About MITRE ATT&CK Framework
The MITRE ATT&CK framework serves as a globally recognized knowledge base documenting the tactics, techniques, and procedures (TTPs) employed by adversaries throughout the cyber attack lifecycle. It fosters a common language for cybersecurity professionals, enabling them to:
- Identify and classify attacks: By mapping detected activities to the ATT&CK matrix, organizations can gain a deeper understanding of the attacker’s objectives and the specific TTPs used.
- Refine threat detection and prevention strategies: Aligning security controls with the ATT&CK framework allows organizations to prioritize defences against the most relevant threats based on their industry, attack surface, and risk profile.
- Improve collaboration and communication: The standardized terminology within the ATT&CK framework facilitates clear communication between security teams, analysts, and incident responders.
CAASM & MITRE ATT&CK Framework Alignment:
CAASM solutions offer capabilities that directly address various stages of the attack lifecycle across an organization’s entire attack surface, which includes both on-premises and cloud environments.
At Notus, we research and develop solutions that are closely aligned with the MITRE ATT&CK framework, significantly contributing to the mitigation of risks associated with these identified attack surfaces.
Mitigation of MITRE ATT&CK Threats
Notus specialises in discovering and monitoring cyber assets, integrating with existing tools to enable organisations to dynamically track their cyber state and optimise their security practices. Notus’ services include mapping to elements of the MITRE ATT&CK framework, offering a comprehensive strategy for identifying and mitigating the tactics, techniques, and procedures (TTPs) used in cyberattacks.
Cybersecurity Asset Management
- T1583: Acquire Infrastructure / T1584: Compromise Infrastructure
- T1210: Exploitation for Privilege Escalation
- T1548: Abuse Elevation Control Mechanism
- T1052: Exfiltration Over Physical Medium – Attackers use physical media devices to exfiltrate data from a target network.
- T1530: Data Exfiltration from Cloud Storage Object
- T1543.003: Asymmetric Cryptography – Attackers abuse asymmetric cryptography to conceal and exfiltrate sensitive data.
Notus Mitigation:
Notus guarantees adherence to regulatory and compliance standards, including cryptographic usage policies, thereby mitigating the risk of cryptographic abuse for data exfiltration. Through the maintenance of an exhaustive cyber asset inventory, Notus aids in detecting unauthorised or unexpected infrastructure alterations, potentially flagging infrastructure acquisition by attackers. Furthermore, Notus offers real-time cyber asset inventory management, assisting organisations in identifying and monitoring any unauthorised usage.
Continuous Monitoring
- T1071: Application Layer Protocol – Adversaries communicate using application layer protocols to avoid detection or network filtering, blending in with existing traffic.
- T1016: System Network Configuration Discovery
- T1087: Account Discovery
- T1033: System Owner/User Discovery
- T1596: Modify Cloud Compute Infrastructure
- T1082: System Information Discover
- T1212: Exploitation for Credential Access
- T1057: Process Discovery
- T1046: Network Service Scanning
- T1043: Commonly Used Port
- T0886: Remote Services
- T0881: Service Stop
Notus Mitigation:
Continuous monitoring of the digital landscape can reveal unauthorised external remote services, enabling timely mitigation steps. Notus can detect unusual application layer protocol activities, indicating potential exploitation.
Notus enhances endpoint visibility and control to detect and manage hidden files and directories, reducing the risk of undetected persistence mechanisms.
Vulnerability Management
- Threat: T1068: Exploitation for Privilege Escalation – Adversaries exploit software vulnerabilities to elevate privileges, often by taking advantage of programming errors in a program, service, or the operating system itself.
- T1082: System Information Discovery
- T1010: Application Window Discovery
- T1049: System Network Connections Discovery
- T1043: Commonly Used Port
- T1087: Account Discovery
- T1219: Remote Access Tools
- T1110: Brute Force
- T1212: Exploitation for Credential Access
- T1068: Exploitation for Privilege Escalation
- T1200: Hardware Additions
Notus Mitigation:
In-depth examination of software versions and patch levels helps identify vulnerabilities that could lead to supply chain compromises. Identifying and patching vulnerabilities can prevent exploitation attempts aimed at gaining higher privileges.
Policy Management
- Threat: T1222: File and Directory Permissions Modification – Adversaries attempt to modify file and directory permissions to escalate privileges, conceal malicious activities, or gain unauthorized access to sensitive data.
- Threat: T1562: Impair Defences – Such as disabling security controls, anti-virus software, or security monitoring systems.
- T1110: Brute Force
- T1562: Impair Defences
- T1059: Command-Line Interface
- T1064: Scripting
- T1499: Endpoint Denial of Service
- T1070: Indicator Removal on Host
- T1200: Hardware Additions
Notus Mitigation:
Notus’s Policy Management module automates policy enforcement through continuous monitoring, automated checks, alerts for violations, and remediation actions. This ensures asset compliance with security policies, reducing risks and simplifying policy management. Additionally, Notus can assign tasks to specific teams or individuals responsible for resolving each issue, streamlining the incident response process and ensuring timely and effective resolution of security policy violations
Asset Risk Prioritization & Management
- T1078: Valid Accounts – Attackers use valid credentials to compromise systems and maintain persistence.
- T1135: Network Share Discovery – Attackers perform network share discovery to identify accessible shares for lateral movement and data exfiltration.
- T1486: Data Encrypted for Impact (Ransomware) – Adversaries encrypt data on systems or networks, hindering access to resources and potentially demanding ransom for decryption keys.
- T1566: Phishing – Adversaries send phishing messages to gain access to victim systems, a tactic encompassing various forms of deceptive electronic communication.
- T1005: Data from Local System
- T1499: Endpoint Denial of Service
- T1203: Exploitation for Client Execution
- T1068: Exploitation for Privilege Escalation
- T1078: Valid Accounts
- T1210: Exploitation of Remote Services
- T1200: Hardware Additions
- T0812: Default Credentials
Notus Mitigation:
Notus gathers extensive data from all cyber assets, simplifying risk management and prioritization. It helps pinpoint critical assets and identifies potentially vulnerable devices that may be overlooked and susceptible to threats like ransomware. Assigning risk scores to assets aids in prioritizing defences against phishing threats, particularly for high-risk cyber assets.
Notus enables the continuous discovery and fixing of insecure or improperly configured assets, reducing the risk of unauthorised account usage and maintaining secure access control.
Incident Detection & Response
- T1547: Boot or Logon Autostart Execution – Adversaries leverage mechanisms like registry keys, startup folders, or scheduled tasks to launch malicious code during system boot or user logon, ensuring persistence and covert access to compromised systems.
- T1565: Data Manipulation – Adversaries manipulate data within systems or networks, altering, deleting, or modifying information to disrupt operations, compromise integrity, or achieve their malicious objectives.
- T1574: Hijack Execution Flow – Attackers hijack the control flow of a program to execute arbitrary code or perform malicious actions.
- T1059: Command-Line Interface
- T1203: Exploitation for Client Execution
- T1070: Indicator Removal on Host
- T1043: Commonly Used Port
- T1089: Disabling Security Tools
- T0836: Modify Parameter
- T0812: Default Credentials
- T0881: Service Stop
Notus Mitigation:
Notus’s Incident Detection & Response capabilities assists incident response teams by providing contextual information about affected assets, including their criticality and associated vulnerabilities. This capability aids in prioritizing incident response efforts, allowing teams to focus on addressing the most critical risks and minimizing the potential impact of cyberattacks.
Notus’s Service Desk Integration automates task assignment to dedicated teams or individuals, speeding up incident response and ensuring prompt security issue resolution. It seamlessly integrates with tools such as Jira, ServiceNow, ManageEngine, HubSpot, and SolarWinds to monitor progress towards objectives, offering improved visibility into potential access token manipulations.
Final thoughts
Notus’s approach empowers organizations to proactively defend against the ever-evolving threat landscape outlined within the MITRE ATT&CK framework, regardless of the location of their assets. Our innovative solutions transcend geographical limitations, empowering organizations to take a proactive approach to cybersecurity. This forward-thinking strategy ensures businesses maintain robust defenses, constantly updated to combat the dynamic nature of cyber threats, ultimately safeguarding their digital ecosystems regardless of location. Notus’s dedication to comprehensive visibility and continuous monitoring exemplifies a crucial shift towards more resilient and adaptable cybersecurity practices.
