
Threat Intelligence

10/16/2020
12:05 PM

Academia Adopts Mitre ATT&CK Framework

Security pros and academic researchers discuss the best ways to use MITRE's framework to inform cybersecurity efforts, analyze threats, and teach future workers.

When two educators at Temple University's criminal justice program decided to offer a course in analyzing the tactics, techniques, and procedures (TTPs) used by cybercriminals, they turned to MITRE's ATT&CK framework, an increasingly popular taxonomy of the steps attackers take to infiltrate networks, compromise systems, and execute payloads. 

Their lessons focused on attackers' initial attempts to infect users' systems using social engineering, turning to a subset of the framework known as PRE-ATT&CK, which identifies the techniques and subtechniques that could be detected early in an infiltration of a targeted network. Companies can use the PRE-ATT&CK list to watch for attackers' initial activities, establish policies for early detection, and try to stop attacks before they successfully compromise systems.


Aunshul Rege, an associate professor at Temple University, along with Ph.D. student Rachel Bleiman, adopted the PRE-ATT&CK framework as part of their class on cybercrime as a way to teach students about threat intelligence, threat mapping, and mitigation strategies, the academic researchers said during MITRE's 90-minute ATT&CKcon presentation last week.

"What is really cool is we are trying to map social engineering cases, which is not typically done, so I think that is an interesting exercise from a social science perspective," Rege said during the briefing on the school's efforts. "It isn't [that] technical, so all disciplines can engage. I have social science students who can engage in this and get an understanding of threat intelligence." 

The academic effort is just one way the ATT&CK framework has become a standard for describing attackers' TTPs. Officially released in May 2015, the framework is used by more than 80% of companies as part of their cybersecurity programs, according to a survey published by the University of California at Berkeley and McAfee last week.

A Google threat analyst demonstrated how the company uses the framework to classify ransomware threats such as TA505, a group designation that overlaps with the recent FIN11 group described by FireEye earlier this week. The analysis demonstrates that many of the TTPs could be used by a vigilant company to detect a ransomware attack before the actual infection stage, said Brandon Levene, head of applied intelligence with Google's Uppercase threat team, in a presentation.

Detecting the ransomware itself is too late; there is a long chain of activity that leads up to infection, he said.

"Complementing defense in depth with detection in depth is crucial to protecting a modern enterprise," he said. "When you start to try to detect just the ransomware, you have missed five or six different interdiction opportunities [to stop the attack]."  

While it is gaining more adherents, the ATT&CK framework is not standing still. MITRE is quickly incorporating feedback from practitioners into the effort, adopting a greater number of subtechniques to drill down on popular attack techniques, and adapting the ATT&CK taxonomy to cloud threats as well.  

The addition of subtechniques to MITRE's ATT&CK framework is meant to address the uneven granularity of the attack technique categories. Some attacker techniques — such as credential dumping and running code at boot-up — are very broad and encompass a variety of technical attacks, while others — such as port knocking or privilege escalation exploits — have few or no subtechniques.

Remapping threat intelligence to the subtechniques requires significant effort, said Brian Donohue, an evangelist for threat intelligence firm Red Canary, in a presentation at the conference. Red Canary embarked on a significant remapping effort and found it is hard to completely automate the process. In particular, human analysts are needed to remap the behavior techniques because it is an art, not a science, he said.

"We naively thought the code would do all the work for us. We were quickly disabused of that notion," he said. "Once you get to the point that you are going to have to do a human review at some level, you have to decide whether you want to divide and conquer or do it as a small team or individual."

In one example, the company found that two subtechniques having to do with camouflaging malicious code as the common "svchost.exe" process needed to be moved to another ATT&CK category, process injection. The move was a significant effort, but one that boosted the category to the No. 1 spot, with 35% of organizations affected. Among the malware that uses the technique is the ubiquitous TrickBot operation.

Companies that are using the ATT&CK framework need to enumerate all the tools and processes that rely on ATT&CK prior to a remapping effort, Donohue said. A larger team will finish the remapping faster, but the results will be less consistent, while a small team will stay consistent but take longer. The company recommended creating a style guide and a review team.
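As an added example of the remapping workflow described above (not Red Canary's or MITRE's code), the following Python triages detections tagged with legacy technique IDs: a constructed crosswalk excerpt and one constructed style-guide rule resolve the mechanical cases, anything ambiguous or unknown is queued for human review, and the organization-prevalence metric the article cites is computed over the result. The ATT&CK IDs are real, but the crosswalk, the rule and the sample detections are assumptions made for the example.

```python
"""Remap pre-subtechnique ATT&CK IDs: 1:1 crosswalk entries map mechanically, 1:N or unknown go to an analyst. Added example."""
from collections import defaultdict

# Constructed crosswalk excerpt (real ATT&CK IDs, not MITRE's official table): legacy ID -> successors.
CROSSWALK = {
    "T1055": ["T1055.001", "T1055.002", "T1055.012"],  # process injection: 1:N
    "T1036": ["T1036.005"],  # masquerading by legitimate name or location: 1:1
    "T1205": ["T1205.001"],  # traffic signaling -> port knocking: 1:1
}

def svchost_injection_rule(det):
    """Constructed style-guide rule echoing the article: code posing as svchost.exe
    that is actually injected is process injection (T1055), not masquerading."""
    desc = det["description"].lower()
    if det["technique"] == "T1036" and "svchost.exe" in desc and "inject" in desc:
        return "T1055"
    return None

def remap_detections(detections, crosswalk=CROSSWALK, style_rules=(svchost_injection_rule,)):
    """Return (auto_mapped, needs_review); style rules run first, only 1:1 entries skip review."""
    auto, review = [], []
    for det in detections:
        moves = [m for m in (rule(det) for rule in style_rules) if m]
        legacy = moves[0] if moves else det["technique"]
        successors = crosswalk.get(legacy)
        if successors is None:
            review.append({**det, "reason": f"{legacy} not in crosswalk"})
        elif len(successors) == 1:
            auto.append({**det, "technique": successors[0]})
        else:
            review.append({**det, "reason": f"{legacy} -> pick one of {successors}"})
    return auto, review

def org_prevalence(detections):
    """Share of distinct organisations seeing each parent technique, the metric
    behind the article's '35% of organizations affected' ranking."""
    orgs, by_parent = set(), defaultdict(set)
    for det in detections:
        orgs.add(det["org"])
        by_parent[det["technique"].split(".")[0]].add(det["org"])
    return {parent: len(seen) / len(orgs) for parent, seen in by_parent.items()}

# Constructed sample detections from three fictitious organisations.
SAMPLE_DETECTIONS = [
    {"org": "org-a", "technique": "T1036", "description": "binary named svchost.exe outside System32"},
    {"org": "org-b", "technique": "T1036", "description": "svchost.exe with injected thread from unsigned DLL"},
    {"org": "org-b", "technique": "T1205", "description": "port-knock sequence preceding SSH login"},
    {"org": "org-c", "technique": "T1205", "description": "knock sequence to three closed ports"},
    {"org": "org-c", "technique": "CUSTOM-01", "description": "tag from an in-house taxonomy"},
]
```

Running `remap_detections(SAMPLE_DETECTIONS)` maps three detections without review and queues two: the injected svchost.exe case, which the rule moves to T1055 but which still needs an analyst to pick the subtechnique, and the in-house tag that has no crosswalk entry.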

Another problem is the shortage of examples of ATT&CK classifications of real threats that can be used to train threat analysts. Temple University's effort solves some of those issues. The university effort required real data on the ATT&CK classification of social engineering attacks, so the two researchers created data sets from public reports, including 623 social engineering incidents and 747 critical infrastructure ransomware incidents. Industry and government researchers repeatedly requested to use the data and asked the researchers to map the data sets to MITRE's ATT&CK, Temple's Rege said.

The effort underscored that the ATT&CK framework still needs more work to classify threats: Only 56% of ransomware strains mapped onto known threats classified by the ATT&CK framework, so major strains of ransomware were not included in the data sets, and less than a quarter of attacks mapped to specific attackers, such as Lazarus and other groups.

The focus on social engineering attacks and the ATT&CK framework underscores that teaching students about cybersecurity is not just about technical solutions, Rege said. 

"We are training computer scientists to really think about," he said. "These are the next-generation workforce of computer scientists who are going to be developers and defenders who think about using these frameworks not just for the technical aspect, but in the human domains."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio