Developing Your Knowledge of Network Attacks
by Robin Simmons
February 3, 2020
During 2020, a sophisticated online espionage campaign was able to operate undetected for several months. Exploiting a SolarWinds product, the attackers were able to read and copy untold amounts of sensitive emails, documents, research data, and software tools from thousands of organizations, including several departments and agencies of the U.S. government. It took a sophisticated security company, FireEye, to discover the attack. This is a real-world illustration that “it is really more of a question of when, than if” organizations will experience a data breach, according to Michael Bruemmer, Experian Vice President (Quoted by Sammi Caramela in Business News Daily, 27 Feb 2017).
Detecting a sophisticated attacker inside your network is very difficult. If you don’t know exactly what to look for, finding the attacker on your systems or in your network traffic amid all authorized users and network activity is worse than finding a needle in a haystack. The growth in mobile devices, Internet of Things devices, video teleconferencing, and other networked applications will produce even more network traffic that can conceal the attacker’s activities.
In the absence of specific indicators of compromise, organizations must analyze events, behaviors, patterns, and trends to identify clues that reveal an attacker’s unauthorized activity. Using audit and log information, network flow data, sophisticated analytical tools, and knowledgeable and experienced staff, many organizations are able to hunt for attackers. A resource that defenders, security analysts, and other threat hunters can use to help guide their detection and analysis activities is a database of attacker tactics and techniques.
MITRE ATT&CK Model
MITRE has developed a model called ATT&CK that describes over 200 actions (techniques) that an attacker can take when inside your network to gain access, elevate their privileges, explore the network, conceal their actions, embed malware, and use the malware to perform actions such as data theft. One of the better-known components of ATT&CK is a matrix (see Figure) of all the techniques used by attackers. The online matrix is an interactive page whose cells link into the database of ATT&CK techniques.
It takes a sophisticated team to search through network logs and sensor data to identify the techniques that are described across the MITRE ATT&CK matrix. Organizations that are interested in performing this type of analysis need to either develop their own security and analytical staff, or they need to acquire that expertise from a company that can provide it. But ATT&CK is also useful to smaller or less-skilled organizations that don’t have an experienced team of security analysts.
Use ATT&CK to Develop Your Knowledge
Use the ATT&CK matrix to learn what attackers can do. Study what has been published about previous attacks to learn what the attacker did inside the target networks. If you are aware of an attacker who might be focusing on your industry sector, study that attacker’s tactics and techniques using the matrix.
Then use the ATT&CK matrix to determine which technique (or techniques) you are already able to detect in your own IT environment. Each technique listed in the ATT&CK matrix names the data sources that are likely to reveal it. If you have a Security Information and Event Management (SIEM) tool, study the data you are collecting to learn what is normal behavior and what might indicate unusual behavior. The ATT&CK website provides reference material and additional links to help you learn how to use ATT&CK. Several vendors explicitly reference the ATT&CK approach, showing how their solutions can help identify an attacker’s behaviors and data.
After a network attack has been made public, security experts normally publish indicators of compromise, such as indicators that were published after the SolarWinds-based attack. You can use these indicators to search through your logs and audit files to determine if you can detect the attacker. As one would expect, it is easier to discover if an attacker is inside your network if you know exactly what to look for.
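As an added example (not code from the original post, from Unissant, or from MITRE), the following Python script walks through the procedure described above: it compares the data sources an environment actually collects against the data sources ATT&CK lists for a handful of techniques, reports which techniques are fully, partially, or not at all visible, and then sweeps a batch of log lines for published indicators of compromise. The technique IDs are real ATT&CK identifiers, but the data-source lists are an abridged, assumed subset of the ATT&CK records; the collected-source set, the indicator values, and the log lines are constructed for illustration.

```python
"""Added example: ATT&CK data-source coverage check plus an IoC log sweep.
Technique IDs are real ATT&CK IDs; data-source lists are an abridged,
assumed subset; everything else (collected sources, IoCs, log lines) is
constructed sample data, not from any real incident."""
import re
from typing import Dict, List, Set, Tuple

# Abridged technique records: ID -> (name, data sources that can reveal it).
# Assumed subset for illustration, not the complete ATT&CK mapping.
TECHNIQUES: Dict[str, Tuple[str, Set[str]]] = {
    "T1059": ("Command and Scripting Interpreter",
              {"Process: Process Creation", "Command: Command Execution"}),
    "T1078": ("Valid Accounts",
              {"Logon Session: Logon Session Creation",
               "User Account: User Account Authentication"}),
    "T1021": ("Remote Services",
              {"Network Traffic: Network Connection Creation",
               "Logon Session: Logon Session Creation"}),
    "T1003": ("OS Credential Dumping",
              {"Process: OS API Execution", "Process: Process Access"}),
    "T1053": ("Scheduled Task/Job",
              {"Scheduled Job: Scheduled Job Creation",
               "Process: Process Creation"}),
}

# Data sources a hypothetical environment forwards to its SIEM (constructed).
COLLECTED: Set[str] = {
    "Process: Process Creation",
    "Logon Session: Logon Session Creation",
    "Network Traffic: Network Connection Creation",
}


def coverage(collected: Set[str] = COLLECTED) -> Dict[str, str]:
    """Classify each technique as 'full' (every listed source collected),
    'partial' (at least one source collected) or 'none' (no visibility)."""
    result: Dict[str, str] = {}
    for tid, (_name, sources) in TECHNIQUES.items():
        have = sources & collected
        result[tid] = "full" if have == sources else ("partial" if have else "none")
    return result


def missing_for(tid: str, collected: Set[str] = COLLECTED) -> List[str]:
    """Data sources ATT&CK lists for a technique that are not yet collected."""
    return sorted(TECHNIQUES[tid][1] - collected)


# Constructed IoCs in the shape an advisory would publish them. The hash is
# an obvious placeholder; the IP is from the RFC 5737 documentation range.
IOCS: Dict[str, Set[str]] = {
    "domain": {"update-cdn.example"},
    "ipv4": {"203.0.113.45"},
    "sha256": {"a" * 64},
}

# Token extractors for each indicator type; matches are then checked
# against the IoC sets so that ordinary hosts and hashes produce no hits.
IOC_PATTERNS = {
    "domain": re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
}


def sweep(lines: List[str], iocs: Dict[str, Set[str]] = IOCS) -> List[Tuple[int, str, str]]:
    """Return (line_number, ioc_type, value) for every IoC seen in the logs."""
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        for kind, pattern in IOC_PATTERNS.items():
            for token in pattern.findall(line):
                if token.lower() in iocs[kind]:
                    hits.append((n, kind, token.lower()))
    return hits


# Constructed log lines (key=value style) for the sweep.
LOG_LINES = [
    "2020-01-01T02:11:03Z dns host=ws17 qname=update-cdn.example type=A",
    "2020-01-01T02:11:04Z conn host=ws17 dst=203.0.113.45 dport=443 proto=tcp",
    "2020-01-01T02:11:09Z proc host=ws17 image=C:\\Windows\\System32\\cmd.exe sha256=" + "a" * 64,
    "2020-01-01T02:12:00Z conn host=ws02 dst=192.0.2.10 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for tid, level in coverage().items():
        print(f"{tid} {TECHNIQUES[tid][0]}: {level}; missing {missing_for(tid)}")
    for n, kind, value in sweep(LOG_LINES):
        print(f"line {n}: {kind} indicator {value}")
```

The coverage table is the answer to "which techniques can I already detect"; the `missing_for` list is the shopping list of data sources to start collecting, and the sweep is the exact-match search you run once an advisory publishes indicators. Both halves deliberately stay simple: the hard part in a real environment is the volume of the log data, not the logic.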
Unissant is a company with significant data analytics expertise and is striving to help other companies identify the presence of sophisticated attackers within their networks. For more information, please contact us.
ATT&CK is a registered trademark of The MITRE Corporation.
About the Author
Rob Simmons is Unissant’s Cybersecurity Practice Lead. A cybersecurity engineer and leader with technical expertise and operational experience, before joining Unissant Rob worked at the Mitre Corporation, where he was most recently their Senior Principal Cybersecurity Engineer. A former Air Force officer, Rob earned his Bachelor of Science (BS) in Electrical Engineering at the University of Michigan and his Master of Science (MS) in Electrical Engineering from the Air Force Institute of Technology. He’s also a public speaker and teaches courses on English as a Second Language.
About Unissant, Inc.
Unissant is a data-driven & cyber security services provider with expertise in healthcare and health IT, national security, finance, and energy. Founded in 2006, Unissant is a prime contractor on various government vehicles such as CIO-SP3, GSA PSS, GSA HealthIT SIN, and GSA 8(a) STARS II and is a CMMI Level 3, ISO 9001 & 27001 certified company headquartered in Herndon, Virginia with a satellite office in San Antonio, Texas. Unissant is the recipient of various industry awards such as “Government Project of the Year,” “Health IT Innovation Award” and most recently the “Disruptive Technology in Government” award.