CyberWire Daily - The current state of MITRE ATT&CK.
Episode Date: July 15, 2024

Rick Howard, the CSO, Chief Analyst, and Senior Fellow at N2K Cyber, discusses the current state of MITRE ATT&CK with CyberWire Hash Table guests Frank Duff, Tidal Cyber's Chief Innovation Officer, ... Amy Robertson, MITRE Threat Intelligence Engineer and ATT&CK Engagement Lead, and Rick Doten, Centene's VP of Information Security.

References:
Amy L. Robertson, 2024. ATT&CK 2024 Roadmap [Essay]. Medium.
Blake E. Strom, Andy Applebaum, Doug P. Miller, Kathryn C. Nickels, Adam G. Pennington, Cody B. Thomas, 2018. MITRE ATT&CK: Design and Philosophy [Historical Paper]. MITRE.
Eric Hutchins, Michael Cloppert, Rohan Amin, 2010. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains [Historical Paper]. Lockheed Martin Corporation.
Nick Selby, 2014. One Year Later: The APT1 Report [Essay]. Dark Reading.
Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Book]. Goodreads.
Rick Howard, 2020. Intrusion kill chains: a first principle of cybersecurity [Podcast]. The CyberWire.
Rick Howard, 2022. Kill chain trifecta: Lockheed Martin, ATT&CK, and Diamond [Podcast]. The CyberWire.
Rick Howard, 2020. cyber threat intelligence (CTI) (noun) [Podcast]. Word Notes: The CyberWire.
Kevin Mandia, 2014. State of the Hack: One Year after the APT1 Report [RSA Conference Presentation]. YouTube.
Sahil Bloom, 2023. The Blind Men & the Elephant [Website]. The Curiosity Chronicle.
Sergio Caltagirone, Andrew Pendergast, and Christopher Betz, 05 July 2011. The Diamond Model of Intrusion Analysis [Historical Paper]. Center for Cyber Threat Intelligence and Threat Research.
Staff, n.d. Home Page [Website]. Tidal Cyber.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hey, everybody. Rick here.
The MITRE ATT&CK wiki is the only open-source collection dedicated to cataloging known nation-state and some crime hacker tactics, techniques, and procedures, TTPs, across the intrusion kill chain. I've been a fan of it for over a decade now. My old intelligence director, Ryan Olson, introduced me to it when we founded the Palo Alto Networks' public-facing intelligence team, Unit 42. It took a while for Ryan to get it through my thick head, the immense potential value of the MITRE intelligence collection to anybody pursuing the intrusion kill chain prevention strategy. But once I got it, it was like inserting the last piece into a very large puzzle. It was a eureka moment for me. I realized that there really is nothing else like it in the world.
The Intrusion Kill Chain Prevention strategy realizes that hacker groups like the Shadow Brokers, Fancy Bear, and the Lazarus Group, etc.,
must successfully execute a chain of offensive actions against their victims in order to accomplish their goal.
Not one thing, a set of things.
Sometimes the InfoSec profession refers to that set of things as offensive attack campaigns.
The strategy makes a couple of assumptions.
First, the hacker group reuses these campaigns against multiple victims.
They don't build it, use it once, throw it away, and then build another one.
That would be wasteful.
Which brings us to the second assumption. Designing, building, and deploying attack campaigns is expensive in terms of the people-process-technology triad. Hacker groups are
reluctant to abandon a good one, which is good news for the good guys. Analysts studying attack
campaigns can loosely categorize subsets of the campaign into stages of malicious activity like
delivery, installation, exploitation, command and control,
lateral movement, etc. With that categorization, analysts can then design and deploy prevention
and detection controls for one or more of the TTPs in that attack stage. When the Fancy Bear
hackers run into one of our blocks, they don't throw the entire campaign out, see assumption one, they pivot. They try to find a way around that one block. Even if they are successful though, you know, they develop some new thing in the exploitation stage, let's say, something that the good guys have never seen before, some new code that we don't have a prevention control for yet, it doesn't guarantee Fancy Bear success because the good guys have deployed other prevention controls in other stages in the attack sequence. Those controls will defeat the adversary.
The more controls you put in place for each stage, the lower the probability of a material cyber event to your organization from the hacker campaign. If the key defensive strategy for your
InfoSec program is the intrusion kill chain prevention strategy,
see my first principles book for a deeper explanation, you have to be using the MITRE ATT&CK framework wiki or something very similar that you either built yourself or you paid for.
Over the years, I became one of its biggest unofficial evangelists, as I was out and about
speaking at conferences and talking to security professionals of all stripes. When I met with
the MITRE people about it, I kept quietly suggesting that they should give me a commission
for my support. I'm still waiting to hear back. MITRE, if you're listening, send checks to the
Rick Howard Bermuda Islands Retirement Fund. But that doesn't mean that I haven't been frustrated
with it too. Although it has had a large impact on the InfoSec professional community already,
and the MITRE people behind it have made huge improvements to it
in a very short amount of time,
the idea of it has so much more unrealized potential.
So here we are in 2024, over 10 years since MITRE released version 1.
I thought it was time to put a stake in the ground
and assess what the current state of the MITRE ATT&CK framework is today.
So, hold on to your butts.
This is going to be fun. My name is Rick Howard, and I'm broadcasting from N2K Cyber's secret Sanctum Sanctorum studios
located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland,
in the good old U.S. of A.
And you're listening to CSO Perspectives,
my podcast about the ideas, strategies, and technologies that senior security
executives wrestle with on a daily basis.
It all began with the Lockheed Martin paper published in 2010.
It caused a shift in the collective cyber professional's thinking away from defending against generic offensive tools like viruses, malware, and exploit code, with no relation to what the adversary was trying to accomplish, towards specifically defeating the adversary's overall goal.
Before the paper, most of us were using a defense-in-depth strategy designed to block
the hacker's generic offensive malicious software. By generic, I mean that we didn't associate the weapon with any adversary
plan. We were just looking to detect and prevent bad things on the network. To counter the
deployment, network defenders would stack one or more blocking tools between the boundary of our
digital environments and our crown jewels, like firewalls, intrusion prevention systems,
and antivirus software. The idea was that if the first tool failed to prevent the deployment of
the offensive weapon, then the second prevention tool in the stack would catch it. If that one
failed, then the third one would be successful. That's what defense in depth means, multiple ways
to prevent bad things from happening. The number of defensive tools you had in the security stack
depended on your internal budget.
The Kill Chain paper's great insight
was that all cyber adversaries,
regardless of their motivation,
have to complete a set of tasks
in order to accomplish their goal.
And their goal, whatever it is,
doesn't really matter in terms of devising
a defensive strategy.
Whether it's crime, espionage, hacktivism, low-level cyber conflict,
or just mischief-making for the fun of it,
every hacking crew has to follow this general model.
Instead of cybersecurity professionals trying, and mostly failing,
to block all of the generic hacking weapons in existence with a defense-in-depth strategy,
we would instead design prevention controls for known adversary campaigns
and install them at every stage of the attack chain.
The brilliance of this model
is that the hacker team has to be 100% successful
in avoiding all of those prevention controls
in order to accomplish their goal.
They can't make one mistake.
The defenders, on the other hand,
only have to be successful once
somewhere along the
attack chain. If we are, we can break the attack sequence. We can kill the attack. That's why the
paper's title says that it's informed by analysis of adversary campaigns and intrusion kill chains.
By doing a post-mortem on victim zero and other subsequent victims, cyber intelligence analysts
can construct the attack sequence in the aftermath
and potentially identify multiple locations
along the chain where we can kill the attack.
That doesn't help victim zero,
but it helps every other potential victim
that Fancy Bear has its sights on.
That's a magnificent and radical insight.
It seems obvious to us now
that we're 10 years past the initial paper publication,
but back then, it was revolutionary. Just a year later, 2011, the Department of Defense published
their paper on the Diamond Model. It provides a structure for how cyber intelligence teams
can analyze attack sequences and provide a standard language for intelligence analysts
to discuss the same campaigns. In the early days of the idea, we were all doing our own thing.
It was exceedingly difficult to communicate what I knew about the Lazarus Group campaign
with somebody else because we were all speaking different languages.
The result was that the Diamond Model became a supporting guidebook
for organizations pursuing the kill chain strategy.
And then, in 2013, MITRE released the first version of the ATT&CK framework.
The team recognized the overall value of the kill chain strategy direction,
but they wanted to convey the actions that individual adversaries make,
how one action relates to another,
how sequences of actions relate to tactical adversary objectives,
and how the actions correlate with data sources,
defenses, configurations, and other countermeasures used for the security of a platform and domain.
Over time, I started calling these three research efforts the Intrusion Kill Chain Trifecta.
When we first started doing this podcast back in 2020, the intrusion kill chain prevention strategy was one of the first topics we covered. In 2022, we covered it again. And of course,
when we published the first principles book back in 2023, I dedicated chapter four to the idea.
In the book and the podcast,
I made the case about why these three research efforts
should be considered collectively and not separately.
They are three significant elements coming together.
One is a strategy document, the Lockheed Martin paper.
One is an operational construct for defensive action, the MITRE framework. And one is a methodology for cyber threat intelligence teams, the Diamond Model.
You don't choose one model over the other. All of these models work in conjunction with each other.
To be clear, though, there wasn't a lot of collaboration between the research groups.
The Lockheed Martin people weren't saying, hey, we're doing the strategic piece, DOD,
you work on the intelligence piece, and MITRE, you build an intelligence wiki. No, different parts of the
infosec profession were all thinking along the same lines, working independently, and coming to
different conclusions. The situation was similar to the old Buddhist parable, where six blind men
examined the same elephant. Each man was convinced that what he experienced was the correct interpretation when really it was only a piece of the whole. Frank Duff is the chief innovation
officer at a startup called Tidal Cyber. Their mission is to make it practical and affordable
for all enterprises to adopt MITRE ATT&CK. And full disclosure here, I advise Tidal Cyber, so
take whatever I say here with a grain of salt. Before Tidal Cyber, though,
Frank spent 20 years working for MITRE and the last 10 years supporting the ATT&CK project.
Here's Frank. It was serendipitous, I guess, is the way of looking at it, right? Coincidental
that a lot of these things happened. Like any good standard, right? You had everybody doing
their own standard, I guess, at the time, right? They're all kind of pushing the same
philosophies. Yeah, a lot of smart people thinking the same kind of things.
And how would they make that happen? Is it kind of how I see it?
Yeah, exactly. Exactly. And I think that there, right, there was this common need, right.
And the community is a close knit community.
So I think a lot of people recognize this common need to create taxonomy,
but I think there is always the challenge
in moving from one to the other, right?
Like your application of the diamond model
is looking at a very specific
how thready is the threat kind of concept, right?
And yes, you're trying to describe it,
but it's trying to solve a slightly different problem.
Or the kill chain was a great way of making it so that people could realize the steps that an adversary would have to take. But then with ATT&CK, it's like, all right, well, those steps don't always happen linearly. I don't think that it's a you-pick-one kind of thing, which I know that you're a strong believer in, right?
I think those things continue to excel at what they were developed to do.
And they're all great pieces of making it so that you communicate,
making it so that you can prioritize and the like.
Amy Robertson has been working at MITRE for the past six years
as a cyber threat intelligence engineer
and the last four years as the ATT&CK engagement lead.
She concurs with Frank.
She says you take the output of the ATT&CK wiki as inputs
to the diamond model and the outputs of the diamond model support the kill chain strategy.
I would view them more as complementary. So I do think that they have different purposes, essentially. So, you know, ATT&CK documents more detailed adversary behaviors. For example, the Diamond Model is more helpful if you're trying to get a better understanding of how to cluster intrusions, potentially how to use it for attribution. But, you know, ATT&CK-mapped techniques are going to be a useful source of input into the Diamond Model as you're using it to analyze adversary capabilities. So I think those are complementary. I do not think that you have to use them separately. You can use them together. I think that that makes a really good pairing. And then similarly, the kill chain, it's set, ATT&CK is at a little bit lower of a definition because, again, we're describing adversary behaviors. We're describing how they're doing things. And so instead of that kind of more linear model, where ATT&CK is unordered, we're trying to reflect how an adversary is moving realistically across a network.
The question then is,
where do most of us get the threat intelligence that will inform us about known attack sequences?
Well, you can develop it yourself
by using the Diamond Model
and reading thousands of security vendor intelligence blogs
about this adversary campaign or that one,
like the latest ESET report
on the Chinese hacker group Mustang Panda
running attack campaigns against the shipping industry in Europe.
And that's our show.
Well, part of it.
There's actually a whole lot more, and it's all pretty great.
So here's the deal.
We need your help so we can keep producing the insights that make you smarter
and keep you a step ahead in the rapidly changing world of cybersecurity.
If you want the full show, head on over to thecyberwire.com slash pro and sign up for an account.
That's thecyberwire, all one word, dot com slash pro.
For less than a dollar a day, you can help us keep the lights and the mics on and the insights flowing.
Plus, you get a whole bunch of other great stuff like ad-free podcasts, exclusive content, newsletters, and personal level-up resources like practice tests.
With N2K Pro, you get to help me and our team put food on the table for our families, and you also get to be smarter and more informed than any of
your friends. I'd say that's a win-win. So head on over to thecyberwire.com slash pro and sign up
today for less than a dollar a day. Now, if that's more than you can muster, that's totally fine.
Shoot an email to pro at n2k.com and we'll figure something out. I would love to see you on N2K Pro.
Here at N2K, we have a wonderful team of talented people
doing insanely great things to make me and the show sound good.
I think it's only appropriate you know who they are.
I'm Liz Stokes. I'm N2K CyberWire's Associate Producer.
I'm Trey Hester, Audio Editor and Sound Engineer.
I'm Elliott Peltzman, Executive Director of Sound and Vision.
I'm Jennifer Eiben, Executive Producer.
I'm Brandon Karf, Executive Editor.
I'm Simone Petrella, the President of N2K.
I'm Peter Kilpe, the CEO and Publisher at N2K.
And I'm Rick Howard. Thanks for your support, everybody. And thanks for listening.