How MITRE ATT&CK® helps users of Threat Intelligence & Attribution

Dmitry Volkov
CEO & Co-Founder, Group-IB
The MITRE ATT&CK® framework became the industry standard to describe attack tactics and techniques. It's actively used by SOC analysts, DFIR experts, Red teams, threat hunters, threat intelligence analysts and reverse engineers, because it provides quick answers about how different threats operate and how security teams can detect and stop them. The matrix gives teams a concise overview, as well as the ability to deep dive should they still need thorough threat intelligence. The versatility of the MITRE ATT&CK® framework is why we map all of the intelligence we gather to the matrix for our clients. We use this framework within Group-IB's Threat Intelligence & Attribution system in three different scenarios:

  • To describe activity of the threat actor
  • To describe techniques relevant to the particular malware family
  • As a separate tool for security experts
    The MITRE ATT&CK® in threat actor profiling
    We moved away from providing just a threat bulletins to reporting on adversaries. Now any event or activity reporting is assigned to a threat actor either cybercriminal or nation-state. We do this because every attack has a threat actor behind it, with distinct behaviors, preferred methods and known infrastructure.

    Threat actor profiles consist of:
    • Timeline with campaigns and critical events
    • Description of attacks
    • Timestamps, targeted countries, sectors and companies (when known)
    • MITRE ATT&CK® matrix
    • Indicators of compromise
    • Files and how they are linked
    • Malware employed in campaigns
    • Legitimate tools they use
    • CVE, affected software, available exploits
    • Contact details and accounts on Dark web
    • Information about threat actor's partners and clients
    Group-IB uses the MITRE ATT&CK® matrix to share not only information about individual events, in addition we provide an aggregate view of threat actors' entire campaign history. The aggregated MITRE ATT&CK® matrix combines all techniques that we observed as relevant to the threat actor. If a user wants to get more finely tuned data they can filter by industry, region, country or across a timeline to see what techniques are relevant to selected filters.
    As shown in the screenshot above, the North Korean nation-state threat actor Lazarus was observed by Group-IB to have used 251 techniques mapped to the MITRE ATT&CK® framework. In the first column we show tactics and in the second and third columns relevant techniques.

    Every time Group-IB reports about a new campaign we try to provide details about techniques that are verified by our in-house team of experienced threat analysts. This helps our clients immediately assess their preparedness by how much they understand about these techniques and how protected their organizations are from the threat. Because every threat report includes a matrix, analysts are able to understand the context of the campaign, significantly improving analysis and attack simulation if it is used by the client's red team.
    The MITRE ATT&CK® in malware profiling and detonation
    Unlike many threat intelligence providers we have a unique cyber security ecosystem with each solution supporting and improving its neighbor. The ecosystem includes our own malware detonation platform that is a part of our Threat Hunting Framework. And this malware detonation platform is also available for Threat Intelligence & Attribution clients as a part of the system and gives our client an ability to submit files or links for detonation in an isolated environment. Once malware has been detonated, we provide not just a verdict but full context of the execution including techniques used by the malware mapped to MITRE ATT&CK® with a number of indicators that match the specific technique.
    Imagine that you are involved in an incident response or hunting for threats proactively and you need to quickly understand what to search for to be able detect compromised hosts inside your network. If you already have a malware sample used to attack you just upload it to a malware detonation platform that will extract relevant indicators of compromise mapped to techniques and then use your existing security solutions to check these IoC across organizations. For example, you see that malware edits specific registry keys and values for persistence or collects personal data from local email clients by reading specific registry keys like on the example below from the Snake keylogger.
    Then you can quickly check with an EDR to see if there are any computers in your network that have the same registry keys or processes that access such registry keys. The same exercise can be done with every technique that is used by the malware.

    Within our solution, we provide not just a malware detonation platform but also malware profiles. Such a profile provides human readable descriptions of the malware family with Suricata, YARA rules for detection and hunting, together with network and file indicators that we collect from our traffic analysis, malware detonation and Group-IB's external threat hunting system.

    Group-IB's native malware detonation capability allows us to record the different indicators of compromise that occur during malware execution. This data is aggregated in the reports that aim to give our clients a full picture of techniques for relevant families rather than just from one specific sample. Furthermore, the threat matrix can be enriched by our malware reverse engineers and incident responders manually to add more insight.
    The MITRE ATT&CK® analytical tool
    Group-IB's Threat Intelligence & Attribution system (TI&A) provides a dashboard allowing any user to analyze tactics and techniques of selected threat actors in moments. By default, the TI&A users see only techniques associated with the threat actors that are part of their organizations threat landscape.
    TI&A users can select one or more different threat actors based on their current needs to see relevant techniques. Techniques can be filtered by region, country, industry, and date. Users can also choose between Enterprise, Mobile or ICS matrices. This can help users to answer questions like: "What techniques were active to attack the energy industry?" or "What were the most popular techniques within the last 30 days?"

    This built-in tool in the Threat Intelligence & Attribution system is popular among threat researchers, incident responders and red teams who need to simulate techniques used by a specific actor such as the Cobalt gang, which orchestrated targeted attacks on financial organizations, Conti ransomware that is very active and attacks organizations across many different industries, or any nation-state actors. This helps security teams check if their infrastructure is resilient to these threats. The results can be exported from the Group-IB Threat Intelligence & Attribution system in CSV and JSON formats and then be used in attack simulation systems that the organization may have or for custom reporting.

    We also give a heat map to and counters to demonstrate how often we saw these techniques were mentioned in our reports about selected threat actors to focus on detection and prevention from them.

    By clicking on a technique, information appears in the sidebar about the attackers, countries, industries where it was used, as well as its description and execution samples. The MITRE ATT&CK® framework is also used here to deliver not just the matrix of the techniques but also detailed descriptions and mitigations tips.
    The MITRE ATT&CK® framework is an essential component of threat intelligence solutions for communicating important data about how threat actors operate, and as a standalone analytical tool. Security teams should make use of advanced threat intelligence services that support mapping to MITRE ATT&CK® to enhance and simplify cyber threat intelligence data. In order to be able to do effective mapping threat intelligence must have detailed profiling of the threat actors, malware and have technologies that automates this process.
    Increase your security investment returns with Group-IB Threat Intelligence & Attribution