What MITRE ATT&CK tells us about prioritizing mitigations

An interesting conversation came up last week in my LinkedIn feed. It went something like “why do defenders use a framework like MITRE ATT&CK when attackers don’t?” The reality of this is that cyber criminals are lazy and only when the easy thing doesn’t work will they find more inventive ways to breach our defenses.

The idea reminded me of some basic analysis that I did on the MITRE ATT&CK framework awhile ago. Specifically, they have releases a set of STIX scripts against their TAXII server to make the underlying data model open to analysis. Now if that didn’t make sense, no worries, let’s walk through the results. However, if that is as exciting to you as it was to me, check out their GitHub page.

My first question was, what are the most preferred techniques. The top 10 were:

  1. Spearfishing Attachment
  2. Malicious File
  3. Obfuscated Files or Information
  4. PowerShell
  5. Windows Command Shell
  6. Ingress Tool Transfer
  7. Registry Run Keys / Startup Folder
  8. Web Protocols
  9. File Deletion
  10. Scheduled Tasks

The high level look, the question was how many mitigations were listed per technique? The top 10 were:

  1. Privileged Account Management
  2. Pre-compromise
  3. User Account Management
  4. Audit
  5. Network Intrusion Prevention
  6. Restrict File and Directory Permissions
  7. Execution Prevention
  8. Disable or Remove Feature or Program
  9. Password Policies
  10. Filter Network Traffic

So this caused a question in my mind. What are the most prominent types of techniques out there. The top 10 were:

  1. Ingress Tool Transfer
  2. System Information Discovery
  3. Web Protocols
  4. Windows Command Shell
  5. Obfuscated Files or Information
  6. File and Directory Discovery
  7. Process Discovery
  8. File Deletion
  9. Registry Run Keys / Startup Folder
  10. System Network Configuration Discovery

So these are easy descriptive statistics. But where this became useful for me is when I started looking at my defenses. My question to my own team and the one that I think you should start with when talking with your team is, “can we detect and deter these types of attacks, and how?”

In my case, the customer I was working with had some manual abilities to do this, but had experienced fairly systemic attacks on some of these fronts. This lead me to two different discussions.

  1. Are we doing enough to deter / prevent these types of attacks?
  2. Are we automating our response to these attacks sufficiently?

This lead the team to a more fundamental understanding that before we augment our tool selection we needed to focus on some basics.

As a practitioner, how many times have we focused on tools that promise quick hits in securing our environment when we leave the front door open?

What are the fundamentals for your environment that make your risk mitigation strategy pragmatic, effective and efficient without compromising your user functionality?

For those wanting to look at the analysis, I cannot suggest highly enough the MITRE ATT&CK GitHub page as it has the most recent data on it. But if you want a quick look at my analysis, here is the excel file.

Leave a Reply