By Moshe Hayun and Kobi Eisenkraft, Threat Prevention R&D

This is the first installment of a three-part series about how Check Point employs the MITRE ATT&CK framework to prevent cyberattacks. Read Part 2 and Part 3.

What is MITRE ATT&CK?

MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK framework is important because it creates a common language in the security industry and provides a clear view of the adversary’s goals. These goals are called tactics, and each one of them consists of a set of techniques that the adversary uses to achieve their objectives. The table below describes the list of tactics used by the MITRE ATT&CK framework.

Figure 1: MITRE ATT&CK tactics

Leveraging the MITRE ATT&CK framework to improve security

Check Point SandBlast Network and SandBlast Agent prevent attacks by covering MITRE ATT&CK techniques. Check Point recently integrated the MITRE ATT&CK matrix within its SandBlast Zero-Day protection forensic reports to enable customers to investigate the incident, assess the motivation of the attacker, and the potential damage of the attack.

Figure 2: Excerpt from SandBlast Network report

Analyzing AgentTesla using SandBlast Network Forensics Report

Using the example of AgentTesla, we will show how the new ATT&CK matrix in the SandBlast Network Forensics Report can be used to gain better visibility into the malware chain of attack and garner other useful insights.

AgentTesla is an advanced remote access Trojan (RAT) that functions as a keylogger and password stealer. The malware is capable of monitoring and collecting the victim’s keyboard input and system clipboard, taking screenshots, and exfiltrating credentials from software installed on a victim’s machine including Google Chrome, Mozilla Firefox and Microsoft Outlook email client.

Figure 3: AgentTesla Infostealer Attack Matrix

A detailed report that includes the MITRE ATT&CK matrix is generated after the AgentTesla file goes through Check Point’s threat emulation engine. The ATT&CK matrix highlights the techniques the AgentTesla malware used to achieve its goal, for example gaining persistence on the victim’s machine and credential access.

By clicking on Windows Management Instrumentation, under the EXECUTION column heading, T1047 by MITRE brings up a new window that provides general information about the technique as well as the specific indicators observed by SandBlast Network. The indicators show that AgentTesla queried machine information like operation system and processor information.

Figure 4: Windows Management Instrumentation technique employed by AgentTesla

Another technique detected is Credentials from Web Browsers, T1503 by MITRE. As we can see from the indicator, AgentTesla attempted to steal the victim’s Chrome login data.

Figure 5: Credentials from Web Browsers technique employed by AgentTesla

By integrating the MITRE ATT&CK framework within SandBlast’s forensics reports security professionals have an industry standard way to investigate incidents, determine what the attacker seeks, and the potential damage of every attack.

Stay tuned for Part 2 of this blog series, which will be published on January 16, where we will discuss how you can unlock the data hidden in logs using the MITRE ATT&CK framework.

You may also like