A practical approach to integrating MITRE’s ATT&CK and D3FEND

Diego Samuel Espitia    16 February, 2022

Businesses have become aware of the need to have mechanisms in place to protect their information, and of how important it is to understand their own weaknesses in order to improve their resilience in the event of a cyber incident. Although many managers still see security as a set of elements designed to protect and to minimise the possibility of an attack, that is no longer the whole picture. Cybersecurity is an ongoing process that requires understanding the adversaries and the risks in the environment.

MITRE’s ATT&CK, which we have discussed on previous occasions in this blog, was born with this philosophy in 2013. It seeks to compile in a matrix the tactics, techniques and procedures used by attackers in real actions against enterprise, mobile and industrial environments, and its evolution has led to a companion matrix of defensive capabilities and countermeasures, called D3FEND.

MITRE states that “cyber threat intelligence is about knowing what adversaries are doing and then using that information to improve decision making”, so regardless of the size of the cybersecurity team, this tool is vital in the process of ensuring information security. With it, it is possible to associate techniques with the main criminal groups, review iconic incidents in different industries, identify which adversaries a sector has in common, learn which software is used in each phase of an attack, and much more.

Companies that are just starting out and have few resources in this area can begin by understanding the usual behaviour of the adversaries in their industry, and then use that data to validate whether the defences they have implemented detect and mitigate the actions of those groups. To understand how this analysis is done, let’s take the example of a logistics company, a sector that has recently been the victim of several ransomware attacks around the world.

1. Find your sector. Determine the industry sector that the business is focused on. For this purpose, the website provides a search box at the top of the page. For the example we will enter “logistics”.

Figure 1: Search result in https://attack.mitre.org/groups/

For the analysis we will take the Cuba ransomware, highlighted in the illustration. It is one of the most widely used against medium-sized companies in Latin America.

2. Adversary information. Once the software or group to be analysed is selected, you gain access to the information the system holds about it, such as basic data on the platforms it targets, when it was first detected, who detected it and the industries of its victims.

Figure 2: Adversary information

3. Know the techniques. The same adversary page shows the techniques that have been observed in attacks where this malware was used, as a list enumerating the techniques and sub-techniques employed.

Figure 3: Techniques used by Cuba in an attack.

From the same page, the “Navigator Layers” link lets you view within the matrix which tactics, and which techniques under each tactic, are involved.

Figure 4: Visualisation of tactics and techniques used by Cuba.

In this case, it can be seen that the techniques the adversary uses to initiate the attack are unknown or not reflected in the phase the matrix calls pre-attack. This usually indicates that the techniques used are too varied to single out a specific one.
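Steps 1 to 3 can also be done programmatically against the same data the website is built from: ATT&CK publishes its content as a STIX 2.1 bundle (the mitre-attack/attack-stix-data repository), where software and groups are `malware`/`tool`/`intrusion-set` objects, techniques are `attack-pattern` objects, and a `relationship` of type `uses` links the two. The script below is an added example, not code from the blog or from MITRE. It runs offline on a small constructed bundle that mirrors that layout (placeholder ids, one-line detection texts written for the example; whether the real Cuba entry lists exactly these techniques is not asserted), lists the techniques linked to a named piece of software with their tactics, and reports which tactics have no observed technique, which is exactly the gap in the initial-access phase noted above. It also skips objects ATT&CK marks as `revoked` or `x_mitre_deprecated`, which remain in the bundle and would otherwise pollute the result.

```python
import json
from collections import OrderedDict

# Enterprise tactics in matrix order (the kill_chain_phases phase_name values).
ENTERPRISE_TACTICS = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]

# Constructed sample bundle (assumption): same object shapes as ATT&CK's STIX data,
# but with placeholder UUIDs and detection texts written for this example.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-0000-0000-000000000000",
    "objects": [
        {"type": "malware", "id": "malware--00000000-0000-0000-0000-0000000000a1",
         "name": "Cuba", "x_mitre_platforms": ["Windows"]},
        {"type": "malware", "id": "malware--00000000-0000-0000-0000-0000000000a2",
         "name": "OtherFamily", "x_mitre_platforms": ["Windows"]},
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-0000-0000-0000000000b1",
         "name": "Windows Command Shell",
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.003",
                                  "url": "https://attack.mitre.org/techniques/T1059/003"}],
         "x_mitre_detection": "Constructed text: monitor process creation for cmd.exe and its arguments."},
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-0000-0000-0000000000b2",
         "name": "System Information Discovery",
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "discovery"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1082"}],
         "x_mitre_detection": "Constructed text: monitor for system enumeration commands."},
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-0000-0000-0000000000b3",
         "name": "Data Encrypted for Impact",
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "impact"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1486"}],
         "x_mitre_detection": "Constructed text: monitor for mass file modification."},
        # A revoked technique under initial-access: ATT&CK keeps such objects in the
        # bundle, so an analysis that does not filter them would report false coverage.
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-0000-0000-0000000000b4",
         "name": "Placeholder Revoked Technique", "revoked": True,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "TXXXX-PLACEHOLDER"}]},
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-0000-0000-0000000000b5",
         "name": "Phishing",
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
        {"type": "relationship", "id": "relationship--00000000-0000-0000-0000-0000000000c1",
         "relationship_type": "uses", "source_ref": "malware--00000000-0000-0000-0000-0000000000a1",
         "target_ref": "attack-pattern--00000000-0000-0000-0000-0000000000b1"},
        {"type": "relationship", "id": "relationship--00000000-0000-0000-0000-0000000000c2",
         "relationship_type": "uses", "source_ref": "malware--00000000-0000-0000-0000-0000000000a1",
         "target_ref": "attack-pattern--00000000-0000-0000-0000-0000000000b2"},
        {"type": "relationship", "id": "relationship--00000000-0000-0000-0000-0000000000c3",
         "relationship_type": "uses", "source_ref": "malware--00000000-0000-0000-0000-0000000000a1",
         "target_ref": "attack-pattern--00000000-0000-0000-0000-0000000000b3"},
        {"type": "relationship", "id": "relationship--00000000-0000-0000-0000-0000000000c4",
         "relationship_type": "uses", "source_ref": "malware--00000000-0000-0000-0000-0000000000a1",
         "target_ref": "attack-pattern--00000000-0000-0000-0000-0000000000b4"},
        {"type": "relationship", "id": "relationship--00000000-0000-0000-0000-0000000000c5",
         "relationship_type": "uses", "source_ref": "malware--00000000-0000-0000-0000-0000000000a2",
         "target_ref": "attack-pattern--00000000-0000-0000-0000-0000000000b5"},
    ],
}


def load_bundle(path):
    """Load a real bundle, e.g. enterprise-attack.json from attack-stix-data."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def attack_id(obj):
    """Return the ATT&CK id (e.g. T1059.003) carried in external_references, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
            return ref["external_id"]
    return None


def is_active(obj):
    """ATT&CK leaves revoked and deprecated objects in the bundle; skip them."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def techniques_used_by(bundle, actor_name):
    """Techniques linked to a software or group by 'uses' relationships, sorted by id."""
    objects = {o["id"]: o for o in bundle["objects"]}
    actor_ids = {o["id"] for o in bundle["objects"]
                 if o["type"] in ("malware", "tool", "intrusion-set")
                 and o.get("name") == actor_name and is_active(o)}
    found = {}
    for rel in bundle["objects"]:
        if rel["type"] != "relationship" or rel.get("relationship_type") != "uses":
            continue
        if rel["source_ref"] not in actor_ids:
            continue
        tech = objects.get(rel["target_ref"])
        if not tech or tech["type"] != "attack-pattern" or not is_active(tech):
            continue
        tid = attack_id(tech)
        found[tid] = {
            "id": tid,
            "name": tech["name"],
            "tactics": [p["phase_name"] for p in tech.get("kill_chain_phases", [])
                        if p.get("kill_chain_name") == "mitre-attack"],
            "detection": tech.get("x_mitre_detection", ""),
        }
    return [found[k] for k in sorted(found)]


def tactic_coverage(techniques):
    """Map every enterprise tactic, in matrix order, to the technique ids seen under it."""
    coverage = OrderedDict((t, []) for t in ENTERPRISE_TACTICS)
    for tech in techniques:
        for tactic in tech["tactics"]:
            coverage.setdefault(tactic, []).append(tech["id"])
    return coverage


def tactics_without_techniques(techniques):
    """Tactics for which the adversary has no observed technique (the pre-attack gap)."""
    return [t for t, ids in tactic_coverage(techniques).items() if not ids]


if __name__ == "__main__":
    techs = techniques_used_by(SAMPLE_BUNDLE, "Cuba")
    for t in techs:
        print(f"{t['id']:<10} {t['name']:<30} {', '.join(t['tactics'])}")
    print("tactics with no observed technique:", ", ".join(tactics_without_techniques(techs)))
```

To run it against the real data, replace `SAMPLE_BUNDLE` with `load_bundle("enterprise-attack.json")`; the functions only rely on the standard STIX fields (`type`, `id`, `relationship_type`, `source_ref`, `target_ref`, `kill_chain_phases`, `external_references`) plus ATT&CK's `x_mitre_detection`, `revoked` and `x_mitre_deprecated`.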

4. Know the defences. Each technique has a section listing the possible forms of detection that should be implemented to mitigate that action. For the example we will look at a sub-technique under the execution tactic, which is usually the first step that incident response investigators detect in ransomware attacks.

Figure 5: Technique to be analysed, because it shows us a command.

Adversaries use the Windows command console to execute programs inside the victim machine. In the specific case of Cuba, the cmd.exe /c command has been detected in several of the activities analysed.

By opening the technique’s page, we get the basic data collected on how it has been used, some of the procedures in which it has been detected, possible mitigations and ways of detecting its execution. For our example we will go straight to that information and to the possible ways of detecting it.

Figure 6: T1059.003 Technique data
Figure 7: Detection recommendations for T1059.003

With this information, the cybersecurity team can decide how to act to prevent an incident in which this software is used against their industry sector.
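The detection recommendations for T1059.003 come down to monitoring process creation and command-line arguments. As an added example, not code from the blog or from MITRE, the script below applies that to a handful of constructed process-creation events in the shape of Sysmon Event ID 1 fields (`Image`, `CommandLine`, `ParentImage`, `User`, `UtcTime`; the field names and the sample values are assumptions for the example). It flags only cmd.exe launches that carry `/c`, the form the article says was observed for Cuba, while leaving an interactive cmd.exe alone, extracts the command handed to `/c` so an analyst sees what was run, and marks launches whose parent is a script or Office host (a constructed list, also an assumption) for triage priority.

```python
import re

TECHNIQUE = "T1059.003"  # Command and Scripting Interpreter: Windows Command Shell

# Constructed triage hint (assumption): parents from which a cmd.exe /c launch is
# unlikely to be a human typing at a console, so analysts look at these first.
SCRIPT_OR_OFFICE_PARENTS = {
    "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
    "winword.exe", "excel.exe", "outlook.exe",
}

# Matches a cmd.exe invocation (quoted or bare path) that carries /c, skipping any
# switches placed before it (e.g. "cmd.exe /q /c ..."), and captures the payload.
CMD_C = re.compile(
    r'^\s*(?:"[^"]*cmd(?:\.exe)?"|\S*cmd(?:\.exe)?)\s+'  # cmd.exe, quoted or bare
    r'(?:/[^cC\s]\S*\s+)*'                               # leading switches other than /c
    r'/c\s*(?P<payload>.*)$',
    re.IGNORECASE,
)

# Constructed sample events (assumption): Sysmon Event ID 1 style fields.
SAMPLE_EVENTS = [
    {"UtcTime": "2022-02-16 09:12:01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c whoami /all',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"UtcTime": "2022-02-16 09:12:05", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /q /c net use",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"UtcTime": "2022-02-16 09:30:44", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe",                       # interactive shell, no /c
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"UtcTime": "2022-02-16 09:31:10", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\bob\notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_cmd_c(events):
    """Return one finding per cmd.exe /c launch, tagged with the ATT&CK sub-technique."""
    findings = []
    for ev in events:
        if basename(ev.get("Image", "")) != "cmd.exe":
            continue                                    # not the command shell at all
        match = CMD_C.match(ev.get("CommandLine", ""))
        if not match:
            continue                                    # interactive cmd.exe, no /c
        parent = basename(ev.get("ParentImage", ""))
        findings.append({
            "technique": TECHNIQUE,
            "utc_time": ev.get("UtcTime", ""),
            "user": ev.get("User", ""),
            "parent": parent,
            "payload": match.group("payload").strip(),
            "suspicious_parent": parent in SCRIPT_OR_OFFICE_PARENTS,
        })
    return findings


if __name__ == "__main__":
    for f in detect_cmd_c(SAMPLE_EVENTS):
        flag = "!" if f["suspicious_parent"] else " "
        print(f"{flag} {f['utc_time']} {f['technique']} user={f['user']} "
              f"parent={f['parent']} cmd=\"{f['payload']}\"")
```

In production the events would come from the endpoint telemetry pipeline rather than the inline list, and the `suspicious_parent` flag is a starting point for triage, not a verdict: a legitimate installer or logon script can also spawn `cmd.exe /c`, so the payload and the user context are what an analyst checks next.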

They can even use the technique identifier to search the defence matrix for more information on how to protect themselves. Go to https://d3fend.mitre.org/ and, in the search box labelled ATT&CK lookup, enter the technique, T1059.003 in our example.

Figure 8: Relation with defence matrix.

This shows a map of the applicable defence and detection measures; for our example they are as follows.

Figure 9: Defence map for T1059.003

In short, this tool is invaluable for businesses and cybersecurity teams of every size, providing the information and data needed to make decisions in pursuit of better cyber resilience.
