CASB, defenders can adjust cloud security policy to block adversary behavior.
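The mapping step that the SIEM and CASB paragraphs above describe, and the tactic sequence in the example-techniques table earlier in the article, can be made concrete in a few dozen lines. The following is an added example, not code from the original article or from any MITRE or vendor project: it takes constructed CloudTrail-style JSON events, maps each (eventSource, eventName) pair to an ATT&CK for Cloud tactic and technique through a hypothetical rule table, groups the hits by principal, and ranks principals by how many tactics of the matrix their activity spans. The event names are real CloudTrail names; the rule table, the account ID, the principal ARNs and the log lines are all constructed for illustration, and the technique IDs should be re-checked against the ATT&CK version in use before being relied on.

```python
"""Added example: map constructed CloudTrail-style events to MITRE ATT&CK for Cloud
tactics/techniques (as a SIEM or CASB rule set would) and rank principals by the
breadth of the matrix their activity covers."""
import json
from collections import defaultdict

# Tactic order as laid out in the ATT&CK for Cloud matrix (and in the article's table).
TACTIC_ORDER = [
    "Initial Access", "Persistence", "Privilege Escalation", "Defense Evasion",
    "Credential Access", "Discovery", "Lateral Movement", "Collection", "Exfiltration",
]

# Hypothetical mapping rules keyed on CloudTrail's (eventSource, eventName).
# Technique IDs are taken from the public ATT&CK knowledge base; re-check them
# against the matrix version you deploy, since names and IDs change between releases.
EVENT_TO_ATTACK = {
    ("signin.amazonaws.com", "ConsoleLogin"):    ("Initial Access", "T1078", "Valid Accounts"),
    ("iam.amazonaws.com", "CreateUser"):          ("Persistence", "T1136", "Create Account"),
    ("iam.amazonaws.com", "AttachUserPolicy"):    ("Privilege Escalation", "T1098", "Account Manipulation"),
    ("ec2.amazonaws.com", "RunInstances"):        ("Defense Evasion", "T1578", "Modify Cloud Compute Infrastructure"),
    ("rds.amazonaws.com", "DescribeDBInstances"): ("Discovery", "T1580", "Cloud Infrastructure Discovery"),
    ("s3.amazonaws.com", "GetObject"):            ("Collection", "T1530", "Data from Cloud Storage"),
    ("s3.amazonaws.com", "PutBucketReplication"): ("Exfiltration", "T1537", "Transfer Data to Cloud Account"),
}

# Constructed sample log (account ID and users are placeholders): one principal walks
# most of the matrix, the other only performs routine reads.
ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"
LOG_LINES = [
    '{"eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"arn":"%s"}}' % ALICE,
    '{"eventSource":"iam.amazonaws.com","eventName":"CreateUser","userIdentity":{"arn":"%s"}}' % ALICE,
    '{"eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","userIdentity":{"arn":"%s"}}' % ALICE,
    '{"eventSource":"ec2.amazonaws.com","eventName":"RunInstances","userIdentity":{"arn":"%s"}}' % ALICE,
    '{"eventSource":"rds.amazonaws.com","eventName":"DescribeDBInstances","userIdentity":{"arn":"%s"}}' % ALICE,
    '{"eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"arn":"%s"}}' % ALICE,
    '{"eventSource":"s3.amazonaws.com","eventName":"PutBucketReplication","userIdentity":{"arn":"%s"}}' % ALICE,
    '{"eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"arn":"%s"}}' % BOB,
    '{"eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"arn":"%s"}}' % BOB,
]
EVENTS = [json.loads(line) for line in LOG_LINES]


def map_event(event):
    """Return (tactic, technique_id, technique_name) for one event, or None if no rule matches."""
    return EVENT_TO_ATTACK.get((event.get("eventSource"), event.get("eventName")))


def principal_of(event):
    """Identify the acting principal; fall back to the access key when no ARN is present."""
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("accessKeyId") or "unknown"


def tactics_by_principal(events):
    """Group mapped events by principal and list their tactics in matrix order, de-duplicated."""
    seen = defaultdict(set)
    for ev in events:
        hit = map_event(ev)
        if hit is not None:
            seen[principal_of(ev)].add(hit[0])
    return {p: [t for t in TACTIC_ORDER if t in tactics] for p, tactics in seen.items()}


def prioritize(events, min_tactics=3):
    """Return (principal, tactics) pairs spanning at least min_tactics tactics, broadest first."""
    chains = tactics_by_principal(events)
    ranked = sorted(chains.items(), key=lambda kv: len(kv[1]), reverse=True)
    return [(p, tactics) for p, tactics in ranked if len(tactics) >= min_tactics]


if __name__ == "__main__":
    for principal, tactics in prioritize(EVENTS):
        print(principal, "->", " > ".join(tactics))
```

Run stand-alone, the script reports only alice, whose events span seven of the nine tactics, while bob's single Collection hit stays below the threshold. That ranking is the part worth taking from the example: a bare event-to-technique mapping fires on routine administration (every console login is a Valid Accounts hit), so production rules carry conditions such as MFA state or an unfamiliar source, and the per-principal breadth across tactics is what separates a chain worth investigating from background noise.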
MITRE ATT&CK Resources
The following resources are available to dive deeper into implementing MITRE ATT&CK:
- Cloud Threat Investigation 101: Hunting with MITRE ATT&CK
- UC Berkeley CLTC: MITRE ATT&CK as a Framework for Cloud Threat Investigation
- Expanding and Embracing the MITRE ATT&CK Framework