On April 30, 2019, MITRE released an update to its ATT&CK framework. The most noteworthy changes were the addition of a new Impact Tactic with 14 new Techniques and the addition of seven Techniques to existing Tactics. The update includes many welcome additions that expand the framework to cover more recent developments in the threat environment. Next, I will go over some of the highlights from the update:
T1486: Data Encrypted for Impact
We’re very happy to see this Technique added to the ATT&CK framework, as there previously hadn’t been any Techniques that adequately addressed this behavior for Ransomware.
This new Technique describes behavior most commonly associated with Ransomware as the malware encrypts data on a system rendering them unusable. Adversaries are often either financially motivated, in which case the victim is often requested to pay a ransom in order to get a key to decrypt affected files, or destructive, in which case the encryption of files is the end goal without the chance to recover data or control of the infected host.
Next in line are two new Techniques that cover denial-of-service (DoS) attacks:
T1499: Endpoint Denial of Service
This Technique covers DoS and DDoS attacks that are targeting system resources or exploiting a system vulnerability in order to render services unavailable or to cause a crash. These types of attacks don’t necessarily have to leverage a large botnet and can instead use a few specially crafted requests that exploit a specific vulnerability. For example, a U.S. power company was hit by a DDoS attack targeting an undisclosed vulnerability in early March 2019, causing interruptions to electrical system operations. The issue was mitigated by deploying an existing patch to vulnerable systems.
T1498: Network Denial of Service
This Technique covers DoSand DDoS attacks that attempt to deplete network resources in order to make the target unavailable to legitimate users. As these attacks are often measured in volume of traffic (Gbps or Tbps) they tend to gain a lot of media coverage as new peaks of bandwidth are reached, crowning the attack as the “largest” ever measured.
Also, due to the volume of traffic it’s possible to have collateral damage as the attack traffic traverses through the shared Internet infrastructure to reach its target.
This Technique covers attacks, including the 2016 attack against the DNS provider Dyn, which was hit by a Mirai botnet, then the largest DDoS attack on record at 1.2Tbps. In 2018, Github was hit by another large volume DDoS attack reaching peak bandwidth of 1.35Tbps. A little more than a year later, the crown of largest attack has been passed to other incidents, demonstrating a continuing trend toward larger and larger DDoS attacks driven partly by unsecure Internet of Things (IoT) devices.
T1496: Resource Hijacking
Similar to the above three Techniques, Resource Hijacking is an especially great addition to the ATT&CK framework due to the rapid increase in Cryptomining malware and browser-based mining schemes, such as now-defunct Coinhive. Previously, there weren’t any Techniques that adequately described these behaviors. From a control validation perspective, it’s important to validate detection of this type of behavior, not only to detect Cryptomining but also because some controls (e.g., Endpoint Detection and Response (EDR) software) can include bypass rules or conditions that can degrade their detection capabilities under a heavy load or when system resources are depleted.
The last Technique that I want to mention is Compile AfterDelivery, which is not one of the 14 Techniques added with the Impact Tactic, but instead was added under the Defense Evasion Tactic.
T1500: Compile After Delivery
We’ve seen several attacks leveraging this Technique and compiling malicious C# code to evade detection. The initial payload appears benign until the payload is retrieved, decoded, or compiled. The Technique can evade many detections, especially static file and binary analyses. Though not necessarily related, it’s another novel Technique similar to Template Injection (T1221) that helps attackers to deliver the initial payload through most security controls.
Thank you for taking the time to read our highlights on the recent changes to the MITRE ATT&CK framework. We’re very excited for these additions as it allows us to better tag some of our existing content. If you would like to see the full list of changes, please see MITRE ATT&CK’s release notes here.
As always, customers with active Verodin subscriptions receive content updates at no additional charge and can now download our most recent content pack here, which includes several new Actions and updates to existing content that cover the new ATT&CK tags.