MITRE ATT&CK: A Rosetta Stone for the Cyber Security Ecosystem

In July, VMRay released version 3.1 of VMRay Analyzer, our flagship platform for automated malware analysis and detection. Among several major enhancements, 3.1 mapped our existing VMRay Threat Indicators (VTIs) to MITRE ATT&CK, the industry-standard framework and knowledge base of adversary tactics and techniques, threat groups, and related software and tools.

As a result of this mapping, VMRay Analyzer can now “speak” MITRE ATT&CK when describing adversarial behavior and threat group activity at every phase of the malware analysis and detection process. (Many security vendors have undergone a similar mapping process with their own products and services.)

Whether VMRay is analyzing Mac or Windows threats, that common lexicon:

  • Starts with incoming malware alerts sent to VMRay by ATT&CK-enabled firewalls, gateways and endpoints
  • Extends to information on rapid reputation matches and static analysis of malware samples, as part of VMRay’s multi-layered Now, Near, Deep architecture
  • Encompasses the detonation and dynamic analysis of suspect files and URLs as they safely execute in VMRay’s sandbox
  • Culminates with detection results that can be seamlessly shared with ATT&CK-enabled systems across the cyber security ecosystem. Many of these systems make block/allow decisions or prompt a further investigation, based on VMRay Analyzer results.

The VMRay Analysis Report shown in Figure 1 shows how tightly the MITRE and VMRay platforms interoperate.

  • The red-flagged report header (#1) shows that VMRay has determined that a suspect file is harmful spyware and assigned it an overall severity score of 100/100.
  • Traditional VMRay threat indicators (VTIs)—which preceded the MITRE mapping—are ranked, based on the severity of individual analysis scores (#2).
  • The MITRE ATT&CK Enterprise matrix at the bottom of Figure 1—a new feature in VMRay—reflects the same color coding as the corresponding VTIs, but expressed as MITRE ATT&CK techniques (#3).
VMRay Analysis report highlighting malicious behaviors triggered by a Spyware sample
Figure 1: A VMRay Analysis report highlighting malicious behaviors triggered by a Spyware sample[</figcaption] >

We also extended our VMRay search interface. Users can now search across any samples analyzed in version 3.1 or later to find executables that trigger specific ATT&CK techniques (Figure 2). They can also identify the techniques encountered most frequently, information that can inform efforts to strengthen defensive responses.

Extended Search (MITRE ATT&CK)
Figure 2: An extended search for executables that use Process Injection[

For VMRay’s existing customers, the addition of built-in mapping to the MITRE ATT&CK framework further streamlines our high-volume, highly automated malware analysis and detection process. It also facilitates broad platform interoperability with the security ecosystem. For example, organizations that are already using ATT&CK but are new to VMRay can more easily integrate our industry-best malware analysis and detection platform into their security environment.

Painting the Big Picture

More broadly, MITRE ATT&CK enables organizations to begin painting a much larger and more comprehensive picture of the threats they are dealing with than was possible even a few years ago. The framework provides a strong foundation for mapping defenses to reveal where security gaps exist; developing threat models based on real-world adversary behaviors and threat groups; and creating methodologies to strengthen cyber security.

As we’ll discuss later, use cases may include enriching detections and investigations, threat modeling, threat hunting, and developing adversary emulation plans and pen tests.

An Overview & Brief Tour of MITRE ATT&CK

Introduced by the MITRE Corp. in 2013, ATT&CK is a comprehensive, globally accessible knowledge base whose name is an acronym for Adversary Tactics, Techniques & Common Knowledge.  Based on observations of real-world threats and attacks, the framework is generally aligned with Lockheed Martin’s Cyber Kill Chain.

Lockheed Martin's Cyber Security Kill Chain
Figure 3: Lockheed Martin’s Cyber Security Kill Chain[

As a useful way to understand the structure, content and real-world value of MITRE ATT&CK, we’ll take a brief tour of the knowledge base: both at a high level and by drilling down to reveal the depth and detail of the underlying information on adversary behaviors, threat actors and tools.

Then, by viewing ATT&CK through the lens of VMRay Analyzer, we’ll show how threat indicators uncovered during a real-world malware analysis map to ATT&CK tactics and techniques in a way that makes the information more easily shareable across diverse security systems and multiple use cases.

Tactics and Techniques are an Adversary’s Building Blocks

As ATT&CK’s red menu bar suggests, there are multiple ways to navigate the detailed information captured in the framework. However, its primary organizing structure consists of three matrices that identify and describe tactics and techniques for compromising networks:

  • The MITRE PRE-ATT&CK matrix addresses the first two phases of the Lockheed Martin kill chain: Reconnaissance of the target and Weaponization of the payload.
  • The Enterprise matrix Figure 3 describes tactics and techniques that apply to Windows, Linux and macOS systems. This matrix covers the remaining five phases of the kill chain:  Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives.
  • The Mobile matrix is similar to its Enterprise counterpart but only applies to the iOS and Android operating systems.

Tactics are the technical objectives the attacker wants to achieve. The tactics defined in the Enterprise ATT&CK matrix are displayed below, across the top row of Figure 4, and also listed in Figure 5. Techniques—shown in the blue text—explain how a specific tactic is achieved: the methods are chosen and the sequence of steps the group takes to complete that specific objective.

ATT&CK Enterprise Matrix
Figure 4: The ATT&CK Enterprise matrix applies to Windows, Linux and macOS environments.[

The framework also links adversary groups to the specific tactics and techniques they employ and to the software, malware, and tools they use to design and carry out campaigns.

Drilling Down on Tactics and Techniques: Credential Access

As Figures 5-7 illustrate, users can easily drill down in ATT&CK to gain a deeper understanding of adversary behaviors. Here, we step into the shoes of an analyst we’ll call Taylor and peruse ATT&CK’s list of Enterprise Tactics (Figure 5).

Tactics defined in the ATT&CK Enterprise matrix
Figure 5: Tactics defined in the ATT&CK Enterprise matrix[

There are 12 tactics altogether, but Taylor’s immediate focus is on Credential Access (TA0006) because that showed up in a VMRay Analyzer Report that’s being reviewed.

Adversary techniques for gaining Credential Access
Figure 6: Adversary techniques for gaining Credential Access[

Figure 6 shows some of the 19 techniques an adversary might use in gaining credential access: Account Manipulation, Brute Force, Credential Dumping and so on. Suspecting the adversary was hunting for files containing passwords, Taylor clicks on Credentials in Files (T1081) to access examples of real-world attacks that have used this particular technique and a list of known mitigations  (Figure 7).

Mitigations and real-world examples of Credentials in Files
Figure 7: Mitigations and real-world examples of Credentials in Files[

The View from VMRay

Having taken a quick tour of how tactics and techniques are broadly organized in MITRE ATT&CK, Taylor switches over to a VMRay Analysis report on the actual intrusion being investigated. Figure 8 below shows the highlighted adversary techniques detected by VMRay Analyzer when the malware executed in the sandbox. The resulting behaviors include stealing credentials, capturing input (typically using a key logger), and sending the data home to a C2 server.

Adversary techniques triggered by the malware sample analyzed
Figure 8: Adversary techniques triggered by the malware sample analyzed in VMRay[

Taylor is concerned about Credential Access activity, which can expose all kinds of sensitive information: on employees and customers, finances, business plans, intellectual property and so on. So the next step is to click on Credentials in Files.

VTI Matches - ATT&CK Framework
Figure 9: VMRay Threat Identifier (VTI) matches[

As Figure 9 shows, four types of credentials were stolen: for accessing FTP data, email accounts, applications, and browsers. Taylor will eventually drill down on all four threat identifiers but starts with “Reads sensitive FTP data,” knowing that credentials stored within the FTP application allow access to local file shares, which are a favorite target for attackers.

Targeted FTP Client
Figure 10: The targeted FTP client, CoreFTP[

Drilling down further, we see the malware tried to steal the file that the FTP client CoreFTP uses to store its cached credentials (Figure 10). The targeted file is shown in Figure 11, and the API call used to access the file is highlighted in Figure 12.

Stolen File
Figure 11: The stolen file[
API Call
Figure 12: The API call used to access the file[

Continuing the investigation, Taylor will repeat this drill-down process for other malware techniques highlighted in the VMRay Analyzer Report until the scale and impact of the incident are understood and appropriate mitigation measures have been identified.

Adversary Group Portrait

So far we have been discussing ATT&CK through the perspective of tactics and techniques. However, there are many scenarios where defenders or researchers may want to gain an understanding of specific adversary groups. For example, threat hunters may want to identify groups with a history of targeting companies in the defender’s industry–and then proactively look for signs that one or more groups may have already compromised the network.

In the same systematic way the framework catalogs adversary tactics and techniques, it maintains a library of information on dozens of adversary Groups, variously described as threat groups, activity groups, threat actors, intrusion sets, and campaigns. As shown in the example below of the Chinese threat group APT3, ATT&CK describes key campaigns the group has carried out and associated groups or names (Figure 13) as well as commonly used techniques (Figure 14).

Profile of ATP3
Figure: 13: Profile of ATP3, a state-sponsored threat group based in China
Techniques associated with APT3
Figure 14: Techniques associated with APT3[

ATT&CK also catalogs Software—including programs, OS utilities, malware, and tools—the adversary employs (Figure 15); some of these same elements may also be used by a defender, pen tester or red teamer working to strengthen defenses.

APT3 Software_Tools
Figure 15: ATP3’s arsenal of software, malware and tools.[

Use Cases: Like the Rosetta Stone

As MITRE ATT&CK becomes more widely applied by enterprises and cybersecurity providers, it functions like the Rosetta Stone: translating the details of threat behavior in a way that’s understandable to disparate systems. Standardizing tools, services and defensive controls on ATT&CK widen opportunities to unified way across multiple use cases.

  • Detection, Response and Threat Modeling: By providing a common taxonomy of attack behavior, MITRE ATT&CK enables security operations centers and incident response teams to work together more effectively to strengthen and unify existing detection and response measures. More broadly, ATT&CK contributes to threat modeling through the ability to infer large-scale threat models from the accumulation of individual security incidents and forensic investigations.
  • Threat hunting: By mapping existing defenses to MITRE ATT&CK, security teams can develop a roadmap of defensive gaps to find attacker activity that was previously missed. Generally, the first step is to understand and mitigate attacks that target the organization on a daily basis. However, a hunt might also be triggered by detection of a previous compromise, with forensics used to determine its impact and source. In a third scenario, mentioned above, the starting point could be identifying threat groups that typically target your industry.
  • Adversary Emulation plans: Prototype documents in the knowledge base provide direction on how to use publicly available threat information to mimic the behavior of persistent threat groups and more effectively test network security against those specific threats. The process flow chart below (Figure 16) is from a prototype Emulation Plan for APT3, a threat group previously mentioned. APT3’s main interest has been exfiltration of documents (by targeting printers and file shares) and theft of intellectual property.
APT Emulation Plan
Figure 16: An Adversary Emulation Plan based on APT3, which targets political organizations in Hong Kong.[

Additional use cases include:

  • Use red teaming and pen tests to evade network defenses and assess the effectiveness of SOC detection and response.
  • Construct and test behavioral analytics to detect adversarial behavior.

Vendor Evaluations

To encourage cybersecurity providers and would-be users alike to accelerate their adoption of ATT&CK, MITRE has created a structured, non-competitive process to evaluate ATT&CK-enabled offerings from leading vendors and is making the results publicly available.  Using simulated attacks that mimic the adversary behavior of real threat groups (including APT3, frequently mentioned in this post) the evaluations show how a given product handled the specific threat techniques used during the test. Figure 17 shows the results for an evaluation of Carbon Black.

ATT&CK Vendor Eval - Carbon Black
Figure 17: Evaluation results for Carbon Black, a VMRay partner[

To date, roughly three dozen evaluations have been completed, are in progress or are planned, with 20-plus providers committed to taking part. The list includes many well-known and respected names: RSA, McAfee, Symantec, Kaspersky Labs, Trend Micro, SentinelOne, Malwarebytes and others.

Looking Ahead

Beyond the comprehensive nature of the MITRE ATT&CK knowledge base, VMRay believes its potential to unify and strengthen cyber security derives from three core characteristics: its openness, interoperability, and community. We applaud our own partners, such as Carbon Black and Splunk, who are making their platforms and processes ATT&CK-friendly.

For example, with the recent update to the VMRay Analyzer Add-on for Splunk, VMRay sends its analysis results with ATT&CK mappings so the data can be seamlessly shared and made actionable across Splunk’s security ecosystem.