Using MITRE ATT&CK framework to thwart active adversaries

Chinese hacker attacks America. China vs USA. East versus West. Information war of two nations.

In the eBook “Active adversaries: Who they are and how they’re targeting your organization,” we outlined recent research from the Sophos X-Ops team on how active adversaries are breaching organizations in two primary ways: exploiting software vulnerabilities and using compromised credentials.

Sophos X-Ops research found exploited vulnerabilities to be the most prevalent attack vector, comprising 37% of the incidents they evaluated.

The good news is that many attacks are avoidable as attackers exploit long-unpatched software vulnerabilities. Notably, the ProxyShell and the Log4Shell vulnerabilities significantly contributed to these attacks.

Compromised credentials accounted for the root cause of 30% of the cases, as attackers attain access by leveraging stolen or weak login information. This method often indicates the presence of initial access brokers within the network, who facilitate access for other criminals by selling or using these credentials. There’s also good news here, as organizations are within the control of hardening their credentials and improving their identity and access management capabilities.

To help organizations better protect themselves, we’ve correlated some of the most common active adversary attack techniques with the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework. MITRE ATT&CK is a comprehensive and globally accessible knowledge base that documents adversary tactics and techniques observed in real-world attacks. It is an excellent tool for improving cybersecurity defenses by understanding adversary behavior.

Here are the relevant MITRE ATT&CK techniques and mitigations that will help organizations defend against active adversaries:

Active adversaries target external remote services (T1133)

The External Remote Services technique (T1133) within the MITRE ATT&CK framework involves attackers gaining initial access through remote services, often requiring valid accounts. Attackers frequently use VPNs, remote access services, Windows Remote Management, and VNC to gain access to enterprise networks. They do so often with valid authentication credentials to access the remote access gateways that manage these connections.

Mitigations: The best defense is disabling or completely removing unnecessary remote access paths, limiting access to devices on the network, network segmentation to reduce what can be targeted should attackers gain entry, and requiring multi-factor authentication. Such attacks can be identified by application and network monitoring. Also, authentication logs should be collected to identify suspicious logon activity. 

Exploit public-facing applications (T1190)

If attackers don’t have valid credentials, active adversaries will attempt to exploit vulnerabilities in applications accessible from the internet, such as firewalls or VPN gateways.

Exploited applications are also commonly web servers and websites, Internet-connected databases, services such as SSH and SMB, and common administration and management protocols. This also includes cloud systems, containerized applications, and edge network appliances.

Mitigations: The mitigations for attacks targeting internet-facing applications include typical application security best practices such as regular vulnerability assessments and patch management, application isolation, and sandboxing techniques, as well as privileged account management.

Valid accounts (T1078)

In many cases, attackers use valid credentials to gain access to systems, which is often paired with the abuse of external remote services. This is used to gain initial access, but attackers will use valid credentials to evade defenses because they can often use valid credentials to operate without detection. They will also use their access as a launchpad to gain even higher privileges and access to more sensitive systems and data.

Mitigations: The best defenses involve effective identity management practices – user and privileged account management, effective password policies, user training and continuous monitoring of systems and application access for nefarious activity. For applications developed in-house, always make sure that they are designed with effective and secure credential management.

Bring your own vulnerable driver (BYOVD)

This technique, called Exploitation for Privilege Escalation by MITRE ATT&CK, has seen an increase in use, where attackers bring a vulnerable driver to exploit and gain higher privileges within the system. Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via Ingress Tool Transfer or Lateral Tool Transfer.

Mitigations: The key mitigations advised by MITRE include application isolation and sandboxing to limit exploit impact, as well as execution and exploit prevention to block known vulnerable drivers and to detect malicious activity. Organizations are also advised to utilize timely intelligence to identify the software exploits currently used by attackers.

Impair Defenses (T1562)

To make things even more challenging for defenders, attackers will hinder and disable the defensive capabilities of their targets. They will attempt to shut down anti-malware systems, firewalls, log and analysis capabilities, and intrusion detection/prevention systems.

Mitigations: Key recommendations include restricting file, directory, and registry permissions to prevent unauthorized modification of security tools and configurations. Also, proper user account management is critical so that only authorized users have permission to disable or interfere with security services, logging, and firewall capabilities.

Inhibit system recovery (T1490)

Here, attackers disrupt or entirely disable the capabilities of organizations to recover from attacks, such as compromising backup catalogs, volume shadow copies, backups, and other system restoration features.

Mitigations: Ensure backups are stored securely off-system, protected from unauthorized access or destruction, and enable versioning for cloud storage objects. Also, technical controls should be considered to stop the disabling of services or the deletion of files that are part of any system recovery process. Additionally, monitor for suspicious activity, such as unexpected volume shadow copy deletion or modifications to boot configuration data.

System services: service execution (T1569.002)

Attackers may abuse system services to execute malicious services, which can be part of an execution technique. These include Windows service control manager, PsExec, and other tools and system utilities that can be used to command remote execution. Often, this is done to execute malware on the targeted systems.

Mitigations: Again, good management of privileged account processes and restricting file and directory permissions will help to prevent unauthorized creation or modification of services. Employing application-allow lists can also block unapproved services from launching. Monitoring for suspicious process creation, service installations, and command execution will also help spot malicious service use.

Regardless of whatever steps a defender takes, attackers -- especially active adversaries --  will change their focus areas within the business-technology environment, which is less protected, and expect that attackers will try new techniques as credentials get hardened with multi-factor authentication, vulnerabilities get patched, and the mitigations advice within the MITRE ATT&CK framework is implemented.

George V. Hulme

An award winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com. From

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.