MITER ATT&CK Spotlight: Understanding the DNS Attack Surface


By: Mohammed Al-Moneer, Regional Director, META at Infoblox

The MITER ATT&CK framework

The MITER ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework was developed and published by the MITER Corporation in 2015. It is a comprehensive knowledge base of cyber attacker TTPs gathered from the observation of attacker behavior. MITER is a nonprofit organization that works with US government agencies in a wide variety of areas.

As an important knowledge base, MITER ATT&CK allows all members of a cyber defense team to examine and compare attacker activity, then understand the best defense options. In addition, there is also MITER PRE-ATT&CK, which helps cyber defenders prevent an attack before the attacker can gain access to the network. PRE-ATT&CK’s 15 high-level tactical categories correspond to the first two stages of the Lockheed Martin Cyber ​​Kill Chain. PRE-ATT&CK introduces the tactics, underlying techniques, and procedures a cyber attacker will use to define targets, gather information, and then launch an attack.

MITER ATT&CK introduced a lexicon that is now in common use and describes the activities of cyber attackers and the step-by-step tactics and techniques they use. This lexicon allows researchers to clearly communicate the exact details of a threat.

MITER ATT&CK provides a consistent method for describing current security controls and processes. This allows cyber defenders to clearly identify the nature of a threat, associate that threat with the controls that should protect against it, and then determine whether that control is effective.

The MITER ATT&CK framework provides a comprehensive taxonomy of cyber attacker post-exploitation behavior. The framework provides detailed insight into attacker behavior and can be the best way to detect and stop an attack in progress before data exfiltration or destructive behavior occurs. MITER ATT&CK can help organizations make better decisions about assessing risk, deploying new security controls, and defending networks. Security solutions have also begun to integrate the MITER ATT&CK framework into their solutions, helping researchers and analysts more easily map security information and events from these solutions to the framework.

MITER ATT&CK has broken down the structure of the attacks very consistently, making it easy to compare them and then determine how an attacker might have exploited the targeted network. The analysis of the attackers mainly focuses on their activities in terms of perimeter defense. MITER ATT&CK takes a very focused look at the attackers once they enter.

Map the DNS attack surface with MITER ATT&CK

Everything on your networks, whether on-premises, cloud, Internet of Things (IoT), or mobile, will need to use DNS services. DNS provides centralized visibility and control of all computing resources, including users and servers in a micro-segment, down to an individual IP address. Cyber ​​attackers can take advantage of unprotected DNS services in several ways.

In the ATT&CK framework, a tactic is the goal an attacker is trying to achieve, and techniques and sub-techniques are the means to achieve that goal. Mitigating these techniques and sub-techniques requires comprehensive DNS security solutions. The following MITER ATT&CK techniques and sub-techniques explicitly define how attackers will target and use DNS services.

MITER ATT&CK techniques that use DNS

Let’s take a closer look at reconnaissance tactics: gathering information that can be used to plan future attacks. MITER ATT&CK defines two techniques (and several sub-techniques) that attackers use widely to use DNS:

  • T1590: Collection of information on the victims’ network

The information may include administrative data (such as IP address ranges and domain names) and details about network topology and operations.

  • .001 domain properties: Information may include the domain(s) owned by the victim, administrative data (such as names and registrars), and more actionable information such as contacts (email addresses and telephone numbers), business addresses and name servers.
  • .002 DNS: DNS information may include registered name servers and records describing the addressing of a target’s subdomains, mail servers, and other hosts.
  • .004 Network Topology: Information may include the physical and/or logical layout of external and internal network environments. This information can also cover details about network devices (such as gateways and routers) and other infrastructure.
  • .005 IP addresses: Public IP addresses can be assigned to organizations in blocks or as a range of sequential addresses; adversaries could attempt to determine which IP addresses are being used. IP addresses can allow an adversary to obtain other details about a victim, such as the size of the victim’s organization, the victim’s physical location(s), the internet service provider and/or where and how the victim’s public infrastructure is hosted.
  • T1598: Phishing to obtain information

Adversaries send phishing messages to obtain sensitive information that can be used in targeting. Information phishing attempts to trick targets into divulging information, often credentials or other actionable information. Information phishing is different from phishing in a general sense: the objective of the former is to collect data from the victim, but the objective of the latter is to execute malicious code.

.003 Spear Phishing Link: Adversaries can send spear phishing messages with a malicious link, to obtain sensitive information that can be used in targeting. Spear phishing for information is an attempt to trick targets into divulging information, often credentials or other actionable information. Information spear phishing often involves social engineering techniques, such as impersonating a source with a reason for collecting information (such as setting up accounts or compromising accounts) and/or sending several seemingly urgent messages.

All of these techniques and sub-techniques related to MITER ATT&CK–DNS define potential risk areas for your organization. If your DNS, DHCP, and IPAM infrastructure is unprotected, attackers will quickly discover and use these zones.

It is a fact that most malware and advanced threats must rely on the use or compromise of DNS to execute and carry out their attack, and DNS can often be used to evade detection by standard security tools. Having a DNS security solution will close this security gap and can enhance the rest of the security ecosystem to strengthen defenses against sophisticated threats.

DNS security works at the ground level, which is why we say it’s fundamental. It is designed to prevent users or devices from connecting to malicious destinations and to detect abnormal behavior in the network such as C&C communications, advanced persistent threat activity, threat generation algorithm activity. domain (DGA), botnet communications, DNS tunneling and data exfiltration, and more.

Previous The Costs and Damages of DNS Attacks
Next DNS Abuse Institute Launches Centralized DNS Abuse Reporting Service - Domain Name Wire