MITRE ATT&CK v11 adds ICS matrix, sub-techniques for mobile threats

The MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) Framework has become a mainstay of the cybersecurity industry. The framework represents relevant adversary behavior, and organizations can leverage it to bolster their cybersecurity defenses and improve their ability to detect common adversary behavior. It details adversary behavior across the attack lifecycle.

The framework has been around since 2013 and continues to get better. The framework and associated matrices have evolved to address emerging technology areas that organizations are increasingly adopting such as infrastructure as a service (IaaS), software as a service (SaaS), and containers. The latest release, MITRE ATT&CK v11, includes sub-techniques for both mobile and the addition of an industrial control systems (ICS) matrix. Those v11 updates are explained below along with insights you can use to help meet recent government requirements as well.

ATT&CK for Mobile updates

Originally launched in 2016, ATT&CK for Mobile helps organizations address the reality that more critical data and systems are being accessed and interfaced with through mobile devices. ATT&CK for Mobile leveraged existing guidance from the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Homeland Security (DHS), and others, but has matured quite a bit since then, including the addition of sub-techniques with v11.

They cover smartphones and tablets using Android and iOS platforms due to their dominance in the market. Malicious actors are targeting these devices as they are used more to interact with organizational applications and data. This has resulted in a rising percentage of data breaches that leverage mobile devices, especially in industries and sectors where they are used to access sensitive data, such as healthcare.

One thing that makes ATT&CK for Mobile, and ATT&CK overall, so useful is the countless use cases it can be leveraged for by organizations. In the mobile context, some use cases include prioritizing defenses, determining effective defensives, and aiding organizations in evaluating mobile products.

With the addition of the sub-technique fields, you can not only see techniques associated with attack lifecycle phases, such as initial access, execution and persistence, but you can drill down into the sub-techniques associated with the initially identified techniques. For example, in initial compromise a technique focuses on supply chain compromise. You can now drill down further into sub-techniques such as compromising software dependencies and development tools, hardware or software supply chain. Each associated sub-technique has its own ID and details. Taking software supply chain as an example, you can look at examples, mitigations, and detections as well as references if you want to dig deeper on the topic.

MITRE published a great article detailing the actions you can take to update your use of ATT&CK for Mobile.

MITRE ATT&CK ICS

Industrial control systems and their associated cybersecurity posture and vulnerabilities continue to receive significant attention, and rightfully so given the critical services and functions they provide. The U.S. Cybersecurity Infrastructure and Security Agency (CISA), which is responsible for leading the efforts to reduce risk to our cyber and physical infrastructure, has cited the need to protect ICS among its most important efforts to defend cyberspace. In 2020 CISA published the “Securing Industrial Control systems: A Unified Initiative,” which laid out both the challenges of securing ICS and also the current and future state of securing ICS. In 2018, the Idaho National Laboratory published a paper on the “History of Industrial Control System Cyber Incidents” and the incidents have only continued since then with examples such as oil pipelines and water treatment facilities.

Much like Mobile and the other matrices, the new MITRE ATT&CK ICS matrix in v11 provides adversary insight across the attack lifecycle. Unlike the ATT&CK for Mobile example, the ICS matrix doesn’t include sub-techniques yet, but they might be added in the future.

Each technique includes new examples, mitigations, detections, and references. One of the first techniques listed is drive-by compromise, which is when a user is compromised through a user visiting a website as part of their normal browsing session. Not only does ATT&CK provide an explanation of this attack technique, it also ties it to specific ICS examples, including information from the DHS and FBI on how Russian malicious actors have used the technique to target energy sector victims.

Future MITRE ATT&CK plans

The MITRE team continues to innovate with the addition of sub-techniques for the Mobile matrix and the addition of ICS. Other examples include covering emerging technologies that enterprises are adopting such as cloud, containers, and Kubernetes. The team also has published its informative 2022 MITRE ATT&CK Roadmap.

One of the most notable additions to keep an eye on is MITRE’s plans for what they call “Campaigns,” which are defined as a “​​grouping of intrusion activity conducted over a specific period of time with common targets and objectives.” These may or may not be linked to a specific threat actor. The reason this is useful is that typically a threat actor group doesn’t stagnate in their tools, techniques, and procedures (TTPs). Just like organizations, threat actors innovate their methods and often outpace defenders.

With the addition of campaigns, MITRE ATT&CK can now capture specific campaigns a threat actor potentially could carry or that is currently or has impacted the industry. It will also allow the framework to describe campaigns that involve multiple threat actors, as these malicious organizations continue to increase their collaboration in a rapidly profitable and growing market of cybercrime.