MITRE ATT&CK

Comparing Layers in ATT&CK Navigator

Red Team Use of MITRE ATT&CK

source: https://malcomvetter.medium.com/red-team-use-of-mitre-att-ck-f9ceac6b3be2

I would be willing to bet that most “red teams” repeat the same TTPs (tactics, techniques, and procedures — the things ATT&CK tracks) across their different campaigns. We know real adversaries do this, so it is reasonable to assume red teams do, too. And this makes sense; adversaries (real or simulated) are human, so they tend to develop habits or avoid “reinventing the wheel” (i.e. once a feature is built, why rebuild it?). These habits result in repeated paths across ATT&CK as they walk their attack chain. Tracking these TTPs visually through ATT&CK Navigator (https://mitre.github.io/attack-navigator/enterprise/) makes your red team “watering holes” or “go-to” techniques painfully obvious. Thus it exposes your own weakness in your adversarial approach so that you can diversify in areas you probably forgot.

To counter this, create a metric where your red team tracks TTP coverage across campaigns, especially when repeating targets, and measure how many TTPs get covered during a rolling period (e.g. a year). We call this MITRE ATT&CK Bingo, where our goal is to cover the “bingo card” (the whole framework). In each campaign, our goal is to add 3–5 new TTPs we haven’t used in the last 12 months. This keeps us sharp and ensures the Blue Team sees new and varied attacks. It makes the red team better, which in turn makes the blue team better.

We also use the Navigator visualization feature’s multiple colors to “heat map” a campaign based on where we, as the fake adversary, perceive the TTP was used in a very unsophisticated way versus where it required a larger amount of customization, development, or tuning (e.g. green for weak, yellow for intermediate, red for mature, or vice versa; just pick a scheme and stick with it). This helps a defending organization understand where its resistance strength is weaker so it can bolster not just its detection, but also its response.
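The rolling-window coverage metric and the merged heat-map layer described above, as an added example that is not code from the original post. It reads ATT&CK Navigator layer files (the real `techniqueID`/`score`/`gradient` layer fields) from past campaigns, counts how many campaigns in the last 12 months used each technique, lists techniques that have gone stale (easy “new” bingo squares), and emits a merged layer whose score is the campaign count so go-to techniques stand out. The campaign layers, their dates (stored in the layer `metadata` list, our own convention) and the `AS_OF` date are constructed sample data, not real engagements.

```python
import json
from datetime import date, timedelta

def make_layer(name, when, technique_ids):
    """Minimal Navigator layer; campaign date kept in layer metadata (assumed convention)."""
    return {"name": name, "domain": "enterprise-attack",
            "metadata": [{"name": "date", "value": when}],
            "techniques": [{"techniqueID": t, "score": 1} for t in technique_ids]}

# Constructed sample campaigns: the same phishing + PowerShell pair shows up
# every time, which is exactly the habit the coverage metric should expose.
CAMPAIGNS = [
    make_layer("Q4-2022", "2022-11-01", ["T1566.001", "T1059.001", "T1003.001"]),
    make_layer("Q3-2023", "2023-09-15", ["T1566.001", "T1059.001", "T1021.002"]),
    make_layer("Q1-2024", "2024-01-10", ["T1566.001", "T1059.001", "T1078"]),
]
AS_OF = date(2024, 2, 1)  # constructed "today" for the rolling window

def layer_date(layer):
    return date.fromisoformat(next(m["value"] for m in layer["metadata"] if m["name"] == "date"))

def layer_techniques(layer):
    """Technique IDs the layer marks as used (positive score)."""
    return {t["techniqueID"] for t in layer["techniques"] if t.get("score", 0) > 0}

def coverage(layers, as_of, window_days=365):
    """Per-technique count of campaigns inside the rolling window that used it."""
    cutoff = as_of - timedelta(days=window_days)
    counts = {}
    for layer in layers:
        if cutoff <= layer_date(layer) <= as_of:
            for tid in layer_techniques(layer):
                counts[tid] = counts.get(tid, 0) + 1
    return counts

def stale_techniques(layers, as_of, window_days=365):
    """Techniques used before the window but not inside it: cheap 'new' bingo squares."""
    ever = set().union(*(layer_techniques(l) for l in layers))
    return ever - set(coverage(layers, as_of, window_days))

def heat_map_layer(counts, name):
    """Merged Navigator layer: score = campaign count, so repeated TTPs glow red."""
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"navigator": "4.9.1", "layer": "4.5"},
            "gradient": {"colors": ["#ffffff", "#ff0000"], "minValue": 0,
                         "maxValue": max(counts.values(), default=1)},
            "techniques": [{"techniqueID": t, "score": n, "comment": f"{n} campaign(s)"}
                           for t, n in sorted(counts.items())]}

if __name__ == "__main__":
    print(json.dumps(heat_map_layer(coverage(CAMPAIGNS, AS_OF), "rolling-12mo"), indent=1))
    print("stale:", sorted(stale_techniques(CAMPAIGNS, AS_OF)))
```

Save the printed JSON to a file and load it with Navigator’s “Open Existing Layer” to see the heat map; techniques missing from the layer entirely are the unclaimed bingo squares.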

Another red team suggestion (hat tip: Tim McG — https://www.twitter.com/NotMedic) is to use ATT&CK before you even plan your next red team campaign. Roll the dice and randomly select 2–3 TTPs from each column, and that becomes the fake adversary you are emulating. For every honest red teamer I’ve mentioned this to, their reaction was just like my initial reaction: they were horrified. Horrified because, contrary to what the internet tells you, most red teamers are not intimately familiar with every TTP. They may be acquainted with most, but probably haven’t used (and therefore don’t “own”) that skill. Letting the dice pick your TTPs forces you out of your comfort zone, and it also helps prepare your blue team for an otherwise unpredictable adversary.
