By: Owen Dubiel
June 30, 2021
MITRE ATT&CK Framework v.8 (Sub-techniques)
By: Owen Dubiel
June 30, 2021
The MITRE ATT&CK framework has been the staple that helps hold the security industry together against facing adverse threats in any situation. In late 2020, MITRE announced the release of its latest version update. Version 8 includes a whole new addition to the known kill chain. They added a set of sub-techniques to some of the effective techniques known today. This article will cover some of these sub-technique additions to get a feel for how to better implement or tune security controls for further visibility, detection, and prevention in the future.
Every stage received some attention and added sub-techniques; the following is a breakdown of the most popular that should be implemented in your environment and a snapshot overview of technique revisions.
- Active scanning is categorized into vulnerability scanning and IP block scanning.
- Gathering host information contains the four additional pillars of hardware, software, firmware, and configurations.
- Identity information consists of credentials, email addresses, and employee names.
- Network information includes the following:
- Domain properties
- Trust dependencies
- IP Addresses
- Security appliances
- Organization information is now composed of business relationships, physical locations, and the ability to identify business roles and tempos.
- Phishing for information focuses on all aspects of spear phishing, including services, attachments, and links.
- Technical databases have been updated to include WHOIS, Passive DNS, Digital Certificates, CDNs, and scan databases.
- Lastly, searching on open website domains has sub-techniques that encompass
social media and search engines.
- Supply chain compromise now focus on both hardware and software dependencies and development tools
- Valid accounts are now broken down into four different types:
- Command and scripting interpreter is now broken down into the following sub-techniques:
- Windows Command Shell
- Unix Shell
- Visual Basic
- Network CLI
- Scheduled tasks contain the following subcategories:
- At (Windows)
- Scheduled Task
- At (Linux)
- Systemd Timers
- User execution is comprised of both malicious files and links
Account manipulation will now focus on exchange email delegation, O365 admin role, SSH keys, and cloud credentials.
- Create account can be classified into local, domain, and cloud accounts
- Create or modify system process
- Event-triggered execution
- Hijack execution flow
- Office app startup
- Traffic signaling
- Valid accounts
Believe it or not, there are now many documented ways someone can escalate their privileges in a system. This section is worth reviewing as some of these may astonish.
- Abuse elevation control mechanism
- Access token manipulation
- Boot or login autostart execution
- Domain policy modification
- Process injection
Credential access is one of the techniques that got the most attention as far as creating sub-techniques goes. MITRE went through and created sub-techniques that identify every known way someone can get credential access to a system. Examples include password attacks, keychains, different types of input capturing, and other ways an attacker can modify the authentication process.
- Brute force
- Credentials from password stores
- Forge web credentials
- Input capture
- Man in the middle
- Modify authentication process
- OS credential dumping
- Forge kerberos tickets
- Unsecured credentials
Small and subtle can lead to drastic discoveries in security. The discovery technique was improved by simply identifying the different accounts that can be discovered and permissions to these accounts.
- Account discovery
- Permission groups discovery
- Software discovery
- Virtualization/sandbox evasion
Lateral Movement focused on increasing visibility with remote services paired with different varieties of alternate authentication methods. For example, it can be observed as a possible threat that a user has an SSH session and utilizes the hash technique to authenticate.
- Remote service session hijacking
- Remote services
- Alternate authentication material
Command & Control
The command and control technique is broken down into more specific sub-techniques to provide more granularity to these activity types. Multiple proxies, communication methods, cryptography, encoding, and protocols are outlined as sub techniques here.
- Application layer protocol
- Data encoding
- Data obfuscation
- Dynamic resolution
- Encrypted channel
- Traffic signaling
- Web service
The exfiltration categories focused on adding other mediums to its arsenal. Mediums like Bluetooth, USB, and cloud storage are among those added.
- Automated exfiltration
- Exfiltration over alternative protocols
- Exfiltration over other network medium
- Exfiltration over a physical medium
- Exfiltration over web service
Many more sub-techniques were added; the above are just some of the low-hanging fruit that any organization should research. For more information on how to best use the MITRE ATT&CK framework in your industry, head to Cybrary and check out other content that may help close the security gap on detection/response efforts today.