Cyber attackers are now targeting any kind of information that can reward them: from personal data to corporate information to government secrets. However, behind each attack, there is a long chain of thoroughly selected actions.

While most organizations focus their attention on protecting the perimeter of their corporate network, the cybersecurity experts from MITRE advise expanding their ability to understand the behavior of adversaries.

Hackers select their victims long before their attack and carefully collect information about them before executing any malicious actions. Nowadays, the internet provides them with a great variety of data about almost any company, so adversaries can learn enough not only about a company’s activity but also about its cybersecurity weak spots.

To help security officers understand how hackers choose their victims and prevent an attack before it even begins, MITRE, a non-profit corporation that tackles cybersecurity problems, has created the PRE-ATT&CK matrix that is a part of the Adversarial Tactics, Techniques, and Common Knowledge, also known as the ATT&CK framework.

What is the PRE-ATT&CK matrix?

PRE-ATT&CK allows security officers to prevent a possible attack before an adversary penetrates into their network. The PRE-ATT&CK matrix contains 15 tactics and more than 150 techniques that explain the adversary planning, information gathering, reconnaissance, and setup when preparing their attack.

The tactics in PRE-ATT&CK explain the typical adversarial techniques and procedures for selecting a victim, obtaining information about it, and launching the cyber attack. This information provides security officers with a broader understanding of adversary behavior before any indicators of compromise appear.

PRE-ATT&CK allows security officers to find answers on the following questions:

•        Are there any signs that cyber attackers are targeting your organization?
•        What adversary techniques may an attacker apply to your company?
•        How can you analyze the collected data to notice a hacker’s interest into your organisation?

Analyzing the PRE-ATT&CK techniques and tactics, defenders can get a better understanding of cyber attacker activities. They can use this knowledge to make appropriate decisions on what technical measures and mitigations to adopt in order to reduce hacker’s chances on properly preparing an attack on their organization.

How to use the PRE-ATT&CK matrix

The PRE-ATT&CK matrix provides detailed information about how adversaries prepare for arranging a cyber attack. The PRE-ATT&CK tactics explain what goals an aversary sets for themselves, while each technique shows how these goals can be achieved. The tactics in PRE ATT&CK reflect such attacker goals:

•        Priority definition
•        Victim selection
•        Gathering information about a victim
•        Victim weakness identification
•        Persona development
•        Capabilities setup

The PRE-ATT&CK techniques show how adversaries perform each tactic and allow enterprise defenders to track and organize attack statistics and patterns.

Priority definition

Using this tactic, an adversary weighs all the pros and cons of arranging an attack. They set their goals by considering how the information they are getting can benefit them and what kind of information has the biggest value for them. At this stage, cyber criminals compare the cost of cyber intrusions with the expected reward from their activity.

Victim selection

Taking into account their priorities, adversaries begin to look for their victims. They take their strategic considerations and then narrow them down tactically and operationally until a victim is selected. Depending on their target, adversaries can decide to attack it directly or through business partners. However, for making the right decision, hackers usually need to collect all possible information about their target.

Gathering information about the victim

After adversaries select their victim, they can’t blindly execute an attack. They first need to gather all information about their target: the type of technical system the victim uses, the personnel that works for the victim, and the victim organization itself.

Attackers usually collect information about their victims by using open-source intelligence tools and techniques. Such data about a victim as organization’s domains, email address format, names of top personnel can be freely found online by combining phishing and social engineering techniques.

While organizations can’t minimize their presence on the internet nowadays, security officers can consider how the public data of their company may be abused and define vectors of possible attacks.

Identifying victim weaknesses

By analyzing all the data collected at the previous stage, adversaries can find potential weaknesses of their victim. The discovered vulnerabilities become the basis of creating a plan of the attack. Weakness identification also allows adversaries to test and configure their own systems for attack execution.

At this stage, defenders can consider the Pyramid of Pain that will help them define the importance of indicators of compromise.

Persona development

Though the internet is a place where you can find everyone, it’s also a place where anyone can create a fake persona. A hacker can develop their persona by providing a fake email address and personal information to one of the social media sites. Getting in contact with a potential victim, an adversary can gain greater access to the victim’s personal profile with an intention to abuse this data later.

Unfortunately, most social media don’t inform their users whether someone viewed their profile. However, organizations can establish tight privacy control for their corporate accounts in social media by establishing trusted connections, blocking suspicious content, and educating their employees.

Capabilities setup

After getting in contact with potential victims, an adversary will establish capabilities for arranging an attack. Though some cyberc riminals may be really technology-savvy, most of them look for the easiest way to maintain their own internet infrastructure.

There are plenty of cost-effective ways to anonymously use servers, autonomous systems, and networks. Adversaries often abuse this anonymity for achieving their malicious goals. Paying just several dollars per month, they can get a virtual presence enough for compromising your organization.

Even if your logs detected adversarial activity from a specific server, it would be very difficult to legally pursue that source because of the lack of evidence. Though it may seem nearly impossible to detect an adversary at this stage of the cyber attack, security teams should pay attention to behavioral patterns that indicate hacker’s activity.

While PRE-ATT&CK describes only the adversarial behavior before an attack, MITRE has recently integrated some PRE-ATT&CK techniques into ATT&CK to let security teams define the potential vectors of attacks on their organizations and improve their security measures accordingly.

Enterprises that integrate PRE-ATT&CK into their security best practices can significantly enhance their protection measures and prevent adversaries long before they actually begin their malicious campaigns.

Conclusion

It’s not a secret that cyber attacks are now more targeted than any time before. Cyber criminals carefully select their next victim and conduct a thorough investigation before penetrating into your corporate network. Using the PRE-ATT&CK matrix from MITRE, security teams can reveal the early signs of adversarial behavior and prevent an attack before hackers compromise your organization.  

This article is a contribution from Marcell Gogan.  Marcell is a specialist within digital security solutions, business design and development, virtualization and cloud computing, R&D projects, establishment and management of software research direction – working with Ekran System. He also loves writing about data management and cybersecurity.