Threat Frameworks – some quick thoughts


Added some more ideas

Old Post

We reached the stage where we have a number of threat frameworks on ‘the market’ – they all look at the threat taxonomy from different angles – they overlap, they compete, and sometimes they go in some weird directions. I’ve been thinking of the usefulness and completeness of these frameworks for a while and eventually decided to post some quick thoughts about it. What actually inspired me to write this post is the Twit posted by Rick Holland where he said:

I was happy to see that I am not the only one who sees it as a new buzzword and a fad really.


Having said that, I do believe there is a great need to choose _some_ threat framework and use it to model your defensive strategy around that.

And I actually like Att&ck more and more.

If Kill Chain was very high-level, Att&ck attempts to itemize every single tactic & technique that affects Confidentiality, Integrity & Availability. This is actually a great approach as it can very directly drive the anomaly hunting, use cases, choice of additional controls, etc. Being in a position to say you cover this and that % of the Att&ck matrix with your defenses can be a very good quantitative data that can be presented to the senior management, and maybe even auditors.

Before you go to use the Att&ck in its current form, be aware that this is work in progress and it will certainly change in the future.


Because it’s far from being complete.

For instance, looking at techniques, you won’t find a lot of tricks that could be included there, or items for which description could be potentially amended:

  • alternate data streams on NTFS
  • extended attributes on NTFS
  • many persistence tricks
  • cases where malware is found dormant in archives (e.g. mailboxes, backups, or remnants of very old infection) or on removable devices – it’s actually not even an active attack, but it does affect integrity of the system
  • cases where artifacts are downgrading the security posture of the system (e.g. disabling UAC, changing IE zone settings, etc.)
  • cases where malware belongs to old-school OSs e.g. win95/DOS (risk is minimal, but threat taxonomy should include them)
  • remnant from internal pentesting (sometimes can be detected long after the actual test)
  • viral infection, including unusual infection methods like EPO (Entry Point Obscuring)
  • I didn’t seem to be able to find worm
  • trojanized applications (e.g. web shells, but also fake applications on torrent sites)
  • adware, PUA/PUP (is it considered an attack if a legitimate software is bundled with adware?)
  • tracking cookies (not sure if it fits)
  • atombombing and propagate code injection tricks
  • enabling DEBUG/VERBOSE flags of the applications (e.g. to enable logs to include track data that bad guys can collect)
  • hooking is a very loaded technique – it’s actually a class of techniques; the current description talks mainly about Windows, but misses EAT hooking, COM hooking, SSDT hooking, and there is also hooking that can be observed on a web side (e.g. hooking of functions managing php buffers or adding javascript callbacks); there are also cases where hooking is incorporated via a subtle, small patching inside a native OS binary that loads a malicious DLL; and plenty of other tricks like this (I once saw a vendor DLL replaced with a malicious one that injected itself as a man-in-the-middle, observing all buffers transmitted, in plain text)
  • ‘Modify Registry’ is such a loaded technique too – not sure if it should be listed there as a separate technique, since it’s a class of techniques really… on the other hand, I don’t know where else we could place it
  • Accidental data leakage (e.g. github, wikipedia, translation services)
  • LSASS Driver – ‘driver’ word may be a bit misleading – the word is usually reserved for kernel mode drivers
  • etc.

There is also additional complexity which comes from the fact the framework tries to cover Windows, OS/X and Linux platforms in one table (correction: there are various views available, so it helps a lot). Obviously, digging into each item will give you lots of information and references.

Now, it’s easy to sit down and criticize.

I have tried to build some taxonomy in the past myself and it’s an extremely daunting task to build such a multidimensional database – and Att&ck already contains lots of very useful information – we really need to applaud the efforts of the Mitre team!

Fad, or not we are slowly moving from technology- or control-oriented approach to security to more measurable, and reliable risk management-driven approach.