MITRE Attack Design & Philosophy Essay

Posted by on | Featured

MITRE Attack Design & Philosophy

MITRE ATT&CK

Illustration: Pexel, Anete Lucina

ATT&CK Framework Abstract:

By reading the popular white paper called “MITRE Attack Design & Philosophy” one can be armed with the knowledge that this framework was created out of sheer necessity to be able to classify how threat actors can be better categorized as part of a larger project called Fort Meade Experiment. Many may be aware of the different well recognized project the MITRE Corporation leads but others just know it as the company who put together the ATT&CK matrix and is commonly discussed day-to-day through the security industry and at most conferences. The ATT&CK framework stands for Attackers Tactics, Techniques, and Common Knowledge and its used in the various sectors that deal with information technology to determine what potential methods adversaries may use along their attack lifecycle. MITRE is known for their rigorous research and white papers that they produce that aid companies as they are normally involved with the latest trends in technology such as adversary emulation, machine learning, and common risk assessment methods. Through research it can be discovered that this body of knowledge was meant for the world to further understand what adversaries were being carried out from real world analysis that led to the “assume breach” mindset. It was first put together in 2013 and had the scope of only focusing on windows systems. Once it was released to the world two years later, there was a great response from the community which led to its expansion of techniques and addition of 3 more tactics. There are a few other popular resources that help defenders understand attack methods although the matrix has taken off due to the fact that many threat hunting teams and red teams are using the techniques in ATT&CK as a reference point. It differs from other frameworks as it’s not theoretical and it’s heavily derived from available information and reports that were gathered at the time of creation. The goal of defenders is to be able to mitigate attacks regardless of where their adversary is in their lifecycle, by having a breakdown such as the matrix it allows for a defined scope of research and for juniors to catch up to speed in an organized manner. ATT&CK can help out when creating metrics and reports to be able to apply countermeasures for non-technical folks. 

ATT&CK is post-exploit focused. I’ll help you explain the concept of “post-exploit” as if you were describing it to a group of high-level, non-technical managers. 

Post-exploitation boils down to the attack commands or methods used by a cyber-criminal once they gain access to their target system. Prior to jumping deeper into the post-exploitation concept that ATT&CK aims to share with the world, the audience must be familiar with the Lockheed Martin Cyber Kill Chain phases. The Cyber Kill Chain which is derived from the military in its terminology, includes the seven phases of a cyber attack’s lifecycle. The first four are focused on how an attacker is able to collect information, use it to his advantage, get it to its victim and gain access to their network or infrastructure; there are a few more steps but the ATT&CK Framework picks up at the phase where the adversary gains initial access.

Statistics for 2018 show that the average time it takes for a company to figure out it’s had a data breach is roughly around 190 days plus. Previously it was loosely stated that many networks could have been compromised for years although having the data helps clear any confusion as to why the concept of “post-exploitation” has become a hot topic.  “It’s not a matter of if, but when we’re breached” is a common mentality that has been overstated in the industry so it helps defenders know that the bad guy will get on the system regardless, the battleground consists of the steps taken to go from there.

The post-exploitation mindset allows defenders to focus on tactics and techniques across their networks and endpoint systems to look for behaviors that may be related to those included in the MITRE ATT&CK Matrix. This allows a company to improve their cyber skills and understand what’s going on across their collective devices that their business operates on to create profit. There are many things that a bad guy can do once they’re on the system just as keep their access for a long period of time by simply sitting on systems that are not being monitored as they are considered trusted by its owners and users.

From there the attacker can slowly gather information on the network to be able to improve their abilities and actions that are allowed on the systems they’re taking advantage of, this is known as privilege escalation. Once that action is performed or prior to performing an attack dealing with increasing their permissions they might have also tried doing it in a method to not set off any alarms categorized under defense evasion. This is the key item that differentiates the skill set of said threat actors; if they’re new or sloppy they typically don’t mind leaving evidence behind. If it’s a highly trained individual, they will slowly crawl their way around the company systems in attempts to evade every protection solution.

After all, once they’re on the network they will see what protection if any has been installed to understand what they’re up against. To further expand on the defense evasion, it’s common for the malware which is being delivered to the target to be encoded in such a way that it’s undetectable by common AV and security solutions as its signature has been altered and does not yet have a record in common databases.

In order for a defender to be able to respond and limit the area of possible attack they must understand how their opponent thinks and will attack. A framework like ATT&CK provides the springboard for many professionals to quickly reference and learn about all of the specific methods that may be used against them. 

We will explore 2 tactics under “Defense Evasion” 

What is defense evasion? The concept of defense evasion is a tactic that must be performed by an adversary, red team, or penetration test in order to not set off any potential alarms or traps left behind by the blue teams who defend and monitor all systems of a network. There are many security tools in the market which check for similar signatures and attacks that have been previously identified, what the adversary does is that they have to modify their code in order to alter it to a way that it performs the original goal but does not appear as malicious to security solutions. As it was previously mentioned, encoding the shellcode used for exploits is a common way to get to the original objective without getting noticed.

Tactic #1

Process hollowing occurs when a process is in a suspended state which means that it’s been transferred to the disk, the process then has no memory assigned (unmapped) to it then it injects a malicious code to the process instead and runs as the original one without looking suspicious initially.

A popular observed process of hollowing malware is Hancitor, a Windows-based downloader.  In one example found online, the delivery of Hancitor came from malicious links in the body of an email message which sent users to compromised websites hosting the Hancitor Word document.  If the email recipient decides to visit the malicious website, download the document, and open it, the user will be confronted with an embedded image that provides instructions for how to enable and supposedly view the content.

The document instructs the user to select the “Enable Content” button which will allow the malicious macro code to run.  

The macro itself consists of three components:

  1. Form that contains the encoded shellcode as text values embedded into various form control properties.
  2. Macro containing the main logic of the malicious code
  3. Additional module that includes functionality for decoding the embedded shellcode.

These individual components have randomly generated names that vary depending on the sample under analysis. The main logic of the macro code is set off with a call to the “Document_Open()” function which is initiated when MS Word opens the document, or the user enables macros. The code includes randomly named variables and contains a large amount of unnecessary code designed to frustrate the analysis process.  As the code executes, it will extract, de-obfuscate, and run shellcode from text values contained within the form. To do so, it makes use of several Windows API functions to allocate space in memory, write the decoded binary to that memory, and transfer control to the shellcode.

Tactic #2

Another common defense evasion technique is called DCShadow or DCSync Attack which has been heavily documented by Red Team Operators. “DCShadow takes advantage of Active Directory data by registering a rogue Domain Controller by emulating an authorized server.

The only requirement to perform this technique in a successful way requires getting access to an account that has permissions to replicate directory changes. A tool such as the Active Directory Access Control List scanner can be used to find accounts with this configuration.

Once access to that account has been compromised the attack can be carried out using Mimikatz and extracting the Kerberos hash then proceeding to generate a golden ticket which allows an adversary to evade defenses by getting approved credentials through the Windows architecture designed by Microsoft. The “rundll32.exe” native program can be used to run malicious code as it’s normally a whitelisted item and runs with high privileges. A common theme is that if a process, program, or account is compromised to perform any action it will run with those privileges allowing defenses to be bypassed.

We will explore 2 tactics under “Lateral Movement” 

What is Lateral movement? This is when an adversary or authorized security professional is able to gain initial access from one system to the next remotely without having to further exploit systems. Successful lateral movement enables the bad guy to easily roam the network and its system by performing additional internal reconnaissance to discover high value targets. The easiest analogy that comes to mind is someone finding an open window going inside the house then, finding car keys on the table which then they use to drive the car to their original destination. If a person doesn’t pay a toll, it will be traced back to the person who owns the plates of the car. 

Best practices recommend that critical systems be designed in a way where only authorized resources have access or have the ability to log onto them remotely. Which would limit it being abused as a jump host by an unauthorized individual.

Tactic #1

Passing-The-Hash has been the most common technique for the last decade by ethical hackers, threat actors, and professionals but it is slowly fading out is. Modern systems have enhanced monitoring and logging which is making it harder to pass the hash. When the attack is successful the next step is pillaging through its directories, cron jobs, locations where configuration files live. 

Mimikatz is a tool that can be executed on memory to pull hashes out of the Local Security Authority Subsystem Service normally known by “lsass.exe”. After those hashes have been dumped through tools like Mimikatz, then that file is exfiltrated back to the command and control server. Tools in Kali such as “PTH-WINEXE” allow an individual to only provide the IP Address, Account Name, select protocol used such as Server Message Block (SMB) or Remote Desktop Protocol (RDP) and provide the hash to attempt a remote session with the host being targeted with hands on keyboard access.                                                                       

Tactic #2   

Stealing Application Access Tokens is another technique in the MITRE ATT&CK Framework under lateral movement. One of the common commands which I’ve used on Penetration Tests has been running the command “CMDKEY /LIST” and it will list any passwords in memory that are saved on the computer. this has allowed me to gain access to additional machines. Finding passwords can be done by using open source tools or by running utilities that already system on the system.
 

Command and Control Primer

The concept of Command and Control shows defenders who are protecting their network how their adversaries will send packets amongst systems they use for nefarious actions and the network their targeting. Detecting this type of traffic can be rather difficult for a novice security operator if they’re not used to network traffic analysis and how malicious traffic can masquerade itself under protocols used every day by large companies. 

Identifying Command and Control or “C2” infrastructure on the network is the common job of the Security Operations Center, Incident Responders, and the new team which has been introduced such as the hunt team. The most popular technique is when an attacker uses “commonly known ports” that already have connections and have approved firewall rules in order to minimize the attention to the traffic. 

By blending their beacons into intervals, they can send data back to their servers over common ports such as 443(HTTPS), 25(SMTP/Email), or even 22(SSH). Sometimes the traffic is sent through the clear but rarely does that happen now as most malicious traffic is encrypted. A “proxy connection” may also be used as it has a trusted communication path amongst hosts on a network and the outside world. If that proxy is exploited, then it would be much easier for an adversary to allow their data to be easily exfiltrated to their C2 server while deleting logs of the connections that have been made. Taking advantage of a “Web Service” as it’s already hosting code for its public users and having an excessive amount of connections. By compromising a service such as LinkedIn for command and control purposes would require many logs to be analyzed in order to identify who the attacker is as it’s easier to hide behind the high volume of traffic.

 

                                                                             References

Airbus. (n.d.). Analysing the Hancitor Maldoc – Airbus Defence and Space Cyber. Airbus CyberSecurity. Retrieved September 12, 2022, from https://www.cyber.airbus.com/analysing-hancitor-maldoc/

Homeland Security Today. (2018, May 2). Report Finds Cybersecurity ‘Dwell’ Time Is 191 Days; State CIO Says It Should be Zero. Homeland Security Today. Retrieved September 13, 2018, from https://www.hstoday.us/home-posts/report-finds-cybersecurity-dwell-time-is-191-days-and-state-cio-says-it-should-be-zero/

Optiv. (2017, January 19). TTPs Within Cyber Threat Intelligence. Optiv. Retrieved September 12, 2022, from https://www.optiv.com/explore-optiv-insights/blog/tactics-techniques-and-procedures-ttps-within-cyber-threat-intelligence

Strom, B. E., Applebaum, A., Miller, D. P., Nickels, K. C., Pennington, A. G., & Thomas, C. B. (2018, July 1). MITRE ATT&CK: Design and Philosophy. MITRE. Retrieved September 12, 2018, from https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf

Strom, D. (n.d.). MITRE ATT&CK framework: Understanding attack methods. CSO Online. Retrieved September 12, 2021, from https://www.csoonline.com/article/3267691/mitre-att-and-ck-framework-understanding-attack-methods.html

 
–Christian Galvan

Ready to Begin Your Cybersecurity Career?

Follow & Share a screenshot of our home page with the tag @thedukeofcyber & @themoderntechleaders on Instagram for a FREE Cybersecurity roadmap, tutorials, and career guidance

Contact Us
Tags: , , , , ,
Comments are closed.