Anatomy of a Cyber Attack
A typical cyber attack follows a sequence of steps, from initial entry to data theft and destruction. One way to understand this is to use a common language, such as the MITRE ATT&CK Framework, which maps an attacker's actions to specific tactics, techniques, and procedures (TTPs).
Here's a breakdown of a common attack scenario mapped to the ATT&CK framework:
A Sample Attack Scenario
Assets:
- Web server (connected to database)
- Email server
- File-sharing system
Attacker ("bad guy") tries to exploit these.
Reconnaissance: The attacker begins by scanning the target's network to identify systems like web servers, email servers, and file shares.
Tactic: Reconnaissance
Technique: Active Scanning
Initial Access: The attacker sends a phishing email to an unsuspecting employee. The email contains a malicious link that tricks the user into entering their credentials on a fake login page.
Tactic: Initial Access
Technique: Phishing and Valid Accounts
Credential Access: The attacker now has the employee's credentials and uses them to access a file-sharing system. They discover an unencrypted file containing a list of passwords.
Tactic: Credential Access
Technique: Unsecured Credentials
Privilege Escalation: The attacker uses a more powerful credential found on the file share to log in to a sensitive database.
Tactic: Privilege Escalation
Technique: Valid Accounts
Collection & Exfiltration: The attacker copies the sensitive data from the database and sends it back to themselves over the network.
Tactic: Collection & Exfiltration
Technique: Data from Removable Media & Exfiltration Over C2 Channel
Impact: The attacker finishes the attack by destroying the data on the organization's server, leaving them "empty-handed."
Tactic: Impact
Technique: Data Destruction
Using the MITRE ATT&CK Framework
The MITRE ATT&CK Framework provides a common language for classifying and understanding cyberattacks. Each tactic (the "why") and technique (the "how") is documented with details on how to detect and mitigate it. This framework allows security professionals to describe complex attacks in a way that everyone in the industry can understand.
While attackers use TTPs (Tactics, Techniques, and Procedures), defenders can counter them with PPT (People, Process, and Technology). By using this framework, security teams can better understand the threat and develop a more effective defense.
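To make the scenario above concrete from the defender's side, here is an added example (not part of the original post) that turns the sample attack chain and the framework's detection role into working correlation logic. It ingests a handful of constructed, already-parsed log events, labels each with the ATT&CK tactic and technique the post assigns to that stage (the IDs are the public MITRE ATT&CK identifiers for those named techniques), and raises a chain alert when one source address accumulates findings across several tactics. The event schema, the 100 MiB egress threshold and the credential-file name hints are assumptions for illustration; the Collection stage is deliberately absent because copying rows out of a database would need database audit logs, which this toy event stream does not include.

```python
"""Correlate constructed log events into the ATT&CK stages of the sample scenario."""
from collections import defaultdict

# Tactic/technique pairs for the scenario's stages, using IDs from the
# public MITRE ATT&CK knowledge base for the techniques named in the post.
RECON       = ("TA0043 Reconnaissance",       "T1595 Active Scanning")
INITIAL     = ("TA0001 Initial Access",       "T1078 Valid Accounts")
CRED_ACCESS = ("TA0006 Credential Access",    "T1552 Unsecured Credentials")
PRIV_ESC    = ("TA0004 Privilege Escalation", "T1078 Valid Accounts")
EXFIL       = ("TA0010 Exfiltration",         "T1041 Exfiltration Over C2 Channel")
IMPACT      = ("TA0040 Impact",               "T1485 Data Destruction")

# Hypothetical tuning values, not taken from any real product.
CREDENTIAL_FILE_HINTS = ("password", "passwd", "creds", "secret")
EGRESS_BYTES_THRESHOLD = 100 * 1024 * 1024   # 100 MiB

# Constructed sample events (not real logs), already parsed into dicts.
# Each mirrors one step of the post's scenario, all from one external address.
SAMPLE_EVENTS = [
    {"ts": 1, "src": "203.0.113.7", "user": None,      "kind": "portscan",  "detail": "22,80,443,445"},
    {"ts": 2, "src": "203.0.113.7", "user": "alice",   "kind": "auth_ok",   "detail": "fileshare"},
    {"ts": 3, "src": "203.0.113.7", "user": "alice",   "kind": "file_read", "detail": "shared/passwords.txt"},
    {"ts": 4, "src": "203.0.113.7", "user": "dbadmin", "kind": "auth_ok",   "detail": "database"},
    {"ts": 5, "src": "203.0.113.7", "user": "dbadmin", "kind": "egress",    "detail": "bytes=734003200"},
    {"ts": 6, "src": "203.0.113.7", "user": "dbadmin", "kind": "delete",    "detail": "customers.db"},
]


def _egress_bytes(detail):
    """Parse the 'bytes=N' field of a constructed egress event."""
    return int(detail.split("=", 1)[1])


def classify(events):
    """Return (ts, src, user, tactic, technique) findings sorted by time.

    Scan, large egress and deletion events are labelled on their own.  The
    credential-access and privilege-escalation labels need context from earlier
    events by the same source address (which accounts were used, and whether a
    credential file was read first), which is what makes this correlation
    rather than a simple lookup.
    """
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    findings = []
    for src, evs in by_src.items():
        users_seen = []              # accounts that authenticated from this source
        credential_file_read = False
        for ev in evs:
            kind, user, detail = ev["kind"], ev["user"], ev["detail"]
            hit = None
            if kind == "portscan":
                hit = RECON
            elif kind == "auth_ok" and not users_seen:
                # First successful login from this source: the scenario's
                # initial access with stolen (valid) credentials.
                hit = INITIAL
            elif kind == "auth_ok" and user not in users_seen and credential_file_read:
                # A different account used right after a credential file was
                # read from the same source: the privilege-escalation step.
                hit = PRIV_ESC
            elif kind == "file_read" and any(h in detail.lower() for h in CREDENTIAL_FILE_HINTS):
                credential_file_read = True
                hit = CRED_ACCESS
            elif kind == "egress" and _egress_bytes(detail) >= EGRESS_BYTES_THRESHOLD:
                hit = EXFIL
            elif kind == "delete":
                hit = IMPACT
            if kind == "auth_ok" and user not in users_seen:
                users_seen.append(user)
            if hit:
                findings.append((ev["ts"], src, user, hit[0], hit[1]))
    findings.sort(key=lambda f: f[0])
    return findings


def chain_alert(findings, min_tactics=3):
    """Map each source to its tactics (in order of first appearance) when the
    findings span at least min_tactics distinct tactics; a single scan or a
    single large download does not qualify, a multi-stage chain does."""
    tactics_by_src = defaultdict(list)
    for _, src, _, tactic, _ in findings:
        if tactic not in tactics_by_src[src]:
            tactics_by_src[src].append(tactic)
    return {src: t for src, t in tactics_by_src.items() if len(t) >= min_tactics}


if __name__ == "__main__":
    found = classify(SAMPLE_EVENTS)
    for ts, src, user, tactic, technique in found:
        print(f"t={ts} {src} {user or '-':8} {tactic:28} {technique}")
    print("chain alerts:", chain_alert(found))
```

Run on the constructed events, every stage except Collection lights up in the order the post describes, and the chain alert fires for the single source address; run on only the first two events (a scan and one login), nothing fires, which is the point of requiring several tactics before alerting.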