MITRE ATT&CK for Small & Medium Enterprises (SMEs)

40 percent of cyberattacks in Singapore target Small and Medium Enterprises (SMEs)

As the world develops and changes rapidly, the pervasive adoption of Information Technology (IT) has become assimilated into businesses. It cannot be denied that the success of a business depends on how effectively the organisation can use IT. Previously, this IT wave affected only large enterprises and was not essential for Small and Medium Enterprises (SMEs). However, in recent years, and especially with the COVID-19 pandemic, the prevalent use of IT has tremendously changed the landscape for SMEs and has become a necessity for most organisations, large and small.

Due to the lack of best-practice adoption, the shortage of skilled engineers and technicians, inadequate funding, training, research and support, and the rapid increase in the number of digitalised SMEs, the number of security incidents has increased over the years. According to the annual report from the Cyber Security Agency of Singapore (CSA), 873 websites in Singapore were defaced in 2019, most of which belonged to SMEs. These statistics became a wake-up call for many large and small organisations, including government agencies.

We all believe that digitisation brings numerous benefits for organisations and businesses. At the same time, it also increases the risk of adversaries gaining a large playground in which to steal data and compromise systems. Digitising the whole or part of a business without conducting any form of assessment exposes your data or information to the public. Without proper preparation in place, a hacker or adversary can easily breach systems and access and steal confidential information, leading to data loss for the business.

Over the years, researchers all over the world have released many useful cyber security frameworks, such as the NIST Cybersecurity Framework, ISO 27001, PCI DSS, the Health Insurance Portability and Accountability Act (HIPAA) and MITRE ATT&CK, to help organisations identify, manage and defend against cyber threats.

In this article, we will talk about how SMEs can develop an enterprise-ready cyber security defence system using the MITRE ATT&CK framework, and also discuss some common difficulties and challenges that usually occur while implementing the framework. Let us first take a look at what an adversary does while targeting an organisation.

What is the Cyber Kill Chain?

Computer scientists at the Lockheed Martin corporation released an “intrusion kill chain” framework, or model, for defending computer networks back in 2011. The framework describes the various phases of a cyber attack, from the early reconnaissance stage to the eventual goal of data exfiltration. The phases are as follows:

  1. Reconnaissance: The adversary selects and researches a target and attempts to identify potential vulnerabilities in the targeted network.
  2. Weaponization: The adversary develops malicious software or tools such as viruses, trojans, rootkits and exploits.
  3. Delivery: After identifying and developing the necessary software, the adversary transmits the crafted software to the targets, for example via email or USB drives.
  4. Exploitation: Once the victim executes the malicious program, its payload can carry out different actions or tasks on the network to exploit the inherent vulnerability.
  5. Installation: The malicious program installs an initial access point, such as a backdoor, which the adversary can leverage later.
  6. Command and Control: The adversary or program gains persistent access to the target network.
  7. Actions on Objectives: The adversary carries out end-goal actions such as data exfiltration.

Figure 1: Lockheed Martin Cyber Kill Chain

As shown above, the attacker life cycle during a cyber attack can be mapped onto the Lockheed Martin Cyber Kill Chain. That said, the Cyber Kill Chain model may be too high-level to relate actual attack behaviours to defences, and this is where the MITRE ATT&CK model comes into play. MITRE ATT&CK is a framework that describes adversary tactics and techniques, from the reconnaissance stage to the adversary’s end goal, based on real-world observations.

MITRE ATT&CK

MITRE developed the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework in 2013 to document the common tactics, techniques, and procedures (TTPs) that advanced persistent threats use against Windows enterprise networks. The framework now also covers the Linux, macOS and Mobile platforms. At a high level, ATT&CK is a behavioural model that consists of the following core components:

  • Tactics: the tactical goals of the adversary during an attack (the columns of the matrix);
  • Techniques: the means by which adversaries achieve those tactical goals (the individual cells); and
  • Procedures: documented adversary usage of techniques, together with other metadata (linked to techniques).

Figure 2: MITRE Tactics

Tactics represent the adversary’s objective in performing an action. For example, an adversary wants to perform a network scan. In other words, tactics are higher-level notations for the things adversaries do during an operation, such as persist, discover information, move laterally, execute files and exfiltrate data.

Figure 3: MITRE Techniques

A technique represents how an adversary achieves a tactical objective by performing an action. For example, an adversary trying to obtain user credentials may use a brute force attack technique.

Why should SMEs use MITRE ATT&CK?

In the book “Threat Modeling: Designing for Security”, Adam Shostack, who was part of Microsoft’s Security Development Lifecycle strategy team, states that before building something, an organisation should consider the following questions:

  1. What are you building?
  2. What can go wrong with it once it is built?
  3. What should you do about those things that can go wrong?
  4. Did you do a decent job of analysis?

SMEs should model the possible threats and consider information security before building an application or architecting infrastructure. Some examples of securing an application or network using MITRE ATT&CK are:

T1566 - Phishing: An adversary may send phishing messages to gain access to the victim’s systems. When an attacker or attack group targets a specific organisation, this is known as spearphishing. The adversary may also attach malicious files to the emails in order to execute code on the victim’s computer or to gather user credentials. SMEs should publish SPF, DKIM and DMARC records and use a secure email platform that blocks emails containing malicious attachments.
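To make the SPF/DMARC recommendation concrete, here is an added example (not from the original article) that audits a domain's published records and flags the settings that leave spoofing unblocked. It works on constructed sample TXT records for two hypothetical domains, weak.example and good.example, rather than performing DNS lookups; DKIM is not checked because that requires knowing the sender's selector.

```python
import re

# Constructed sample TXT records for two hypothetical domains; no DNS lookups are made.
SAMPLE_TXT = {
    "weak.example": ["v=spf1 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
    "good.example": ["v=spf1 include:_spf.mailhost.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:reports@good.example; adkim=s; aspf=s"],
}

def spf_all_qualifier(record):
    """Return the qualifier of the terminal 'all' mechanism ('+', '-', '~', '?'), or None if absent."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"   # a bare 'all' defaults to '+' (pass), i.e. anyone may send
    return None

def parse_dmarc(record):
    """Parse a 'tag=value; tag=value' DMARC record into a dict keyed by lowercase tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_domain(domain, txt_lookup=SAMPLE_TXT):
    """Return a list of weaknesses in the domain's SPF/DMARC posture (empty list = none found)."""
    findings = []
    spf = [r for r in txt_lookup.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record: receivers cannot tell which servers may send as this domain")
    elif spf_all_qualifier(spf[0]) in (None, "+", "?"):
        findings.append("SPF does not fail unauthorised senders (needs '-all' or '~all')")
    dmarc = [r for r in txt_lookup.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record: SPF/DKIM failures carry no enforced policy")
    else:
        tags = parse_dmarc(dmarc[0])
        if tags.get("p", "none").lower() == "none":
            findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
        if "rua" not in tags:
            findings.append("DMARC has no rua address, so aggregate reports are never received")
    return findings
```

Running `audit_domain("weak.example")` returns two findings (the `+all` SPF and the `p=none` policy), while `good.example` returns none.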

T1059 - Command and Scripting Interpreter: Once a malicious binary or attachment is executed, adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

For example, when the malware runs a malicious PowerShell command line, the SME can prevent the execution by restricting PowerShell access, applying application whitelisting, installing antivirus software on endpoints, or detect it by monitoring endpoints with a SIEM and EDR.
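As an added example of the SIEM/EDR monitoring mentioned above (this code is not from the original article), the following rule scans constructed process-creation events for the command-line traits that typically mark abusive PowerShell use, and decodes any -EncodedCommand argument so an analyst can read the script. The event format, host and user names are assumptions; the encoded sample is a harmless `Write-Host hello`.

```python
import base64
import re

# Constructed sample process-creation events (command-line field only), not real telemetry.
# The encoded command decodes to the harmless "Write-Host hello" so the example is self-contained.
ENCODED = base64.b64encode("Write-Host hello".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"host": "PC-01", "user": "alice", "cmd": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"},
    {"host": "PC-02", "user": "bob", "cmd": "powershell.exe -w hidden -nop -ep bypass -enc " + ENCODED},
    {"host": "PC-03", "user": "carol", "cmd": "notepad.exe C:\\Users\\carol\\notes.txt"},
]

# Command-line indicators that commonly mark abusive interpreter use (ATT&CK T1059.001).
INDICATORS = {
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "policy_bypass": re.compile(r"(?i)-e(?:xecutionpolicy|p)\s+bypass"),
    "encoded_command": re.compile(r"(?i)-e(?:nc|ncodedcommand|c)\s+([A-Za-z0-9+/=]+)"),
    "download_cradle": re.compile(r"(?i)downloadstring|invoke-webrequest|\biex\b"),
}
POWERSHELL = re.compile(r"(?i)\b(?:powershell(?:\.exe)?|pwsh)\b")

def decode_encoded_command(b64):
    """-EncodedCommand carries base64 of UTF-16LE text; decode it so analysts see the real script."""
    try:
        return base64.b64decode(b64).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse_event(event):
    """Return a finding for a suspicious PowerShell invocation, or None for benign/non-PowerShell events."""
    cmd = event["cmd"]
    if not POWERSHELL.search(cmd):
        return None
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    if not hits:
        return None
    finding = {"host": event["host"], "user": event["user"], "technique": "T1059.001", "indicators": hits}
    m = INDICATORS["encoded_command"].search(cmd)
    if m:
        finding["decoded"] = decode_encoded_command(m.group(1))
    return finding

def scan(events):
    """Run the rule over a batch of events and keep only the findings."""
    return [f for f in map(analyse_event, events) if f]
```

Only the PC-02 event is reported; the scheduled backup script on PC-01 passes because it carries none of the indicators, which is the point of keying on invocation traits rather than on PowerShell itself.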

Thanks to the MITRE ATT&CK framework, not only can attackers reference attack techniques, but defenders can also model the possible threats in order to secure an application or infrastructure.

Conclusion

It goes without saying that large organisations should focus on cybersecurity, but it is even more vital for SMEs to consider cybersecurity as part of their technology implementation stack. It is always good to address possible threats and remediate them early on, within the application or infrastructure. When a system goes online without threat modelling, it is prone to compromise. Technology is fantastic, but without proper security mitigations it becomes a playground for adversaries.

Sources

Figure 2: MITRE Tactics (https://attack.mitre.org/tactics/enterprise/)

Figure 3: MITRE Techniques (https://attack.mitre.org/tactics/TA0006/)