Preempt MITRE ATT&CK Coverage
MITRE ATT&CK is a framework covering multiple tactics and techniques adversaries use to penetrate systems, move laterally, and ultimately take over the network. It covers multiple platforms, threats groups, stages, and industries from public to private sectors
The MITRE ATT&CK knowledge base describes these tactics and techniques from the perspective of the adversary. It focuses on what they want to achieve and how to do it. ATT&CK represents these activities by dividing adversary behavior into technical objectives they want to achieve; the tactics of the framework.
For each tactic, ATT&CK specifies a list of techniques and sub-techniques that an adversary may use to achieve their objective. Because networks are configured differently, the same tools are not always available. Also, as learned from past attacks, some adversary groups have their own preferences for building attack mechanisms. This is why there are a number of different techniques for achieving the same goal category.
MITRE’s goal is to prepare security teams by presenting the information in a structured, unified, and actionable format. It includes an evaluation of how they might detect or stop malicious behavior. All of this information is presented in a single matrix, designed to allow a quick assessment of how the organization is prepared to deal with each technique.
At Preempt we use the ATT&CK framework to help our customers perform threat modeling to evaluate their current coverage for potential attacks. We believe that technique coverage isn’t just a checkbox to fill – this lead to a “3 phase approach” to Preempt capabilities: Assessment, Detection, and Enforcement:
– Assessment indicates how Preempt discovers where your network is vulnerable to a technique.
– Detection covers how Preempt can detect and alert when a technique is used.
– Enforcement shows how security teams can use Preempt to configure a policy to prevent the
In addition to these phases, each technique receives an accumulated score for how Preempt covers the majority of approaches and current malware available in that technique. In July 2020, MITRE released ATT&CK with sub-techniques (called just ATT&CK). Those sub-techniques enable focus on specific methods of different techniques. Whenever sub-techniques exist, Preempt coverage evaluates them for higher granularity.
We are excited to announce that our customers can explore how Preempt helps to cover those techniques by using the MITRE ATT&CK Navigator. This navigator is designed to provide representation and annotation of the ATT&CK matrix. It helps to visualize the defensive coverage matrix and helps make it easy to use ATT&CK to determine what security coverage you may or may not have in place for each attack type or even APT group.
How does it work?
Preempt Customers start by going to https://mitre-attack.github.io/attack-navigator/enterprise/, then press ‘+’, then “Open Existing Layer” and load the layer file (you can request the coverage file based on your Preempt deployment by opening a support ticket).
Once uploaded, you will see the coverage offered for each technique and group by Preempt. Note, that the coverage may look different depending on which type of Preempt license it demonstrates.
Fig. 1 – Preempt Coverage of ATT&CK – Full Conditional Access
Each technique or the sub-technique has a Preempt coverage score and lists how Preempt covers it is based on assessment, detection, and enforcement.
Let’s look at the Preempt Assessment and coverage of the Kerberoasting (T1558.003) sub-technique. Kerberoasting is a process of acquiring a ticket that contains an encrypted password challenge for an account and cracking it offline to obtain that password.
The first step of this attack is discovering which accounts are vulnerable to this technique. This information is available as a risk in Preempt called Poorly Protected Accounts with Service Principal Name (SPN). Having an SPN by itself isn’t a vulnerability as the account’s network activity could be legitimate; therefore the risk takes into account the password policy and strength. We recommend combining that information with another risk Preempt can find, accounts with Compromised Passwords. As Kerberoasting requires cracking the passwords, compromised passwords are naturally easier to determine. Preempt assesses those passwords using different databases from breaches (i.e. HaveIBeenPwned database), or enables the upload of a custom dictionary based on organizational context. The Detection module of Preempt can see Kerberoasting attempts as they are being made live, along with any other associated suspicious activities from the endpoint, the identity, or the destination.
The coverage Score indicates Preempt coverage for the sub-technique within the MITRE framework. In addition to providing an assessment of your security stack, Preempt will detect if there is an active LDAP search performed which is associated with this technique.
Preempt secures all workforce identities to help create a zero-trust with zero friction environment. Since 80% of all breaches involve compromised credentials, Preempt unifies security visibility, and control for on-premises and cloud identities.
Posted by Alex Talyanski on September 30, 2020 7:23 AM