Overview of MITRE ATT&CK Framework and Initial Access Tactic (TA0001)
Introduction to MITRE ATT&CK:
In today’s modern world, cyber threats are becoming more and more sophisticated, causing an urgent need for organizations across the world to understand how adversaries operate, so that they can protect their digital assets from being compromised.
MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) framework acts as a helpful resource for security teams in organizations to identify and analyze the attack patterns, techniques and tactics used to achieve exploitation. It is a globally accepted, continually updated and publicly available framework based on real-world observations of the latest cyber attacks. It keeps track of APT (Advanced Persistent Threat) groups and TTPs (Tactics, Techniques and Procedures) to provide guidance on procedures followed by the adversaries to compromise an organization’s resources. It is widely used in the cybersecurity field to improve security measures for organizations by enhancing their defensive capabilities.
Here are some key words to be familiarized with before we dive deeper.
APT (Advanced Persistent Threat):
These are advanced groups of cyber attackers, heavily backed and funded to perform cyber-attack campaigns for a long period of time without getting detected.
TTPs (Tactics, Techniques and Procedures):
Tactics: It deals with the objective and goal of attackers
Techniques: It deals with how attackers are going to accomplish their objective
- Sub-Techniques: It provides a more granular detail about the implementation of a specific technique
Procedures: It deals with the implementation of techniques or sub-techniques to attain the objective.
The current version of Enterprise ATT&CK matrix includes 14 tactics with each tactic containing multiple techniques and sub-techniques.
Below are the tactics included in Enterprise matrix with their brief overview:
- TA0043 Reconnaissance: Gather information about the target.
- TA0042 Resource Development: Accumulate and prepare resources to carry out attacks.
- TA0001 Initial Access: Infiltrate into the target’s infra or network or system.
- TA0002 Execution: Run malicious code on victim’s system.
- TA0003 Persistence: Maintain access to the compromised system.
- TA0004 Privilege Escalation: Elevate privileges to access more sensitive information.
- TA0005 Defense Evasion: Bypass security detections.
- TA0006 Credential access: Steal credentials.
- TA0007 Discovery: Learn more about the compromised system’s environment.
- TA0008 Lateral Movement: Hop to other system’s connected in the same network.
- TA0009 Collection: Gather sensitive information.
- TA0011 Command and Control: Establish remote communication with compromised system.
- TA0010 Exfiltration: Steal data from the compromised system.
- TA0040 Impact: Destruction or manipulation of data or system, making it unavailable for victim
Introduction to Initial Access Tactic (TA0001):
As the name explains, Initial access means gaining access to the network. Initial Access tactic provides all the possible techniques used by adversaries to gain access and enter a network. This is a crucial phase in the attack lifecycle as the attacker looks for an entry point to step their foot into the network. Successful initial access can open the door to a wide range of exploitations like privilege escalation, confidential data theft and much more.
Let us now quickly go through the techniques that fall under Initial Access and understand them.
1. Content Injection (T1659):
Content Injection is a web application vulnerability where an attacker tries to manipulate and inject malicious content into a web page through a vulnerable endpoint within the application.
Attackers can inject any type of content like harmful HTML, JavaScript or alter the existing content on the web page, which could lead to harmful consequences. Ideally, this type of attack takes place upon user interactions (click, enter data, submit a form).
Example: File inclusion or upload
2. Drive-by Compromise (T1189):
Using Drive-by compromise technique, the adversary typically tries to compromise the victim’s browser through a malicious or compromised website. Attackers inject malicious code such as malware, ransomware or exploit kits into the web page, which is then automatically executed when the victim visits the page without their knowledge or interaction.
Example: Cross-Site Scripting
3. Exploit Public-Facing Applications (T1190):
In this technique, attackers attempt to exploit vulnerabilities in publicly accessible web applications, web servers, or databases to gain access to a network. Vulnerability in the application, security misconfigurations, inadequate access control mechanisms, or the use of outdated or unpatched software are some of the possible reasons for these attacks. Such weaknesses provide attackers the opportunity to gain unauthorized access, escalate privileges, or compromise sensitive data.
Example: SQL Injection
4. External Remote Services (T1133):
Adversaries target to enter an organization’s network by exploiting weaknesses in external sources like VPNs, Remote Desktop Protocol (RDP), Citrix, Cloud Services, external file sharing and others that allow remote access to the internal systems.
Lack of proper authentication mechanisms, access control, VPN misconfiguration and usage of insecure connections lay the path to this type of attack.
5. Hardware Additions (T1200):
In this technique, the attacker exploits the target system/network by connecting new hardware, networking devices or other computing devices to gain access. Attackers can use USB keyloggers to capture keystrokes and steal credentials or can use routers/switches/passive network tapping/network traffic modification that can intercept or control networks. As this technique involves physical hardware, it provides persistent access to the attacker even if the software’s defenses are intact.
6. Phishing (T1566):
Phishing is a technique in which attackers exploit an individual/organization by sending deceptive emails, texts, files that appear to be from trusted and legitimate sources. Attackers craft and design the content to trick users into clicking malicious links, downloading attachments, or revealing personal sensitive information such as usernames, passwords, or financial details. A more targeted form of phishing is called Spearphishing.
-
(.001) Spearphishing Attachment:
This is a type of phishing in which an attacker sends an email or text with malicious files attached to them, such as executable files, PDFs, or Word Documents. When a user opens/downloads an attachment, a malicious payload will be injected into the system.
-
(.002) Spearphishing Link:
Here, adversaries send emails or texts with malicious links in it that look legitimate. When a user clicks or copy and pastes the URL into a browser, it can download the malicious content into the system or sometimes, the users are tricked into entering their personal information like credentials, bank details, Unique Identity numbers. -
(.003) Spearphishing via Service:
Here, adversaries use third party online services or platforms like social media services, personal web mail as the source to conduct their phishing attack. -
(.004) Spearphishing Voice
: Here, an attacker compromises a victim with voice communication. The attacker pretends to be a person from trusted organizations such as banks or government officials and tricks the victims into revealing sensitive information over the phone.
7. Replication Through Removable Media (T1091):
Replication through removable media is a technique in which adversaries use removable media like USB drives, external hard disks to spread malicious payloads and also to replicate the malware between systems. Sometimes, malicious code can automatically execute when the device is plugged in if the system has autoplay or autorun enabled, or the attacker might rely on user interaction to run the malicious payload.
8. Supply Chain Compromise (T1195):
In Supply Chain Compromise, an adversary targets and compromises a company’s supply chain such as suppliers, vendors, or third-party service providers before receipt by the end customer. Attackers can introduce malicious elements into Software updates, hardware or Dependent sources before its delivery.
-
(.001) Compromise Software Dependencies and Development Tools:
Here, an adversary tries to manipulate the third-party open-source software system, development tools or service providers that are being used by the organization.
-
(.002) Compromise Software Supply Chain:
Attacker manipulates software updates, libraries, or repository used for distributing software before it reaches out to the final customer. This compromised patch will be unknowingly installed by the organization when they update or install software.
-
(.003) Compromise Hardware Supply Chain:
Here, an attacker manipulates hardware components or devices before they reach the end-user. Once the device is installed within an organization, it provides a persistent backdoor for attackers.
Example: Insecure Deserialization, log4j
9. Trusted Relationship (T1199):
In Trusted Relationship technique, adversaries exploit the relationship between the target organization and their partners, vendors, or internal users to gain access. Adversaries focus the trusted entities and leverage them as sources of attack because these entities are typically subjected to less stringent scrutiny and may have elevated permissions to critical systems within the target organization, which adversaries can exploit to carry out their attack.
Example: Unsafe Consumption of APIs
10. Valid Accounts (T1078):
The Valid Accounts technique is one of the most common methods adversaries use to gain unauthorized access to systems by exploiting legitimate credentials. Attackers attempt to use stolen credentials or guessed passwords to gain access to the systems, leveraging the compromised or weak credentials as this can bypass security mechanisms, gain persistent and privileged access.
Example: Brute Force
-
(.001) Default Accounts:
Here, adversaries try to exploit credentials of default accounts like Guest or Administrator accounts. Default accounts also include factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes. Failing to change the credentials provided for default accounts exposes the organization to high security risks.
-
(.002) Domain Accounts:
Here, adversaries exploit user or system credentials that are part of a domain. Domain accounts are managed by Active Directory Domain Services, where access and permissions are set across systems and services within the domain.
-
(.003) Local Accounts:
Adversaries exploit the credentials of local accounts. Local accounts are typically configured by an organization for use by users, remote support services, or for administrative tasks on individual systems or services.
-
(.004) Cloud Accounts:
Adversaries exploit valid credentials of cloud accounts to access cloud-based services and infrastructure. As organizations increasingly rely on cloud environments such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud, and other cloud platforms, adversaries target cloud accounts to exploit resources, steal data, or perform further malicious activities within the cloud environment.
How F5 can help?
F5 security solutions like WAF (Web Application Firewall), API security, and DDoS mitigation protect the applications and APIs across platforms including Clouds, Edge, On-prem or Hybrid thereby reducing security risks. In addition to the above solutions, F5 bot and risk management solutions effectively mitigate malicious bots and automation, which can enhance the security posture of your modern applications.
The example attacks mentioned under techniques can be effectively mitigated by F5 products like Distributed Cloud, BIG-IP and NGINX. Here are a few links which explain the mitigation steps.
- Mitigating Cross-Site Scripting (XSS) using F5 Advanced WAF
- Mitigating Injection flaws using F5 Distributed Cloud
- Mitigating Log4j vulnerability using F5 Distributed Cloud
- Mitigating SQL injection using F5 NGINX App Protect
For more details on the other mitigation techniques of MITRE ATT&CK Initial Access Tactic TA0001, please reach out to your local F5 team.
NOTE: This is the first article in MITRE series and stay tuned for more tactics-related articles.