Playing defense is always more difficult than being on the attack, because defense is always reactive on some level. This concept is especially true in cybersecurity, where adversaries can take as many shots as they want at an organization, while the poor security team has to be perfect every time to prevent a successful attack.
Because of this natural disadvantage, security teams should always be on the lookout for ways to become more proactive by predicting and anticipating their adversaries’ next moves. Using a kill chain framework helps security teams get inside the heads of their adversaries and understand their intent. The variation of this concept that I have found to be the most valuable is the MITRE ATT&CK matrix, because of its rich database of real-world cyber attack data.
The Kill Chain
The kill chain originated as a military concept to describe the stages of an attack and was adapted into the intrusion kill chain (or “cyber kill chain”) by Lockheed Martin in 2011 to describe attacks against computer networks. In its original form, the cyber kill chain has seven phases that outline an attack:
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and Control
7. Actions on Objective
These phases are like a hypothetical playbook for adversaries, which security teams can use to anticipate and contextualize attacks. Many organizations now use a kill chain framework in some way, and while it is valuable as a high-level concept, it does not include any detail on exactly how attackers achieve the goals of each phase, therefore leaving lots of room for security researchers to elaborate on its basic structure.
What Makes ATT&CK Different
Between 2013 and 2015, the not-for-profit security corporation MITRE developed their own version of a cyber kill chain, which they call ATT&CK (adversarial tactics, techniques & common knowledge). ATT&CK focuses on post-compromise detection, as opposed to the cyber kill chain, which begins with the adversary conducting reconnaissance on their target.
Instead of phases, ATT&CK breaks down incidents into 12 “tactics” (what the adversary is trying to do), each accompanied by numerous “techniques” (how the adversary is doing it). Tactics include Execution, Defense Evasion, and Lateral Movement. Techniques are more specific, such as PowerShell, Modify Registry, and Remote Desktop Protocol. The result is a massive matrix of adversary behavior, based on MITRE’s study of real-world cybersecurity incidents.
The Value of Using the ATT&CK Matrix in Security Operations
Successful cyber attacks need time to unfold, but organizations generally take a long time to detect an attack and recognize what is happening. The good news is that if the organization can detect and disrupt the attack at any phase, it will be unsuccessful, even if the network has already been compromised. For example, an adversary’s goal will not be just to escalate privileges within a target’s systems, but rather to use those privileges for the end goal of exfiltrating data.
Using the ATT&CK framework in your analysis of cybersecurity incidents allows you to make connections between different tactics and techniques. This helps security teams identify ongoing attacks before they are completed and gives the security team a good idea of what the adversary has already done and what they are likely to do next.
The ATT&CK framework is particularly valuable for detecting attacks because it is a behavior-based model, not a signature-based model. Because ATT&CK predicts common behaviors, it isn’t fooled by zero-day attacks, indicators of compromise that are modified by adversaries to avoid detection, or other weaknesses of signature-based systems.
ATT&CK’s “techniques” are also set apart from conventional IOCs because a technique might be a legitimate action that is done for malicious purposes. In other words, once an adversary has compromised a system and gained privileges, they might not need to do anything else that would trip the alarms of conventional security tools. ATT&CK techniques describe the actions that the adversary might take next, even though they might look like normal activity.
MITRE’s extension of the cyber kill chain concept takes the conceptual value of breaking incidents into phases and combines it with behavior-based research that rivals the best threat intelligence sources. Whether it is built-in to your detection and response tools, or just a way to standardize how your security team talks about advanced persistent threats, the MITRE ATT&CK matrix should find a place in your security operations.
