ALPS blog

The Storybook Approach to MITRE ATT&CK

Original article Trend Micro

The MITRE ATT&CK® knowledge base is an extremely valuable tool that helps drive advancement and alignment throughout the cybersecurity industry. It has standardized the interpretation of an attacker’s approach and provided a common language to describe threat group behaviours. Evaluations conducted by MITRE Engenuity don’t generate any scores, rankings or ratings. Instead, businesses are shown in full transparency how a vendor can help detect attacks from certain threat groups. By aligning to the ATT&CK framework, these evaluations provide a complete story of the attack. In the current evaluation, attacks from two financially motivated threat groups with similar behavior were simulated separately.

However, before we get into the actual evaluation breakdown of what each phase analyzes and highlights, it is important to understand this year’s attack scenarios. The MITRE Engenuity ATT&CK Evaluations build their simulations on real-world advanced persistent threat (APT) attacks, emulating the tradecraft and operational flows of specific adversary threat groups. This year the evaluation separately simulated two financially motivated threat groups that use similar behaviors, Carbanak on day 1 and FIN7 on day 2, which in total included over 174 steps.

In attacks by the Carbanak and FIN7 groups, respectively, the criminals gain access to a system via spear phishing tactics. After gaining a foothold in the system, the Dynamic Data Exchange (DDE) feature in Windows and legitimate cloud-based services are abused to deliver the malware or establish command-and-control (C&C) communication. After that, the Carbanak backdoor can be used to log keystrokes and capture screenshots, steal and delete cookies, inject malicious code into websites, and monitor various traffic. For lateral movement, the malware abuses remote and system administration tools. Interested parties can find more details about these attacks in a separate entry.

MITRE evaluations test a solution’s ability to detect a targeted attacker. This means that unlike traditional testing, MITRE Engenuity focuses solely on the product’s detection capabilities after an attack has occurred. This year, however, an optional evaluation on a product’s ability to block or prevent an attack was introduced. It tested how effective a product is at detecting a threat in progress and stopping it before further damage is done.

The Compromise: Tricking the Target

The MITRE Engenuity ATT&CK Evaluations story begins with an integral manager, whether at the bank or hotel, being compromised. The simulated attackers sent a spear phishing email with a malicious attachment to the manager with the goal of tricking them into opening it, as this technique relies upon user execution. When the manager opened the attachment, initial access was granted to the threat group.

Maintaining Access: The Leg Work

Now that the threat group has been granted access to the organization’s network, they must collect the necessary information needed to complete their objective. There are several tactics used throughout the attacker’s journey. They maintain access and avoid detection through persistence and defense evasion techniques.

The adversary uses privilege escalation, which commonly involves taking advantage of pre-existing system weaknesses, misconfigurations, and vulnerabilities to gain higher permissions. From here the threat actor will access and collect credentials and work to discover the right systems to target to complete their objective.

The two groups in question are both financially motivated, so they’re looking for information that can give them the highest dollar value when resold. Historically, Carbanak and FIN7 have targeted personally identifiable information (PII) and credit card information for resale.

Lateral Movement: Moving in for the Kill

The threat group will use lateral movement techniques to locate the targeted system that they will take control of for fraud or to steal data that they can sell for financial profit. This is a critical point in attack detection. If the threat actors are still living in your network and moving laterally, data correlation across the environment is crucial in connecting the dots and weeding out the attacker before their final steps.

Trend Micro Vision One is great for this step. Automatically correlating threat data from different areas of the network and endpoint provides better alerts to security teams. We don’t just tell you these individual events have all occurred – we connect the dots for you, showing that they might be related and have similar indicators of compromise as a certain attack group or type.

So let’s summarise the story of the evaluation:

The first advanced attack was from the Carbanak group, who were targeting a bank, one of the popular targets for this group. The attack started with compromising the HR Manager, then moving laterally to locate the CFO’s system, from which sensitive data was collected and spoofed money transfers were carried out.

Figure 5 – Carbanak evaluation environment with Trend Micro solution placement for both detection and prevention scenarios.


The second simulation was a staged attack from the FIN7 group, who launched an attack on a hotel chain. They compromised the Hotel Manager and silently maintained access until credentials were collected and a new victim system was discovered, from there moving laterally to an IT admin system, pivoting to an accounting system and setting up persistence to skim customer payment data.

Figure 6 – FIN7 evaluation environment with Trend Micro solution placement for both detection and prevention scenarios.

In the third scenario, the evaluation simulated 10 attack scenarios involving 96 tests, played out to test the advanced prevention controls used in rapidly reducing exposure and allowing you to respond to less common threats. Think of it like locking your front door instead of relying on a CCTV system to record someone stepping right in. Ensuring prevention controls are in place alongside detection is a key tenet in preventing and detecting advanced threats like these.

Figure 7 – Blocking early prevents the rest of the attack from spreading.

What Does it Mean for Me?

This is where Trend Micro’s 30+ years of data and threat research become a major value add allowing you to bring all the telemetry together to clearly tell the story of an attack.

Trend Micro Vision One platform can help customers like you deliver impressive results:

  • 96% of attack coverage to provide visibility of 167 out of 174 simulated steps across the evaluations. This broad visibility allows customers to build a clear picture of the attack and respond faster.
  • With Linux gaining huge popularity amongst many organizations, especially moving to the cloud, 100% of attacks against the Linux host were detected, capturing 14/14 attacker steps.
  • 139 pieces of telemetry were enriched by the Trend Micro Vision One platform to provide extremely effective threat visibility to better understand and investigate attacks.
  • 90% of attack simulations were prevented through automated detection and response very early on in each test. Deflecting risk early on frees up investigation resources, allowing teams to focus on the harder security problems to solve.

What else do I need to consider?

When evaluating the performance of vendors, it is important to consider the hierarchy of detection types. There are 5 types identified by MITRE ATT&CK:

  1. None: While no detection information is given, None doesn’t mean that no detection occurred. Rather, it means it did not meet the required detection criteria set by MITRE Engenuity.
  2. Telemetry: Data was processed that shows an event occurred related to the process being detected.
  3. General: A general detection indicates that something was deemed suspicious, but it was not assigned to a specific tactic or technique.
  4. Tactic: A detection on tactic means the detection can be attributed to a tactical goal (e.g. credential access).
  5. Technique: A detection on technique means the detection can be attributed to a specific adversarial action (e.g. credential dumping).

Results that are categorized as a detection type of General, Tactic or Technique reflect enriched data, which is a good thing: these detections, such as the individual MITRE ATT&CK technique and its associated tactic, can be used to tell the detailed story of the attack. This has led to a general understanding that General, Tactic and Technique detections are one of the priorities across vendors.

Tactics are similar to a chapter of a book. A CISO can outline a story they want to tell with the high-level tactics used in an attack and then refer to the techniques to tell the story of how they accomplished the attack which provides extra detail.

Figure 8 – Carbanak and FIN7 evaluation, 65 ATT&CK techniques across 11 ATT&CK tactics are in scope for this evaluation.

So, when evaluating vendors, the most important detection type to weigh is the number of General, Tactic and Technique detections.
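To make the hierarchy of detection types concrete, the following is an added Python example (not code from Trend Micro or from the MITRE Engenuity evaluation) that rolls per-substep detection categories up into the kind of figures quoted above: visibility (steps with any detection, the "167 out of 174" style number), the share of steps with an enriched General/Tactic/Technique detection, and a tactic-by-tactic "chapter" view of the attack. The step identifiers and detection results are constructed sample data chosen to resemble the behaviours described in this write-up; the ATT&CK technique IDs are real IDs for those behaviours but are not taken from the published Carbanak/FIN7 results. When a substep carries several detections, the richest category is credited, which is the assumption behind the best_detection helper.

```python
"""Roll up per-substep ATT&CK Evaluation detection categories into coverage
figures and a tactic-by-tactic story of the attack.

Added illustration; the data below is constructed and is NOT the Carbanak/FIN7
result set published by MITRE Engenuity.
"""
from collections import OrderedDict

# Detection categories from lowest to highest quality, as listed in the text.
DETECTION_RANK = {"None": 0, "Telemetry": 1, "General": 2, "Tactic": 3, "Technique": 4}
# Categories that reflect enriched data rather than raw footprints.
ANALYTIC = {"General", "Tactic", "Technique"}

# Constructed sample substeps (hypothetical step ids and detection outcomes;
# technique ids are real ATT&CK ids matching the behaviours in the write-up).
SAMPLE_RESULTS = [
    {"step": "1.A.1", "tactic": "Initial Access", "technique": "T1566.001",
     "detections": ["Telemetry", "Technique"]},   # spearphishing attachment
    {"step": "1.A.2", "tactic": "Execution", "technique": "T1204.002",
     "detections": ["Telemetry"]},                # user opens malicious file
    {"step": "2.A.1", "tactic": "Execution", "technique": "T1559.002",
     "detections": ["General"]},                  # DDE abuse
    {"step": "3.B.1", "tactic": "Collection", "technique": "T1113",
     "detections": []},                           # screen capture, missed
    {"step": "4.A.1", "tactic": "Credential Access", "technique": "T1003",
     "detections": ["Telemetry", "Tactic"]},      # credential dumping
    {"step": "5.A.1", "tactic": "Lateral Movement", "technique": "T1021.001",
     "detections": ["Telemetry", "General", "Technique"]},  # RDP
    {"step": "5.A.2", "tactic": "Collection", "technique": "T1056.001",
     "detections": ["None"]},                     # keylogging, missed
    {"step": "6.A.1", "tactic": "Lateral Movement", "technique": "T1021.001",
     "detections": ["Tactic"]},                   # RDP to accounting host
]


def best_detection(detections):
    """A substep may carry several detections; credit the richest category."""
    best = "None"
    for d in detections:
        if d not in DETECTION_RANK:
            raise ValueError(f"unknown detection category: {d}")
        if DETECTION_RANK[d] > DETECTION_RANK[best]:
            best = d
    return best


def summarize(results):
    """Visibility and analytic-detection counts/percentages plus a category histogram."""
    total = len(results)
    by_category = {cat: 0 for cat in DETECTION_RANK}
    visible = analytic = 0
    for r in results:
        best = best_detection(r["detections"])
        by_category[best] += 1
        if best != "None":
            visible += 1
        if best in ANALYTIC:
            analytic += 1
    pct = lambda n: round(100 * n / total, 1) if total else 0.0
    return {
        "total_steps": total,
        "visible_steps": visible,
        "visibility_pct": pct(visible),
        "analytic_steps": analytic,
        "analytic_pct": pct(analytic),
        "by_category": by_category,
    }


def attack_story(results):
    """Group substeps by tactic (the 'chapters'), keeping first-appearance order.

    Each chapter lists (step, technique, best detection) in evaluation order.
    """
    story = OrderedDict()
    for r in results:
        story.setdefault(r["tactic"], []).append(
            (r["step"], r["technique"], best_detection(r["detections"])))
    return story


def tactic_coverage(results):
    """Per-tactic visibility as (visible substeps, total substeps)."""
    coverage = {}
    for tactic, steps in attack_story(results).items():
        seen = sum(1 for _, _, best in steps if best != "None")
        coverage[tactic] = (seen, len(steps))
    return coverage


if __name__ == "__main__":
    s = summarize(SAMPLE_RESULTS)
    print(f"visibility: {s['visible_steps']}/{s['total_steps']} ({s['visibility_pct']}%)")
    print(f"analytic detections: {s['analytic_steps']}/{s['total_steps']} ({s['analytic_pct']}%)")
    for tactic, steps in attack_story(SAMPLE_RESULTS).items():
        seen, total = tactic_coverage(SAMPLE_RESULTS)[tactic]
        print(f"[{tactic}] {seen}/{total} substeps seen")
        for step, technique, best in steps:
            print(f"  {step:7} {technique:10} {best}")
```

Running the block prints the two headline percentages and then the attack as chapters, one tactic at a time, with the technique and the best detection credited for each substep. The per-tactic view is what makes gaps visible: in the constructed data both Collection substeps are missed even though overall visibility is 75%, which is exactly the kind of detail a headline coverage number hides.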

Telemetry also gives security analysts access to the raw footprints that provide increased depth of visibility they need when looking into detailed attacker activity across assets. Again, it’s not only important to have access to the data, but to make sense of the data.

Trend Micro doesn’t leave that responsibility wholly on you. We start the data correlation process for you to make a larger attack campaign more apparent. You also have the option to further explore relationships to the MITRE ATT&CK framework or get more information on specific attack types and groups from the platform.

Figure 9 – Some organizations may want telemetry, while others would want Technique detection.

During the simulation, the Trend Micro Vision One platform detected both attacks successfully with complete visibility across the environment, allowing centralized detection and investigation. It collected over 167 pieces of telemetry and correlated them back to over 139 pieces of enriched data, allowing the team to paint a clear story of exactly what the attackers were trying to achieve.

A separate third round was conducted to test prevention controls that are used to prevent risk in the environment. This was an optional protection scenario in which 17 of the 29 vendors participated, including Trend Micro. For this specific test, Trend Micro performed exceptionally with the ability to block 90% of simulations automatically.

Another added element this year which deserves a special mention was the introduction of a Linux server, where we detected all 14 techniques executed in the simulated attack scenario.

We are always happy to participate in MITRE Engenuity ATT&CK Evaluations to test our products against rigorous attacks. Check out the complete results and more information on Trend Micro Vision One here:



