An attacker carries out a cyberattack in phases. This sequence is known as the cyber kill chain, and it is composed of distinct stages, starting with reconnaissance, when the attacker gathers information about the target, and ending with the attacker's objective, such as data exfiltration. Using the ATT&CK framework, security admins can learn about the techniques attackers use in each of these stages, from initial access to final impact, and prioritize detecting the ones that occur early in the chain, where a potential attack can still be stopped before damage is done.

What is ATT&CK?

ATT&CK, short for Adversarial Tactics, Techniques, and Common Knowledge, is a curated knowledge base of the tactics and techniques attackers use to compromise organizations. Maintained by MITRE and updated continually, it is built from observations of real-world intrusions and helps security operations centers identify gaps in their defenses and build a more resilient security strategy.

An attacker's final goal may be to exfiltrate data, extort a ransom, or sabotage an organization's IT environment. To get there, they pursue a series of intermediate objectives; in ATT&CK these objectives are called tactics, and each one describes why the attacker performs a given action. The following are some of the tactics ATT&CK lists, each with its identifier:

  • Initial Access (TA0001): The attacker gains a first foothold in the organization's network, for example by phishing, by exploiting a public-facing application, or by logging in with stolen valid accounts.
  • Execution (TA0002): The attacker runs malicious code on a compromised system.
  • Persistence (TA0003): The attacker keeps access to the victim's systems across restarts, credential changes, and other interruptions.
  • Privilege Escalation (TA0004): The attacker obtains higher-level permissions on a system or in the network.
  • Credential Access (TA0006): The attacker steals account names and credentials such as passwords, hashes, or tickets from systems in the network.
  • Collection (TA0009): The attacker gathers the data that serves their goal.
  • Exfiltration (TA0010): The attacker moves the collected data out of the network.

While a tactic states the attacker's technical objective at a given phase, techniques describe the ways in which the attacker achieves that objective. For example, the tactic Lateral Movement (TA0008), where the attacker moves from the initial foothold to other systems in the organization's network, can be carried out using various techniques: Exploitation of Remote Services (T1210); Remote Services (T1021) such as RDP, SMB, and SSH; Replication Through Removable Media (T1091); and Use Alternate Authentication Material (T1550), which covers Pass the Hash and Pass the Ticket.

The framework lists around 205 techniques at the time of writing, covering every stage from Reconnaissance to Impact; many techniques are further divided into sub-techniques, and the count changes with each release. For each technique, ATT&CK records the platforms it applies to (e.g., Windows or Linux), the permissions required to carry it out, the data sources (such as log types) that can reveal it, and guidance on detection and mitigation.
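ATT&CK is also published in machine-readable STIX form, which is how a SIEM or a detection-engineering team usually consumes it. The following is an added example, not code from MITRE or from Log360, showing how to index such a bundle by tactic and pull out the per-technique platforms and data sources mentioned above. The object types and field names (x-mitre-tactic, attack-pattern, kill_chain_phases, x_mitre_platforms, x_mitre_data_sources, revoked) match the real enterprise-attack.json from https://github.com/mitre-attack/attack-stix-data; the bundle below is a constructed, heavily trimmed stand-in, and its platform and data-source values are illustrative rather than copied from the current release.

```python
"""Index an ATT&CK STIX bundle by tactic.

Added example for this page, not code from MITRE or Log360. SAMPLE_BUNDLE is
a constructed, trimmed stand-in for enterprise-attack.json: the object types
and field names match the real bundle, the platform and data-source values
are illustrative only.
"""


def _tactic(name, shortname, tactic_id):
    return {"type": "x-mitre-tactic", "name": name, "x_mitre_shortname": shortname,
            "external_references": [{"source_name": "mitre-attack", "external_id": tactic_id}]}


def _technique(name, tech_id, phases, platforms, data_sources, sub=False, revoked=False):
    return {"type": "attack-pattern", "name": name, "revoked": revoked,
            "x_mitre_is_subtechnique": sub, "x_mitre_platforms": platforms,
            "x_mitre_data_sources": data_sources,
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p} for p in phases],
            "external_references": [{"source_name": "mitre-attack", "external_id": tech_id}]}


SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--sample", "objects": [
    _tactic("Defense Evasion", "defense-evasion", "TA0005"),
    _tactic("Lateral Movement", "lateral-movement", "TA0008"),
    _tactic("Exfiltration", "exfiltration", "TA0010"),
    _technique("Exploitation of Remote Services", "T1210", ["lateral-movement"],
               ["Windows", "Linux", "macOS"], ["Network Traffic: Network Traffic Content"]),
    _technique("Remote Services", "T1021", ["lateral-movement"],
               ["Windows", "Linux", "macOS"], ["Logon Session: Logon Session Creation"]),
    _technique("Remote Desktop Protocol", "T1021.001", ["lateral-movement"],
               ["Windows"], ["Logon Session: Logon Session Creation"], sub=True),
    # One technique can serve several tactics; it is indexed under each of them.
    _technique("Use Alternate Authentication Material", "T1550",
               ["defense-evasion", "lateral-movement"], ["Windows"],
               ["Logon Session: Logon Session Creation"]),
    _technique("Exfiltration Over Alternative Protocol", "T1048", ["exfiltration"],
               ["Windows", "Linux", "macOS"], ["Network Traffic: Network Traffic Flow"]),
    # T1175 is revoked in the real bundle (its content moved to T1021.003 and
    # T1559.001); revoked objects stay in the file and must be filtered out.
    _technique("Component Object Model and Distributed COM", "T1175",
               ["lateral-movement"], ["Windows"], [], revoked=True),
]}


def attack_id(obj):
    """ATT&CK external ID (TA0008, T1210, T1021.001, ...) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def _is_live(obj):
    # Revoked and deprecated objects are kept for history but must not be
    # used for new detection mappings.
    return not obj.get("revoked") and not obj.get("x_mitre_deprecated")


def index_bundle(bundle, include_subtechniques=False):
    """Return {tactic_id: {"name", "shortname", "techniques": [...]}}.

    A technique points at its tactics through kill_chain_phases, whose
    phase_name is the tactic's x_mitre_shortname rather than its TA number,
    so tactics are indexed by shortname first.
    """
    tactics, by_shortname = {}, {}
    for obj in bundle["objects"]:
        if obj.get("type") == "x-mitre-tactic" and _is_live(obj):
            entry = {"name": obj["name"], "shortname": obj["x_mitre_shortname"], "techniques": []}
            tactics[attack_id(obj)] = entry
            by_shortname[obj["x_mitre_shortname"]] = entry
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern" or not _is_live(obj):
            continue
        if obj.get("x_mitre_is_subtechnique") and not include_subtechniques:
            continue
        tech = {"id": attack_id(obj), "name": obj["name"],
                "platforms": obj.get("x_mitre_platforms", []),
                "data_sources": obj.get("x_mitre_data_sources", [])}
        for phase in obj.get("kill_chain_phases", []):
            if phase.get("kill_chain_name") == "mitre-attack" and phase["phase_name"] in by_shortname:
                by_shortname[phase["phase_name"]]["techniques"].append(tech)
    return tactics


def techniques_for(index, tactic_id):
    """Sorted technique IDs mapped to a tactic, e.g. techniques_for(index, "TA0008")."""
    return sorted(t["id"] for t in index[tactic_id]["techniques"])


if __name__ == "__main__":
    for tactic_id, entry in index_bundle(SAMPLE_BUNDLE).items():
        print(tactic_id, entry["name"])
        for tech in entry["techniques"]:
            print("   ", tech["id"], tech["name"], "|", ", ".join(tech["platforms"]),
                  "|", "; ".join(tech["data_sources"]))
```

To run this against the real knowledge base, load the downloaded enterprise-attack.json with json.load and pass the resulting dict to index_bundle in place of SAMPLE_BUNDLE. Two details matter in practice: the data-source strings are what you compare against the log types your SIEM actually ingests, and revoked or deprecated entries have to be dropped before a detection rule is tagged with an ID.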

How Log360 aligns with ATT&CK tactics and techniques to detect security threats

Log360, a SIEM solution, uses ATT&CK to map the activity it observes to the attacker's tactics and techniques, raise real-time alerts on indicators of a security threat, and carry the threat through to mitigation with its incident management workflow.

Equipped with knowledge of what the attacker does in each stage and how they carry out their activities, security admins can hunt for threats, look for techniques that have already been used against them, and prepare their defense. Log360 provides security analytics organized around the tactics and techniques of ATT&CK. For example, an attacker can gain initial access to a network (tactic) through phishing (technique, T1566). This threat can be mitigated using threat intelligence, which checks URLs in suspected phishing emails against known-malicious indicators, and by detecting malicious files downloaded by users.


Let's look at a use case to understand how Log360 uses ATT&CK for threat detection.

Use case: Detecting data exfiltration using Log360

Let's consider a case where the attacker carries out the Exfiltration (TA0010) tactic using Exfiltration Over Alternative Protocol (T1048). By this point the attacker has already collected the sensitive data and needs to get it out of the network. Rather than using the existing command and control channel, they send it over a different protocol, such as FTP, SMTP, or HTTP/S, so that the transfer does not stand out as C2 traffic.

To detect this technique, ATT&CK suggests analyzing network data for uncommon data flows, for example a client that sends significantly more data to a server than it receives from it. Log360 continuously monitors network applications and analyzes network traffic for such unusual flows; if an application sends far more traffic than it receives, the flow is deemed suspicious and an alert warns the security admin of a possible threat. In practice the send/receive ratio has to be read against a baseline: backup jobs and cloud uploads legitimately send far more than they receive, so a useful rule compares a host's outbound volume on a given protocol with what that host normally sends, not just the ratio in isolation.
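The following is an added example, not Log360's own detection logic, of the "uncommon data flow" heuristic with that baseline check built in. It aggregates constructed flow summaries per host and protocol, flags a pair only when the host both sends at least ten times more than it receives and exceeds several times its learned daily outbound volume, and tags the alert with TA0010 / T1048. The hostnames, addresses, byte counts, and baselines are all constructed sample data.

```python
"""Flag hosts whose outbound traffic looks like T1048 exfiltration.

Added example for this page, not Log360's own detection logic. The flow
summaries and per-host baselines are constructed sample data; a real
deployment would build them from firewall, proxy, or NetFlow logs and learn
the baselines from history.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    host: str        # internal client
    dst: str         # peer address
    proto: str       # application protocol observed
    bytes_out: int   # bytes the host sent
    bytes_in: int    # bytes the host received


# Constructed: learned daily outbound bytes per host. A backup server
# legitimately sends far more than it receives, so its baseline is large;
# alerting on the send/receive ratio alone would fire on it every night.
BASELINE_OUT = {
    "ws-042": 50_000_000,          # workstation, ~50 MB/day out
    "ws-117": 60_000_000,
    "backup-01": 40_000_000_000,   # ships ~40 GB/day to its backup target
}

# Constructed one-day flow summaries
FLOWS = [
    Flow("ws-042", "10.0.0.5", "smb", 5_000_000, 120_000_000),        # reads from a file server
    Flow("ws-042", "203.0.113.7", "ftp", 2_100_000_000, 800_000),     # 2.1 GB pushed to an external FTP host
    Flow("ws-117", "10.0.0.5", "smb", 3_000_000, 90_000_000),
    Flow("ws-117", "198.51.100.4", "https", 30_000_000, 25_000_000),  # ordinary web use
    Flow("backup-01", "10.0.0.9", "ssh", 38_000_000_000, 9_000_000),  # nightly backup job
    Flow("lab-vm-7", "203.0.113.9", "http", 400_000_000, 200_000),    # host with no learned baseline
]


def aggregate_by_host_proto(flows):
    """Sum bytes per (host, proto). Exfiltration over an alternative protocol
    shows up as one protocol on one host going lopsided; whole-host totals
    would dilute it behind the host's normal traffic."""
    totals = defaultdict(lambda: {"out": 0, "in": 0, "peers": set()})
    for f in flows:
        t = totals[(f.host, f.proto)]
        t["out"] += f.bytes_out
        t["in"] += f.bytes_in
        t["peers"].add(f.dst)
    return totals


def find_exfil_candidates(flows, baseline, ratio_threshold=10.0,
                          baseline_factor=3.0, min_bytes=100_000_000):
    """Return alerts for (host, proto) pairs that satisfy BOTH tests:

    1. the host sent at least ratio_threshold times more than it received
       on that protocol (ATT&CK's "uncommon data flow" heuristic), and
    2. the outbound volume is at least baseline_factor times the host's
       learned daily outbound bytes (min_bytes for hosts with no baseline).

    Test 2 is what keeps backup servers and upload services quiet.
    """
    alerts = []
    for (host, proto), t in aggregate_by_host_proto(flows).items():
        ratio = t["out"] / max(t["in"], 1)
        floor = max(min_bytes, baseline_factor * baseline.get(host, 0))
        if ratio >= ratio_threshold and t["out"] >= floor:
            alerts.append({"host": host, "proto": proto, "peers": sorted(t["peers"]),
                           "bytes_out": t["out"], "bytes_in": t["in"],
                           "ratio": round(ratio, 1),
                           "tactic": "TA0010", "technique": "T1048"})
    return sorted(alerts, key=lambda a: a["bytes_out"], reverse=True)


if __name__ == "__main__":
    for a in find_exfil_candidates(FLOWS, BASELINE_OUT):
        print(f'{a["host"]:10} {a["proto"]:6} out={a["bytes_out"]:>14,} '
              f'in={a["bytes_in"]:>12,} ratio={a["ratio"]} -> {a["technique"]} peers={a["peers"]}')
```

With the baselines supplied, only the workstation pushing 2.1 GB to an external FTP host and the unbaselined lab VM are flagged; the backup server's nightly 38 GB over SSH stays quiet because it is within its own normal volume. Run the same function with an empty baseline and the backup server is flagged too, which is exactly the false positive the baseline check exists to remove.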


Organizations are also advised to configure network firewalls to allow only the necessary ports and traffic to enter and exit the network. Egress filtering matters as much as ingress here: if workstations cannot speak FTP or SMTP directly to the internet, most of the alternative channels T1048 relies on are closed before detection is needed.

The incident management console

Every stage of the cyber kill chain is a point at which a potential attack can be caught. Log360 detects suspicious activity as it happens and provides security analytics for each stage, which helps security admins investigate a particular threat further.

How quickly an organization responds to a security threat is what keeps the damage contained. Log360 draws on its incident detection techniques to provide real-time alerts so that security admins can prioritize a potential threat immediately.

A triggered alert can be marked as an incident, which can then be assigned to a security technician who can quickly respond to it.


Users can also link reports to an incident.


The incident management framework in Log360 is designed to help security admins stay ahead of security threats rather than react to them after the fact.
