Analyst Workflow: Applying the MITRE ATT&CK Framework to Recorded Future

January 18, 2019 • Mike Passaro

Key Takeaways

  • Traditionally, researching, analyzing, and reporting on the tactics, techniques, and procedures (TTPs) of a threat actor using the MITRE ATT&CK framework would take weeks of an analyst’s time — but Recorded Future can do it in minutes.
  • Because it is so powerful and flexible, this capability has the potential to help advance the security program of all Recorded Future customers.
  • The MITRE ATT&CK TTP lists within Recorded Future can be applied to any industry, threat actor, or company.
  • The data fidelity of Recorded Future is fully on display when aligned with the MITRE ATT&CK framework. Customers can gain detailed insights into patterns of threat actor activity that dynamically update in real time as new data becomes available.

Today, many security teams consume deep threat actor research through paid or freemium “snapshot in time” reports written by security vendors, researchers, or consultants. In this blog, we’ll explain how applying the MITRE ATT&CK framework1 to Recorded Future data can give your team the ability to do this deep-level analysis on the fly, for any threat actor, across all sources.

MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and for verifying that defenses work as expected.

The value of this workflow is the capability to visualize the tactics, techniques, and procedures a specific threat actor uses, including when, how often, and in what ways the threat actor used them, as well as how they might reuse or alter them in the future and what their intended targets are. These types of conclusions would take human analysts weeks to research, analyze, and report, but in Recorded Future, this is possible in a matter of minutes.

Here, we’ll look at the techniques and methods used within Recorded Future to build a prototype that solves this problem. Although none of this is available “baked in” to the product today, if you’re a Recorded Future customer, you can apply these same techniques and methods to get started with this advanced analysis right away.

Methodology

MITRE’s full ATT&CK framework is publicly available here. In short, MITRE has analyzed all of the TTPs that advanced threat actors could possibly use in their attacks and separated them into 11 tactics categories. This blog focuses on three of the more prominent ones:

  1. Credential Access: Techniques resulting in access to or control over systems, domains, or service credentials that are used within an enterprise environment
  2. Execution: Techniques that result in the execution of adversary-controlled code on a local or remote system
  3. Defense Evasion: Techniques an adversary may use to evade detection or avoid other defenses

For every tactics category, MITRE has a sub-page that shows details about each individual TTP within that category. To get started, I needed a way to get these individual TTPs into Recorded Future. The three questions I had to address were:

  1. How?
  2. Which ones?
  3. In what way?

Based on my experience with the product, I knew a list would be the best way to do this.

The first step was to pull out the particular TTPs within each tactics category. Starting with Credential Access, I went through MITRE’s table of individual TTPs. I read each one and as I was doing so, extracted keywords, phrases, filenames, malware, vulnerabilities, commands, API calls, scripts, attack vectors, and so on. These extractions would become the terms for which I would be searching in Recorded Future. Every time I extracted one, I added it to my list in Recorded Future, which I named “MITRE ATT&CK — Credential Access TTPs.”

Recorded Future List

Sample of extracted Credential Access TTPs entered into a list within Recorded Future.

Diving Deeper

As I was adding TTPs to my list in Recorded Future, I needed to choose whether I wanted the curated entity or a text match. The curated entity would get me broader results because of all the terms within the entity structure, but I was concerned it might act like a double-edged sword — the results might not have been focused enough. By contrast, using text matches could potentially return higher fidelity results, but those results may be too narrow — now you understand the dilemma!

So what did I choose for each TTP? Essentially, what I did was make the best decision possible by considering the specific TTP, seeing if a curated entity existed, exploring the entity structure for that entity, and considering how a text search would affect the results.

Recorded Future Search

Text search-based TTPs for Credential Access.

I continued through all of the TTPs within each of the three categories, organizing each one into its own list within Recorded Future. I ended up with these three lists:

  1. Credential Access TTPs: 37 entries
  2. Execution TTPs: 82 entries
  3. Defense Evasion TTPs: 61 entries

Application

Now that I had the lists of extracted TTPs, it was time to try and apply them to Recorded Future’s data. Because the MITRE ATT&CK framework is meant to be applied to threat actors, the most obvious way to do this was to apply the TTP lists to threat actors within Recorded Future, so I quickly built my own list. To do that, I pulled all cyberattacks in the banking or finance industries from the last year.

Recorded Future Query

Query to quickly build a list of threat actors targeting the banking or finance industry, active in the last year.

After running the query, I extracted the entities to a list. This automatically created a list of 33 entities — all threat actors who have been involved in a cyberattack targeting the banking or finance industry within the last year. Here are a few examples of big players that you may have heard of before:

  • Hacking Team
  • Lazarus Group
  • APT28 (Fancy Bear)
  • Carbanak
  • Inj3ct0r Team
  • APT33
  • The Shadow Brokers

Now, I had four lists created and ready:

  1. Finance Threat Actors
  2. Credential Access TTPs
  3. Execution TTPs
  4. Defense Evasion TTPs

Results

Because data quality is always the first thing I’m concerned about when writing a query designed to highlight trends, this made me want to explore the details of the data by focusing on an event stream before producing any visualizations.

Event Stream: MITRE ATT&CK Credential Access TTPs

I began with the goal of producing a simple stream of events in Recorded Future around Credential Access TTPs and banking or finance. That is, I wanted a query that returned a chronological list of cyber events (attacks, exploits, incidents, and so on) where the targets were companies in the banking or finance industries and involved Credential Access TTPs. If the data looked good, then I could focus on visualizations.

Below is the first query I put together that applied my list of TTPs to Recorded Future’s data. It’s a simple application of the Credential Access TTPs with some filters for noise.

Recorded Future Query

Query for a stream of cyberattacks targeting banking or finance that used Credential Access TTPs.

The query returned 52 results, which were pretty solid, and all involved ATT&CK Credential Access TTPs in some way. Some recent data from the query included:

  • Westpac, an Australian bank, suffered a data breach after a manager shared the passwords of 80 customers with a mortgage broker.
  • A cyberattack by Dark Tequila that targeted several major Mexican banks involved a keylogger that was used to steal information from online banking sites.
  • A research dissection of the information-stealing Panda Banker malware explained how it could be used by threat actors to steal financial data from compromised machines.
  • A cyberattack targeted Brazilian bank customers by using a vulnerability in a router that allowed its configuration to be modified without authorization. The hacked router then directed traffic to a fake, hacker-controlled online banking site where usernames and passwords would be stolen.

These results validated that the items I had added to the TTP list were working and could be applied to Recorded Future’s data. Each of these events involved those TTPs in some way: something like password leaking, stealing credentials, or malware designed to steal online banking credentials. In fact, the one involving the Brazilian bank was particularly impressive to me because the TTP was only used in the final part of the attack.

Now, I wanted to see if I could visualize this in a way that made the data easier to understand while applying my list of threat actors.

Visualization: MITRE ATT&CK Execution TTPs

For my next step, I decided to visualize the data within Recorded Future’s Timeline View. I also wanted to try another TTP category and utilize my Finance Threat Actors list. I needed to construct a query that compared the Finance Threat Actors list against the MITRE ATT&CK Execution TTPs, and I only wanted to return cyberattacks.

After running the query, I flipped to the Timeline View and configured the timeline by grouping it by “cyberattack attacker” and color-coding it by “cyberattack method.” I then received a visualization where I was able to show the exact TTPs from within the ATT&CK Execution TTPs category that each threat actor had used in the past year. I could see where each TTP had been used, by which threat actor, when, and in which attack.

Recorded Future Timeline

Visualization of the Execution TTPs utilized by major threat actors targeting the finance and banking industries.

Visualization: MITRE ATT&CK Defense Evasion TTPs

Next, I wanted to check the final tactics category of the TTPs that I had built a list around: Defense Evasion. Once again, I wanted to compare these with my Finance Threat Actors list. I constructed a query, flipped to Timeline View, and configured the visualization.

Recorded Future Timeline

Defense Evasion TTPs utilized by threat actors targeting the finance industry.

While this looks impressive at first glance, I knew something was off. There simply weren’t enough data points represented on this timeline with my threat actors. Wondering what could be off, I revisited my list of TTPs, ran a couple of queries, and I came to the realization that the data was probably correct. Other than Inj3ct0r Team, either these threat actors I was looking at just weren’t using that many Defense Evasion TTPs, or if they were, there wasn’t much data available about them. I decided to change my query to test my hypothesis: instead of my specific Finance Threat Actors list, I decided to run the Defense Evasion TTPs against any threat actor.

Recorded Future Timeline

Threat actors using Defense Evasion TTPs.

From this, I learned that my TTPs were valid, but my threat actors in the Finance Threat Actors list weren’t really using many MITRE ATT&CK Defense Evasion TTPs (other than Inj3ct0r Team). However, other threat actors that I didn’t have in that list were. Not only did I discover this new information, but it proved that I could effectively flex these lists of TTPs against any threat actor at any time to identify new or additional threat actors.

Satisfied that all of my TTP lists were valid, I set out to take one final step: comparing how individual threat actors use different tactics categories.

Visualization: Comparing Threat Actors’ Use of Different Tactics

The next logical step was to utilize two of these TTP lists and then compare the activity of my Finance Threat Actors list to the other lists. To do that, I needed to build a more complex, multi-section query in Recorded Future.

Recorded Future Query

From the Advanced Query dropdown, select “Options,” and then select “Add New Query Section” to create a multi-section query.

Recorded Future Query

Multi-section query to compare two different TTP categories with the Finance Threat Actors list. Make sure to name each section so the timeline displays the name of the tactics category on each timeline.

Recorded Future Query

Run the query, switch to the Timeline visualization, click the gear icon, and then use this configuration to compare two different query sections by attacker.

Recorded Future Timeline

Comparing the activity of threat actors by TTP category.

In this visualization, it was easy to see each threat actor’s activity over the course of the last year across the two sets of TTPs. By going to the legend and hovering over or clicking on specific threat actors, you can visualize how each specific actor used TTPs from each category, or even compare two or more actors directly within the visualization.

Recorded Future Timeline

By hovering over Anonymous, you can see that this group uses a lot of Credential Access TTPs, but few Execution TTPs.

Recorded Future Timeline

In contrast, hovering over APT34 reveals that they utilize many Execution TTPs, but few Credential Access TTPs.

Recorded Future Timeline

Clicking on two threat actors will make them “stick” to the timeline so that you can do a direct comparison. Here, you can see a direct comparison between the TTPs of APT34 versus those of APT28 across the two categories.

Conclusion

Applying the MITRE ATT&CK framework to Recorded Future’s data gives our customers access to a powerful, flexible, and expeditious capability with unparalleled insight into the specific TTP activity of threat actors. Moreover, you can pivot on any of this information within Recorded Future to enrich indicators of compromise (IOCs). Tactically, this threat intelligence helps an organization visualize and understand the TTPs of threat actors targeting their industry, allowing them to focus their resources on those TTPs that matter most. Strategically, it helps organizations mature their security program faster by profiling threat actors, monitoring their activities, and even conducting their own research on new or emerging threat actors.

The best part is that this is all completely flexible. The MITRE ATT&CK TTP lists can be applied within Recorded Future for any industry, against any threat actor, and for any company. In my product trainings, I tell customers that Recorded Future helps cybersecurity professionals answer hard questions. With the MITRE ATT&CK Framework and Recorded Future, you can quickly obtain advanced intelligence to answer even harder questions:

  • Want to know which threat actors are targeting your industry? We can tell you.
  • Want to break down a threat actor’s attacks into MITRE ATT&CK TTP categories? We can do that.
  • Want to see how a threat actor’s TTPs have changed over time across MITRE ATT&CK categories? We can show you.
  • Want the IOCs from attacks by a specific threat actor in a specific MITRE ATT&CK TTP category? We can pull them.
  • Want a visualization that shows management the advanced threat actors that could be targeting your organization and in what ways? We can create it.
  • Want to make sure your team is focused on protecting against the right stuff? We can help make it happen.
  • Want to apply the MITRE ATT&CK framework? You can do it.

To learn more about how Recorded Future can help organizations understand and prevent threats, request a personalized demo.

Mike Passaro

Mike Passaro is a product trainer at Recorded Future.

1© 2018 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.