Twitter was buzzing. SwiftOnSecurity tweeted a series of tweets praising MITRE ATT&CK: “If I had MITRE ATT&CK when I started… you have no idea the value of this.” She was right, I had no idea the value, but I wanted to learn, so I headed over to the MITRE ATT&CK website to check it out. I took a look at the MITRE ATT&CK matrix, clicked on a few of the links, and immediately relegated it to the backlog of things that I want to look at later, but which somehow never seem to make it to the top of my TODO list. This article is meant to save you from that same fate by showing an example of applying the MITRE ATT&CK framework to recent threat intelligence to get you past the first hurdle of learning the framework.
On its face, the matrix looks like any index to most any computer security book which makes it hard to just pick up and read. That is misleading however, because the framework is just the taxonomy and the value comes in its application as a map of real attack scenarios. In a blog post on their site, Intezer identified a new campaign from the threat actor group ChinaZ and performed an in-depth analysis of the group, the group’s relationships, and the techniques of the group’s DDoS campaign. We will take this post, pluck out the information about the group, the software, and the group’s attack techniques to find the associated information in the MITRE ATT&CK framework.
In a nutshell, Intezer detected ChinaZ’s activity via a honeypot. ChinaZ begins their campaign by performing brute-force SSH/telnet attacks looking for vulnerable servers to enroll in their DDOS botnet. Once in, the attacker runs scripted commands to download botnet files hosted in an ephemeral “Chinese Http File Server (HFS) panel”. They change the permissions of the executable, turn off the firewall, and attempt to execute the tool. If execution fails, the script tries a different directory. If they are able to get the tool to execute, they try to ensure persistence by writing a simple init script (on Linux hosts). Then they are ready to receive commands from the CNC server.
PRE-ATTACK Taking what we learned from Intezer’s blog post and turning now to the MITRE ATT&CK framework, most attack campaigns begin with some preparation by the threat actor group which MITRE describes as the PRE-ATTACK phase (or domain). The blog post shows that multiple of the group’s tools use the same domain name for the CNC server. Thus, the group must have registered this domain which is represented in the framework as T1328 Buy domain name. The group is using several pieces of software, some of which were previously known to threat analysts, others of which may have been tailored for this campaign. Preparing software for the attack is represented in the framework as T1346 Obtain/re-use payloads. The group uses Chinese Http File Server (HFS) instances to host the malware which is represented as T1307 Acquire and/or use 3rd party infrastructure services.
Initial Access With the infrastructure in place, the campaign begins by SSH/telnet brute force attacks on ssh and telnet looking for valid accounts with weak passwords: T1078 Valid Accounts.
Execution, Persistence, and Defense Evasion Once the attackers have access to a system, the botnet payload is downloaded from the file server using the command line T1059 Command-Line Interface. It ensures that the payload can run by changing permissions T1222 File Permissions Modification, disabling the firewall T1089 Disabling Security Tools, and putting it in a compatibly mounted directory. It ensures persistence by creating an rc.local init script. The MITRE ATT&CK framework lacks a Linux-specific init script technique, but the Windows specific T1050 New Service technique and the MacOS specific T1160 Launch Daemon are pretty close.
Command and Control Finally, the blog post mentions that some of the CNC server communications are encrypted using an RC4 key which is represented in the Command and Control Domain as T1032 Standard Cryptographic Protocol.
Other Domains The Intezer blog post does not describe any attempts at Credential Access, Discovery, Lateral Movement, Collection, nor Exfiltration. That is expected because this campaign is focused on creating a DDoS botnet.
Groups and Software The MITRE ATT&CK framework Groups section lists threat actor groups. Unfortunately, ChinaZ is not yet listed. The philosopy of the MITRE ATT&CK framework is to contain information of enduring value about attacker behavior rather than serving as an enumeration, so it is not entirely clear to me that the framework intends to enumerate all of the threat actor groups. It does not enumerate all known threat actors, however, it does list enough threat actors to show examples of how threat actors can be characterized by their behavioral attack patterns. See for example the information on APT28. Reading through the techniques used by individual threat actor groups is another great way to jumpstart your understanding of the framework. Florian Egloff and others maintain a public spreadsheet of threat actor group names which maps names assigned by different threat analysts to each other.
According to the blog post, ChinaZ makes use of Billgates, MrBlack, DDOSClient, a Gh0st RAT variant (BX.exe), and a port scanning tool written in Python to perform the SYN flood. The malware is also infected with Nitol and Parite. Of these, only Gh0st is enumerated in the framework. As with the Groups section, the Software section is interesting to explore because it shows how attacks are constructed of multiple attack techniques.
This exercise demonstrates that there are still some gaps in the MITRE ATT&CK coverage, particularly on Linux. As it turns out, MITRE has an open call for contributions specifically requesting Linux contributions. This exercise also demonstrates that even highly detailed threat intelligence coverages concentrates heavily on the interesting and novel particulars of a campaign rather than on a comprehensive description of the entire attack.
If this all seems a bit cumbersome to you, remember this is a learning exercise to start understanding the breadth and depth of the MITRE ATT&CK framework and how to use it. There are tools which will help you get a handle on using the frame work and tools which will automate the mapping of techniques being used against your infrastructure. One such tool is the open source MITRE ATT&CK Navigator. Another tool is the Cyber Adversary Framework Mapping Application in QRadar Advisor with Watson 2.0.0+.
There are many more groups, software, and attack techniques in the MITRE ATT&CK framework that we didn’t cover in this article. We barely even scratched the surface, but I hope that this will give you a practical introduction to the framework, so that you can start using it to understand how attacks against your infrastructure are progressing.