January 18, 2019 • Mike Passaro
Today, many security teams consume deep threat actor research through paid or freemium “snapshot in time” reports written by security vendors, researchers, or consultants. In this blog, we’ll explain how applying the MITRE ATT&CK framework[1] to Recorded Future data can give your team the ability to do this deep-level analysis on the fly, for any threat actor, across all sources.
MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and for verifying that defenses work as expected.
The value of this workflow is the capability to visualize the tactics, techniques, and procedures a specific threat actor uses, including when, how often, and in what ways the threat actor used them, as well as how they might reuse or alter them in the future and what their intended targets are. These types of conclusions would take human analysts weeks to research, analyze, and report, but in Recorded Future, this is possible in a matter of minutes.
Here, we’ll look at the techniques and methods used within Recorded Future to build a prototype that solves this problem. Although none of this is available “baked in” to the product today, if you’re a Recorded Future customer, you can apply these same techniques and methods to get started with this advanced analysis right away.
MITRE’s full ATT&CK framework is publicly available here. In short, MITRE has analyzed all of the TTPs that advanced threat actors could possibly use in their attacks and separated them into 11 tactics categories. This blog focuses on three of the more prominent ones:
For every tactics category, MITRE has a sub-page that shows details about each individual TTP within that category. To get started, I needed a way to get these individual TTPs into Recorded Future. The three questions I had to address were:
Based on my experience with the product, I knew a list would be the best way to do this.
The first step was to pull out the particular TTPs within each tactics category. Starting with Credential Access, I went through MITRE’s table of individual TTPs. I read each one and as I was doing so, extracted keywords, phrases, filenames, malware, vulnerabilities, commands, API calls, scripts, attack vectors, and so on. These extractions would become the terms for which I would be searching in Recorded Future. Every time I extracted one, I added it to my list in Recorded Future, which I named “MITRE ATT&CK — Credential Access TTPs.”
As I was adding TTPs to my list in Recorded Future, I needed to choose whether I wanted the curated entity or a text match. The curated entity would get me broader results because of all the terms within the entity structure, but I was concerned it might act like a double-edged sword — the results might not have been focused enough. By contrast, using text matches could potentially return higher fidelity results, but those results may be too narrow — now you understand the dilemma!
So what did I choose for each TTP? Essentially, what I did was make the best decision possible by considering the specific TTP, seeing if a curated entity existed, exploring the entity structure for that entity, and considering how a text search would affect the results.
I continued through all of the TTPs within each of the three categories, organizing each one into its own list within Recorded Future. I ended up with these three lists:
Now that I had the lists of extracted TTPs, it was time to try to apply them to Recorded Future’s data. Because the MITRE ATT&CK framework is meant to be applied to threat actors, the most obvious way to do this was to apply the TTP lists to threat actors within Recorded Future, so I quickly built my own list. To do that, I pulled all cyberattacks in the banking or finance industries from the last year.
After running the query, I extracted the entities to a list. This automatically created a list of 33 entities — all threat actors who have been involved in a cyberattack targeting the banking or finance industry within the last year. Here are a few examples of big players that you may have heard of before:
Now, I had four lists created and ready:
Data quality is always the first thing I’m concerned about when writing a query designed to highlight trends, so I wanted to explore the details of the data by focusing on an event stream before producing any visualizations.
I began with the goal of producing a simple stream of events in Recorded Future around Credential Access TTPs and banking or finance. That is, I wanted a query that returned a chronological list of cyber events (attacks, exploits, incidents, and so on) where the targets were companies in the banking or finance industries and the event involved Credential Access TTPs. If the data looked good, then I could focus on visualizations.
Below is the first query I put together that applied my list of TTPs to Recorded Future’s data. It’s a simple application of the Credential Access TTPs with some filters for noise.
The query returned 52 results, which were pretty solid, and all involved ATT&CK Credential Access TTPs in some way. Some recent data from the query included:
These results validated that the items I had added to the TTP list were working and could be applied to Recorded Future’s data. Each of these events involved those TTPs in some way: something like password leaking, stealing credentials, or malware designed to steal online banking credentials. In fact, the one involving the Brazilian bank was particularly impressive to me because the TTP was only used in the final part of the attack.
Now, I wanted to see if I could visualize this in a way that made the data easier to understand while applying my list of threat actors.
For my next step, I decided to visualize the data within Recorded Future’s Timeline View. I also wanted to try another TTP category and utilize my Finance Threat Actors list. I needed to construct a query that compared the Finance Threat Actors list against the MITRE ATT&CK Execution TTPs, and I only wanted to return cyberattacks.
After running the query, I flipped to the Timeline View and configured the timeline by grouping it by “cyberattack attacker” and color-coding it by “cyberattack method.” The resulting visualization showed the exact TTPs from within the ATT&CK Execution TTPs category that each threat actor had used in the past year. I could see where each TTP had been used, by which threat actor, when, and in which attack.
Next, I wanted to check the final tactics category of the TTPs that I had built a list around: Defense Evasion. Once again, I wanted to compare these with my Finance Threat Actors list. I constructed a query, flipped to Timeline View, and configured the visualization.
While this looks impressive at first glance, I knew something was off. There simply weren’t enough data points represented on this timeline with my threat actors. Wondering what could be off, I revisited my list of TTPs, ran a couple of queries, and I came to the realization that the data was probably correct. Other than Inj3ct0r Team, either these threat actors I was looking at just weren’t using that many Defense Evasion TTPs, or if they were, there wasn’t much data available about them. I decided to change my query to test my hypothesis: instead of my specific Finance Threat Actors list, I decided to run the Defense Evasion TTPs against any threat actor.
From this, I learned that my TTPs were valid, but my threat actors in the Finance Threat Actors list weren’t really using many MITRE ATT&CK Defense Evasion TTPs (other than Inj3ct0r Team). However, other threat actors that I didn’t have in that list were. Not only did I discover this new information, but it proved that I could effectively flex these lists of TTPs against any threat actor at any time to identify new or additional threat actors.
Satisfied that all of my TTP lists were valid, I set out to take one final step: comparing how individual threat actors use different tactics categories.
The next logical step was to utilize two of these TTP lists and then compare the activity of my Finance Threat Actors list to the other lists. To do that, I needed to build a more complex, multi-section query in Recorded Future.
In this visualization, it was easy to see each threat actor’s activity over the course of the last year across the two sets of TTPs. By going to the legend and hovering over or clicking on specific threat actors, you can visualize how each specific actor used TTPs from each category, or even compare two or more actors directly within the visualization.
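As an added example of the workflow described above (this is not Recorded Future’s code or query language, and not part of the original post): the entity-versus-text-match choice when building a TTP list, tagging events with those lists, and grouping the result by attacker and method for a chosen target industry or for any threat actor. The entity aliases, actor names, and event records are constructed samples.

```python
import re
from collections import defaultdict

# Stand-in for a curated entity's structure: every name/alias it carries.
# Matching on the entity is broader than matching one literal text phrase.
ENTITY_ALIASES = {
    "Credential Dumping": ["credential dumping", "mimikatz", "lsass"],
    "PowerShell": ["powershell", "powershell.exe", "pwsh"],
}

# One list per ATT&CK tactic. Entry (name, mode): "entity" expands to all
# aliases above; "text" matches only that literal phrase (narrower, higher fidelity).
TTP_LISTS = {
    "Credential Access": [("Credential Dumping", "entity"), ("brute force", "text")],
    "Execution": [("PowerShell", "entity"), ("vbscript", "text")],
}

# Constructed sample events: (date, attacker, target industry, event text).
EVENTS = [
    ("2018-03-02", "ActorA", "banking", "ActorA dumped credentials with Mimikatz at a bank"),
    ("2018-05-10", "ActorB", "retail", "PowerShell loader seen in a retail breach"),
    ("2018-07-21", "ActorA", "finance", "Brute force logins hit a finance portal"),
    ("2018-09-14", "ActorC", "banking", "VBScript dropper launched powershell.exe at a bank"),
]

def terms_for(name, mode):
    """Terms a list entry searches for: all aliases (entity) or the literal phrase (text)."""
    return ENTITY_ALIASES[name] if mode == "entity" else [name]

def match_ttps(text, ttp_lists):
    """Return {tactic: [TTP names]} whose terms occur in text. Whole-word and
    case-insensitive, so the alias 'lsass' does not fire on 'classes'."""
    hits = defaultdict(list)
    for tactic, entries in ttp_lists.items():
        for name, mode in entries:
            pattern = r"\b(?:" + "|".join(re.escape(t) for t in terms_for(name, mode)) + r")\b"
            if re.search(pattern, text, re.IGNORECASE):
                hits[tactic].append(name)
    return dict(hits)

def actor_ttp_matrix(events, ttp_lists, industries=None):
    """Group tagged events as attacker -> tactic -> TTP -> [dates], the shape of a
    timeline grouped by attacker and coloured by method. industries=None runs the
    TTP lists against any actor instead of filtering on the target industry."""
    matrix = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for date, actor, industry, text in events:
        if industries is not None and industry not in industries:
            continue
        for tactic, names in match_ttps(text, ttp_lists).items():
            for name in names:
                matrix[actor][tactic][name].append(date)
    return {a: {t: dict(ttps) for t, ttps in tactics.items()} for a, tactics in matrix.items()}
```

Running `actor_ttp_matrix` with the finance filter shows only the actors on the finance list; dropping the filter surfaces an actor (here the retail-only one) that the list would have hidden, which is the check made in the Defense Evasion step above.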
Applying the MITRE ATT&CK framework to Recorded Future’s data gives our customers access to a powerful, flexible, and expeditious capability with unparalleled insight into the specific TTP activity of threat actors. Moreover, you can pivot on any of this information within Recorded Future to enrich indicators of compromise (IOCs). Tactically, this threat intelligence helps an organization visualize and understand the TTPs of threat actors targeting their industry, allowing them to focus their resources on those TTPs that matter most. Strategically, it helps organizations mature their security program faster by profiling threat actors, monitoring their activities, and even conducting their own research on new or emerging threat actors.
The best part is that this is all completely flexible. The MITRE ATT&CK TTP lists can be applied within Recorded Future for any industry, against any threat actor, and for any company. In my product trainings, I tell customers that Recorded Future helps cybersecurity professionals answer hard questions. With the MITRE ATT&CK Framework and Recorded Future, you can quickly obtain advanced intelligence to answer even harder questions:
To learn more about how Recorded Future can help organizations understand and prevent threats, request a personalized demo.
[1] © 2018 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.