MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. It is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. The ATT&CK framework provides a common taxonomy for security practitioners to classify attacks and assess an organization’s risk posture. In this article, we will explore how ATT&CK can be used to improve security programs through purple teaming, a collaborative approach between red teams (offensive security) and blue teams (defensive security). We will also provide an example of how the framework can be applied in a purple team scenario.
Understanding the MITRE ATT&CK Framework
The framework is divided into two main categories: tactics and techniques. Tactics are the high-level goals of an adversary, such as initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, exfiltration, and command and control. Techniques are the specific actions that an adversary may take to achieve these tactics.
The framework includes a wide range of techniques, organized by tactic, that can be used to describe various types of attacks. Each technique is described in detail, including a definition, examples of real-world use, and detection methods. The framework also includes information on the platforms (Windows, Linux, Mac) and software (Office, Adobe, etc.) that each technique may target.
Using MITRE ATT&CK for Purple Teaming
Purple teaming is the process of combining the efforts of red teams and blue teams to improve an organization’s security posture. Red teams are responsible for simulating attacks against an organization’s systems and networks, while blue teams are responsible for detecting and responding to those attacks. By working together, these two teams can identify gaps in the organization’s defenses and develop a plan to address them.
The ATT&CK framework provides a common taxonomy for red and blue teams to classify attacks and assess risk. This allows both teams to speak the same language and ensures that they are focusing on the most relevant threats to the organization. Additionally, the framework tactics provide red teams with a comprehensive library of tactics and techniques to use during simulations, while also providing blue teams with a detailed understanding of how these attacks work and what they look like in their environments.
Example of MITRE ATT&CK in Use for Purple Teaming
An organization has identified that they are at risk of being targeted by a sophisticated threat actor who is known to use living off the land (LotL) techniques. The red team decides to simulate this type of attack using the ATT&CK framework as a guide. They begin by identifying the tactics and techniques that are most relevant to LotL attacks, as shown below.
MITRE ATT&CK applied to a living of the land (LOL) scenario
Once the relevant tactics and techniques have been identified, the red team creates a plan to simulate an attack using these methods. They begin by sending a spearphishing attachment to a targeted user, which when opened, executes a PowerShell script that downloads and installs a malicious DLL. The DLL is then loaded into a legitimate process using process injection, allowing it to evade detection.
The blue team, on the other hand, uses the MITRE ATT&CK framework to identify gaps in their defenses and develop a plan to address them. They begin by reviewing the tactics and techniques that the red team is planning to use and identifying areas where their current security controls may be lacking. For example, they may notice that their endpoint detection and response (EDR) solution does not have good visibility into PowerShell activity or that their network segmentation strategy is not as strong as it could be.
During the purple team exercise, both teams work together to identify areas of concern and develop a plan to address them. For example, they may decide to implement additional logging for PowerShell activity, improve their network segmentation strategy, or implement new security controls such as application whitelisting. They also use the ATT&CK framework to track progress and measure success by providing a common taxonomy for classifying attacks and assessing risk.
Benefits of Using MITRE ATT&CK for Purple Teaming
There are several benefits to using ATT&CK for purple teaming:
- Common Taxonomy: By using a common taxonomy, red and blue teams can speak the same language and ensure that they are focusing on the most relevant threats to the organization.
- Comprehensive Library of Tactics and Techniques: The MITRE ATT&CK framework includes a wide range of tactics and techniques that can be used to describe various types of attacks. This provides red teams with a comprehensive library of tactics and techniques to use during simulations, while also providing blue teams with a detailed understanding of how these attacks work and what they look like in their environments.
- Improved Communication: By working together using the MITRE ATT&CK framework as a foundation, red and blue teams can improve communication and collaboration, leading to more effective security programs.
- Measurable Results: The MITRE ATT&CK framework allows organizations to track progress and measure success by providing a common taxonomy for classifying attacks and assessing risk. This helps organizations understand the effectiveness of their security controls and make data-driven decisions about where to invest in security.
The ATT&CK framework is not only a technical tool but also a valuable resource for businesses looking to improve their overall security posture. By using the framework as a foundation for purple teaming exercises, organizations can ensure that their red and blue teams are aligned in their efforts to identify and mitigate threats. This alignment can lead to more efficient use of resources, as both teams are focused on the most relevant threats to the organization.
Additionally, the framework’s comprehensive library of tactics and techniques allows red teams to simulate real-world attacks, providing blue teams with valuable insights into how these attacks work and what they look like in their environments. This understanding can help blue teams develop more effective detection and response strategies, reducing the risk of a successful attack.
From a business perspective, the ATT&CK framework provides a structure for organizations to assess their security posture, prioritize resources, and improve communication and collaboration between red and blue teams, ultimately leading to a more secure environment.