The MITRE ATT&CK framework is a comprehensive matrix of tactics and techniques used by threat actors to compromise and exploit systems. Here, we’ll delve into five key MITRE tactics that are commonly observed in cyber attacks, exploring what they entail and how they can be mitigated.
1. Reconnaissance
Definition: Reconnaissance involves gathering information about a target system or network, often to identify vulnerabilities that can be exploited. This tactic is the first step in the attack lifecycle, where attackers attempt to gather as much information as possible about the target.
Techniques: Common techniques under reconnaissance include Open Source Intelligence (OSINT) gathering, where attackers use publicly available information to understand the target’s infrastructure, and network reconnaissance, which involves scanning the network for open ports and services to identify potential entry points.
Mitigation: To mitigate reconnaissance, organizations should limit the amount of sensitive information exposed publicly, implement robust network segmentation to limit the visibility of internal infrastructure, and utilize intrusion detection systems (IDS) to identify and alert on suspicious network scanning activities.
2. Execution
Definition: Execution refers to the tactic of running malicious code or commands on a target system. This can be achieved through various means, such as exploiting vulnerabilities, using social engineering tactics to trick users into executing malware, or leveraging legitimate system administration tools for malicious purposes.
Techniques: Techniques under execution include spearphishing attachment, where a victim is tricked into opening a malicious attachment, and exploiting public-facing applications by leveraging known vulnerabilities in web applications.
Mitigation: Preventing execution requires a multi-layered approach, including keeping software up to date with the latest security patches, implementing anti-virus solutions that can detect and prevent execution of known malware, and educating users about the risks of spearphishing and other social engineering tactics. Employing application whitelisting can also restrict what applications can run on a system, preventing unauthorized execution.
3. Defense Evasion
Definition: Defense evasion involves tactics that attackers use to evade detection by security controls. This can include techniques like code obfuscation, where malware is made difficult to understand and analyze, or using legitimate system tools to blend in with normal system activity.
Techniques: Common techniques under defense evasion include obfuscated files or information, where code or data is obscured to avoid detection, and masquerading, where malicious files or activity are made to appear as though they are legitimate system files or processes.
Mitigation: Mitigating defense evasion requires advanced security monitoring capabilities that can detect anomalous behavior, even when malware attempts to blend in or evade detection. Utilizing endpoint detection and response (EDR) solutions can provide real-time monitoring and analysis of endpoint activity, helping to detect and respond to evasive tactics.
4. Credential Access
Definition: Credential access tactics are used by attackers to obtain credentials that can be used to gain unauthorized access to systems or data. This can be achieved through various means, such as guessing or cracking passwords, exploiting vulnerabilities in password management systems, or capturing credentials through keyloggers or other forms of input capture.
Techniques: Techniques under credential access include brute force, where attackers attempt to guess passwords through repeated login attempts, and credential dumping, where attackers exploit vulnerabilities to extract credentials from system memory or storage.
Mitigation: Protecting against credential access requires enforcing strong password policies, including the use of multi-factor authentication (MFA) to add a layer of security beyond just passwords. Regularly auditing and monitoring for unusual login activity can also help detect and respond to credential access attempts.
5. Lateral Movement
Definition: Lateral movement involves tactics used by attackers to move through a network after gaining initial access, often in pursuit of high-value targets such as sensitive data or critical system controls.
Techniques: Techniques under lateral movement include remote service session hijacking, where attackers steal or take control of existing remote desktop sessions, and exploiting remote services, where vulnerabilities in services like RDP are leveraged to gain unauthorized access.
Mitigation: Mitigating lateral movement requires a focus on network segmentation, where access to different parts of the network is restricted based on the principle of least privilege, limiting how far an attacker can move laterally if they do gain access. Implementing strong authentication mechanisms for remote services and regularly monitoring network activity for signs of unusual movement can also help detect and prevent lateral movement attempts.
Understanding these and other MITRE tactics and techniques provides a powerful framework for defenders to anticipate, detect, and respond to cyber threats. By recognizing the patterns and methods used by attackers, organizations can strengthen their defenses and improve their resilience against cyber attacks.
