- CrowdStrike is a Research Sponsor and contributor for the new Top ATT&CK Techniques project — an initiative of the Center for Threat-Informed Defense, a non-profit, privately funded research and development organization operated by MITRE Engenuity — to provide prioritization for adversary attack techniques
- The Center for Threat-Informed Defense will introduce three critical new components to help analysts prioritize adversary techniques: actionability, choke point and prevalence
- The new components are based on the ability to detect or mitigate against each technique, identify and disrupt adversary objectives, and assess the frequency of encountered techniques
- The research reveals the most important MITRE ATT&CK® techniques for stopping ransomware — the CrowdStrike Falcon®® platform automatically detects and defends against these techniques
matrix revolutionized security, providing a common language and taxonomy for companies and security vendors to use when talking about and measuring cybersecurity, with an emphasis on adversary behaviors. However, building a defensive strategy using this insight can be overwhelming due to its 14 tactics, 191 techniques and 386 sub-techniques, and often thousands of implementation procedures for each technique that change constantly.
When thinking about adopting ATT&CK into an enterprise as part of a defensive strategy, many play “ATT&CK bingo” and ensure that the capability exists across the whole matrix. But coloring in all of the boxes doesn’t necessarily equate to better security — and given the sheer volume of techniques, this approach can actually be counterproductive. Not all techniques and sub-techniques are created equal, and crafting an effective defensive strategy requires a deeper understanding of adversary tactics, techniques and procedures (TTPs) that is grounded in threat intelligence.
At CrowdStrike, we’re on a mission to stop breaches. We know that a key component of an effective strategy for stopping breaches is prioritizing techniques that prevent an adversary from achieving their objectives. To that end, we are proud to collaborate with the MITRE Engenuity Center for Threat-Informed Defense to sponsor and contribute to the Top ATT&CK Techniques project, creating a powerful tool enabling defenders to build an effective cybersecurity strategy for their enterprise. The Top ATT&CK Techniques project declares a methodology for prioritizing ATT&CK techniques and provides a web-based calculator that prioritizes techniques based on user input. The research also analyzed the techniques of 22 ransomware groups over the past three years to reveal the top 10 techniques defenders should focus on when protecting their organization. For example, some popular techniques associated with ransomware involve Process Injection (T1055), User Execution (T1204), Modify Registry (T1112), Impair Defenses (T1562), and Command and Scripting Interpreter (T1059), according to the research.
Ransomware Top Ten ATT&CK Techniques | |
Technique ID | Technique Description |
T1486 | Data Encrypted for Impact |
T1490 | Inhibit System Recovery |
T1027 | Obfuscated Files or Information |
T1047 | Windows Management Instrumentation |
T1036 | Masquerading |
T1059 | Command and Scripting Interpreter |
T1562 | Impair Defenses |
T1112 | Modify Registry |
T1204 | User Execution |
T1055 | Process Injection |
Figure 1. Ransomware Top Ten ATT&CK Techniques
With the three new components for prioritizing techniques — actionability, choke point and prevalence — security analysts and organizations can use the new Top ATT&CK Techniques methodology and web-based calculator to protect against, detect and mitigate cyberattacks.Top ATT&CK Techniques Methodology
The methodology gives a different weight to the three different components (actionability, choke point, and prevalence), which combine into an overall score. Because not all techniques are created equal, the methodology is designed to help identify and prioritize techniques that defenders should focus on when building protections for their organization. Attackers can always change their techniques and toolset when targeting an organization, making defense difficult in a live environment. The value of the Top ATT&CK Techniques research involves helping defenders identify the most frequently occurring current techniques that have a higher likelihood of being used during an incident. This helps focus defense efforts on high-priority techniques and also helps assess if existing tools can defend against, prevent and offer visibility and context around the techniques prioritized by attackers.Actionability
Actionability, described as providing defenders with the opportunity to take action against a technique, is broken down into detections and mitigations. In essence, it's important that a security solution provides actionable information on a given technique so that defenders can immediately take mitigation actions.Let’s take Application Layer Protocol HTTPs as an example. The point of modern encryption is that you can't break into the data while it is still useful. Given that the protocol is ubiquitous, the information is only actionable if there is a man-in-the-middle proxy that can inspect the traffic. This means the technique would have a very low actionability score. Conversely, an attacker who stole credentials has a very high actionability score, which means defenders can immediately mitigate and take action — such as leveraging multifactor authentication (MFA), locking out the account or resetting the password — to disrupt the attacker.
Choke Point
Choke point describes a technique that is a common denominator in multiple attacks, where eliminating that technique disrupts the adversary and shuts down the attack. For instance, techniques that drive lateral movement and privilege escalation are critical for an attacker to execute successfully, which makes them common in attacks. From a defender perspective, if an attacker cannot move laterally (i.e., “break out”), they will be significantly impeded in achieving their objective, whether it’s accessing the critical data infrastructure and exfiltrating data or executing a successful ransom.Services like Remote Desktop or Windows Management Instrumentation (WMI) often require credentials to be successful as part of an identity-based attack, meaning defenders would want to concentrate defenses on said choke points to get better outcomes. The same is true for privilege escalation where many techniques are not possible without elevated privileges.
Prevalence
Prevalence describes the current techniques observed most frequently during intrusions and is meant to help defenders adapt their detection tools based on the popularity of these techniques. For example, the Command and Scripting Interpreter (T1059) ATT&CK technique is revealed in the Top ATT&CK Techniques research as one of the most prevalent for ransomware groups, meaning defenders should prioritize this technique and deploy adequate mitigations when it’s detected.
CrowdStrike and MITRE Partnership Advances the State of Threat-Informed Defense
CrowdStrike is a Research Sponsor of the Center for Threat-Informed Defense, partnering to advance the state of the art in threat-informed defense in the public interest. We are committed to helping organizations solve real-world problems and improve visibility and understanding of adversary tradecraft and technology to better defend their security posture. CrowdStrike’s continued and ongoing support will help improve existing Center research and solve difficult problems that the cybersecurity industry faces. CrowdStrike continues to support ATT&CK coverage by using the ATT&CK framework throughout the Falcon platform to describe adversary tactics and techniques and by contributing to research that helps equip defenders with the right data at the right time to stop breaches.CrowdStrike remains committed to helping customers and organizations secure data and protect their environments from any threat, including insider risks. The Falcon platform can detect and defend against these attack techniques, providing complete visibility across workloads, threats, identities, cloud infrastructure and business applications.
Additional Resources
- Learn more about the CrowdStrike partnership with MITRE in this blog: CrowdStrike Partners with MITRE CTID, Reveals Real-world Insider Threat Techniques
- Read the MITRE Engenuity blog “Launching a community-driven insider threat knowledge base.”
- Visit the Insider Threat TTP Knowledge Base.
- Check out the CrowdStrike eBook “A Frictionless Zero Trust Approach to Stopping Insider Threats.”
- Learn about CrowdStrike Falcon® Identity Protection solutions.