Illusive Blog November 1, 2019

MITRE ATT&CK Framework - How Illusive Foils Attacker Decision-Making

By Matan Kubovsky

For a cyber attacker, every organization is a potential target. Attack frequency and degrees of severity vary with the attacker’s skill level, the assets they want, choice of tactics, and the sophistication of their targets’ defenses. With attacks constantly in the headlines, it’s no wonder security teams might feel overwhelmed. But in reality, not all threats are equal. Not all threats are relevant to all organizations. And not all threats are known.

As organizations have experienced first-hand that regulatory compliance and adherence to security frameworks do not in themselves guard against successful attacks, there has been growing interest in taking more threat-centric approaches. Understanding attackers’ motives, their typical behavioral patterns, and how they work is critical to prioritizing and optimizing defenses for the most likely attacks. This is especially challenging since the tactical details of how threat actors operate change continuously. That’s why the MITRE Corporation’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework has rapidly become recognized as an invaluable tool for evolving organizations’ defense capabilities.

MITRE ATT&CK is a globally accessible knowledgebase of adversary tactics and techniques based on real-world observation, community threat intelligence, and analysis of known threat actors. It is used as a foundation for developing specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

ATT&CK is organized in several matrices. The Enterprise Matrix includes 12 categories of tactics and their impact that span Windows, Mac, and Linux platforms: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. Under each tactic category, the matrix provides much more detail about the various techniques used in these tactics.

Using the MITRE ATT&CK Framework

Business risks and cyber risks are inextricably linked; being risk-focused means being threat-focused. The MITRE ATT&CK framework enables you to focus on specific threats that are most relevant to your business assets and align defenses accordingly. MITRE Corporation published Finding Cyber Threats with ATT&CK-Based Analytics, a methodology that can be used to conduct defensive gap analysis, evaluate security products, and build and tune security technologies for maximum risk reduction in a particular environment.

Thwart the attackers’ TTPs, but also thwart their decision-making

Many security products take a legacy controls-oriented approach to cybersecurity and are designed to enable various best practices that evolved within discrete cybersecurity domain areas. They may effectively neutralize specific malicious tools, tactics, and procedures (TTPs); however, it can be difficult for many of these technologies to retain their relevance as attacker methods change. For example, UEBA security tools look for abnormal network behavior in an attempt to detect attackers, but struggle when attacker behavior is seemingly ordinary (e.g., during business hours, using legitimate user credentials, etc.).

Illusive, on the other hand, is designed from the ground up specifically to thwart the underlying process of the attack—the decision-making process attackers must carry out in order to successfully execute their campaigns. This means that by investing in Illusive, organizations gain protection that is agnostic to specific attack tools.

Illusive helps defenders preempt, detect, and respond to attackers—internal or external—once they are inside the network. The Illusive platform can detect and thwart threat tactics in four of the MITRE ATT&CK Enterprise matrix categories—ones essential to the overall lateral movement process executed in most attacks, and without which that process cannot be executed, as the attackers remain paralyzed on a single machine.

  • Credential access: With Illusive, you can preemptively discover cached credentials and connections that form pathways to critical systems and eliminate these artifacts in keeping with defined policies. Example – Credentials from Web Browsers
  • Discovery: Illusive plants a dense web of lightweight deceptions across all endpoints, which, early in the attack process, detect the tactics attackers use to discover and map the environment. Examples – Network Sniffing or File and Directory Discovery
  • Lateral movement: As attackers attempt to move laterally, they activate Illusive deceptions and engage with decoys, which triggers Illusive collection of real-time forensics and attack intelligence. Through endpoint deceptions, attackers can also be routed to decoy systems for observation. Examples – Pass the Hash or Remote Desktop Protocol movement
  • Collection: Illusive’s deceptions are indistinguishable from real artifacts that attackers mine from the environment, and are thus swept into the attacker’s data collection. Example – Email Collection

Illusive has conducted a granular mapping of our product capabilities against the ATT&CK Framework. Download the free paper.

UPDATE – Since this post was first published, MITRE has issued a technical white paper fully endorsing the implementation of Deception Technology. Download the report, entitled The Cyberspace Advantage: Inviting Them In.

In addition, watch our webinar with special guest MITRE, Stop Advanced Ransomware Now: MITRE Shield’s Active Defense and Illusive Lateral Movement Prevention.