The MITRE Center for Threat-Informed Defense, Microsoft, and other industry partners collaborated on a project that created a repeatable methodology for developing a top MITRE ATT&CK® techniques list. The method aims to facilitate navigation of the ATT&CK framework, which could help new defenders focus on critical techniques relevant to their organization’s environment, and aid experienced defenders in prioritizing ATT&CK techniques according to their organization’s needs.
The ATT&CK framework provides an extensive list of specific techniques that may be challenging to navigate in certain situations. This project aims to help defenders who use the framework focus on noteworthy techniques regardless of the attack scenario or environment. For example, using research on 22 ransomware attacks, the repeatable methodology led to the identification of the top 10 ransomware techniques list.
The project also included the development of a customizable, web-based calculator that seeks to prioritize techniques based on a defender’s input, making the methodology even easier to apply to different environments and scenarios. As an example of the insights that can be gained from using this calculator, the project found that the following techniques are present in most attacks and environments:
- Command & Scripting Interpreter (T1059)
- Scheduled Task/Job (T1053)
- Impair Defenses (T1562)
- Remote Services (T1021)
- Create or Modify System Process (T1543)
This methodology considers the continuing evolution of threats, so it supports the creation of criteria that are tailored to an organization’s unique environment. This enables defenders to continuously identify threat trends and decide where to focus resources for detection coverage.
Establishing the top ATT&CK techniques
The methodology for identifying the top ATT&CK techniques factored in three attributes to determine the significance of a technique: prevalence, choke point, and actionability.
Prevalence is the frequency of specific ATT&CK techniques used by attackers over time. A higher frequency of a technique indicates a higher likelihood of it being used in multiple attack scenarios. Therefore, there’s a higher chance of encountering an attack with a high prevalence ranking. Prevalence was determined using the Center’s Sightings Ecosystem project from April 2019 to July 2021, which registered 1.1 million encounters of attacks across the 184 unique ATT&CK techniques. Including prevalence as a criterion aims to cover more attacks with fewer techniques.
Figure 1. Attacks over time (MITRE Sightings Ecosystem Project)
Choke points are techniques that disrupt an attacker due to them being a point of convergence or divergence. In real-world incidents, choke points manifest as one-to-many or many-to-one behaviors or steps in the attack. The inclusion of this criterion aims to identify the critical techniques that can help link activity throughout attack chains.
Figure 2. MITRE ATT&CK Technique Process Injection (T1055) is an example of a possible choke point
Actionability is the opportunity for a defender to detect or mitigate a technique. This is based on publicly available security controls (such as CIS Critical Security Controls and NIST 800-53 Security Controls) and analytics (Splunk detections, Elastic, and Sigma).
Figure 3. Detection to mitigation mapping (MITRE Top ATT&CK Techniques Methodologies)
Top 10 techniques in ransomware attacks
Following the creation of the methodology, the top 10 ransomware techniques list was generated to test this new approach in practice. To create this list, Microsoft and the other partners involved in this collaborative effort analyzed prevalent ransomware attacks from the past three years. A total of 22 specific ransomware attacks were studied specifically for their use of ATT&CK techniques. Based on this research, the top 10 techniques in ransomware attacks are:
- Data Encrypted for Impact (T1486)
- Inhibit System Recovery (T1490)
- Obfuscated Files or Information (T1027)
- Windows Management Instrumentation (T1047)
- Masquerading (T1036)
- Command and Scripting Interpreter (T1059)
- Impair Defenses (T1562)
- Modify Registry (T1112)
- User Execution (T1204)
- Process Injection (T1055)
Organization-specific top techniques list via web calculator
This collaborative project also included the creation of a dynamic, user-friendly calculator for a more customizable, tailored top techniques list. This customizability allows organizations to have unique prioritization based on each organization’s size and maturity.
The calculator takes into consideration various inputs, including:
- NIST 800-53 Controls (all NIST controls or specific ones such as AC-2, CA-2, etc.)
- CIS Security Controls (all CIS Controls or specific ones such as 1.1, 2.5, etc.)
- Detection analytics (MITRE Cyber Analytics Repository, Elastic, Sigma, Splunk)
- Operating systems used in the environment
- Monitoring capabilities for network, process, file, and cloud services in the network
With this calculator, an organization can create a tailored technique list based on various aspects like the maturity of their security operations and the tools that they use. This can serve as a great starting point for companies looking to evaluate and improve their detection and protection capabilities regarding ransomware activities and prioritize the TTPs that are the most actionable for them.
Practical applications and future work
The methodology and insights from the top techniques list has many practical applications, including helping prioritize activities during triage. As it’s applied to more real-world scenarios, we can identify areas of focus and continue to improve our coverage on these TTPs and behaviors of prevalent threat actors. Refining the criteria can further increase results accuracy and make this project more customer-focused and more relevant for their immediate action. Improvements in the following areas can be of particular benefit:
- Fine-tuning the choke point analysis by adding machine learning models to visualize and predict all viable paths an attacker could take, which can be used to create a corresponding attack graph. This attack graph could be tied in with the user-implemented filters to identify relevant paths based on an organization’s current functionality. Future integration with the Attack Flow project might be a step towards this enhanced choke point analysis.
- Developing a metric to identify subjective filters like “Damage Impact” and “Significance” as they are important when making decisions on covering different attacks.
- Performing a comparison of results between this current analysis and global data sets to validate the accuracy of the current findings.
- Enhancing prevalence data to ensure a broad and timely data set is driving the analysis. Community contributions to the Sightings Ecosystem project is critical.
Insights from industry-wide collaborations like this project help enrich the protection that Microsoft provides for customers through solutions like Microsoft 365 Defender and Microsoft Sentinel. These solutions are further informed by trillions of signals that Microsoft processes every day, as well as our expert monitoring of the threat landscape. For example, our comprehensive view and research into the ransomware ecosystem enables us to deliver cross-domain defense against human-operated ransomware, leveraging a Zero Trust approach to limit the attack surface and minimize the chances of ransomware attacks succeeding.
In the recent MITRE Engenuity ATT&CK® 2022 Evaluations, Microsoft demonstrated complete visibility and analytics on all stages of the attack chain, with 100% protection coverage, blocking all stages in early steps (pre-ransomware phase), including techniques within the top 10 ransomware techniques list that were tested.
This collaboration and innovation benefits everyone in the security community, not only those who use the MITRE ATT&CK framework as part of their products and services, but also our valued ecosystem of partners who build services on top of our platform to meet the unique needs of every organization, to advance threat-informed defense in the public interest. Microsoft is a research sponsor at the Center for Threat-Informed Defense, partnering to advance the state of the art in threat-informed defense in the public interest. One of our core principles at Microsoft is security for all, and we will continue to partner with MITRE and the broader community to collaborate on projects like this and share insights and intelligence.
Gierael Ortega, Alin Nagraj, Devin Parikh
Microsoft 365 Defender Research Team