The Modern Cybersecurity Framework – Introduction


The Cybersecurity Threat Landscape continues to grow more ominous by the day. The year 2021 was peppered with several high-profile breach incidents. Perhaps more significant was the dramatic uptick in breach incidents that failed to make the evening news.

As a Managed IT Services provider serving the SMB community in West Chicago, DuPage County, Kane County, and the other collar counties surrounding Chicago, we pay particular attention to incidents that can kill the dreams of small business owners and, by extension, their employees.

Most cybersecurity incidents start out small – imperceptibly so. This is by design. The garden-variety crypto-locking extortion incident is designed to take place over the course of weeks – if not months. Experienced hackers will take their time, making sure to maximize the impact and the associated dollar value. 

The MITRE ATT&CK Framework

This series of blog posts is designed to help business owners understand the risks they face and the mechanisms deployed against them. The points contained here are based on the MITRE ATT&CK Framework. The MITRE Corporation is a not-for-profit organization that works in the public interest across federal, state, and local governments, as well as private industry and academia.

While the term “MITRE” is not an acronym and its origins are somewhat obscure, the term ATT&CK stands for “Adversarial Tactics, Techniques, and Common Knowledge.” The ATT&CK framework is a curated knowledge base and model for cyber adversary behavior. In essence, hackers are predictable. While the specific direction and pace of attack will vary, the documented behaviors are consistent. As such, anyone with a vested interest in cybersecurity should pay attention to the diligently compiled ATT&CK framework and modify their behaviors accordingly.

The ATT&CK framework was created in 2013 as a result of MITRE’s Fort Meade Experiment. The main focus of that effort was to answer the question “how well are we doing at detecting documented adversarial behavior?” To answer the question, researchers developed the ATT&CK framework, which became one of the most respected tools to categorize adversarial behavior.

The MITRE ATT&CK framework now has three matrices, each covering a different technology domain:

  • ATT&CK for Enterprise – Focuses on adversarial behavior in Windows, macOS, Linux, and cloud environments.
  • ATT&CK for Mobile – Focuses on adversarial behavior on iOS and Android operating systems.
  • ATT&CK for ICS – Focuses on adversarial behavior within Industrial Control Systems networks.

The ATT&CK Matrix documents the techniques adversaries use and the tactics those techniques serve, where a tactic is the adversary's objective at that stage of the attack and a technique is how they achieve it. MITRE has broken the Enterprise tactics down into fourteen categories:

  1. Reconnaissance: gathering information to plan future adversary operations, e.g., information about the target organization
  2. Resource Development: establishing resources to support operations, e.g., setting up command and control infrastructure
  3. Initial Access: trying to get into your network, e.g., spear phishing
  4. Execution: trying to run malicious code, e.g., running a remote access tool
  5. Persistence: trying to maintain their foothold, e.g., changing configurations
  6. Privilege Escalation: trying to gain higher-level permissions, e.g., leveraging a vulnerability to elevate access
  7. Defense Evasion: trying to avoid being detected, e.g., using trusted processes to hide malware
  8. Credential Access: stealing account names and passwords, e.g., keylogging
  9. Discovery: trying to figure out your environment, e.g., exploring what they can control
  10. Lateral Movement: moving through your environment, e.g., using legitimate credentials to pivot through multiple systems
  11. Collection: gathering data of interest to the adversary's goal, e.g., accessing data in cloud storage
  12. Command and Control: communicating with compromised systems to control them, e.g., mimicking normal web traffic to communicate with a victim network
  13. Exfiltration: stealing data, e.g., transferring data to a cloud account
  14. Impact: manipulating, interrupting, or destroying systems and data, e.g., encrypting data with ransomware
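As an added example that is not part of this post or of MITRE's own tooling, the following Python script shows how a defender can turn the fourteen tactics above into a simple detection-coverage check, asking the Fort Meade question ("how well are we doing at detecting documented adversarial behavior?") at the tactic level. The detection inventory and rule names are constructed for illustration.

```python
"""Tactic-level detection coverage check against the fourteen ATT&CK for Enterprise tactics."""

# The fourteen tactics, in the kill-chain order the post lists them.
TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]

# Constructed sample inventory: each detection rule is tagged with the tactic(s)
# whose behavior it can observe. Rule names are hypothetical.
DETECTIONS = {
    "email-gateway-phish-block": ["Initial Access"],
    "edr-suspicious-child-process": ["Execution", "Defense Evasion"],
    "new-scheduled-task-alert": ["Persistence"],
    "lsass-access-alert": ["Credential Access"],
    "mass-file-rename-alert": ["Impact"],
}


def coverage_by_tactic(detections):
    """Map every tactic to the sorted rules covering it; an empty list marks a gap."""
    coverage = {tactic: [] for tactic in TACTICS}
    for rule, tactics in detections.items():
        for tactic in tactics:
            if tactic not in coverage:  # catch typos such as "Lateral Movment"
                raise ValueError(f"{rule}: unknown tactic {tactic!r}")
            coverage[tactic].append(rule)
    return {tactic: sorted(rules) for tactic, rules in coverage.items()}


def coverage_gaps(detections):
    """Tactics with no detection at all, in kill-chain order."""
    return [t for t, rules in coverage_by_tactic(detections).items() if not rules]


def coverage_ratio(detections):
    """Fraction of the fourteen tactics that have at least one detection."""
    return (len(TACTICS) - len(coverage_gaps(detections))) / len(TACTICS)


if __name__ == "__main__":
    for tactic, rules in coverage_by_tactic(DETECTIONS).items():
        status = "covered" if rules else "GAP"
        print(f"{tactic:22s} {status:8s} {', '.join(rules)}")
    print(f"tactic coverage: {coverage_ratio(DETECTIONS):.0%}")
```

Treating a tactic as covered because a single rule touches it is deliberately coarse; a real assessment works at the technique level, where the same gaps usually look far wider.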

This blog post is merely the introduction. This series will serve to explain the tactics in plain terms that any layman should be able to comprehend. Thom Infotech follows this cybersecurity framework closely in our efforts to protect the confidentiality, availability, and integrity of our clients’ data and systems. Please follow along as we embark on this journey.