APT & Targeted Attacks
The Storybook Approach to MITRE ATT&CK
Read this year’s MITRE Engenuity ATT&CK Evaluations story, which simulates techniques associated with notorious threat groups Carbanak and FIN7 to test solutions' ability to detect and stop APT & Targeted Attacks.
The MITRE ATT&CK® knowledge base is an extremely valuable tool that helps drive advancement and alignment throughout the cybersecurity industry. It has standardized the interpretation of an attacker’s approach and provided a common language to describe threat group behaviours.
Evaluations conducted by MITRE Engenuity don’t generate any scores, rankings or ratings. Instead, businesses are shown in full transparency how a vendor can help detect attacks from certain threat groups. By aligning to the ATT&CK framework, these evaluations provide a complete story of the attack.
Security teams can leverage the MITRE ATT&CK framework to tell a story that helps simplify security communication across their organization. The framework also provides security teams increased coverage visibility. A security professional can leverage MITRE ATT&CK to audit for coverage gaps to discover where they may be vulnerable to threats. From there they can use the evaluations to compare vendors and determine which solutions are best suited to fill this gap. The increase in visibility can also help identify coverage overlaps that could be adjusted to optimize cost.
For all the benefits MITRE ATT&CK delivers, it is a pretty dense amount of information to sort through and interpret, so we wanted to help break down the evaluation.
However, before we get into the actual evaluation breakdown of what each phase analyzes and highlights, it is important to understand this year’s attack scenarios. The MITRE Engenuity ATT&CK Evaluations build their simulations on real-world advanced persistent threat (APT) attacks, emulating the tradecraft and operational flows of specific adversary threat groups. This year the evaluation separately simulated two financially motivated threat groups that use similar behaviors: Carbanak on day 1 and FIN7 on day 2, which in total included over 174 steps.
MITRE Engenuity ATT&CK Evaluations test a solution’s ability to detect an adversary performing a targeted attack. This means that, unlike traditional testing, MITRE Engenuity is solely focused on the product’s detection capabilities after a compromise has occurred. However, this year an optional evaluation was run to test a product’s ability to block/prevent an attack, validating how effective a product is at detecting an ongoing threat and stopping it in its tracks before further damage occurs.
The Compromise: Tricking the Target
The MITRE Engenuity ATT&CK Evaluations story begins with an integral manager, whether at the bank or hotel, being compromised. The simulated attackers sent a spear phishing email with a malicious attachment to the manager with the goal of tricking them into opening it, as this technique relies upon user execution. When the manager opened the attachment, initial access was granted to the threat group.
Maintaining Access: The Leg Work
Now that the threat group has been granted access to the organization’s network, they must collect the necessary information needed to complete their objective. There are several tactics used throughout the attacker’s journey. They maintain access and avoid detection through persistence and defense evasion techniques.
The adversary uses privilege escalation, which commonly involves taking advantage of pre-existing system weaknesses, misconfigurations, and vulnerabilities to gain higher permissions. From here the threat actor will access and collect credentials and work to discover the right systems to target to complete their objective.
The two groups in question are both financially motivated, so they’re looking for information that can give them the highest dollar value when resold. Historically, Carbanak and FIN7 have targeted personally identifiable information (PII) and credit card information for resale.
Lateral Movement: Moving in for the Kill
The threat group will use lateral movement techniques to locate the targeted system that they will take control of for fraud or to steal data that they can sell for financial profit. This is a critical point in attack detection. If the threat actors are still living in your network and moving laterally, data correlation across the environment is crucial in connecting the dots and weeding out the attacker before their final steps.
Trend Micro Vision One is great for this step. Automatically correlating threat data from different areas of the network and endpoint provides better alerts to security teams. We don’t just tell you these individual events have all occurred – we connect the dots for you, showing that they might be related and have similar indicators of compromise as a certain attack group or type.
So let’s summarise the story of the evaluation:
The first advanced attack was from the Carbanak group, who were targeting a bank, one of the popular targets for this group. The attack started with compromising the HR Manager, then moving laterally to locate the CFO’s system, from which sensitive data was collected and spoofed money transfers were carried out.
The second simulation was a staged attack from the FIN7 group, who launched an attack on a hotel chain. They compromised the Hotel Manager and silently maintained access until credentials were collected and a new victim system was discovered, from there moving laterally to an IT admin system, pivoting to an accounting system and setting up persistence to skim customer payment data.
In the third scenario, the evaluation simulated 10 attack scenarios involving 96 tests, played out to test the advanced prevention controls used in rapidly reducing exposure and allowing you to respond to less common threats. Think of it like locking your front door instead of relying on a CCTV system to record someone stepping right in. Ensuring prevention controls are in place alongside detection is a key tenet for preventing and detecting advanced threats like these.
What Does it Mean for Me?
This is where Trend Micro’s 30+ years of data and threat research become a major value add allowing you to bring all the telemetry together to clearly tell the story of an attack.
Trend Micro Vision One platform can help customers like you deliver impressive results:
- 96% of attack coverage to provide visibility of 167 out of 174 simulated steps across the evaluations. This broad visibility allows customers to build a clear picture of the attack and respond faster.
- With Linux gaining huge popularity amongst many organizations, especially moving to the cloud, 100% of attacks against the Linux host were detected, capturing 14/14 attacker steps.
- 139 pieces of telemetry were enriched by the Trend Micro Vision One platform to provide extremely effective threat visibility to better understand and investigate attacks.
- 90% of attack simulations were prevented through automated detection and response very early on in each test. Deflecting risk early on frees up investigation resources, allowing teams to focus on the harder security problems to solve.
What else do I need to consider?
When evaluating the performance of vendors, it is important to consider the hierarchy of detection types. There are 5 types identified by MITRE ATT&CK:
- None: While no detection information is given, None doesn’t mean that no detection occurred. Rather, it means it did not meet the required detection criteria set by MITRE Engenuity.
- Telemetry: Data was processed that shows an event occurred related to the process being detected.
- General: A general detection indicates that something was deemed suspicious, but it was not assigned to a specific tactic or technique.
- Tactic: A detection on tactic means the detection can be attributed to a tactical goal (e.g. credential access).
- Technique: A detection on technique means the detection can be attributed to a specific adversarial action (e.g. credential dumping).
Results that are categorized as a detection type of general, tactic or technique reflect enriched data, which is a good thing, since these detections (the individual MITRE ATT&CK technique and its associated tactic) can be used to tell the detailed story of the attack. This has resulted in a general understanding that general, tactic and technique detections are one of the priorities across vendors.
Tactics are similar to a chapter of a book. A CISO can outline a story they want to tell with the high-level tactics used in an attack and then refer to the techniques to tell the story of how they accomplished the attack which provides extra detail.
So, when evaluating vendors, the most important detection type to weigh is the number of general, tactic and technique detections.
Telemetry also gives security analysts access to the raw footprints that provide increased depth of visibility they need when looking into detailed attacker activity across assets. Again, it’s not only important to have access to the data, but to make sense of the data.
Trend Micro doesn’t leave that responsibility wholly on you. We start the data correlation process for you to make a larger attack campaign more apparent. You also have the option to further explore relationships to the MITRE ATT&CK framework or get more information on specific attack types and groups from the platform.
During the simulation, the Trend Micro Vision One platform detected both attacks successfully with complete visibility across the environment, allowing centralized detection and investigation. It collected over 167 pieces of telemetry and correlated these back to over 139 pieces of enriched data, allowing the team to paint a clear story of exactly what the attackers were trying to achieve.
A separate third round was conducted to test prevention controls that are used to prevent risk in the environment. This was an optional protection scenario in which 17 of the 29 vendors participated, including Trend Micro. For this specific test, Trend Micro performed exceptionally with the ability to block 90% of simulations automatically.
Another added element this year which deserves a special mention was the introduction of a Linux server, where we detected all 14 techniques executed in the simulated attack scenario.
We are always happy to participate in MITRE Engenuity ATT&CK Evaluations to test our products against rigorous attacks. Check out the complete results and more information on Trend Micro Vision One here: https://resources.trendmicro.com/MITRE-Attack-Evaluations.html.