When two educators at Temple University's criminal justice program decided to offer a course in analyzing the tactics, techniques, and procedures (TTPs) used by cybercriminals, they turned to MITRE's ATT&CK framework, an increasingly popular taxonomy of the steps attackers take to infiltrate networks, compromise systems, and execute payloads.
Their lessons focused on attackers' initial attempts to infect users' systems using social engineering, turning to a subset of the framework known as PRE-ATT&CK, which identifies the techniques and subtechniques that could be detected early in an infiltration of a targeted network. Companies can use the PRE-ATT&CK list to watch for attackers' initial activities, to establish policies for early detection, and to try to stop attacks before they successfully compromise systems.
Aunshul Rege, an associate professor at Temple University, along with Ph.D. student Rachel Bleiman, adopted the PRE-ATT&CK framework as part of their class on cybercrime as a way to teach students about threat intelligence, threat mapping, and mitigation strategies, the academic researchers said during MITRE's 90-minute ATT&CKcon presentation last week.
"What is really cool is we are trying to map social engineering cases, which is not typically done, so I think that is an interesting exercise from a social science perspective," Rege said during the briefing on the school's efforts. "It isn't [that] technical, so all disciplines can engage. I have social science students who can engage in this and get an understanding of threat intelligence."
The academic effort is just one way the ATT&CK framework has become a standard for describing attackers' TTPs. Officially released in May 2015, the framework is used by more than 80% of companies as part of their cybersecurity programs, according to a survey published by the University of California at Berkeley and McAfee last week.
A Google threat analyst demonstrated how the company uses the framework to classify ransomware threats such as TA505, a group designation that overlaps with the recent FIN11 group described by FireEye earlier this week. The analysis demonstrates that many of the TTPs could be used by a vigilant company to detect a ransomware attack before the actual infection stage, said Brandon Levene, head of applied intelligence with Google's Uppercase threat team, in a presentation.
Detecting the ransomware is too late; there is a long chain of activity that leads up to infection, he said.
"Complementing defense in depth with detection in depth is crucial to protecting a modern enterprise," he said. "When you start to try to detect just the ransomware, you have missed five or six different interdiction opportunities [to stop the attack]."
While it is gaining more adherents, the ATT&CK framework is not standing still. MITRE is quickly incorporating feedback from practitioners into the effort, adopting a greater number of subtechniques to drill down on popular attack techniques, and adapting the ATT&CK taxonomy to cloud threats as well.
The addition of subtechniques to MITRE's ATT&CK framework is meant to address the uneven granularity of the technique categories. Some attacker techniques — such as credential dumping and running code at boot-up — are very broad and encompass a variety of distinct technical attacks, while other techniques — such as port knocking or privilege escalation exploits — have few or no subtechniques.
Remapping threat intelligence to the subtechniques requires significant effort, said Brian Donohue, an evangelist for threat intelligence firm Red Canary, in a presentation at the conference. Red Canary embarked on a significant remapping effort and found that the process is hard to automate completely. In particular, human analysts are needed to remap the behavior techniques because it is an art, not a science, he said.
"We naively thought the code would do all the work for us. We were quickly disabused of that notion," he said. "Once you get to the point that you are going to have to do a human review at some level, you have to decide whether you want to divide and conquer or do it as a small team or individual."
In one example, the company found that two subtechniques concerned with camouflaging malicious code as the common "svchost.exe" process needed to be moved to another ATT&CK category, process injection. That was a significant effort, but one that boosted the category to the No. 1 spot, with 35% of organizations affected. Among the malware that uses the technique is the ubiquitous TrickBot operation.
Companies that are using the ATT&CK framework need to enumerate all the tools and processes that rely on ATT&CK before starting a remapping effort, Donohue said. A larger team will finish the remapping faster but less consistently, while a small team will stay consistent but take longer. The company recommended creating a style guide and a review team.
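The remapping workflow described above, as an added example (this is illustrative code, not Red Canary's tooling or MITRE's crosswalk): legacy technique tags are remapped mechanically only where the answer is unambiguous, a keyword "style guide" encodes the team's agreed calls for techniques that split into several subtechniques, and everything else, including category moves like the svchost.exe one, lands in a human review queue. The crosswalk, style-guide keywords, category-move rule and detection records are all constructed for the example; they borrow a few real ATT&CK IDs for readability but are not MITRE's published mapping.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed crosswalk from legacy (pre-subtechnique) technique IDs to candidate
# subtechniques. Not MITRE's official crosswalk; a real effort would load the
# mapping MITRE published with the subtechnique release.
CROSSWALK: Dict[str, List[str]] = {
    "T1003": ["T1003.001", "T1003.002", "T1003.003"],  # OS Credential Dumping
    "T1055": ["T1055.001", "T1055.012"],               # Process Injection
    "T1036": ["T1036.005"],                            # Masquerading
    "T1068": [],  # Exploitation for Privilege Escalation: no subtechniques
}

# Constructed "style guide": keyword -> subtechnique rules the analyst team agrees
# on up front so that several reviewers make the same call on the same evidence.
STYLE_GUIDE: Dict[str, Dict[str, str]] = {
    "T1003": {"lsass": "T1003.001", "sam": "T1003.002", "ntds": "T1003.003"},
    "T1055": {"dll": "T1055.001", "hollowing": "T1055.012"},
}

# Constructed category-move rule mirroring the article's anecdote: code camouflaged
# as svchost.exe is routed to Process Injection for review rather than being
# mechanically remapped under Masquerading.
CATEGORY_MOVES: Dict[Tuple[str, str], str] = {("T1036", "svchost"): "T1055"}


@dataclass
class Detection:
    ident: str      # detection record id (constructed)
    technique: str  # legacy technique id as tagged before the remap
    summary: str    # free-text analyst summary of what was observed


@dataclass
class RemapResult:
    ident: str
    old: str
    new: Optional[str]     # chosen technique/subtechnique, None while undecided
    status: str            # "auto", "unchanged", "needs_review" or "unknown"
    candidates: List[str]  # what a reviewer should choose between


def _mentions(keyword: str, text: str) -> bool:
    """Whole-word match so that 'sam' does not fire on 'sample'."""
    return re.search(rf"\b{re.escape(keyword)}\b", text) is not None


def remap(det: Detection) -> RemapResult:
    text = det.summary.lower()
    # 1. Category moves always go to a human, even when the new home is obvious.
    for (old, keyword), target in CATEGORY_MOVES.items():
        if det.technique == old and _mentions(keyword, text):
            return RemapResult(det.ident, det.technique, None, "needs_review", [target])
    # 2. IDs the crosswalk does not know are flagged, never guessed.
    if det.technique not in CROSSWALK:
        return RemapResult(det.ident, det.technique, None, "unknown", [])
    candidates = CROSSWALK[det.technique]
    # 3. Techniques that gained no subtechniques keep their ID.
    if not candidates:
        return RemapResult(det.ident, det.technique, det.technique, "unchanged", [])
    # 4. Exactly one subtechnique: a mechanical remap is safe.
    if len(candidates) == 1:
        return RemapResult(det.ident, det.technique, candidates[0], "auto", candidates)
    # 5. Several candidates: apply the style guide, accept only an unambiguous hit.
    hits = {sub for kw, sub in STYLE_GUIDE.get(det.technique, {}).items() if _mentions(kw, text)}
    if len(hits) == 1:
        return RemapResult(det.ident, det.technique, hits.pop(), "auto", candidates)
    return RemapResult(det.ident, det.technique, None, "needs_review", candidates)


def remap_all(dets: List[Detection]) -> Tuple[List[RemapResult], List[RemapResult]]:
    """Return all results plus the subset that needs a human reviewer."""
    results = [remap(d) for d in dets]
    queue = [r for r in results if r.status == "needs_review"]
    return results, queue


def status_counts(results: List[RemapResult]) -> Dict[str, int]:
    return dict(Counter(r.status for r in results))


# Constructed detection records; D6 uses a placeholder ID absent from the crosswalk.
SAMPLE = [
    Detection("D1", "T1003", "procdump wrote lsass memory to disk"),
    Detection("D2", "T1003", "credential dumping by unrecognized tool, source unclear"),
    Detection("D3", "T1036", "unsigned binary named svchost.exe launched from a temp directory"),
    Detection("D4", "T1036", "unsigned binary named explorer.exe in downloads folder"),
    Detection("D5", "T1068", "kernel driver exploit used to gain system privileges"),
    Detection("D6", "T1999", "placeholder id that the crosswalk does not know"),
    Detection("D7", "T1055", "process hollowing of a suspended notepad.exe"),
    Detection("D8", "T1003", "dumped sam hive and lsass memory in one run"),
]

if __name__ == "__main__":
    results, queue = remap_all(SAMPLE)
    for r in results:
        print(f"{r.ident}: {r.old} -> {r.new} [{r.status}] candidates={r.candidates}")
    print("counts:", status_counts(results))
    print("review queue:", [r.ident for r in queue])
```

The point of the structure is that the automatic path only ever fires on a single unambiguous answer; D8, where the summary mentions both LSASS and the SAM hive, is deliberately pushed to the queue rather than resolved by whichever keyword happens to match first, which is the consistency a style guide and review team are meant to buy.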
Another problem is the lack of examples of ATT&CK classifications of real threats that can be used to train threat analysts. Temple University's effort solves some of those issues. The university effort required real data on ATT&CK classification of social engineering attacks, so two researchers created data sets from public reports, including 623 social engineering incidents and 747 critical infrastructure ransomware incidents. Industry and government researchers repeatedly requested to use the data and asked the researchers to map the data sets to MITRE's ATT&CK, Temple's Rege said.
The effort underscored that the ATT&CK framework still needs more work to classify threats: Only 56% of ransomware strains mapped onto known threats classified by the ATT&CK framework, so major strains of ransomware were not included in the data sets, and less than a quarter of attacks mapped to specific attackers, such as Lazarus and other groups.
The focus on social engineering attacks and the ATT&CK framework underscores that teaching students about cybersecurity is not just about technical solutions, Rege said.
"We are training computer scientists to really think about," he said. "These are the next-generation workforce of computer scientists who are going to be developers and defenders who think about using these frameworks not just for the technical aspect, but in the human domains."