MITRE ATT&CK for Cloud

Cloud environments have become essential to today’s organizations, providing them with flexibility and the ability to scale without maintaining a complex IT infrastructure. Yet as more organizations embrace the cloud, adversaries are evolving and increasing their attempts to infiltrate cloud environments. To protect against this, organizations must understand the different tactics and techniques adversaries can use to orchestrate these attacks.

Enter the MITRE ATT&CK Framework, a documented knowledge base of malicious behaviors, referred to as tactics, techniques, and procedures (TTPs) that threat actors have used in real-world cyber attacks. The framework is one of the many standardized tools created by MITRE. First released in 2013 and enhanced regularly over time, MITRE ATT&CK aims to provide resources to the cyber security community to help them build resilience against attacks and develop confidence in their ability to mitigate vulnerabilities.

The MITRE ATT&CK framework is used globally by organizations in all industries and across multiple cybersecurity disciplines including threat hunting, intrusion detection, threat intelligence, risk management, and more. Unlike other cyber security models, the framework takes the attacker’s perspective, helping security teams understand how adversaries approach, prepare for, and execute cyber attacks in different IT environments, including the cloud. Traditionally, the MITRE ATT&CK framework has been used for threat detection, but more recently its use has been extended to vulnerability management.

MITRE ATT&CK for Cloud

MITRE ATT&CK has four matrices – Pre-ATT&CK, Enterprise ATT&CK, Mobile ATT&CK, and ICS ATT&CK – that illustrate the relationship between adversary tactics (objectives, or the “why”), the techniques (the “how”) relevant to a given environment, and procedures (the specific tools and processes used in an attack).

The four MITRE ATT&CK Matrices

The Enterprise ATT&CK Matrix is most commonly used by enterprises today. It covers tactics, techniques, and procedures (TTPs) for the following platforms: Windows, macOS, Linux, Network, Containers, and Cloud. The Cloud Matrix is a subset of the Enterprise Matrix and maps specific TTPs that threat actors could use in their attacks on cloud environments. It covers a range of cloud platforms including Azure AD, SaaS, and IaaS – relevant to AWS, Azure, and GCP environments. An example of one of these matrices can be seen in the image below:

IaaS MITRE ATT&CK Matrix (source: MITRE)

When it comes to cloud infrastructure, misconfigurations represent the biggest threat to enterprise cloud security. Common cloud misconfigurations include granting users excessive permissions, which lets adversaries reach sensitive data or compromise cloud services. For example, some organizations confuse “authenticated” users with “authorized” users and mistakenly grant access to their cloud environment to any “authenticated” user. Such users hold valid credentials but are not authorized for the organization or application. As a result, they may gain access to confidential information in the cloud, putting the organization at risk of a data breach or cyber attack.
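The “authenticated is not authorized” mistake above has a concrete form in cloud storage ACLs. The following is an added example, not code from the article or from Balbix: a small audit check over constructed grant records that flags permissions given to a global “authenticated users” group rather than to a named principal. It assumes the AWS S3 ACL model, where the predefined AuthenticatedUsers group means any AWS account holder, not members of the owning organization.

```python
# Added example (not from the original article): flag cloud storage grants made
# to "any authenticated user" instead of to a named principal. Assumes the AWS
# S3 ACL data model; bucket names and canonical ids below are constructed.
from dataclasses import dataclass

# Predefined S3 ACL groups. Both grant access to identities outside the account:
# AllUsers is anonymous, AuthenticatedUsers is anyone with *any* AWS account.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
OVERBROAD_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}


@dataclass(frozen=True)
class Grant:
    bucket: str
    grantee_type: str   # "CanonicalUser" or "Group"
    grantee: str        # canonical user id, or a group URI
    permission: str     # READ, WRITE, READ_ACP, WRITE_ACP or FULL_CONTROL


def is_overbroad(grant: Grant) -> bool:
    """True when the grantee is a global group: authenticated, but not authorized."""
    return grant.grantee_type == "Group" and grant.grantee in OVERBROAD_GROUPS


def audit_grants(grants: list[Grant]) -> dict[str, list[str]]:
    """Map each bucket to the over-broad permissions found on it."""
    findings: dict[str, list[str]] = {}
    for g in grants:
        if is_overbroad(g):
            who = "anyone" if g.grantee == ALL_USERS else "any AWS account"
            findings.setdefault(g.bucket, []).append(f"{g.permission} for {who}")
    return findings


# Constructed sample grants (not real buckets or account ids).
SAMPLE_GRANTS = [
    Grant("finance-reports", "CanonicalUser", "example-canonical-id-0001", "FULL_CONTROL"),
    Grant("finance-reports", "Group", AUTHENTICATED_USERS, "READ"),   # the mistake
    Grant("public-site-assets", "Group", ALL_USERS, "READ"),
    Grant("build-artifacts", "CanonicalUser", "example-canonical-id-0002", "READ"),
]

if __name__ == "__main__":
    for bucket, issues in audit_grants(SAMPLE_GRANTS).items():
        print(f"{bucket}: {', '.join(issues)}")
```

The same check applies to any provider that exposes an "all authenticated users" principal; only the group identifiers change.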

MITRE ATT&CK vs. Cyber Kill Chain

The Cyber Kill Chain and the MITRE ATT&CK framework can be used to analyze an attacker’s tactics and techniques for targeting cloud infrastructures. Organizations can reference both frameworks to increase their understanding of adversary behavior and improve their cloud infrastructure controls.

Cyber Kill Chain is an adaptation of the military’s kill chain. It is a cyberattack framework developed by Lockheed Martin in 2011 that traces the stages of a cyber attack, identifies vulnerabilities, and helps security teams stop the attacks at every stage of the chain.

Cyber Kill Chain categorizes all cyber attack behaviors into sequential tactics, beginning with reconnaissance to achieving objectives. The framework aims to help organizations understand and combat security breaches, ransomware, and other common cyber attacks.

The Cyber Kill Chain consists of 7 stages:

  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command and Control
  7. Actions on Objectives

While the Cyber Kill Chain addresses the cyber attack process from a high level with its seven phases, MITRE ATT&CK contains a more granular mapping of tactics, along with detailed supporting techniques and associated mitigations for each. The goal of the MITRE ATT&CK Framework is to help cybersecurity practitioners understand how adversaries approach, prepare for and execute cyber-attacks.

The MITRE ATT&CK Framework features the following tactics on its Enterprise matrix:

  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Exfiltration
  • Command and Control
  • Impact
  • Resource Development
  • Reconnaissance

One key difference between the Cyber Kill Chain and the MITRE ATT&CK framework is the fact that MITRE tactics are listed in no particular order — unlike the step-by-step linear structure of the Cyber Kill Chain. Other differences between the Cyber Kill Chain and the MITRE ATT&CK Framework are highlighted in the table below:

MITRE ATT&CK Framework vs. Cyber Kill Chain

What are MITRE Engenuity and ATT&CK Evaluations?

MITRE Engenuity, a subsidiary of MITRE, is a tech foundation that focuses on solving security-related challenges to help governments, academia, and private sectors build cyber defenses. In 2021 MITRE Engenuity introduced a methodology for using MITRE ATT&CK to describe the potential impact of vulnerabilities.

MITRE Engenuity has also introduced an ATT&CK Evaluations program that brings cybersecurity solution providers and MITRE experts together to help organizations evaluate a given tool’s ability to protect against cyber threats within the context of ATT&CK. Cybersecurity vendors turn to the Evaluations program to provide defenders with insights into their product’s capabilities and performance and improve their product offerings. Understanding each tool’s capabilities helps security teams make more informed decisions about leveraging the right products to protect their network.

What is the difference between MITRE Engenuity and MITRE ATT&CK?

The MITRE ATT&CK framework is a valuable tool that helps organizations define and understand an attacker’s approach and provides a common language to describe adversary behavior. On the other hand, MITRE Engenuity is a foundation that provides cyber defense resources to organizations. One of these resources is ATT&CK Evaluations which evaluates a security solution’s ability to detect an adversary performing a targeted attack. Organizations can use this information to determine their product’s protection efficacy.

MITRE Engenuity and the MITRE ATT&CK framework can be used together to improve cyber risk resilience. CISOs can leverage the MITRE ATT&CK Framework to assess their cyber risk, determine coverage gaps and discover where they may be vulnerable to threats. After they have identified their security needs, CISOs can use the MITRE Engenuity ATT&CK Evaluations to compare vendors and determine which solutions are best suited to fill the gaps.

Is it possible to map vulnerabilities and deployed endpoint security controls at the enterprise to the MITRE ATT&CK framework?

Yes, the MITRE ATT&CK Framework can be used for vulnerability management, notably to prioritize which vulnerabilities to fix first and to improve security controls. With a risk-based vulnerability management solution like Balbix, organizations can automatically map Common Vulnerabilities and Exposures (CVE) entries to tactics, techniques, and procedures (TTPs). This enables security teams to better assess the impact should a particular CVE be exploited, as well as take action to mitigate their risk and implement controls to improve their cyber security posture. Balbix also allows security teams to map TTPs to their endpoint security controls to improve resource allocation and productivity, so time is not wasted on cyber risks that matter less.

Frequently Asked Questions

What is the MITRE ATTACK Framework and why is it important for the cloud?

The MITRE ATT&CK Framework is a knowledge base of adversarial tactics, techniques, and procedures (TTPs) that provides a common taxonomy to describe known cyber threats. It is a powerful tool that can help organizations identify, prioritize and mitigate cyber-attacks. With cloud computing becoming more common amongst organizations, the MITRE ATT&CK framework can be used to highlight the different ways that attackers can target cloud environments. With this knowledge, organizations can better protect their environments to prevent data breaches and cyber-attacks.

What is a MITRE ATT&CK Matrix?

A MITRE ATT&CK matrix outlines a set of techniques and procedures used by adversaries to accomplish specific objectives, known as tactics. The MITRE ATT&CK Framework comprises four matrices – PRE-ATT&CK, Enterprise ATT&CK, Mobile ATT&CK and ICS ATT&CK. Each matrix includes detailed descriptions of the systems covered in that matrix, techniques and tactics, detection and mitigation approaches and examples of real-world usage.

MITRE ATT&CK for Cloud

The Cloud Matrix is a subset of the MITRE ATT&CK Enterprise Matrix and maps specific tactics, techniques and procedures (TTPs) that threat actors could use in their attacks on Cloud environments. It covers the following platforms: Azure AD, Office 365, Google Workspace, SaaS, and IaaS.

MITRE ATT&CK vs. Cyber Kill Chain

Cyber Kill Chain categorizes all cyberattack behaviors into seven sequential steps, from reconnaissance to achieving objectives. The framework aims to help organizations understand and combat security breaches, ransomware, and other common cyber attacks at every stage of the chain. On the other hand, MITRE ATT&CK includes more granular details about cyberattacks, such as attack tactics, techniques, and procedures. The goal of the MITRE ATT&CK Framework is to help cybersecurity practitioners understand how adversaries approach, prepare for and execute cyber-attacks.

What are MITRE Engenuity and ATT&CK Evaluations?

MITRE Engenuity, a subsidiary of MITRE, is a tech foundation that focuses on solving security-related challenges to help governments, academia and private sectors build cyber defenses. ATT&CK Evaluations brings cybersecurity solution providers and MITRE experts together to help organizations evaluate a tool’s ability to protect against cyber threats within the context of ATT&CK.

What is the difference between MITRE Engenuity and MITRE ATT&CK?

The MITRE ATT&CK framework is a valuable tool that helps organizations define and understand an attacker’s approach and provides a common language to describe adversary behavior. On the other hand, MITRE Engenuity is a foundation that provides cyber defense resources to organizations. One of these resources is ATT&CK Evaluations which evaluates a security product’s protection efficacy.

Should your organization use MITRE Engenuity or MITRE ATT&CK?

MITRE Engenuity and the MITRE ATT&CK framework can be used together to improve cyber risk resilience. CISOs can leverage the MITRE ATT&CK Framework to assess their cyber risk, determine coverage gaps and discover where they may be vulnerable to threats. After they have identified their security needs, CISOs can use the MITRE Engenuity ATT&CK Evaluations to compare vendors and determine which solutions are best suited to fill the gaps.

Is it possible to map vulnerabilities and deployed endpoint security controls at the enterprise to the MITRE ATT&CK framework?

Yes, the MITRE ATT&CK Framework can be used for vulnerability management, notably to prioritize which vulnerabilities to fix first and to improve security controls. With a risk-based vulnerability management solution like Balbix, organizations can automatically map Common Vulnerabilities and Exposures (CVE) entries to tactics, techniques and procedures (TTPs) as well as to their endpoint security controls.
