Adversarial Tactics, Techniques & Common Knowledge Mobile Profile

Welcome to ATT&CK

MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected.

Note: A MITRE Partnership Network (MPN) account is not required to view and use the ATT&CK site.


Notice

This software (or technical data) was produced for the U.S. Government under contract SB-1341-14-CQ-0010, and is subject to the Rights in Data-General Clause 52.227-14, Alt. IV (DEC 2007).

(c) 2018 The MITRE Corporation. All Rights Reserved. Approved for Public Release; Distribution Unlimited. Case Number 17-0836

If you have any questions, please email attackmobile@mitre.org.

What's Different

This is the initial version of the ATT&CK Mobile Profile.

In addition to profiling ATT&CK for the mobile environment, several structural changes exist relative to the standard ATT&CK web site:

  • The ATT&CK Mobile Profile does not focus on Advanced Persistent Threat (APT) groups but rather on a general adversary. The Groups functionality found in ATT&CK is present in the ATT&CK Mobile Profile, but has a very limited set of content at this time.
  • The ATT&CK Mobile Profile incorporates not only post-adversary access tactics and techniques ("Use Device Access") but also tactics and techniques for gaining initial adversary access to mobile devices ("Obtain Device Access") as well as tactics and techniques that can be used without direct adversary access to mobile devices ("Network-Based Effects").
  • The ATT&CK Mobile Profile includes links to applicable entries in NIST's Mobile Threat Catalogue.
  • The ATT&CK Mobile Profile provides individual wiki pages describing each mitigation rather than free-form text fields within each adversary technique, providing the ability to correlate each mitigation with the adversary techniques that it addresses.

Introduction

ATT&CK Tactic Categories

Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a model and framework for describing the actions an adversary may take while operating within an enterprise network. Full details can be found at [1]. This site provides the ATT&CK Mobile Profile, a profile of ATT&CK for the mobile environment.

NIST published Draft NISTIR 8144, Assessing Threats to Mobile Devices & Infrastructure: The Mobile Threat Catalogue and the accompanying Mobile Threat Catalogue website, a detailed list of threats against mobile devices and other elements of the mobile ecosystem, intended to support development of mobile security capabilities, solutions, and best practices to protect enterprises as they deploy mobile devices.

The ATT&CK Mobile Profile builds upon NIST's Mobile Threat Catalogue, providing a model of adversarial tactics and techniques used to gain access to mobile devices as well as tactics and techniques to then take advantage of that access in order to accomplish adversarial objectives. The ATT&CK Mobile Profile also depicts network-based effects, which are adversarial tactics and techniques that an adversary can employ without access to the mobile device itself. Each adversarial technique includes a technical description along with applicable mitigation/countermeasure approaches, applicable detection analytics, and examples of use.

The tactic categories for ATT&CK were derived from the stages of a seven-stage Cyber Attack Lifecycle[1] (first articulated by Lockheed Martin as the Cyber Kill Chain®[2]). The ATT&CK tactic categories and techniques provide a deeper level of granularity in describing adversary actions.

Many security architecture differences exist between traditional enterprise PCs and today's mobile devices that necessitate a mobile-specific profile of ATT&CK. Mobile devices benefit from lessons learned in the PC environment, notably with sandbox capabilities that provide protection from vulnerabilities and malicious behavior by controlling the allowed interactions between applications and between each application and underlying device components. However, the unique attributes and advanced capabilities of mobile devices, including their almost always powered-on state, ubiquitous network connectivity, multiple radio interfaces, and environmental sensors introduce new threats. The sandboxing capabilities of mobile devices, while providing critical security protections, severely limit the capabilities of third-party host-based security products (e.g. antivirus software or other endpoint detection and response products) to detect and respond to threats. Network-based security monitoring also faces challenges in the mobile environment. Mobile devices are only sometimes connected to an enterprise network while at other times are connected to cellular networks or public Wi-Fi networks that cannot be monitored by an enterprise. Mobile devices and applications typically treat the network as untrusted, encrypting most or all network communication and often using techniques such as certificate pinning to resist network-based attacks but also increasing the difficulty of monitoring network traffic. These security architecture differences mean that the same detection and mitigation approaches used in the traditional enterprise PC environment may not work in the mobile environment and alternative approaches must be used.

To view the contents of the ATT&CK Mobile Profile, use the left navigation pane, which breaks out techniques by tactic category or view All Techniques.

Development of the ATT&CK Mobile Profile was sponsored by the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) in support of the Study on Mobile Device Security by the Department of Homeland Security.

ATT&CK Mobile Matrix

The MITRE ATT&CK Matrix™ provides a visual representation of the adversarial tactics and techniques described in the ATT&CK model. Tactic categories are listed on the top row, and individual techniques as cells underneath each tactic to denote that technique can be used to accomplish that particular tactic. Techniques can span multiple tactic categories signifying that they can be used for more than one purpose. Below are three ATT&CK Mobile Matrices, one for adversarial tactics and techniques to obtain device access, one for adversarial tactics and techniques to make use of device access, and one for network-based effects that can be used by adversaries without device access.

Obtain Device Access - ATT&CK Mobile Matrix

Use Device Access - ATT&CK Mobile Matrix

Persistence
  • Abuse Device Administrator Access to Prevent Removal
  • App Auto-Start at Device Boot
  • Modify OS Kernel or Boot Partition
  • Modify System Partition
  • Modify Trusted Execution Environment
  • Modify cached executable code

Privilege Escalation
  • Exploit OS Vulnerability
  • Exploit TEE Vulnerability

Defense Evasion
  • Application Discovery
  • Disguise Root/Jailbreak Indicators
  • Download New Code at Runtime
  • Modify OS Kernel or Boot Partition
  • Modify System Partition
  • Modify Trusted Execution Environment
  • Obfuscated or Encrypted Payload

Credential Access
  • Abuse Accessibility Features
  • Access Sensitive Data in Device Logs
  • Access Sensitive Data or Credentials in Files
  • Android Intent Hijacking
  • Capture Clipboard Data
  • Capture SMS Messages
  • Exploit TEE Vulnerability
  • Malicious Third Party Keyboard App
  • Network Traffic Capture or Redirection
  • URL Scheme Hijacking
  • User Interface Spoofing

Discovery
  • Application Discovery
  • Device Type Discovery
  • File and Directory Discovery
  • Local Network Configuration Discovery
  • Local Network Connections Discovery
  • Network Service Scanning
  • Process Discovery
  • System Information Discovery

Lateral Movement
  • Attack PC via USB Connection
  • Exploit Enterprise Resources

Effects
  • Encrypt Files for Ransom
  • Generate Fraudulent Advertising Revenue
  • Lock User Out of Device
  • Manipulate App Store Rankings or Ratings
  • Premium SMS Toll Fraud
  • Wipe Device Data

Collection
  • Abuse Accessibility Features
  • Access Calendar Entries
  • Access Call Log
  • Access Contact List
  • Access Sensitive Data in Device Logs
  • Access Sensitive Data or Credentials in Files
  • Capture Clipboard Data
  • Capture SMS Messages
  • Location Tracking
  • Malicious Third Party Keyboard App
  • Microphone or Camera Recordings
  • Network Traffic Capture or Redirection

Exfiltration
  • Alternate Network Mediums
  • Commonly Used Port
  • Standard Application Layer Protocol

Command and Control
  • Alternate Network Mediums
  • Commonly Used Port
  • Standard Application Layer Protocol

Network-Based Effects - ATT&CK Mobile Matrix

Purpose

The ATT&CK Mobile Profile is a constantly growing common reference for tactics and techniques that may be used by adversaries in the mobile environment. It enables a comprehensive evaluation of computer network defense (CND) technologies, processes, and policies against a common enterprise threat model. We do not claim that it is a comprehensive list of techniques, only an approximation of what is publicly known; therefore, it is also an invitation for the community to contribute additional details and information to continue developing the body of knowledge. Contributions could include new techniques, categories of actions, clarifying information, examples, other platforms or environments, methods of detection or mitigation, and data sources. See the Contribute page for instructions on how to get involved.

The result will help focus community efforts on areas that are not well understood or covered by current defensive technologies and best practices. Developers of current defensive tools and policies can identify where their value and strengths are in relation to the ATT&CK framework. Likewise, cyber security research can use ATT&CK as a grounded reference point to drive future investigation.

ATT&CK Use Cases

  • Prioritize development and/or acquisition efforts of defensive capabilities
  • Conduct analyses of alternatives between defensive capabilities
  • Determine “coverage” of a set of defensive capabilities
  • Describe an intrusion chain of events based on the technique used from start to finish with a common reference
  • Identify commonalities between adversary tradecraft, as well as distinguishing characteristics
  • Connect mitigations, weaknesses, and adversaries
  • Determine effective security testing strategies
  • Identify defensive gap areas for which adequate countermeasures do not yet exist
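Added example, not code from the ATT&CK site: a small script that encodes four columns of the "Use Device Access" matrix above, inverts it to find techniques that span several tactics, and computes the "coverage" use case against a constructed, hypothetical set of defensive capabilities (the capability names and their technique mappings are assumptions, not the Mobile Profile's own mitigation data).

```python
from collections import defaultdict

# Transcribed from the "Use Device Access" matrix above (four of its columns).
USE_DEVICE_ACCESS = {
    "Persistence": [
        "Abuse Device Administrator Access to Prevent Removal",
        "App Auto-Start at Device Boot",
        "Modify OS Kernel or Boot Partition",
        "Modify System Partition",
        "Modify Trusted Execution Environment",
        "Modify cached executable code",
    ],
    "Defense Evasion": [
        "Application Discovery",
        "Disguise Root/Jailbreak Indicators",
        "Download New Code at Runtime",
        "Modify OS Kernel or Boot Partition",
        "Modify System Partition",
        "Modify Trusted Execution Environment",
        "Obfuscated or Encrypted Payload",
    ],
    "Exfiltration": ["Alternate Network Mediums", "Commonly Used Port",
                     "Standard Application Layer Protocol"],
    "Command and Control": ["Alternate Network Mediums", "Commonly Used Port",
                            "Standard Application Layer Protocol"],
}

# Constructed, hypothetical capability -> techniques mapping (not from the page).
CAPABILITIES = {
    "verified boot": {"Modify OS Kernel or Boot Partition", "Modify System Partition"},
    "egress inspection": {"Standard Application Layer Protocol", "Commonly Used Port"},
}

def technique_index(matrix):
    """Invert tactic -> techniques into technique -> sorted list of tactics."""
    idx = defaultdict(set)
    for tactic, techniques in matrix.items():
        for technique in techniques:
            idx[technique].add(tactic)
    return {t: sorted(tactics) for t, tactics in idx.items()}

def multi_tactic_techniques(matrix):
    """Techniques that sit under more than one tactic column (several purposes)."""
    return sorted(t for t, ts in technique_index(matrix).items() if len(ts) > 1)

def coverage(matrix, capabilities):
    """Per tactic: (techniques some capability addresses, techniques left uncovered)."""
    covered = set().union(*capabilities.values())
    return {tactic: ([t for t in techs if t in covered], [t for t in techs if t not in covered])
            for tactic, techs in matrix.items()}
```

The uncovered list per tactic is the "defensive gap" view from the use cases above; swapping in a real capability-to-technique mapping taken from the mitigation pages gives the same report for an actual deployment.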

API

An API is available to query for information within the ATT&CK Mobile Profile. See Using the API for more details.

Related Efforts

MITRE is well known for its work in leading communities in the standardization of threat and vulnerability information. While ATT&CK is not yet an independent formal information standardization effort within the existing portfolio, we are working closely with related efforts to define how ATT&CK fits in that landscape. See the Related Efforts page to see how ATT&CK relates to other relevant information standardization efforts.


References

  1. "Threat-based Defense - Understanding an attacker’s tactics and techniques is key to successful cyber defense" by The MITRE Corporation
  2. "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" by Lockheed Martin: Hutchins et al.