Joshua Platz is a senior consultant in Optiv’s advisory services practice on the attack and penetration team. Joshua’s role is to provide internal and external network penetration testing to determine vulnerabilities and weaknesses in client networks and environments. He specializes in PCI DSS, wireless, social engineering, password cracking, as well as post-exploitation of customer networks.
Intro to Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™ Series)
Attack and Penetration consultants strive to stay current on the latest trends, both from an offensive security perspective and from a defensive mitigation and remediation perspective. You may have missed our previous blog series, Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker, in which we reviewed the updated Center for Internet Security (CIS) Critical Security Controls from the perspective of offensive security professionals, with the intention of educating organizations about the controls that exist. This new series is likewise focused on the risk posed by attacks that leverage vulnerabilities which could have been mitigated by implementing a control.
What is ATT&CK
In this new series we will review the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) knowledge base, maintained by MITRE's National Cybersecurity Federally Funded Research and Development Center (FFRDC). ATT&CK ties together several kinds of offensive security data: tactics (the adversary's goal), techniques (how that goal is achieved), the software used, and the Advanced Persistent Threat (APT) groups that have been observed using them. Much of the framework grew out of a MITRE project led by Blake Strom called FMX (Fort Meade eXperiment), in which Blake and other security professionals attacked a live production network while emulating the tactics and techniques of real adversary groups. By collecting and analyzing the sensor data generated on that network, the team was able to construct a large part of the ATT&CK framework, which both offensive and defensive security professionals can use to map potential adversary tactics and techniques.
The ATT&CK Navigator
By far the best way to explore the entirety of the ATT&CK project is the ATT&CK Navigator. The Navigator lets users filter the matrix, drill into individual techniques, annotate and score cells to build potential attack chains, and see techniques that appear under more than one tactic. This is particularly helpful for defensive security professionals building incident response scenarios: a team can play out how an attack might unfold by chaining several techniques together into an attack chain. From an offensive security perspective, it lets teams look ahead and brainstorm ways to demonstrate impact and risk within their penetration tests.
Purpose of the Series
The purpose of this series is to draw on Optiv Attack and Pen's experience performing adversarial threat assessments and analyze the techniques under each tactic, in an attempt to bring attention to the methods we most commonly employ as offensive security professionals. At the time of writing there are 219 techniques across ATT&CK's 11 tactics; that is an enormous amount of information to consume, and even more to build mitigations around. We hope security teams will benefit from this series' coverage of common attack techniques, but we encourage those teams not to stop there: continue to enhance your security by drilling into the ATT&CK matrix and developing as many mitigations as possible.
Now that we have defined what ATT&CK is, our next post will cover the Initial Access tactic and examine the following techniques that attackers use to gain a foothold in your environment:
- T1190 – Exploit Public-Facing Application
- T1192/T1193 – Spearphishing Link / Spearphishing Attachment
- T1199 – Trusted Relationship
- T1078 – Valid Accounts
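As an added example (not code from the original post, Optiv, or MITRE), the following Python script turns the Initial Access techniques listed above into an ATT&CK Navigator layer file, the same kind of scored, annotated attack chain the Navigator section describes, so it can be loaded into the Navigator and shared with a blue team. The layer field names follow the Navigator's layer-file format as I know it; the layer version string, the `initial-access` tactic slug, and the scores and comments are assumptions constructed for this example and should be checked against a layer exported from the Navigator build you actually use.

```python
import json
import re

# Constructed for this example: the Initial Access techniques named in the post,
# each with a score (how often we see it on engagements) and an analyst comment.
# The scores and comments are illustrative, not Optiv data.
INITIAL_ACCESS_CHAIN = [
    ("T1190", 3, "Unpatched public-facing web application"),
    ("T1192", 2, "Spearphishing link to a credential-harvesting page"),
    ("T1193", 2, "Spearphishing attachment with an embedded macro"),
    ("T1199", 1, "Trusted third-party / vendor network access"),
    ("T1078", 3, "Valid accounts from credential reuse or password spraying"),
]

# ATT&CK technique IDs look like T1190 or, for sub-techniques, T1190.001.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def is_valid_technique_id(technique_id):
    """True if the ID has the Txxxx or Txxxx.yyy shape ATT&CK uses."""
    return bool(TECHNIQUE_ID.match(technique_id))


def build_layer(name, tactic, chain, domain="enterprise-attack",
                layer_version="4.4", description=""):
    """Build a Navigator layer (as a dict) that highlights one attack chain.

    Field names follow the Navigator layer-file format. The layer_version
    default is an assumption: copy the 'versions' block from a layer exported
    by your own Navigator instance if it rejects this one.
    """
    techniques = []
    for technique_id, score, comment in chain:
        # Refuse to emit a layer the Navigator would silently ignore cells of.
        if not is_valid_technique_id(technique_id):
            raise ValueError(f"not an ATT&CK technique ID: {technique_id!r}")
        techniques.append({
            "techniqueID": technique_id,
            "tactic": tactic,          # Navigator tactic slug, e.g. initial-access
            "score": score,
            "comment": comment,
            "enabled": True,
        })
    return {
        "name": name,
        "versions": {"layer": layer_version},
        "domain": domain,
        "description": description,
        "techniques": techniques,
        # Map score to a color: score 0 stays white, the max score is solid red.
        "gradient": {
            "colors": ["#ffffff", "#ff6666"],
            "minValue": 0,
            "maxValue": max((s for _, s, _ in chain), default=1),
        },
        "showTacticRowBackground": True,
    }


def techniques_in_layer(layer):
    """Sorted, de-duplicated technique IDs a layer highlights."""
    return sorted({t["techniqueID"] for t in layer["techniques"]})


def layer_to_json(layer):
    """Serialize a layer for the Navigator's 'Open Existing Layer' upload."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    layer = build_layer("Initial Access - common techniques", "initial-access",
                        INITIAL_ACCESS_CHAIN,
                        description="Techniques covered in the next post")
    with open("initial_access_layer.json", "w") as fh:
        fh.write(layer_to_json(layer))
    print("wrote", len(layer["techniques"]), "techniques:",
          ", ".join(techniques_in_layer(layer)))
```

Run the script, then open the resulting `initial_access_layer.json` in the Navigator via "Open Existing Layer"; the five cells light up in the Initial Access column, shaded by score, with the comment visible on hover. Changing the `tactic` slug or adding tuples for later tactics is how you extend the same layer into a full attack chain.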