Wed Aug 02

How to Use MITRE ATT&CK® and Other Complementary Frameworks

If you are new to the cybersecurity field, you may be unfamiliar with MITRE. But if you have been around for a while, you probably associate MITRE with CVEs (Common Vulnerabilities and Exposures), and its site may be one you visit quite frequently.

MITRE has been around for a long time: since 1958 it has worked on defense systems of all kinds, including critical problems in defense, aviation, homeland security, health, cybersecurity, and more.

One of MITRE’s most notable contributions is the creation and maintenance of ATT&CK®, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK® is used by cybersecurity professionals around the world to understand and counter various threats, from ransomware to nation-state actors.

But MITRE is more than just a collection of data and tools. It is also a community of innovators, experts, and collaborators who share a common vision: solving problems for a safer world. Whether it’s developing AI solutions, enhancing global air traffic efficiency, or supporting public health emergencies, MITRE applies systems thinking and objective insights to deliver impactful results for the public good.

If you are curious about MITRE and want to know more about this unique organization, read on!

MITRE ATT&CK® Framework

MITRE ATT&CK® was designed to document the typical TTPs (Tactics, Techniques, and Procedures) that persistent adversaries employ against Windows business networks. ATT&CK® grew out of the need to document adversary behaviors for a MITRE research project called FMX.

ATT&CK® arranges these techniques into a set of tactics that provide context for each technique. Each technique contains information that is useful both to an attacker or penetration tester, for understanding how the technique operates, and to a defender, for understanding the context surrounding the events or artifacts produced when the technique is used.

See the reference at the end of this section for more information.

ATT&CK® Matrix for Enterprise

If you visit the URL we provide, you will see 14 categories of techniques that adversaries can use to conduct an attack, and you can find the more specific techniques under each category.

When you hover over a technique, you will also see the ID of that technique, which makes it easier to search for. Some techniques also have their own sub-techniques, which appear when you click the gray bar on the right side.

To get a better understanding of a specific technique, click on it and you will be shown all the related information, including a brief description, Procedure Examples, Mitigations, and Detection.

For example, under the Execution category you will find Scheduled Task/Job, which adversaries can use to facilitate initial code execution. On Linux, as we know, we have Cron to schedule tasks, and if you click the gray bar you will see it listed as a sub-technique of Scheduled Task/Job. Because Cron is a time-based scheduler on Linux and Unix, adversaries may modify the crontab file to add or change cron entries that run their code, such as scripts, binaries, or commands. In this way they can maintain a foothold on compromised systems across restarts, changed credentials, or other interruptions, which is why the technique belongs not only to the Execution category but also to the Persistence category.

If you have already read our [article](https://www.binaryte.com/blog/enumeration-101-the-key-to-successful-linux-privilege-escalation), you may know that Cron executes the system-wide crontab file at /etc/crontab with root privileges by default. This means that any commands or scripts in that crontab file will also run with root privileges. That makes Cron an attractive target, since adversaries look for ways to escalate their privileges to root, and so the technique belongs to the Privilege Escalation category as well. You can find this information listed under Tactics in the technique's brief description.

Reference: https://attack.mitre.org/

CAR (Cyber Analytics Repository) Knowledge Base

MITRE CAR is a knowledge base of analytics developed by MITRE, based on the MITRE ATT&CK® adversary model. Each analytic page also gives implementations in Pseudocode, Splunk, DNIF, EQL, LogPoint, and Sigma.

For example, let's examine CAR-2013-08-001: Execution with schtasks. On its page you can see that CAR provides more detailed explanations under Implementations, such as a pseudocode version, a DNIF version, and a LogPoint version. Pseudocode is a simple, human-readable way to describe the set of instructions or algorithm that a program or system will execute.

Beside Implementations you can also find a section called Unit Tests. A unit test is a test case that can be used to verify the functionality and accuracy of an analytic. It comprises a set of configurations, actions, and expected results that can be used to trigger the analytic and check its output.

Looking at the implementations, we can see that the pseudocode finds instances of schtasks.exe running as a process. Schtasks.exe is a Windows tool used to create, run, query, delete, change, or end scheduled tasks. The pseudocode consists of three steps:

  • The first step searches for Process:Create events, which indicate that a new process has been created on a system.

    process = search Process:Create

  • The second step filters the results of the first step to those whose exe field equals "schtasks.exe", meaning the created process is schtasks.exe.

    schtasks = filter process where (exe == "schtasks.exe")

  • The third step outputs the results of the second step, which are the instances of schtasks.exe running as processes.

    output schtasks

The output should include the command_line field, which shows the arguments or flags used with schtasks.exe. These flags can indicate the type of schtasks command, such as /create, /run, /query, /delete, /change, or /end.
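As an added example (not CAR's own implementation), here is the pseudocode above carried out in Python over a handful of constructed process-creation events; it also pulls the schtasks subcommand out of command_line, the field CAR says the output should include. The event field names and sample values are assumptions.

```python
"""Added example (not CAR's own code): the CAR-2013-08-001 pseudocode
run over constructed process-creation events.

search Process:Create -> filter exe == "schtasks.exe" -> output
plus a small helper that reads the schtasks subcommand from command_line."""

SCHTASKS_VERBS = {"/create", "/run", "/query", "/delete", "/change", "/end"}

# Constructed sample events shaped like CAR's "process" data object;
# event == "create" corresponds to a Process:Create event.
SAMPLE_EVENTS = [
    {"event": "create", "pid": 4101, "ppid": 2200, "exe": "schtasks.exe",
     "command_line": 'schtasks.exe /create /sc minute /mo 5 /tn "Updater" /tr C:\\Users\\Public\\u.exe'},
    {"event": "create", "pid": 4102, "ppid": 2200, "exe": "cmd.exe",
     "command_line": "cmd.exe /c whoami"},
    {"event": "create", "pid": 4103, "ppid": 4102, "exe": "SCHTASKS.EXE",
     "command_line": "SCHTASKS.EXE /query /fo LIST"},
    {"event": "terminate", "pid": 4101, "ppid": 2200, "exe": "schtasks.exe",
     "command_line": ""},
    {"event": "create", "pid": 4104, "ppid": 900, "exe": "schtasks.exe",
     "command_line": "schtasks.exe /delete /tn Updater /f"},
]


def schtasks_verb(command_line):
    """Return the schtasks subcommand (/create, /run, ...) found in the
    command line, or None when no known verb is present."""
    for token in command_line.split()[1:]:
        if token.lower() in SCHTASKS_VERBS:
            return token.lower()
    return None


def execution_with_schtasks(events):
    """The three pseudocode steps of CAR-2013-08-001.

    exe is compared case-insensitively (an added choice: Windows file
    names are case-insensitive, while the pseudocode's == is exact)."""
    process = [e for e in events if e["event"] == "create"]     # search Process:Create
    schtasks = [e for e in process
                if e["exe"].lower() == "schtasks.exe"]            # filter exe == "schtasks.exe"
    return [{"pid": e["pid"], "ppid": e["ppid"],                   # output schtasks
             "command_line": e["command_line"],
             "verb": schtasks_verb(e["command_line"])}
            for e in schtasks]


if __name__ == "__main__":
    for hit in execution_with_schtasks(SAMPLE_EVENTS):
        print(hit["pid"], hit["verb"], hit["command_line"])
```

The terminate event and the cmd.exe process are dropped, and the three remaining hits carry the /create, /query and /delete verbs that tell an analyst what kind of schtasks activity each one was.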

Reference: https://car.mitre.org/

MITRE ENGAGE

MITRE Engage is based on the premise that network compromise is often inevitable, but compromise does not have to mean loss. By engaging adversaries, defenders can increase the cost and reduce the value of the adversary's cyber operations, as well as gain valuable intelligence and insight into their behavior.

The traditional approach to cyber defense uses layered technologies that prevent the adversary from reaching an organization's networks or vital cyber assets. In that model, the adversary wins whenever they compromise a new system or steal data from the network. But when a defender adds fake artifacts and systems, it creates confusion for the adversary: is the system they just breached real? Is the data they just obtained genuine? These doubts increase the adversary's operational cost while reducing the value of their cyber activities.

Two main ideas form the foundation of the Adversary Engagement approach: Cyber Denial and Cyber Deception. Cyber denial is the capability to block an adversary's ability to conduct operations, which reduces their options or the efficiency of their actions. Cyber deception, on the other hand, deliberately misleads the adversary into acting inappropriately. Like MITRE ATT&CK®, MITRE ENGAGE has its own matrix.

It comprises 5 main categories:

  • Prepare: Assist the defender in defining their objectives for the operations (input).
  • Expose: Expose the ongoing activities of the adversary.
  • Affect: Hinder the adversaries' operations.
  • Elicit: Gain insight into adversaries' TTPs (Tactics, Techniques, and Procedures).
  • Understand: Ensure that the defender is acquiring, applying, and enhancing the knowledge gained to improve the defender's position.

Reference: https://engage.mitre.org/

MITRE D3FEND

MITRE D3FEND, which stands for Detection, Denial, and Disruption Framework Empowering Network Defense, can be seen as complementary to the MITRE ATT&CK® framework, which describes the common tactics, techniques, and procedures (TTPs) used by cyber adversaries. While ATT&CK® focuses on the offensive side of cyber operations, D3FEND focuses on the defensive side, providing a common language and structure for describing how to counter various cyber attacks.

MITRE D3FEND includes a matrix that links different defensive techniques, grouped under tactics such as harden, detect, isolate, or evict, to the ATT&CK® techniques they counter. Each technique has a unique ID and a detailed explanation of its components, capabilities, references, and relations to other techniques and tactics. The matrix helps defenders assess the pros and cons of different countermeasures, as well as their operational suitability and effectiveness.

There are 6 main categories for D3FEND:

  • Model: The model tactic is used to analyze the security of digital systems and their users, operations, and interactions.
  • Harden: The harden tactic is used to make computer network exploitation more costly and difficult. Hardening is usually done before a system is online and operational, unlike Detection.
  • Detect: The detect tactic is used to discover adversary intrusion or illicit activity on computer networks.
  • Isolate: The isolate tactic creates logical or physical barriers that limit the chances for adversaries to gain more access.
  • Deceive: The deceive tactic is used to lure, attract, and grant potential attackers access to a monitored or manipulated environment.
  • Evict: The evict tactic is used to expel an adversary from a computer network.

Reference: https://d3fend.mitre.org/

Adversary Emulation Plans

MITRE created Adversary Emulation Plans to help defenders test their networks and defenses using ATT&CK® and threat reports. The plans use open threat reports to identify APT groups (listed in ATT&CK®) and their techniques. Because of this reliance on public reporting, the plans have some limitations; to overcome them, MITRE provides a sample way to string the ATT&CK® tactics together and compiles a list of other ways to exhibit the same behavior as the APT's tools. MITRE also provides a cheat sheet of commands for common red teaming tools.

Currently there are [several plans](https://github.com/center-for-threat-informed-defense/adversary_emulation_library) available, such as APT3, menuPass, Carbanak Group, APT29, FIN6, FIN7, etc. These plans essentially work as a step-by-step guide to mimicking a specific threat group.

References:

Conclusion

The MITRE ATT&CK® framework is a valuable resource for defenders who want to understand the common tactics, techniques, and procedures (TTPs) used by cyber adversaries. It provides a structured and comprehensive way to describe and analyze cyber attacks, as well as to identify gaps and opportunities for improvement in cyber defense. However, ATT&CK® is not enough by itself. Defenders also need to know how to counter the adversary’s actions, how to engage them in a proactive and dynamic way, and how to learn from their behavior and adapt accordingly. That’s why MITRE has developed other complementary frameworks, such as MITRE ENGAGE, MITRE D3FEND, and Adversary Emulation Plans. These frameworks help defenders to design, implement, and evaluate effective cyber defense strategies, using a common language and structure that aligns with ATT&CK®.

By using these frameworks together, defenders can gain a holistic and realistic view of the cyber threat landscape, and improve their readiness and resilience against cyber attacks.