Advancing enterprise threat hunting with the MITRE ATT&CK™ knowledge base

Rene Holt

As the wealth of cybercrime intelligence published by cybersecurity researchers grows every year, there is a parallel risk that it becomes unmanageable for IT administrators who need clear action points to defend their organizations’ networks. Bringing order to this data and connecting the narratives within it is therefore crucial for businesses that want to understand the characteristic movements of the threat groups targeting their vertical. Thanks to the work of MITRE on ATT&CK, that has been possible since 2013.

MITRE ATT&CK is a knowledge base that provides security operations center (SOC) teams with a body of open-source intelligence on the known tactics, techniques and procedures (TTPs) of potential adversaries, enabling them to test their ability to detect potential threats and protect their networks. One of the benefits of this knowledge base is prioritization.

Since a number of different threat groups are likely to be targeting your business or organization, network defenders can focus their efforts on the techniques those groups have in common – killing two birds with one stone. Using the MITRE ATT&CK Enterprise Matrix, a strategy can be built around the highest-priority overlapping techniques, which need to be addressed first.

For example, consider an SOC team that is in charge of securing online election campaigns and/or voting systems. By typing “democratic” – to search for groups who had targeted the Democratic National Committee – in the MITRE ATT&CK search bar, you would see that both The Dukes (APT29) and Sednit (APT28) are suspected culprits of the DNC hack.

Scrolling through the techniques, you would then find that both The Dukes and Sednit have been seen gaining initial access to victims’ computers via spearphishing links. Drilling down to the references listed for this particular technique, you would discover a publication by ESET Research detailing how Sednit sent spearphishing emails containing shortened URLs that pointed to a zip file for download, laced with the first stage of Sednit’s favorite backdoor, Zebrocy.

Detecting and blocking such emails, or the malware they introduce, on an endpoint is obviously critical for protecting the computer systems of election campaign teams and, given that many types of malware can move laterally, their entire networks as well. As a matter of course, ESET’s publications contain IoCs, in this case for the zip file distribution URL, the C&C server and malware hashes – all excellent starting points for a scan of your network. To get a better handle on the entire infiltration chain that begins with the download of Zebrocy, a threat intelligence analyst could refer to the MITRE ATT&CK table in our publication, which lists the specific procedures the Sednit group used for initial access, execution, persistence, exfiltration and the other tactics seen in the attacks.

Perhaps the most important aspect of reading through a malware research publication, however, is for the threat analysts to understand Zebrocy’s behavior and procedures in greater detail. Advanced threat actors such as the Sednit group can quickly change IP addresses, domain names and other components, but not behavior. In other words, understanding the behavior of a piece of malware and writing a detection for that behavior better ensures that a threat actor won’t get in without at least getting noticed.

Not all detections are equally effective. Don’t assume that writing a single simple detection covers an attack vector sufficiently – that is a common mistake. MITRE recommends grading your detections on a scale of 1 to 5, based on rigorous testing with purple teaming, to ascertain how effectively they work for your network and where they need to be improved.
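The prioritization described above, combined with the 1-to-5 detection grading, as an added example that is not part of the original post: technique IDs are real ATT&CK identifiers, but the group-to-technique mapping (apart from both Sednit and The Dukes using spearphishing links), the third group and the detection grades are constructed for illustration, and the ranking rule (most groups first, weakest detection second) is an assumption, not MITRE's.

```python
"""Rank ATT&CK techniques by how many relevant threat groups use them,
then by how weak the current detection for each technique is."""
from collections import defaultdict

# Constructed, illustrative mapping (not the live ATT&CK data set).
# Only the shared use of T1566.002 (Spearphishing Link) comes from the post.
GROUP_TECHNIQUES = {
    "Sednit (APT28)": {"T1566.002", "T1027.002", "T1542.003", "T1059.001", "T1071.001"},
    "The Dukes (APT29)": {"T1566.002", "T1566.001", "T1059.001", "T1071.001", "T1547.001"},
    "Hypothetical group C": {"T1566.002", "T1027.001", "T1547.010"},
}

# Constructed grades on the 1-5 scale the post cites; 0 means no detection exists yet.
DETECTION_GRADE = {"T1566.002": 2, "T1059.001": 4, "T1071.001": 1}


def technique_overlap(group_techniques):
    """Map each technique ID to the sorted list of groups observed using it."""
    users = defaultdict(list)
    for group, techniques in group_techniques.items():
        for tid in techniques:
            users[tid].append(group)
    return {tid: sorted(groups) for tid, groups in users.items()}


def prioritize(group_techniques, detection_grade):
    """Return (technique_id, group_count, grade) tuples, highest priority first.

    Assumed ranking rule: techniques shared by more groups come first;
    among those, weaker (lower) detection grades come first; ties by ID.
    """
    overlap = technique_overlap(group_techniques)
    rows = [(tid, len(groups), detection_grade.get(tid, 0))
            for tid, groups in overlap.items()]
    rows.sort(key=lambda r: (-r[1], r[2], r[0]))
    return rows


if __name__ == "__main__":
    for tid, count, grade in prioritize(GROUP_TECHNIQUES, DETECTION_GRADE):
        print(f"{tid:<10} groups={count} detection_grade={grade}")
```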

Taking advantage of the detections already written by ESET’s malware research team is a very effective and simple way to bolster your SOC team’s capabilities right off the bat. Via ESET Enterprise Inspector (EEI), ESET’s endpoint detection and response solution, network defenders receive over 300 built-in, configurable detection rules designed to automatically trigger alarms in its dashboard.

For more than 30 years, ESET researchers have been analyzing the latest threats and writing detections for them. Thus, grounded in a deep knowledge of adversary behaviors, EEI’s rulesets represent very carefully crafted algorithms that pinpoint anomalies giving away an adversary’s presence.

This is especially significant for keeping on top of never-before-seen malware such as LoJax, the first UEFI rootkit found in the wild (used by Sednit), and DePriMon, the first publicly described example of malware using the Port Monitors technique.

A formidable lineup of ESET researchers has been continuously contributing to the MITRE ATT&CK knowledge base and revealing previously unknown techniques and procedures of threat groups.

MITRE ATT&CK has acknowledged the contributions of ESET researchers, including the discovery of new techniques used by APT32 via a macOS backdoor; the discovery of Ebury, a Linux backdoor capable of stealing OpenSSH credentials; and the discovery of a new version of Machete’s Python-based toolset mainly targeting Venezuela.

Other contributions to MITRE ATT&CK techniques and software can be found in the following links: software packing used by FinFisher, access notifications on Android OS, binary padding, Turla’s Epic backdoor, and taint shared content.

To learn more about how ESET employs ATT&CK for improved endpoint protection, request a recording of our joint webinar with MITRE ATT&CK here.