November 13, 2023

What is the MITRE ATT&CK framework?

MITRE ATT&CK is one of the most comprehensive models for tracking cyber adversary behaviour. In the field of information security, the MITRE Corporation is known for its Common Vulnerabilities and Exposures (CVE) list available at cve.mitre.org. First initiated in 1999, it is a database of known vulnerabilities and has since become one of the most important sources for structuring and identifying software and hardware exploits.

Why is MITRE ATT&CK important?

At the heart of the ATT&CK framework lies a continuously updated knowledge base that documents the behavioural anatomy of attacks and attackers. ATT&CK has the added benefit of being built from observations of real-world cyberattacks.

Using data from the MITRE ATT&CK knowledge base, anyone involved in cyber defence can investigate and compare adversarial behaviours and tactics to understand the best remedial practices. The framework is a free, accessible, and open-source knowledge base.

What is ATT&CK?

The ATT&CK framework was founded on the principle that every adversarial activity leaves some traces of evidence behind that confirm an attack has taken place. By analysing these traces, also known as Indicators of Compromise (IOCs), security professionals can gain insight into what happened during a particular attack, and improve their ability to prevent, detect, and respond to similar threats in the future.

In an attempt to classify threat indicators based on their importance, security expert David Bianco introduced his concept of The Pyramid of Pain in 2013, where each layer in the pyramid represents the “pain” both security experts and adversaries would have to endure to launch or detect the corresponding threat. So, for instance, while collecting and understanding hash values is relatively easy, the same thing cannot be said about applying TTP (tactic, technique, procedure) analysis to identify and mitigate attacks.

[Figure: David Bianco’s Pyramid of Pain]

Indicators of Compromise (IOCs) & Indicators of Attack (IOAs)

Collecting IOCs is by no means a sufficient defensive strategy for organisations, because the approach is reactive: it relies on static, piecemeal data points that indicate a breach may already have happened. Indicators of Attack (IOAs), on the other hand, describe what attackers intend to achieve, which makes them particularly effective for detecting attacks that have not yet been completed.

ATT&CK Model

MITRE introduced the ATT&CK matrix in 2013 to describe and categorise adversary behaviour (behaviour modelling) based on real-world observations. Before getting into the use of the matrix, let us take a look at the basic concepts:

[Figure: The ATT&CK model]

Tactics

Tactics refer to the goals or objectives an attacker is trying to accomplish and are characterised by the attacker’s behaviour in the different phases of operation. These include initial access, execution, persistence, privilege escalation, defence evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration, and impact.

Example: TA0002 (The attacker wants to execute malicious code).

Techniques

Techniques explain how an attacker achieves their goal, i.e. the tools, technologies, code, exploits, utilities, etc. employed to launch a successful exploit. This is where the details of the attack are elaborated on.

Example: T1059.001 (PowerShell - using PowerShell in an attack)

Procedures

Procedures provide particular instances of how a technique is carried out. These include information about attacker groups, descriptions of associated groups, techniques, versions, creation and modification dates, and software.

Example: APT19 (Detailed information on how the technique is executed)

Mitigations

Mitigations represent security concepts and classes of technology that can be applied to prevent a technique or sub-technique from being executed successfully.

Example: M1056 (Mitigation ID and techniques are specified in this field)

Groups

Groups refer to activity clusters that are tracked under a shared name, together with the techniques they often employ to carry out adversarial activities.

Example: G0045 (Explaining their identity, other related groups and the techniques they use).

Software

Software covers the malware and tools utilised by attacker groups.

Example: S0671 (Tomiris backdoor, containing information on the types, techniques, as well as creation and modification dates).

The ATT&CK - TTP relationship

Tactics are defined by attackers’ motivation when constructing an attack. The diagram below displays the relationship between a particular tactic and the tools, techniques or sub-techniques necessary to apply it.

MITRE ATT&CK provides an objective environment to assess cybersecurity risks and identify potential gaps. Once these gaps are known, objective decisions can then be taken as to how to deploy the best security controls for prioritisation and mitigation.

[Figure: The ATT&CK Model – TTP relationship]

Cyber Kill Chain

When discussing MITRE ATT&CK, it is important to touch on another related framework used in addressing cyber threats, that is the Cyber Kill Chain (CKC). While bearing many similarities to MITRE, the CKC is different in that it outlines the specific sequence of actions involved in a cyber-attack, whereas MITRE provides a library of the tactics and techniques employed by cyber attackers.

[Figure: The Cyber Kill Chain]

Regardless of the detection framework, malicious DNS requests represent one of the most common vectors used to trigger attacks. This is because 85% of malware-infested domains are not associated with an IP address, and IP-less queries can only be detected via the thorough inspection of DNS logs.

[Figure: A malicious domain without an IP address]

The MITRE ATT&CK matrix began with an internal project known as the Fort Meade Experiment (FME), where a team of security experts were tasked with simulating hostile TTPs on a network and then collecting and analysing the attack data. This data later formed the basis for ATT&CK. Since ATT&CK is a fairly complete description of adversarial behaviour when hacking networks, the matrix is useful for identifying various attack and defence dimensions, appearance models, and other mechanisms (e.g., FSTEC threat modelling).

MITRE has divided threats into three broad matrices: Enterprise, Mobile, and Industrial Control Systems (ICSs). Enterprise threats refer to TTPs used in attacks against organisations, mobile threats relate to TTPs concerning mobile and wearable devices, while ICS pertains to TTPs for industrial systems.

Each of the above-mentioned tactics and techniques is related to the subject of its matrix. “Enterprise” is the most targeted matrix and consists of several categories:

[Figure: ATT&CK matrices]

There are 3 basic types of attacks. Access to information is granted in groups.

[Figure: Cyber Kill Chain mapped to MITRE PRE-ATT&CK and ATT&CK]

The PRE-ATT&CK matrix provides a framework for assessing adversarial behaviour before a breach has taken place, and may include such processes as gathering information, planning, identifying vulnerabilities and testing.

[Figure: ATT&CK Enterprise matrix for the Kill Chain model]

What can the MITRE model be used for?

Let us examine DNS infrastructure attacks with examples, using MITRE ATT&CK techniques and procedures.

Example-1: DNS Spoofing / Cache Poisoning

DNS spoofing is a type of cyberattack in which an attacker redirects the victim’s traffic to a malicious website instead of the legitimate IP address. Attackers use DNS cache poisoning to intercept Internet traffic and steal credentials or sensitive information. DNS cache poisoning and DNS spoofing refer to the same thing and are often used interchangeably.

The following steps are typically involved in a DNS spoofing attack:

1) The attacker tries to inject a spoofed address into the answer to a DNS query,

2) Once the spoofed answer is accepted, the cached record sends clients to the attacker’s server,

3) The clients’ requests are then processed by the attacker’s server.

Each example in the framework entails a description of the technique and the motivation behind the tactic. DNS spoofing is commonly used to compromise third-party DNS servers during an attack. DNS traffic can also be exploited in post-compromise activities for various purposes, such as carrying command-and-control traffic (e.g., Application Layer Protocol).

[Figure: DNS Server ATT&CK technique in MITRE]

In the second part, detailed information such as the threat ID, platforms on which it can be launched, versions, as well as creation and modification dates are provided for quick access.
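The spoofing steps above succeed only if a resolver accepts a forged answer. The following is an added example, not DNSSense code or anything from the MITRE page: it hand-builds minimal DNS messages and shows the checks a resolver applies before trusting a reply (same server address and port the query went to, same 16-bit transaction ID, identical question section, QR bit set). All names, addresses and IDs are constructed.

```python
"""Resolver-side sanity checks against blind cache-poisoning replies (constructed example)."""
import secrets
import struct

HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount
QR_BIT = 0x8000


def encode_name(name: str) -> bytes:
    """Wire-format a dotted hostname as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def question_length(msg: bytes, offset: int = HEADER.size) -> int:
    """Bytes taken by the question section at offset (QNAME + QTYPE + QCLASS)."""
    pos = offset
    while msg[pos] != 0:  # question names are not compressed, so no 0xC0 pointers here
        pos += 1 + msg[pos]
    return pos + 1 + 4 - offset


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Standard recursive query for one A record (qtype 1, class IN)."""
    flags = 0x0100  # RD=1
    return HEADER.pack(txid, flags, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_answer(name: str, txid: int, ip: str, qtype: int = 1, ttl: int = 300) -> bytes:
    """One-record A response; used here to construct both genuine and forged replies."""
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, ttl, len(rdata)) + rdata  # name pointer to offset 12
    return HEADER.pack(txid, QR_BIT | 0x0180, 1, 1, 0, 0) + question + rr  # QR=1, RD=1, RA=1


def response_is_acceptable(query: bytes, sent_to: tuple, response: bytes, received_from: tuple) -> tuple:
    """Return (accepted, reason). sent_to / received_from are (ip, port) pairs."""
    if received_from != sent_to:
        return False, "reply did not come from the server the query was sent to"
    if len(response) < HEADER.size:
        return False, "truncated header"
    qid = HEADER.unpack_from(query)[0]
    rid, rflags, rqd, _, _, _ = HEADER.unpack_from(response)
    if rid != qid:
        return False, "transaction ID mismatch"
    if not rflags & QR_BIT:
        return False, "QR bit not set, this is not a response"
    if rqd != 1:
        return False, "unexpected question count"
    qlen = question_length(query)
    try:
        rlen = question_length(response)
    except IndexError:
        return False, "malformed question section"
    if rlen != qlen or query[HEADER.size:HEADER.size + qlen] != response[HEADER.size:HEADER.size + qlen]:
        return False, "question section does not match the query"
    return True, "ok"


if __name__ == "__main__":
    server = ("192.0.2.53", 53)            # constructed upstream resolver
    txid = secrets.randbelow(1 << 16)      # unpredictable ID; pair it with a random source port (RFC 5452)
    query = build_query("www.example.com", txid)
    genuine = build_answer("www.example.com", txid, "192.0.2.10")
    wrong_id = build_answer("www.example.com", (txid + 1) & 0xFFFF, "198.51.100.7")
    wrong_src = build_answer("www.example.com", txid, "198.51.100.7")
    for label, reply, src in [("genuine", genuine, server), ("wrong txid", wrong_id, server),
                              ("wrong source", wrong_src, ("198.51.100.1", 53))]:
        print(f"{label:12s} -> {response_is_acceptable(query, server, reply, src)}")
```

These checks raise the cost of blind poisoning to guessing both the transaction ID and the randomised source port; they do not help against an attacker positioned on the path, which is what DNSSEC validation addresses.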

Example-2: DNS Layer Security Threats (DNS Tunnelling)

Techniques and procedures of DNS tunnelling attacks

What is DNS tunnelling?

Web browsers, email servers, and virtually all Internet services and components use the Domain Name System (DNS) protocol to translate between human-readable names and IP addresses. DNS was never intended to be used for data transmission, but malicious actors have used it that way for years.

Hackers have long realised that it is possible to secretly communicate with a victim’s computer by injecting malicious commands and data into DNS queries and responses. That is the basic idea behind a DNS tunnel.

Mostly used to bypass network security controls for data exfiltration and C2 communication, DNS tunnels utilise protocols such as HTTP, FTP, and SSH over DNS.

[Figure: DNS tunnelling]

DNSSense offers comprehensive DNS tunnelling detection and prevention through its DNSDome product. With this feature, any DNS tunnelling attempt is detected, blocked and reported in near real-time, before information reaches the malicious actor’s server.

DNS tunnelling is attackers’ preferred method of data theft, as it is almost undetectable by conventional data loss prevention tools or other application-level security products.
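Because application-level tools miss it, tunnelling has to be found in the DNS logs themselves. The following is an added example, not DNSSense or DNSDome code: a heuristic detector run over constructed log lines (format assumed to be `<timestamp> <client> <qname> <qtype> <rcode>`). It scores each registered domain on the signals a tunnel leaves behind: almost every query carries a new, long subdomain, and record types that can hold large payloads (TXT, NULL, CNAME) dominate.

```python
"""Heuristic DNS tunnelling detector over constructed query-log lines (example, not DNSSense code)."""
import hashlib
from collections import defaultdict

PAYLOAD_TYPES = {"TXT", "NULL", "CNAME"}


def registered_domain(qname: str) -> str:
    """Last two labels; a real deployment would consult the Public Suffix List."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def parse_line(line: str):
    ts, client, qname, qtype, rcode = line.split()
    return ts, client, qname.rstrip(".").lower(), qtype.upper(), rcode


def score_domains(lines, min_queries: int = 5) -> dict:
    """Per registered domain: query count, unique subdomains, mean subdomain length, payload-type share."""
    seen = defaultdict(lambda: {"queries": 0, "subs": set(), "sub_bytes": 0, "payload": 0})
    for line in lines:
        if not line.strip():
            continue
        _, _, qname, qtype, _ = parse_line(line)
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname != dom else ""  # everything left of the registered domain
        st = seen[dom]
        st["queries"] += 1
        st["subs"].add(sub)
        st["sub_bytes"] += len(sub)
        st["payload"] += qtype in PAYLOAD_TYPES
    out = {}
    for dom, st in seen.items():
        if st["queries"] < min_queries:
            continue
        out[dom] = {
            "queries": st["queries"],
            "unique_subdomains": len(st["subs"]),
            "mean_sub_len": st["sub_bytes"] / st["queries"],
            "payload_share": st["payload"] / st["queries"],
        }
    return out


def tunnel_candidates(lines, max_mean_sub_len: float = 30.0, max_payload_share: float = 0.5) -> dict:
    """Domains whose subdomains are almost all unique (each query carries a fresh chunk)
    and whose subdomain length or payload-type share exceeds the thresholds."""
    flagged = {}
    for dom, s in score_domains(lines).items():
        unique_ratio = s["unique_subdomains"] / s["queries"]
        if unique_ratio > 0.8 and (s["mean_sub_len"] > max_mean_sub_len or s["payload_share"] > max_payload_share):
            flagged[dom] = s
    return flagged


def constructed_log() -> list:
    """Benign browsing from 10.0.0.5 plus a constructed tunnel from 10.0.0.9 (all sample data)."""
    benign = [
        "2023-11-13T10:00:01 10.0.0.5 www.example.com A NOERROR",
        "2023-11-13T10:00:02 10.0.0.5 mail.example.com A NOERROR",
        "2023-11-13T10:00:03 10.0.0.5 www.example.com AAAA NOERROR",
        "2023-11-13T10:00:04 10.0.0.5 cdn.example.com A NOERROR",
        "2023-11-13T10:00:05 10.0.0.5 example.com MX NOERROR",
        "2023-11-13T10:00:06 10.0.0.5 www.example.com A NOERROR",
    ]
    tunnel = []
    for i in range(20):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()  # stands in for encoded exfiltrated data
        tunnel.append(f"2023-11-13T10:01:{i:02d} 10.0.0.9 {chunk[:32]}.{chunk[32:]}.t.exfil-example.net TXT NOERROR")
    return benign + tunnel


if __name__ == "__main__":
    for dom, s in tunnel_candidates(constructed_log()).items():
        print(f"{dom}: {s}")
```

The thresholds are starting points; CDNs and some anti-spam services also generate many unique subdomains, so the unique-subdomain ratio is only decisive in combination with label length or payload record types, and a production rule should allow-list known services.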

Example-3: Domain Generation Algorithms (DGAs)

A DGA is a technique used by cyber attackers to create a large number of domain names with an algorithm. The generated domains are then used to establish communication between malware and its C&C server. These domains are only registered, and only receive an IP address, when the botnet is about to be commanded.

The owner of the botnet has two goals:

Prevent the C&C domains from being discovered by security staff.

Activate the botnet only for limited periods of time.

[Figure: IP address of DGA domains listed as 0.0.0.0]

[Figure: DGA malware family and functions]

DGAs in the MITRE framework

DGA is listed under the T1568.002 ID number in the MITRE ATT&CK framework, together with related procedure examples, mitigations, and detection methods.

By continuously changing domain names, DGAs enable attackers to keep control of malware-infected hosts and C&C infrastructure. Malware on a compromised machine attempts to connect to systems under the attacker’s control to receive commands or send back collected information.

Attackers use DGAs to determine the sequence of domains that infected computers attempt to connect to. This is done to prevent control of the compromised infrastructure from being lost when the attacker’s domains or IP addresses written directly into the code are blocked by security systems.
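Since only a few of the generated domains are registered at any time, an infected host fails most of its lookups, and the failing names look random. The following is an added example, not DNSSense code: a per-client DGA heuristic run over constructed log lines (same assumed format, `<timestamp> <client> <qname> <qtype> <rcode>`), combining the NXDOMAIN ratio, the number of distinct failing domains and the Shannon entropy of the failing second-level labels.

```python
"""Heuristic DGA detector over constructed DNS query-log lines, keyed by client (example, not DNSSense code)."""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character of the label; random letters sit near log2(len(s)), words well below."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def second_level_label(qname: str) -> str:
    """Label left of the TLD; a real deployment would consult the Public Suffix List."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def score_clients(lines) -> dict:
    """Per client: query count, NXDOMAIN count and ratio, distinct failing domains, mean entropy of those."""
    per = defaultdict(lambda: {"queries": 0, "nx": 0, "nx_domains": set(), "entropy": 0.0})
    for line in lines:
        if not line.strip():
            continue
        _, client, qname, _, rcode = line.split()
        st = per[client]
        st["queries"] += 1
        if rcode.upper() == "NXDOMAIN":
            sld = second_level_label(qname)
            st["nx"] += 1
            st["nx_domains"].add(sld)
            st["entropy"] += shannon_entropy(sld)
    out = {}
    for client, st in per.items():
        out[client] = {
            "queries": st["queries"],
            "nxdomain": st["nx"],
            "nx_ratio": st["nx"] / st["queries"],
            "distinct_nx_domains": len(st["nx_domains"]),
            "mean_nx_entropy": st["entropy"] / st["nx"] if st["nx"] else 0.0,
        }
    return out


def dga_candidates(lines, min_distinct_nx: int = 10, min_nx_ratio: float = 0.8, min_entropy: float = 2.5) -> dict:
    """Clients that fail many distinct, random-looking domains within the log window."""
    return {
        client: s for client, s in score_clients(lines).items()
        if s["distinct_nx_domains"] >= min_distinct_nx
        and s["nx_ratio"] >= min_nx_ratio
        and s["mean_nx_entropy"] >= min_entropy
    }


def constructed_log() -> list:
    """Benign traffic from 10.0.0.5 (including one ordinary typo) and a constructed DGA burst from 10.0.0.7."""
    lines = [
        "2023-11-13T10:00:01 10.0.0.5 www.example.com A NOERROR",
        "2023-11-13T10:00:02 10.0.0.5 exmaple.com A NXDOMAIN",
        "2023-11-13T10:00:03 10.0.0.5 mail.example.com A NOERROR",
        "2023-11-13T10:00:04 10.0.0.7 www.example.com A NOERROR",
    ]
    for i in range(15):
        digest = hashlib.sha256(f"seed-{i}".encode()).digest()
        label = "".join(chr(97 + b % 26) for b in digest[:14])  # stands in for an algorithmically generated name
        lines.append(f"2023-11-13T10:02:{i:02d} 10.0.0.7 {label}.example A NXDOMAIN")
    return lines


if __name__ == "__main__":
    for client, s in dga_candidates(constructed_log()).items():
        print(f"{client}: {s}")
```

A single typo produces one NXDOMAIN and is ignored; the infected host fails fifteen distinct high-entropy names in a minute and is flagged. Wordlist-based DGAs defeat the entropy signal, which is why the NXDOMAIN burst is the primary indicator here.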

Example-4: PunyCode / Homoglyph Attacks

A homoglyph attack is a deception technique that uses homoglyphs or homographs, in which an attacker abuses the similarity of character scripts to create fake domains of existing brands to trick users into clicking.

[Figure: Punycode/Homoglyph Attacks in MITRE]

One of the most important components users can use to determine if a URL is part of a phishing attack is to compare the host and domain name to what is expected of a legitimate website. For example, an email asking users to enter their banking information on a website with the domain name attackeradgh.com will not receive as many entries as a website hosted under a more reasonable-looking name. There are many common techniques used today and in the past to make links look more reputable. One of them, for example, would be to have the anchor text say something, but point to something else:

Another technique is to confuse users by changing the URL so that the actual hostname comes at the end:

Although some modern browsers send out alerts for these attacks, they can be circumvented using Punycode and homoglyphic techniques.

Normally, DNS labels (separated by dots) follow a certain format. The characters allowed in a label are limited to the ASCII subset of letters, digits, and the hyphen (sometimes referred to as the LDH rule). In addition, a label must not begin or end with a hyphen and is not case sensitive. This limited character set causes problems if someone wants to use a character in a DNS label that is not LDH-compatible.

Punycode, used by the Internationalized Domain Names in Applications (IDNA) framework on the Internet, was developed to convert characters that are normally invalid in DNS hostnames into valid ASCII characters. In this way, domain and host names can be created using characters from a user’s native language and still be translated into something the DNS system can use (assuming the application supports IDNA decoding). For example:

The second aspect of this attack is homoglyphs. A homoglyph is a symbol that looks the same or very similar to another symbol. An example that most people are familiar with is the letter O and the number 0. Depending on the font used, it can be difficult to tell them apart. The letters l (lowercase L) and I (uppercase i) are other common examples.

The dilemma gets even more intriguing when very similar characters from different languages coincide in Unicode. Languages that use diacritical accents, letter-like symbols, and other characters that look like the regular Latin alphabet occur with great regularity, and some of their characters appear to be almost exact copies of a Latin letter. A common example is the Cyrillic alphabet, which has very similar homoglyphs for a, c, e, o, p, x, and y. Even the Latin alphabet appears twice in Unicode.

It is represented in both the 0021-007E (Basic Latin) and FF01-FF5E (Full-width Latin) Unicode ranges. This means that switching from one range to the other for a given Latin character is as easy as adding 65248 (decimal) to the code point of the Basic Latin version. Depending on the font used, mixing character families can result in a “ransom note”-like visual effect as illustrated below:

While IDNA is used to enable internationalised DNS labels, it can also be used to make a URL or hostname look more legitimate than it actually is. The Unicode representation can cause visual confusion for a user or inspire confidence where it should not. Example:

This is because the third slash symbol is not a slash symbol. The actual DNS record looks like this: microsoft.xn--comindex-g03d.html. attackeradghb.com
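The following is an added example, not DNSSense code or anything from the MITRE page: using only Python’s built-in idna codec (IDNA2003) and unicodedata, it converts a label to its xn-- form, confirms the 65248 offset between Basic Latin and Full-width Latin, and flags labels that mix scripts, use full-width characters, or fold to a known name once the Cyrillic a/c/e/o/p/x/y look-alikes from above are mapped back. All labels and the confusables table are constructed for the example; the table is deliberately incomplete.

```python
"""IDNA/Punycode and homoglyph checks for one DNS label (constructed example, not DNSSense code)."""
import unicodedata

FULLWIDTH_OFFSET = 0xFF01 - 0x0021  # 65248: '!' (U+0021) -> '！' (U+FF01), 'a' -> 'ａ', and so on

# Cyrillic letters that the page lists as look-alikes of Latin a, c, e, o, p, x, y (constructed, incomplete)
CYRILLIC_CONFUSABLES = {"\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
                        "\u0440": "p", "\u0445": "x", "\u0443": "y"}


def to_punycode(label: str) -> str:
    """ASCII (xn--) form the resolver actually sees; pure-ASCII labels come back unchanged."""
    return label.encode("idna").decode("ascii")


def from_punycode(ascii_label: str) -> str:
    """Unicode form a browser would display for an xn-- label."""
    return ascii_label.encode("ascii").decode("idna")


def fold_fullwidth(label: str) -> str:
    """NFKC maps full-width forms (and other compatibility characters) back to ASCII."""
    return unicodedata.normalize("NFKC", label)


def scripts_in(label: str) -> set:
    """First word of each character's Unicode name: LATIN, CYRILLIC, FULLWIDTH, GREEK, ..."""
    found = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue  # LDH digits and the hyphen belong to every script
        found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def skeleton(label: str) -> str:
    """What the label would read as to a human: full-width folded, Cyrillic look-alikes mapped."""
    return "".join(CYRILLIC_CONFUSABLES.get(ch, ch) for ch in fold_fullwidth(label).lower())


def analyse_label(label: str, known_names=()) -> dict:
    scripts = scripts_in(label)
    skel = skeleton(label)
    return {
        "label": label,
        "punycode": to_punycode(label),
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,
        "fullwidth": any(0xFF01 <= ord(ch) <= 0xFF5E for ch in label),
        "skeleton": skel,
        # looks like a known name but is not spelled the same: the homoglyph case
        "lookalike": skel in set(known_names) and skel != label.lower(),
    }


if __name__ == "__main__":
    names = {"microsoft"}
    for label in ["münchen", "microsoft", "micr\u043esoft", "\uff4dicrosoft"]:
        r = analyse_label(label, names)
        print(f"{label!r}: punycode={r['punycode']} scripts={sorted(r['scripts'])} "
              f"mixed={r['mixed_script']} fullwidth={r['fullwidth']} lookalike={r['lookalike']}")
```

Note that Python’s idna codec runs the IDNA2003 nameprep step, which itself applies NFKC, so a full-width label is reduced to plain ASCII before it reaches the wire; the mixed-script Cyrillic label survives as an xn-- name and is exactly the kind of record a DNS log should surface alongside its decoded form.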

Two Important Components of the DNS Safety Concept

1) Ensuring the overall integrity and availability of DNS services that resolve hostnames on the network to IP addresses.

2) Monitoring DNS activity to detect potential security problems anywhere on your network.

Conclusion

MITRE ATT&CK is a powerful open-source tool for understanding and classifying cyber attacker tactics, techniques, and procedures. MITRE has made it easy to improve cyber defence by providing a unified categorisation system for classifying attackers and their behaviours in a consistent and easily communicated manner. Using MITRE as a guideline, cyber defence teams can devise comprehensive strategies for security controls against potential threats, assess risks, and prioritise and address gaps in their cyber defences.

In this whitepaper, we explained DNS-specific techniques and tactics employed by adversaries as outlined in the MITRE ATT&CK framework. DNSSense helps enterprise networks mitigate these risks by providing active DNS monitoring and advanced DNS visibility. With its three integrated products in DNSEye, DNSDome, and Cyber X-Ray, DNSSense empowers SOC teams with all the necessary tools to detect and take proactive measures against DNS-backed exploits while ensuring a secure digital experience.

Early detection of security breaches relies heavily on the effective monitoring of DNS traffic on your network for suspicious anomalies. With a tool like DNSEye, you will be able to keep an eye on all the important metrics. With intelligent cross-platform integrations, you can set up alerts for a specific period or for a combination of anomalous actions. DNSSense’s artificial intelligence algorithms ensure the highest classification rate in their class and forward only those logs to your SIEM and SOAR systems that merit attention. This allows you to save over 95% of DNS log processing costs through intelligent SIEM integration.
