Dark Reading is part of the Informa Tech Division of Informa PLC



Academia Adopts Mitre ATT&CK Framework

Security pros and academic researchers discuss the best ways to use MITRE's framework to inform cybersecurity efforts, analyze threats, and teach future workers.

When two educators at Temple University's criminal justice program decided to offer a course in analyzing the tactics, techniques, and procedures (TTPs) used by cybercriminals, they turned to MITRE's ATT&CK framework, an increasingly popular taxonomy of the steps attackers take to infiltrate networks, compromise systems, and execute payloads. 

Their lessons focused on attackers' initial attempts to infect users' systems through social engineering, drawing on a subset of the framework known as PRE-ATT&CK, which catalogs the techniques and subtechniques that can be detected early in an intrusion against a targeted network. Companies can use the PRE-ATT&CK list to watch for attackers' initial activities, establish policies for early detection, and try to stop attacks before they successfully compromise systems.


Aunshul Rege, an associate professor at Temple University, along with Ph.D. student Rachel Bleiman, adopted the PRE-ATT&CK framework as part of their class on cybercrime as a way to teach students about threat intelligence, threat mapping, and mitigation strategies, the academic researchers said during MITRE's 90-minute ATT&CKcon presentation last week.

"What is really cool is we are trying to map social engineering cases, which is not typically done, so I think that is an interesting exercise from a social science perspective," Rege said during the briefing on the school's efforts. "It isn't [that] technical, so all disciplines can engage. I have social science students who can engage in this and get an understanding of threat intelligence." 

The academic effort is just one way the ATT&CK framework has become a standard for describing attackers' TTPs. Officially released in May 2015, the framework is used by more than 80% of companies as part of their cybersecurity programs, according to a survey published by the University of California at Berkeley and McAfee last week.

A Google threat analyst demonstrated how the company uses the framework to classify ransomware threats such as TA505, a group designation that overlaps with the recent FIN11 group described by FireEye earlier this week. The analysis demonstrates that many of the TTPs could be used by a vigilant company to detect a ransomware attack before the actual infection stage, said Brandon Levene, head of applied intelligence with Google's Uppercase threat team, in a presentation.

Detecting the ransomware itself is too late; a long chain of activity leads up to the infection, he said.

"Complementing defense in depth with detection in depth is crucial to protecting a modern enterprise," he said. "When you start to try to detect just the ransomware, you have missed five or six different interdiction opportunities [to stop the attack]."  

While it is gaining more adherents, the ATT&CK framework is not standing still. MITRE is quickly incorporating feedback from practitioners into the effort, adopting a greater number of subtechniques to drill down on popular attack techniques, and adapting the ATT&CK taxonomy to cloud threats as well.  

The addition of subtechniques to MITRE's ATT&CK framework is meant to address the uneven granularity of the attack technique categories. Some attacker techniques — such as credential dumping and running code at boot-up — are very broad and encompass a variety of technical attacks, while other techniques — such as port knocking or privilege escalation exploits — have few or no subtechniques.

Remapping threat intelligence to the subtechniques requires significant effort, said Brian Donohue, an evangelist for threat intelligence firm Red Canary, in a presentation at the conference. Red Canary embarked on a significant remapping effort and found it is hard to completely automate the process. In particular, human analysts are needed to remap the behavior techniques because it is an art, not a science, he said.

"We naively thought the code would do all the work for us. We were quickly disabused of that notion," he said. "Once you get to the point that you are going to have to do a human review at some level, you have to decide whether you want to divide and conquer or do it as a small team or individual."

In one example, the company found that two subtechniques dealing with camouflaging malicious code as the common "svchost.exe" process needed to be moved to another ATT&CK category, process injection, a significant effort but one that boosted that category to the No. 1 spot, with 35% of organizations affected. Among the malware that uses the technique is the ubiquitous TrickBot operation.

Companies that are using the ATT&CK framework need to enumerate all the tools and processes that rely on ATT&CK before starting a remapping effort, Donohue said. A larger team will finish the remapping faster but less consistently, while a small team will stay consistent but take longer. The company recommended creating a style guide and a review team.
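An added example, not from the article or from Red Canary, of the split the remapping effort needs: a deterministic crosswalk handles one-to-one cases automatically, while one-to-many, unmapped and parent-renumbered cases are surfaced for the analyst review team the text describes. The crosswalk, detection names and the legacy tag "T9999" are constructed for illustration; the technique IDs are ATT&CK's, but the mapping is not MITRE's official one.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed crosswalk for illustration only; consult MITRE's published
# technique-to-subtechnique mapping for real work.
# old technique ID -> candidate new IDs
CROSSWALK = {
    "T1003": ["T1003.001", "T1003.002", "T1003.003"],  # credential dumping split
    "T1060": ["T1547.001"],                            # run keys, parent renumbered
    "T1205": ["T1205.001"],                            # port knocking, single child
    "T1036": ["T1036.004", "T1036.005"],               # masquerading variants
}


@dataclass
class Detection:
    name: str    # constructed detection name
    old_id: str  # pre-subtechnique ATT&CK ID attached to the detection


@dataclass
class Remap:
    name: str
    old_id: str
    new_id: Optional[str]  # set only when the remap was automatic
    status: str            # "auto" or "review"
    reason: str


def remap(detection: Detection) -> Remap:
    """Remap automatically only when exactly one candidate exists."""
    candidates = CROSSWALK.get(detection.old_id)
    if not candidates:
        return Remap(detection.name, detection.old_id, None, "review",
                     "no crosswalk entry")
    if len(candidates) > 1:
        # Only a human can tell which subtechnique the behaviour matches.
        return Remap(detection.name, detection.old_id, None, "review",
                     f"{len(candidates)} candidate subtechniques")
    new_id = candidates[0]
    reason = "one-to-one"
    if new_id.split(".")[0] != detection.old_id:
        reason = "one-to-one, parent technique renumbered"
    return Remap(detection.name, detection.old_id, new_id, "auto", reason)


def remap_all(detections: List[Detection]) -> Tuple[List[Remap], List[Remap]]:
    """Split detections into an automatic batch and a review queue."""
    results = [remap(d) for d in detections]
    auto = [r for r in results if r.status == "auto"]
    review = [r for r in results if r.status == "review"]
    return auto, review


# Constructed sample inventory of detections tagged with legacy IDs.
SAMPLE = [
    Detection("LSASS read via procdump", "T1003"),
    Detection("Run key persistence", "T1060"),
    Detection("Port-knock sequence on firewall", "T1205"),
    Detection("Fake svchost.exe in user temp", "T1036"),
    Detection("Unknown legacy tag", "T9999"),
]
```

Running `remap_all(SAMPLE)` yields two automatic remaps and three items for the review queue, which is the point at which a style guide keeps different reviewers consistent.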

Another problem is the shortage of ATT&CK classifications of real threats that can be used to train threat analysts. Temple University's effort solves some of those issues. The university's work required real data on ATT&CK classification of social engineering attacks, so the two researchers created data sets from public reports, covering 623 social engineering incidents and 747 critical infrastructure ransomware incidents. Industry and government researchers repeatedly requested to use the data and asked the researchers to map the data sets to MITRE's ATT&CK, Temple's Rege said.

The effort underscored that the ATT&CK framework still needs more work to classify threats: Only 56% of ransomware strains mapped onto known threats classified by the ATT&CK framework, so major strains of ransomware were not included in the data sets, and less than a quarter of attacks mapped to specific attackers, such as Lazarus and other groups.

The focus on social engineering attacks and the ATT&CK framework underscores that teaching students about cybersecurity is not just about technical solutions, Rege said. 

"We are training computer scientists to really think about," he said. "These are the next-generation workforce of computer scientists who are going to be developers and defenders who think about using these frameworks not just for the technical aspect, but in the human domains."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
