Using ATT&CK to Score Red Team Engagements

Toby Kohlenberg
3 min read · Jan 21, 2021

DISCLAIMER:

I have had this on my backlog for most of a year waiting for me to finish creating the images for it. I finally decided that was silly. As a result I’m publishing this without the helpful pics to illustrate the example cases. Mea Culpa.

Summary:

Lots of people/teams (myself included) have embraced the model of tracking and describing red team engagements using the Mitre ATT&CK Matrix. It allows you to clearly and consistently communicate what steps were taken and what techniques were used. It also presents the possibility of being able to effectively compare the results between different engagements.

I’ve seen a variety of proposals for complicated scoring options and (as a believer in Occam’s Razor) haven’t seen a clear reason to embrace their complexity. In this post I’d like to suggest a few simple ways of using ATT&CK for consistent scoring of an environment that are easy enough to start using immediately and straightforward enough that your customers should be able to immediately understand why you are using the method.

I envision implementing either of these using ATT&CK Navigator: https://mitre-attack.github.io/attack-navigator/

Scoring option 1 (KISS)

This first option is very simple. Assume that the attacker has to perform a minimum of 1 action per column and set that as the baseline score. With the current version of ATT&CK that would be 14 points. The attacker gets one action for “free” (it is covered with the default point) in each column. If they don’t need to do anything in a specific column the point is deducted. If the attacker needs more than one action in a column then a point is added.

In essence:

  • Set the baseline as one point per column.
  • A score below the baseline (a negative delta) indicates less work for the attacker (defenses are weaker).
  • A score above the baseline (a positive delta) indicates more work for the attacker (defenses are stronger).

Scoring option 2 (Nuance matters)

The problem with option #1 is that anyone who has worked with ATT&CK knows you don’t really need to use all the columns for every engagement. That means the method will default to a score that suggests things are easier for an attacker than they really are. A more nuanced option would be to instead agree that certain columns are always necessary. For instance:

Necessary columns:

  • Initial Access
  • (Command) Execution
  • Discovery
  • Collection
  • Command & Control

Other columns are going to be optional:

  • Persistence
  • Privilege Escalation
  • Defense Evasion

Some may be required only in specific engagements (for instance, if the attacker you are emulating uses these techniques then you will as well).

Indeterminate columns:

  • Credential Access
  • Lateral Movement
  • Ex-Fil

There are some further considerations or rules for scoring that I believe make this a more useful approach. Obviously this starts moving toward increased complexity, so it needs to be done very intentionally.

  • If the red team is emulating a specific attacker, then any technique they have to use outside that attacker’s known set in order to move forward counts for more points.
  • Impact is separate and not included, since that is about attacker choice, not necessity.
  • For columns that are always necessary, the minimum value is 1.
  • For columns that are not always necessary, the minimum value is 0.
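Both scoring options, as an added worked example in Python (this is not code from the original post). It takes an engagement as a list of (tactic, technique ID) pairs, computes the option 1 total and its delta against the 14-column baseline, computes the option 2 breakdown with the necessary/optional/indeterminate minimums, Impact excluded and a bonus for techniques outside the emulated adversary’s known set, and emits a minimal ATT&CK Navigator layer for the engagement. The sample engagement and adversary profile are constructed; treating Reconnaissance and Resource Development as optional columns (the post does not classify them), the size of the off-profile bonus, and the Navigator layer fields used are assumptions.

```python
"""Scoring a red team engagement against the ATT&CK tactic columns.

Added example, not code from the original post. It implements the two
scoring options the post describes and exports a minimal ATT&CK Navigator
layer. Technique IDs below are public ATT&CK identifiers; the engagement and
the adversary profile are constructed sample data, not real results.
"""
import json
from collections import Counter

# The 14 Enterprise ATT&CK tactics (ATT&CK v8, Jan 2021), in matrix column order.
TACTICS = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion",
    "credential-access", "discovery", "lateral-movement", "collection",
    "command-and-control", "exfiltration", "impact",
]

# Option 2 column classes as given in the post. Reconnaissance and Resource
# Development are not classified there; this example treats them as optional
# (minimum 0), which is an assumption.
NECESSARY = {"initial-access", "execution", "discovery", "collection",
             "command-and-control"}
OPTIONAL = {"persistence", "privilege-escalation", "defense-evasion",
            "reconnaissance", "resource-development"}
INDETERMINATE = {"credential-access", "lateral-movement", "exfiltration"}
EXCLUDED = {"impact"}  # attacker choice, not necessity: scored separately


def actions_per_tactic(actions):
    """Count actions per column. `actions` is a list of (tactic, technique_id)."""
    counts = Counter(tactic for tactic, _ in actions)
    return {t: counts.get(t, 0) for t in TACTICS}


def score_option1(actions):
    """Option 1 (KISS): one 'free' action per column, baseline of 14.
    Returns (total, delta); a negative delta means less work for the attacker."""
    counts = actions_per_tactic(actions)
    # Each column contributes (actions - 1): -1 if unused, 0 for one action,
    # +n for n extra actions.
    delta = sum(n - 1 for n in counts.values())
    return len(TACTICS) + delta, delta


def score_option2(actions, adversary_profile=None, off_profile_bonus=1):
    """Option 2: necessary columns have a minimum of 1, all others 0, Impact
    is excluded, and each technique outside the emulated adversary's known
    set adds `off_profile_bonus` (bonus size is an assumption).
    Returns a per-column breakdown dict that also carries the 'total'."""
    counts = actions_per_tactic(actions)
    breakdown = {}
    for tactic in TACTICS:
        if tactic in EXCLUDED:
            continue
        minimum = 1 if tactic in NECESSARY else 0
        breakdown[tactic] = max(counts[tactic], minimum)
    off_profile = 0
    if adversary_profile is not None:
        off_profile = sum(1 for _, tid in actions if tid not in adversary_profile)
    breakdown["off_profile_bonus"] = off_profile * off_profile_bonus
    breakdown["total"] = sum(breakdown.values())
    return breakdown


def navigator_layer(name, actions, adversary_profile=None):
    """Minimal ATT&CK Navigator layer for the engagement. Only the core fields
    (name, domain, techniques with techniqueID/tactic/score/comment) are
    emitted; check the version fields Navigator expects against the current
    layer format spec before importing (assumption)."""
    techniques = []
    for tactic, tid in actions:
        off = adversary_profile is not None and tid not in adversary_profile
        techniques.append({
            "techniqueID": tid,
            "tactic": tactic,
            "score": 2 if off else 1,  # off-profile techniques count for more
            "comment": "outside emulated actor's known TTPs" if off else "",
        })
    return {"name": name, "domain": "enterprise-attack", "techniques": techniques}


# Constructed sample engagement: (tactic, ATT&CK technique ID) in execution order.
SAMPLE_ENGAGEMENT = [
    ("initial-access", "T1566.001"),       # Spearphishing Attachment
    ("execution", "T1204.002"),            # User Execution: Malicious File
    ("execution", "T1059.001"),            # PowerShell
    ("persistence", "T1053.005"),          # Scheduled Task
    ("defense-evasion", "T1027"),          # Obfuscated Files or Information
    ("credential-access", "T1003.001"),    # OS Credential Dumping: LSASS Memory
    ("discovery", "T1087.002"),            # Account Discovery: Domain Account
    ("lateral-movement", "T1021.001"),     # Remote Services: RDP
    ("collection", "T1005"),               # Data from Local System
    ("command-and-control", "T1071.001"),  # Application Layer Protocol: Web
    ("exfiltration", "T1041"),             # Exfiltration Over C2 Channel
]

# Hypothetical emulated actor: known to use everything above except the
# credential-access and lateral-movement techniques.
SAMPLE_PROFILE = {tid for _, tid in SAMPLE_ENGAGEMENT} - {"T1003.001", "T1021.001"}

if __name__ == "__main__":
    print("option 1 (total, delta):", score_option1(SAMPLE_ENGAGEMENT))
    print("option 2:", score_option2(SAMPLE_ENGAGEMENT, SAMPLE_PROFILE))
    layer = navigator_layer("Sample engagement", SAMPLE_ENGAGEMENT, SAMPLE_PROFILE)
    print(json.dumps(layer, indent=2))
```

For the constructed engagement, option 1 yields a total of 11 (a delta of -3 against the 14-point baseline, because four columns went unused and one extra action was needed in Execution), while option 2 yields 13 (five necessary columns, six optional or indeterminate columns with one action each, plus two off-profile techniques). The same engagement scores differently under the two options, which is the point of the post: option 2 stops penalising the engagement for columns that were never required.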

Result:

By using a simple approach like this it becomes possible to create scores not just for all engagements going forward, but for all past engagements with minimal effort. Your customers/partners/targets have more context in which to understand the results of any engagement, and the debate of “who won” or “are things improving or not” goes away.

Let me know what y’all think
