Demystifying MITRE’s ATT&CK™ to supercharge cyber defenses - Part II

In our first blog post, we explained what MITRE’s ATT&CK™ framework is and how it can assist with cyber security. In this blog post, we will have a closer look at how Cymulate’s BAS platform can utilize the ATT&CK framework to boost the security posture of organizations.

In general, MITRE’s ATT&CK and Cymulate’s BAS platform are closely aligned, which is good news for organizations and bad news for cybercrooks. Cymulate covers all Tactics and Techniques of MITRE’s ATT&CK matrix that an adversary would deploy while attacking an organization, enabling an assessment of that organization’s cyber security. This gives insight into the vulnerabilities and weak spots of the assessed organization. By showing how effective the simulated cyber-attacks are, the targeted organization can boost its preparedness for cyber-attacks before they take place in real life.

Let’s have a closer look at some of the attack methods and strategies that malicious hackers and cyber criminals use, as detailed in the ATT&CK matrix and aligned with Cymulate’s BAS platform’s capabilities:

  1. To gain initial access, attackers use various techniques, such as drive-by attacks, exploiting public-facing applications, and spear phishing with attachments or links.
  2. For execution, the attackers use techniques that result in them controlling malicious code on a local or remote system. This tactic is often used in combination with the initial access strategies mentioned above (to execute the malicious code once access is obtained) and with lateral movement (to expand access to remote systems on a network).
  3. Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures.
  4. Privilege escalation is the result of actions that allow hackers to get a higher level of permissions on a system or network. Once those hackers have access, they can take advantage of a system weakness to obtain, for example, local administrator or SYSTEM/root-level privileges.
  5. Defense evasion consists of techniques that hackers use to avoid detection or defenses during all phases of their attack.
  6. Credential access consists of hackers using system, domain or service credentials to assume the identity of an account, avoid detection and defenses, and create accounts for later use within the environment.
  7. Discovery allows hackers to gain knowledge about the system and internal network. The operating system provides many native tools that help hackers gather information that they can use, for example, to steal sensitive or financial information.
  8. Lateral movement enables a hacker to access and control remote systems on a network, which also allows gathering information without needing, for example, remote access tools.
  9. Collection consists of identifying and gathering, for example, sensitive files from the target network prior to exfiltration.
  10. Exfiltration enables or helps hackers to remove files and information from the compromised network.
  11. Command & control allows hackers to communicate with systems under their control within the compromised network.

To recap, Cymulate is the only BAS platform vendor that provides a comprehensive drill-down of MITRE’s ATT&CK framework. This enables the cybersecurity, IT and red teams of an organization to execute the different methods automatically, followed by a high-level overview of the total risk score based on the results.
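To make the "results grouped by tactic, rolled up into a risk score" idea concrete, here is an added example that is not Cymulate's code and does not reflect how its platform actually scores. It assumes a simulation exports one row per executed technique (technique ID, the tactic it was run under, whether a control blocked it, whether a detection fired); the CSV layout and the outcomes in `SAMPLE_RESULTS` are constructed for the example, while the technique IDs are real ATT&CK IDs chosen to match the eleven tactics listed above. The weighting (prevented = 0, detected only = 0.5, neither = 1) is the example's own choice, not an ATT&CK or vendor convention.

```python
"""Aggregate breach-and-attack-simulation results by ATT&CK tactic.

Added example, not Cymulate code. The tactic for each row comes from the
input itself, so the example needs no ATT&CK data feed. Outcomes below are
constructed and describe no real environment.
"""
import csv
import io

# The eleven tactics in the order the post lists them.
TACTICS = [
    "initial-access", "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery", "lateral-movement",
    "collection", "exfiltration", "command-and-control",
]

# Constructed sample export: technique,tactic,blocked,detected
SAMPLE_RESULTS = """\
technique,tactic,blocked,detected
T1189,initial-access,yes,yes
T1566.001,initial-access,no,yes
T1059.001,execution,no,no
T1547.001,persistence,no,yes
T1548.002,privilege-escalation,no,no
T1027,defense-evasion,yes,no
T1003.001,credential-access,yes,yes
T1082,discovery,no,no
T1021.002,lateral-movement,no,yes
T1005,collection,no,no
T1041,exfiltration,yes,no
T1071.001,command-and-control,no,yes
"""


def parse_results(text):
    """Parse the CSV export into a list of dicts; reject tactics outside the matrix."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        tactic = row["tactic"].strip().lower()
        if tactic not in TACTICS:
            raise ValueError(f"unknown tactic {tactic!r} for {row['technique']}")
        rows.append({
            "technique": row["technique"].strip(),
            "tactic": tactic,
            "blocked": row["blocked"].strip().lower() == "yes",
            "detected": row["detected"].strip().lower() == "yes",
        })
    return rows


def outcome_weight(row):
    """Residual risk of one run: 0 if prevented, 0.5 if only detected, 1 if unhandled."""
    if row["blocked"]:
        return 0.0
    if row["detected"]:
        return 0.5
    return 1.0


def tactic_summary(rows):
    """Per-tactic counts of techniques run, blocked, detected and unhandled."""
    summary = {t: {"total": 0, "blocked": 0, "detected": 0, "unhandled": 0}
               for t in TACTICS}
    for r in rows:
        s = summary[r["tactic"]]
        s["total"] += 1
        s["blocked"] += int(r["blocked"])
        s["detected"] += int(r["detected"])
        s["unhandled"] += int(not r["blocked"] and not r["detected"])
    return summary


def risk_score(rows):
    """0 (everything prevented) to 100 (nothing prevented or detected)."""
    if not rows:
        return 0
    return round(100 * sum(outcome_weight(r) for r in rows) / len(rows))


def gaps(rows):
    """Techniques neither blocked nor detected: the priority list for defenders."""
    return [r["technique"] for r in rows
            if not r["blocked"] and not r["detected"]]


if __name__ == "__main__":
    rows = parse_results(SAMPLE_RESULTS)
    for tactic, s in tactic_summary(rows).items():
        print(f"{tactic:22} {s['total']} run, {s['blocked']} blocked, "
              f"{s['detected']} detected, {s['unhandled']} unhandled")
    print("risk score:", risk_score(rows))
    print("gaps:", ", ".join(gaps(rows)))
```

The per-tactic table is what turns a list of pass/fail results into something a defender can act on: a tactic with several unhandled techniques (here execution, privilege escalation, discovery and collection each have one) points at a control or detection gap for that phase of an attack, whereas the single score only tells you how far you are from full coverage.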

For a full overview of MITRE’S ATT&CK Matrix, click here.

To learn more about Cymulate’s BAS platform, click here.


Filed Under: MITRE, ATT&CK, Penetration Testing, Red Team, cyber security testing, Cyber Attacks