MITRE ATT&CK® for Purple Teaming

Malicious cyber actors are no different from any other business in at least one aspect – they are seeking to maximize their Return on Investment (ROI). If a technique works, there is no reason to re-invent the wheel for the next attack. This makes criminals efficient, but it also provides an opening for the defense. If attackers are reusing the same techniques to achieve their objectives, we can classify and map those techniques in order to systematically test our defenses against them.

MITRE’s Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework has moved this effort beyond the theoretical and delivered a tool that can help guide your testing engagements. This highly granular classification matrix is an excellent way for Red and Blue teams to identify vulnerable phases in the attack lifecycle (tactics) and quickly choose discrete methods for testing defenses against specific techniques in that phase.

MITRE has built the ATT&CK matrix from a vast amount of real-world threat intelligence, much of which is informed by their access to agencies battling nation-state actors, or Advanced Persistent Threats. The techniques that they offer are not theoretical – they are observed actions from some of the most capable adversaries on the planet. That doesn’t mean that every technique is a jaw-dropping technical exploit – remember, attackers seek ROI. ATT&CK is built to reflect what actions adversaries are taking today to achieve their objectives – which means these are attacks that are likely to be launched against your environment.

Using the ATT&CK® Lifecycle

Phases of the attack lifecycle are generally sequential – you must gain initial access before you can begin privilege escalation or lateral movement. But “Privilege Escalation” is not an action itself – it is an objective. The Techniques are the methods by which the objectives of the phase (or in ATT&CK parlance, Tactic) are achieved. You may achieve Privilege Escalation through any number of methods (or Techniques) such as Access Token Manipulation, Application Shimming, Parent PID Spoofing, etc.

Because phases of the attack lifecycle are generally sequential, having strong defenses in any given tactic can break the chain and prevent the adversary from achieving their ultimate goals. Testing against all techniques within a tactic can be a more methodical and complete way of building your defenses than a generalized penetration test. That’s a lot of work – the list of techniques for some tactics stretches into the dozens. But you don’t have to do it all at once, and having a framework to track your testing progress will help your team prevent duplicate work and achieve greater ROI from your testing efforts.

While the Techniques provide the method for achieving the objectives of the attack phase, they still don’t provide the specific test criteria. That’s where tools like Red Canary’s Atomic Red Team can be incredibly useful. These specific actions, or procedures, are an amazing bolt-on to the ATT&CK framework that provides the actual commands to execute to test a given technique.

Purple Teaming with ATT&CK®

Engagements where Red and Blue teams collaborate on both the test objectives and real-time execution are an incredibly powerful and efficient way of finding and fixing vulnerabilities within any given tactic. ATT&CK provides a common framework for establishing the scope and objectives of Purple Team engagements.

Most Purple Team engagements are short in duration and thus need to be highly focused. ATT&CK provides the structure that allows teams to rapidly build test plans centered on a narrow set of adversary objectives in the attack lifecycle. Subsequent iterations can move further along the attack lifecycle to test defenses against respective techniques while avoiding rework.
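As an added example (not code from PlexTrac, MITRE or Red Canary), here is a small tracker for the approach described in the two passages above: testing technique by technique within a tactic, keeping a record so nothing is run twice, and moving to the next tactic in lifecycle order on the following iteration. The matrix is a constructed subset: the Privilege Escalation technique names are the ones the article lists, with the IDs ATT&CK assigns them; the two Initial Access entries, the procedure names and every recorded outcome are constructed sample data.

```python
"""Track purple-team test coverage against an ATT&CK tactic/technique map.

Added example, not code from PlexTrac, MITRE or Red Canary. MATRIX is a
constructed subset of ATT&CK; all recorded results are constructed.
"""
from dataclasses import dataclass

# Lifecycle order used to pick the next tactic to work on (constructed subset).
TACTIC_ORDER = ["Initial Access", "Privilege Escalation"]

# tactic -> technique ID -> technique name (IDs as assigned by ATT&CK)
MATRIX = {
    "Initial Access": {
        "T1566": "Phishing",
        "T1078": "Valid Accounts",
    },
    "Privilege Escalation": {
        "T1134": "Access Token Manipulation",
        "T1134.004": "Parent PID Spoofing",
        "T1546.011": "Application Shimming",
    },
}

# Outcome ranking, worst to best: a technique's status is its best result so far.
OUTCOMES = ("missed", "detected", "prevented")


@dataclass(frozen=True)
class TestResult:
    technique: str   # ATT&CK technique ID
    procedure: str   # e.g. the name of an Atomic Red Team test
    outcome: str     # one of OUTCOMES


class Tracker:
    def __init__(self, matrix=MATRIX):
        self.matrix = matrix
        self.technique_tactic = {tid: tactic for tactic, techs in matrix.items() for tid in techs}
        self.results = []

    def record(self, technique, procedure, outcome):
        """Record one executed procedure. Unknown IDs/outcomes raise; a repeat
        of an already-run procedure is ignored (returns False) to avoid rework."""
        if technique not in self.technique_tactic:
            raise ValueError(f"unknown technique {technique}")
        if outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome {outcome}")
        if any(r.technique == technique and r.procedure == procedure for r in self.results):
            return False
        self.results.append(TestResult(technique, procedure, outcome))
        return True

    def status(self):
        """technique ID -> best outcome observed, for every tested technique."""
        best = {}
        for r in self.results:
            cur = best.get(r.technique)
            if cur is None or OUTCOMES.index(r.outcome) > OUTCOMES.index(cur):
                best[r.technique] = r.outcome
        return best

    def coverage(self):
        """tactic -> (techniques tested, techniques in tactic)."""
        tested = set(self.status())
        return {t: (len(tested & set(techs)), len(techs)) for t, techs in self.matrix.items()}

    def untested(self, tactic):
        """Technique IDs in the tactic with no recorded procedure yet."""
        tested = set(self.status())
        return sorted(tid for tid in self.matrix[tactic] if tid not in tested)

    def gaps(self):
        """Techniques whose best result is still 'missed': the remediation queue."""
        return sorted(tid for tid, o in self.status().items() if o == "missed")

    def next_tactic(self, order=TACTIC_ORDER):
        """First tactic in lifecycle order that still has untested techniques."""
        for t in order:
            if self.untested(t):
                return t
        return None


def sample_tracker():
    """Constructed results from one short engagement."""
    tr = Tracker()
    tr.record("T1566", "phishing payload delivery (constructed)", "prevented")
    tr.record("T1078", "valid account logon (constructed)", "detected")
    tr.record("T1134", "token theft (constructed)", "missed")
    tr.record("T1134", "token theft (constructed)", "missed")  # duplicate run, ignored
    tr.record("T1134", "make-and-impersonate token (constructed)", "detected")
    tr.record("T1134.004", "parent PID spoofing (constructed)", "missed")
    return tr


if __name__ == "__main__":
    tr = sample_tracker()
    for tactic, (done, total) in tr.coverage().items():
        print(f"{tactic}: {done}/{total} tested; untested: {tr.untested(tactic)}")
    print("gaps (missed):", tr.gaps())
    print("next tactic:", tr.next_tactic())
```

The status of a technique is its best result across all procedures run against it, so a single detected procedure does not hide that another procedure for the same technique was missed until that procedure is re-run; the duplicate check keys on technique plus procedure, which is the granularity at which rework actually happens.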

The structure brought to testing by ATT&CK isn’t only useful for facilitating internal communication and tracking. An ever-expanding community has grown around the framework, allowing remediators to share effective defenses against vulnerabilities in any given technique. If adversaries don’t re-invent the wheel on the offense, why should we on the defense?

Making the Most of the ATT&CK® Framework

ATT&CK is robust and can seem daunting. Adversaries are clever and have adopted many techniques – testing and tracking them all is no small task. So while ATT&CK can guide your activities, you still need methods for automating and optimizing your efforts.

Creating and executing a test plan with discrete Red Team actions is made much easier with the previously mentioned open-source Red Canary Atomic Red Team. At https://github.com/redcanaryco/atomic-red-team, you will find the actual command-line syntax used to test almost all of the Techniques in ATT&CK.

MITRE does include multiple procedures for testing in most of their Techniques (attack.mitre.org). These, however, lack the level of detail found in the Atomics that would allow a junior tester to execute “out of the box.” Some Googling is required, but they are still another great starting point for the specific procedures to include in your test plan.

SCYTHE (scythe.io) has developed an amazing automated attack simulation platform which maps each activity to a specific ATT&CK technique. While no automation platform will ever completely replace comprehensive manual testing, SCYTHE brings the ability to almost instantly test and retest defenses. Their results can both act as triggers for immediate remediation actions and inform test planning for those manual Purple Team engagements.

Purple Teaming with ATT&CK® and PlexTrac

Resources like the Atomic Red Team and SCYTHE can reduce the manual workload that comes with the systematic, iterative assessments the ATT&CK® framework can guide. But how do you track and integrate the data from all automated and manual assessments? The answer is PlexTrac.

The PlexTrac platform aggregates and tracks the data acquired from all your sources while executing ATT&CK®-based assessments so you can use it to strategize, systematically assess, and report. It provides the ability to create a quick feedback loop or iterative cycle for highly focused testing. PlexTrac facilitates regular, recurring and rapid testing – which provides much better ROI than mammoth projects that span months. Using PlexTrac with MITRE ATT&CK® will help your team collaborate, strategize, systematically assess, and shore up your environment from all angles.

Learn more about how PlexTrac is using MITRE ATT&CK® to support purple teaming in the “Purple Teaming Made Easy with ATT&CK®” webinar on Wednesday, May 13 at 12:00 pm MDT.
