In July, VMRay released version 3.1 of VMRay Analyzer, our flagship platform for automated malware analysis and detection. Among several major enhancements, 3.1 mapped our existing VMRay Threat Indicators (VTIs) to MITRE ATT&CK, the industry-standard framework and knowledge base of adversary tactics and techniques, threat groups, and related software and tools.
As a result of this mapping, VMRay Analyzer can now “speak” MITRE ATT&CK when describing adversarial behavior and threat group activity at every phase of the malware analysis and detection process. (Many security vendors have undergone a similar mapping process with their own products and services.)
Whether VMRay is analyzing Mac or Windows threats, that common lexicon:
The VMRay Analysis Report shown in Figure 1 shows how tightly the MITRE and VMRay platforms interoperate.
We also extended our VMRay search interface. Users can now search across any samples analyzed in version 3.1 or later to find executables that trigger specific ATT&CK techniques (Figure 2). They can also identify the techniques encountered most frequently, information that can inform efforts to strengthen defensive responses.
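The search described above, a cross-sample query for one technique plus a technique-frequency view, can be reproduced over exported analysis results. The Python below is an added example and not VMRay code: the indicator names, the VTI-to-ATT&CK mapping table and the analysis records are constructed for illustration, although the technique and tactic IDs (T1081 and TA0006 from this post, plus T1056, T1041, TA0009 and TA0010) are real ATT&CK identifiers. It also makes one point the paragraph leaves implicit: two indicators can map to the same technique, so a frequency count should be per sample, not per indicator hit.

```python
"""Search sandbox analyses by ATT&CK technique and rank technique frequency.

Added example, not VMRay code. The indicator names, mapping table and
analysis records are constructed; the ATT&CK IDs are real identifiers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)  # frozen -> hashable, so a set de-duplicates techniques
class Technique:
    technique_id: str
    name: str
    tactic_id: str
    tactic: str


# Constructed VTI -> ATT&CK mapping (illustrative; not VMRay's real table).
VTI_TO_ATTACK = {
    "Reads sensitive FTP data": Technique("T1081", "Credentials in Files", "TA0006", "Credential Access"),
    "Reads sensitive browser data": Technique("T1081", "Credentials in Files", "TA0006", "Credential Access"),
    "Installs keyboard hook": Technique("T1056", "Input Capture", "TA0009", "Collection"),
    "Sends data to C2 server": Technique("T1041", "Exfiltration Over Command and Control Channel", "TA0010", "Exfiltration"),
}

# Constructed analysis records: sample label -> indicators the sandbox triggered.
ANALYSES = {
    "sample-A": ["Reads sensitive FTP data", "Reads sensitive browser data", "Sends data to C2 server"],
    "sample-B": ["Installs keyboard hook", "Sends data to C2 server"],
    "sample-C": ["Reads sensitive FTP data"],
    "sample-D": ["Unmapped behaviour"],  # an indicator with no ATT&CK mapping
}


def techniques_for(indicators):
    """Distinct ATT&CK techniques for one analysis, sorted by ID.

    Two indicators mapping to the same technique (both T1081 entries above)
    collapse into one entry; unmapped indicators are skipped, not errors.
    """
    found = {VTI_TO_ATTACK[v] for v in indicators if v in VTI_TO_ATTACK}
    return sorted(found, key=lambda t: t.technique_id)


def samples_with_technique(analyses, technique_id):
    """Sample labels whose analysis triggered the given technique."""
    return sorted(label for label, vtis in analyses.items()
                  if any(t.technique_id == technique_id for t in techniques_for(vtis)))


def samples_with_tactic(analyses, tactic_id):
    """Sample labels whose analysis reached the given tactic (any technique under it)."""
    return sorted(label for label, vtis in analyses.items()
                  if any(t.tactic_id == tactic_id for t in techniques_for(vtis)))


def technique_frequency(analyses):
    """(technique_id, number of samples) pairs, most frequent first, ties by ID.

    Counts samples rather than indicator hits, so a sample that triggers two
    indicators for T1081 still contributes 1 to T1081.
    """
    counts = {}
    for vtis in analyses.values():
        for t in techniques_for(vtis):
            counts[t.technique_id] = counts.get(t.technique_id, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("T1081 seen in:", samples_with_technique(ANALYSES, "T1081"))
    print("Credential Access seen in:", samples_with_tactic(ANALYSES, "TA0006"))
    for tid, n in technique_frequency(ANALYSES):
        print(f"{tid}: {n} sample(s)")
```

Swapping `ANALYSES` for records exported from a real analysis store is the only change needed; the search functions take the dictionary as a parameter so they can be run over any subset (for example, only samples analyzed since a given date).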
For VMRay’s existing customers, the addition of built-in mapping to the MITRE ATT&CK framework further streamlines our high-volume, highly automated malware analysis and detection process. It also facilitates broad platform interoperability with the security ecosystem. For example, organizations that are already using ATT&CK but are new to VMRay can more easily integrate our industry-best malware analysis and detection platform into their security environment.
More broadly, MITRE ATT&CK enables organizations to begin painting a much larger and more comprehensive picture of the threats they are dealing with than was possible even a few years ago. The framework provides a strong foundation for mapping defenses to reveal where security gaps exist; developing threat models based on real-world adversary behaviors and threat groups; and creating methodologies to strengthen cyber security.
As we’ll discuss later, use cases may include enriching detections and investigations, threat modeling, threat hunting, and developing adversary emulation plans and pen tests.
Introduced by the MITRE Corp. in 2013, ATT&CK is a comprehensive, globally accessible knowledge base whose name is an acronym for Adversary Tactics, Techniques & Common Knowledge. Based on observations of real-world threats and attacks, the framework is generally aligned with Lockheed Martin’s Cyber Kill Chain.
As a useful way to understand the structure, content and real-world value of MITRE ATT&CK, we’ll take a brief tour of the knowledge base: both at a high level and by drilling down to reveal the depth and detail of the underlying information on adversary behaviors, threat actors and tools.
Then, by viewing ATT&CK through the lens of VMRay Analyzer, we’ll show how threat indicators uncovered during a real-world malware analysis map to ATT&CK tactics and techniques in a way that makes the information more easily shareable across diverse security systems and multiple use cases.
As ATT&CK’s red menu bar suggests, there are multiple ways to navigate the detailed information captured in the framework. However, its primary organizing structure consists of three matrices that identify and describe tactics and techniques for compromising networks:
Tactics are the technical objectives the attacker wants to achieve. The tactics defined in the Enterprise ATT&CK matrix are displayed below, across the top row of Figure 4, and also listed in Figure 5. Techniques—shown in the blue text—explain how a specific tactic is achieved: the methods chosen and the sequence of steps the group takes to complete that specific objective.
The framework also links adversary groups to the specific tactics and techniques they employ and to the software, malware, and tools they use to design and carry out campaigns.
As Figures 5-7 illustrate, users can easily drill down in ATT&CK to gain a deeper understanding of adversary behaviors. Here, we step into the shoes of an analyst we’ll call Taylor and peruse ATT&CK’s list of Enterprise Tactics (Figure 5).
There are 12 tactics altogether, but Taylor’s immediate focus is on Credential Access (TA0006) because that showed up in a VMRay Analyzer Report that’s being reviewed.
Figure 6 shows some of the 19 techniques an adversary might use in gaining credential access: Account Manipulation, Brute Force, Credential Dumping and so on. Suspecting the adversary was hunting for files containing passwords, Taylor clicks on Credentials in Files (T1081) to access examples of real-world attacks that have used this particular technique and a list of known mitigations (Figure 7).
Having taken a quick tour of how tactics and techniques are broadly organized in MITRE ATT&CK, Taylor switches over to a VMRay Analysis report on the actual intrusion being investigated. Figure 8 below shows the highlighted adversary techniques detected by VMRay Analyzer when the malware executed in the sandbox. The resulting behaviors include stealing credentials, capturing input (typically using a key logger), and sending the data home to a C2 server.
Taylor is concerned about Credential Access activity, which can expose all kinds of sensitive information: on employees and customers, finances, business plans, intellectual property and so on. So the next step is to click on Credentials in Files.
As Figure 9 shows, four types of credentials were stolen: for accessing FTP data, email accounts, applications, and browsers. Taylor will eventually drill down on all four threat indicators but starts with “Reads sensitive FTP data,” knowing that credentials stored within the FTP application allow access to local file shares, which are a favorite target for attackers.
Drilling down further, we see the malware tried to steal the file that the FTP client CoreFTP uses to store its cached credentials (Figure 10). The targeted file is shown in Figure 11, and the API call used to access the file is highlighted in Figure 12.
Continuing the investigation, Taylor will repeat this drill-down process for other malware techniques highlighted in the VMRay Analyzer Report until the scale and impact of the incident are understood and appropriate mitigation measures have been identified.
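The drill-down Taylor performs (indicator, then the targeted file, then the API call that touched it) is, underneath, a matching step over the sandbox's API trace. The Python below is an added example, not VMRay's detection logic: the trace lines are constructed, the CoreFTP store path is a placeholder because the post shows the real file only in Figure 11, and the two rules and their VTI names are illustrative. T1081 and TA0006 are the IDs from this post; T1056 and TA0009 (Input Capture under Collection) are real ATT&CK IDs added for the keylogger behaviour the report mentions.

```python
"""Derive threat indicators with ATT&CK mappings from a sandbox API trace.

Added example, not VMRay's detection logic. The trace lines are constructed
and the CoreFTP file path is a placeholder (the post shows the real file only
in a figure). T1081/TA0006 come from the post; T1056/TA0009 are real ATT&CK
IDs for the keylogger behaviour the report mentions.
"""
import re
from collections import defaultdict

# Constructed sandbox trace, one API call per line as key=value pairs.
EVENTS = r"""
pid=1234 api=CreateFileW path="C:\Windows\System32\kernel32.dll" access=GENERIC_READ
pid=1234 api=CreateFileW path="C:\Users\taylor\AppData\Roaming\CoreFTP\PLACEHOLDER-credential-store.dat" access=GENERIC_READ
pid=1234 api=ReadFile path="C:\Users\taylor\AppData\Roaming\CoreFTP\PLACEHOLDER-credential-store.dat" bytes=2048
pid=1234 api=SetWindowsHookExW hook=WH_KEYBOARD_LL
pid=1234 api=CreateFileW path="C:\Users\taylor\Documents\notes.txt" access=GENERIC_READ
""".strip().splitlines()

# key=value or key="quoted value with spaces"
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one trace line into a dict; quoted values keep their spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


FILE_READ_APIS = {"CreateFileW", "ReadFile"}

# Each rule: (VTI name, technique ID, tactic ID, predicate over a parsed event).
# The path fragment matched below is the placeholder location used in EVENTS.
RULES = [
    ("Reads sensitive FTP data", "T1081", "TA0006",
     lambda e: e.get("api") in FILE_READ_APIS and "\\coreftp\\" in e.get("path", "").lower()),
    ("Installs keyboard hook", "T1056", "TA0009",
     lambda e: e.get("api") == "SetWindowsHookExW" and e.get("hook") == "WH_KEYBOARD_LL"),
]


def detect(lines):
    """Run every rule over every event; one finding per (event, rule) match."""
    findings = []
    for n, line in enumerate(lines, 1):
        event = parse_event(line)
        for vti, technique, tactic, matches in RULES:
            if matches(event):
                findings.append({"line": n, "vti": vti, "technique": technique,
                                 "tactic": tactic, "event": event})
    return findings


def by_technique(findings):
    """Technique ID -> trace line numbers that triggered it (the report's overview)."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["technique"]].append(f["line"])
    return dict(grouped)


def drilldown(findings, vti):
    """Evidence for one indicator as (API, target) pairs, mirroring the
    indicator -> file -> API call drill-down in the report."""
    return [(f["event"]["api"], f["event"].get("path") or f["event"].get("hook"))
            for f in findings if f["vti"] == vti]


if __name__ == "__main__":
    hits = detect(EVENTS)
    for tid, lines in sorted(by_technique(hits).items()):
        print(tid, "triggered on trace lines", lines)
    for api, target in drilldown(hits, "Reads sensitive FTP data"):
        print(f"  {api} -> {target}")
```

The benign reads (a system DLL, a user document) produce no findings, which is the check worth keeping when adding rules: a credential-store rule keyed on too broad a path fragment turns every file open into Credential Access.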
So far we have been discussing ATT&CK through the perspective of tactics and techniques. However, there are many scenarios where defenders or researchers may want to gain an understanding of specific adversary groups. For example, threat hunters may want to identify groups with a history of targeting companies in the defender’s industry, and then proactively look for signs that one or more groups may have already compromised the network.
In the same systematic way the framework catalogs adversary tactics and techniques, it maintains a library of information on dozens of adversary Groups, variously described as threat groups, activity groups, threat actors, intrusion sets, and campaigns. As shown in the example below of the Chinese threat group APT3, ATT&CK describes key campaigns the group has carried out and associated groups or names (Figure 13) as well as commonly used techniques (Figure 14).
ATT&CK also catalogs Software—including programs, OS utilities, malware, and tools—the adversary employs (Figure 15); some of these same elements may also be used by a defender, pen tester or red teamer working to strengthen defenses.
As MITRE ATT&CK becomes more widely applied by enterprises and cybersecurity providers, it functions like the Rosetta Stone: translating the details of threat behavior in a way that’s understandable to disparate systems. Standardizing tools, services and defensive controls on ATT&CK widens the opportunity to work in a unified way across multiple use cases.
Additional use cases include:
To encourage cybersecurity providers and would-be users alike to accelerate their adoption of ATT&CK, MITRE has created a structured, non-competitive process to evaluate ATT&CK-enabled offerings from leading vendors and is making the results publicly available. Using simulated attacks that mimic the adversary behavior of real threat groups (including APT3, frequently mentioned in this post), the evaluations show how a given product handled the specific threat techniques used during the test. Figure 17 shows the results for an evaluation of Carbon Black.
To date, roughly three dozen evaluations have been completed, are in progress or are planned, with 20-plus providers committed to taking part. The list includes many well-known and respected names: RSA, McAfee, Symantec, Kaspersky Labs, Trend Micro, SentinelOne, Malwarebytes and others.
Beyond the comprehensive nature of the MITRE ATT&CK knowledge base, VMRay believes its potential to unify and strengthen cyber security derives from three core characteristics: its openness, interoperability, and community. We applaud our own partners, such as Carbon Black and Splunk, who are making their platforms and processes ATT&CK-friendly.
For example, with the recent update to the VMRay Analyzer Add-on for Splunk, VMRay sends its analysis results with ATT&CK mappings so the data can be seamlessly shared and made actionable across Splunk’s security ecosystem.