"Networking" to defend the "network": the MITER ATT & CK case

(To Orazio Danilo Russo)
As mentioned in one of mine previous article, any hacker has a "attack operating profile", recognizable by the observation of its Tactics, Techniques and Operating Procedures (TTPs); in response - from the evidence resulting from the investigations and from the study of the numerous cyber and cyber attacks - the intelligence and cyber-security structures have long since refined adequate countermeasures for prevention and repression.

There are several systems of characterization and cataloging of cyber attacks, generally reasoned for "modus operandi" of the opponent; some are obviously covered by the secrecy of States and Alliances or by the investigative confidentiality of law enforcement agencies, in order to maintain the information superiority over the enemy or the effectiveness of judicial-repressive action. However, there are also public sharing initiatives of this important knowledge framework: the first and most important defensive cornerstone, in fact, is the "common factor" a glossary, a method and a set of security measures widely known and applied among those who share networks, information systems and IT services.

In this regard, the initiative of The MITER Corporation, a non-profit organization active since 1958. Founded on the operation of research and development centers financed with US public funds, MITER is active in R&D support for the Government of the United States of America. MITER has developed a publicly accessible knowledge repository - The MITRE ATT & CK - which exposes in an indexed way, the tactics of cyber attack. The acronym ATT & CK is going to "Adversarial Tactics, Techniques and Common Knowledge"

In the library the TTPs they are described by identifying the exploited vulnerabilities and listing the criminal groups of greatest interest, their operating profiles and malicious codes used, describing their algorithms and effects. For each category, MITER ATT &CK combines the countermeasures generally considered suitable to prevent or mitigate tactics, to respond effectively and on several fronts to the various incidents, including the measures necessary for monitoring and detecting elements "dormant" o "undercover" operating clandestinely in information systems or networks.

Il data base it has an intuitive and multi-modal graphic interface, so the search can be done regardless of whether it starts from tactics, rather than from techniques, countermeasures, malicious codes or observed criminal groups. The archive allows you to finalize the search by type of infrastructure or technology: you can therefore verify the specific attack methodologies and the cyber threat models that target clients, laptops or desktops, rather than centralized processing infrastructures, storage and service or even to networks, whether wired or radio.

A section of the application is dedicated to threats to industrial control systems (ICS). Here the cataloging of offensive actions and the indication of defense and response measures becomes more complicated and less immediate. The cause is the heterogeneity of the industrial technological environment, understandably affected by legacy and often developed in-house infrastructure solutions. Poor standardization translates into a diversification of platforms, protocols and applications that makes it difficult to standardize commonly suggested detection and mitigation techniques. MITRE ATT & CK mitigates the problem by suggesting a high-level categorization of industrial control assets that simplifies and guides the user in adapting protection and response philosophies to their specific technological platform.

The application also offers a training course in the effective use of the resources made available, as well as a section dedicated to feeding, refining and updating the archive. The latter is facilitated by an interface for collecting reports of new evidence that web users send to contribute to this effort to "shared collective knowledge".

In short, a common resource, this of MITER ATT & CK, which cannot but be part of theparaphernalia of a security professional and whose interaction I highly recommend both to those who are training and to those - already mature in professionalism - who intend to collaborate by bringing elements of personal experience or reporting - in the section "Contribute" - new TTPs observe.

This is also how the collective prevention and response system is improved: "networking to defend the network!"

To learn more: