MITRE ATT&CK™

Most common MITRE ATT&CK tactics and techniques: CISA shares most common RVAs

Greg Belding
March 11, 2021 by
Greg Belding

Introduction

CISA has released a list of Risk and Vulnerability Assessments, or RVAs, to the MITRE ATT&CK Framework and have released their findings to the public in a data-packed report. It breaks down the different tactics and techniques observed over the course of 44 RVAs and reports the percentage of time that they were successful across all RVAs. 

This article will detail the report and will explore how RVAs map to MITRE and will walk through some select tactics and techniques within each of the categories of MITRE ATT&CK.

CISA encourages those working as network administrators and IT professionals to examine the infographic and to apply the defensive strategies it recommends to safeguard against the tactics and techniques contained within.

How the RVAs map to the MITRE ATT&CK Framework

Upon request, CISA will perform an onsite assessment where they identify vulnerabilities that can be potentially exploited to compromise the organization’s security controls, which is the RVA. CISA then maps the RVA to the MITRE ATT&CK Framework by combining what was learned in the assessment with national threat information. The end result is a tailored risk analysis report for the organization requesting it, and the grand sum of the whole thing is this CISA infographic.

How it works

The MITRE ATT&CK tactics and techniques are divided into the five Attack Path categories that CISA used while conducting the RVAs to lateral and escalate. Each category is made up of subcategories that may repeat or even merge with other subcategories across the RVAs. These categories are:

  • Gone Phishin’
  • You’ve Poisoned My LLMNR
  • The Ol’ Discover and Dump
  • I Like My Kerberos Well-Done
  • Is That a Cleartext Password or SSH Key, I See?

This article will explore each category and the tactics/techniques it contains and will illustrate some of the categories with real-world instances where they were used in actual attacks.

Gone Phishin’

This category is composed of the following different subcategories of tactics and techniques:

  • Initial Access
  • Execution
  • Defense Evasion
  • Command & Control

For the Initial Access attacks, the Spearphishing Link technique is far outpacing the others in terms of success rate:

  • Spearphishing Link: 45.5%
  • Exploit Public-Facing Application: 4.5%
  • Spearphishing Attachment: 2.3%

The Spearphishing Link technique uses a malicious link to gain access to the victim’s systems if they click the link. In 2018, the Cobalt cybercriminal gang targeted the European Banking Federation with email campaigns that used malicious links as infection vectors that made possible the first stage of attack. In one attack on June 19th of 2018, a URL was sent that (based on its domain) appeared to belong to a leading ATM manufacturer. Instead, it pointed to a malicious word document.

You’ve Poisoned My LLMNR

This category covers:

  • Credential Access
  • Discovery

From Credential Access, with a success rate of 68.2%, is LLMNR/NBT-NS Poisoning. This is short for Link-Local Multicast Name Resolution and NetBIOS. These components are alternate host identification methods used by Microsoft Windows. 

By responding to LLMNR/NBT traffic, it is possible to spoof an authoritative name resolution source in order to force communication with a victim machine under adversary control. This can then be used to gather and relay authentication data. 

The Ol’ Discover & Dump

This category covers:

  • Discovery
  • Execution
  • Persistence/Defense Evasion

In the Discovery sub-category, Account Discovery was the most successful across all RVAs, with a 63.6% success rate. This is where the adversary seeks a listing of accounts within a target system/environment. This can inform which accounts may aid in follow-on behavior. 

In September of 2015, the Mofang Chinese attack group targeted an organization in Myanmar with the ShimRatReporter tool. During the early stages of the attack, ShimRatReporter created a list of non-privileged and privileged accounts available on target machines, which eventually led to a hijacking of the national Myanmar government airline to stage its payload.

I Like My Kerberos Well-Done

This category covers:

  • Initial Access
  • Persistence/Defense Evasion/Privilege Escalation

For Persistence, valid accounts edged out the other tactics and techniques with a 25% success rate. For valid accounts, adversaries use the permissions overlap between domain, local and cloud accounts to pivot to a higher access level, with domain or enterprise administrator being the goal (if needed), and with persistence being a shorter-term goal. 

From 2018 to 2019, the Chimera APT Group used valid accounts to establish persistence via a scheduled task. As a result, Chimera was able to maintain persistence for over a year before being discovered.

Is That a Cleartext Password or SSH Key, I See?

This category covers:

  • Credential Access
  • Persistence/Defense Evasion/Privilege Escalation

Coming in with a whopping 88% for Credential Access is the technique Credential Dumping. This is when an adversary attempts to dump acquired login and credential material for an account, which is in the form of a cleartext password or a hash from the OS (or software). 

In 2012, the Axiom operated the VOHO campaign which used credential dumping throughout the operation. As a result, 1,000 organizations spanning four different industries were impacted.

Mitigations

MITRE ATT&CK also normally lists mitigations that can be used against these tactics and techniques and this report is no exception. Below is a list of the top mitigations to use:

  1. User Training
  2. User Account Management
  3. Privileged Account Management
  4. Password Policies
  5. Operation System Configuration
  6. Network Segmentation
  7. Network Intrusion Prevention
  8. Multi-Factor Authentication
  9. Filter Network Traffic
  10. Disable or Remove Feature Program
  11. Audit

Conclusion

The RVA Mapped to the MITRE ATT&CK Framework is an infographic report that is packed full of insights regarding the MITRE ATT&CK Framework in which an on-site assessment is combined with national threat information. This data is a compilation of data spanning 44 RVAs and demonstrates the success rate of the various tactics and techniques in the MITRE Framework. 

There was far too much interesting information to include in this article. Why not take a look at the report yourself here?

 

Sources

Risk and Vulnerability Assessment (RVA) Mapped to the MITRE ATT&CK Framework, CISA

MITRE ATT&CK Framework, MITRE

Axiom Threat Actor Report, Novetta

Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.