When thinking about malicious cyber-attackers, we often imagine someone in a hooded jumper sneaking around the shadows of the underworld, waiting for an opportunity to strike. This cunning and deception have proved to be highly successful over the years, with threat actors, it seems, continuously able to stay one step ahead of those trying to protect themselves or their businesses against threats.
Defenders have had to adapt to be as equally cunning when it comes to security, and this thinking underpins the popular ‘MITRE ATT&CK’ framework. An abbreviation for ‘adversarial tactics, techniques, and common knowledge,’ this database contains known attacker tactics and techniques to help cybersecurity defenders and red teamers stay ‘in the know’ on how attackers think and operate. This information helps organizations with their mitigation strategies, allowing them to recover from breaches faster and even catch malicious actors red-handed.
Yet, how useful is the MITRE ATT&CK framework in the real world? Here we put it to the test and deconstruct a real-world ransomware attack against Colonial Pipeline last year using the framework. Hopefully, the findings will help organizations better prepare against the newest means of attack because it’s about addressing the technique, not the tool.
Deconstructing the Colonial Pipeline attack
- Phase 1 – recon: The essential first step to any attack is combing through the publicly available information on the target – and the Colonial Pipeline attackers reportedly launched a Metasploit listener to keep an ear on incoming connections. They also used simple phishing techniques, such as faking an email from the organization’s IT department, to ensure users downloaded infected software to create an easily accessible backdoor for the attacker.
- Phase 2 – initial access: With secret entry achieved, the attackers installed a program that allowed them to see the company’s internal infrastructure – and plan the best way to attack – before carefully deleting any trace of activity to remain undetected.
In this attack, threat actors seemingly used several MITRE-defined techniques to get initial access – including phishing attacks, social engineering campaigns and exploiting public-facing applications. This combined approach allowed them to find any small crack in the cybersecurity protections. In this case, they targeted credentials and compromised identities and exploited them without being detected. - Phase 3 – execution: Once the attack was fully underway, threat actors looked for information about the account controlling the domain, alongside its IP address and hostname. This is the ‘crown jewel’ for an attacker, and not protecting it properly can be devastating for organizations. Getting access to this information allows an attacker to pose as a legitimate user, meaning they can travel the network without looking suspicious – the perfect disguise. Being undercover in this way then means they’re free to steal precious data, spread ransomware or otherwise wreak havoc.
Most importantly, with this access to the domain controller, attackers can establish themselves as the system admin – gaining unlimited access and the ability to execute devastating attacks.
In this situation, the importance of the ‘assume breach’ mentality can’t be emphasized enough – it’s key to securing your programs immediately, even if you’re unsure whether they’ve been targeted yet.
- Phase 4 – persistence: Patience and persistence are essential to successful ransomware attacks. Once a hacker has established themselves as a system admin, they can schedule tasks that keep the back door open, allowing them to consistently return to the scene (server) of the crime and cause more damage.
In the Colonial Pipeline attack, this allowed hackers to run exploits and collect password hashes – exporting a ton of data that could be made readable (with a bit of persistence and a suitable program) and could contain critical admin passwords.
In this case, a system that automatically regenerates passwords could have been a crucial mitigation step. Crucially, during an attack, this system can prevent lateral and upward movement, limiting the amount of damage an attacker can do across a certain time span and giving organizations time to address the problem before irreparable damage is done.
- Phase 5 – escalation: During an attack of this kind, the goal is almost always privilege escalation – gaining more and more access to important members of the organization. In this case, the attackers showed persistence in getting better credentials until they found the perfect spot to upload their ransomware for maximum impact.
- Phase 6 – evasion: After initial access, an attacker’s second priority is defense evasion. The ability to remain undetected is critical. This is where those cunning and deceitful defense skills come in – the secret invader will try their best to cover their tracks by deleting output directories, CSV files, etc. Yet, a carefully layered defense-in-depth approach to ransomware should help an organization spot these moves, and the sooner you spot an attack, the sooner you can start to mitigate it.
- Phase 7 – credential access: As has proven common in ransomware attacks, Colonial Pipeline attackers targeted privileged credentials, which provided them with far-reaching administrative access to sensitive data and systems.
For this reason, privileged access management controls that grant users the minimum set of rights are an essential part of a layered security approach while also contributing to a Zero Trust philosophy.
The Next Big Attack Probably Won’t Look Like This
The MITRE ATT&CK framework is certainly a useful starting point for those looking to mitigate against threat actors, but it needs to be a fluid resource to keep up with the constant innovation of attacks. There’s a continuous stream of new techniques evolving in the wild, and we must learn from each incident – whether it uses new or older techniques – to better understand and defend against threat actors.
In summary, being proactive, creative and thinking like an attacker are necessary approaches to cybersecurity. Yet, when we’re able to balance the knowns and unknowns, we stand the best chance at winning not just the battle but also the war.