{"id":7573,"date":"2022-03-23T11:28:20","date_gmt":"2022-03-23T18:28:20","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=7573"},"modified":"2022-03-25T09:40:31","modified_gmt":"2022-03-25T16:40:31","slug":"mitre-attck-and-dns","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/security\/mitre-attck-and-dns\/","title":{"rendered":"MITRE ATT&CK and DNS"},"content":{"rendered":"

The MITRE ATT&CK\u2122 framework, developed by The MITRE Corporation, is a comprehensive knowledge base of cyber attacker tactics and techniques gathered from actual observation of attacker behavior. The MITRE Corporation is a nonprofit organization which was founded in 1958. MITRE does work for U.S. Government agencies in a wide variety of areas. MITRE ATT&CK (Adversarial Tactics, Techniques, And Common Knowledge) was developed and released by Mitre Corp. in 2015.<\/span><\/p>\n

As an important knowledge base, MITRE ATT&CK enables anyone on the cyber defense team to review and contrast attacker activity, and then understand the best options for defense. So you know, there is also MITRE PRE-ATT&CK, which helps cyber defenders prevent an attack before the attacker can gain access to the network. The 15 top-level tactic categories for PRE-ATT&CK correlate to the first two stages of the Lockheed Martin Cyber Kill Chain\u00ae.\u00a0 PRE-ATT&CK presents the tactics, underlying techniques, and procedures that a cyber attacker will use to define targets, gather information, and then launch an attack.<\/span><\/p>\n

Given the greatly increased porosity of the perimeter, the movement to the cloud and mobile devices, and the greater ability of attackers to morph and change tools that were previously found by static signatures, it is likely that at some point an attacker will successfully penetrate your network. Given this assumption, a detailed focus on attacker behavior, such as provided by MITRE ATT&CK, is the best way to find and stop an ongoing attack before data exfiltration or destructive behavior can be achieved.<\/span><\/p>\n

MITRE ATT&CK brings a common lexicon to describe the activities of cyber attackers, and the step-by-step tactics and techniques which they will use. This enables you to communicate clearly with others in the cyber defense community on the exact details of the threat. ATT&CK also provides a strong framework for describing your current security controls and processes. At a very basic level, MITRE ATT&CK allows the security operations defenders to clearly identify the nature of a threat, map that threat back to the controls that should protect against it, and then ultimately determine whether or not that control is effective.<\/span><\/p>\n

Sources of reliable data used by MITRE to develop the knowledge base included malware samples, security conference presentations, threat intelligence reporting, and a variety of other public and private sources including social media, blogs, and webinars.\u00a0<\/span><\/p>\n

Red teams and the techniques that they use have also been an excellent source of data.<\/span><\/p>\n

The MITRE ATT&CK framework provides a comprehensive taxonomy to post-exploitation cyber attacker behavior. A detailed focus on attacker behavior, such as provided by MITRE ATT&CK, is the best way to find and stop an ongoing attack before data exfiltration or destructive behavior can be achieved. This helps you balance your defensive measures against the steps an attacker will take.\u00a0 The end goal in using MITRE ATT&CK is to make better decisions about assessing risks, deploying new security controls, and better defending your network.\u00a0 MITRE ATT&CK has segmented attacks in a very consistent way that makes it easy to compare them and to determine how an attacker might have exploited your network.\u00a0 Most attacker analysis focuses on their activities in terms of perimeter defense. MITRE ATT&CK takes a much closer look at them once they get in.\u00a0<\/span><\/p>\n

\"\"<\/p>\n

MITRE ATT&CK is presented as a series of easily navigable matrices that contain critical information about attacker behavior. This information includes attacker Tactics, Techniques (& Sub-techniques) and Procedures.\u00a0<\/span><\/p>\n

\"\"<\/p>\n

This can be logically represented in the MITRE ATT&CK matrix with column headings (Tactics), row entries under each column (Techniques), and the steps the attacker takes to execute one technique, or perhaps to string together a bunch of techniques. These steps are called the Procedures. Together these represent the Tactics, Techniques, and Procedures (TTP\u2019s) of the attacker.<\/span><\/p>\n

Now we can look at all of the Tactics, one at a time, and determine which techniques & sub-techniques utilize or rely on DNS to move the attacker closer to their goals. Here is the full list of MITRE ATT&CK enterprise tactics in this graphic:<\/span><\/p>\n

\"\"<\/p>\n

Now lets focus in on those that impact or touch DNS in any way.<\/span><\/p>\n

Here is just the Reconnaissance Tactic:<\/span><\/p>\n

\"\"<\/p>\n

And here you can see which techniques under Reconnaissance utilize DNS.<\/span><\/p>\n

\"\"<\/p>\n

This is the specific detail of these techniques & sub-techniques provided by MITRE. You can see why you need a modernized DDI environment and why using DNS security is so important:<\/span><\/p>\n

T1590. Gathering Victim Network Information. Adversaries may gather information about the victim’s networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.<\/span><\/p>\n