Influence Energy Process

30.08.24 11:19 AM - Comment(s) - By Benjamin Langrill

“Do I need to worry about this technique?”

This crucial question drives risk management and the selection of defenses. The security community embellishes every new discovery as if every organization needs to drop everything and panic. At the same time, security vendors claim their product will secure you against all advanced threats. This dichotomy leaves organizations confused about what actually matters to them right now.


Enter the Influence Energy framework and MITRE ATT&CK assessment process.


This process evaluates each ATT&CK technique at three capability levels: public, altered, and bespoke. These levels refer to how prevalent a given form of a technique is. A public capability is readily available and used against a wide range of targets. An altered capability is a specific form of the public capability, perhaps used by only a single threat actor or against a particular target set. A bespoke capability is used for a specific target by a specific threat actor. Each level represents an increase in attacker skill or sophistication.


For each level, you ask the question: “How many hours would it take to teach someone how to use this capability?”


The first challenge you might raise is, “How do you account for people who already know how to use the technique, or who have the foundational knowledge to learn it?” You are right, this matters a lot, and so you must standardize on someone with basic computer knowledge but no prior knowledge of offensive security. This baseline is defined as influence energy zero.


So yes, while infrastructure development might take only an hour for someone with a strong DevOps background, it would take closer to 100 hours for someone with no prior knowledge or experience. As this person develops their skills, their influence energy capacity increases from 0 to 1, 2 and beyond.


The second challenge you might raise is that many techniques require other techniques to have been carried out first. Command and control techniques are not particularly useful by themselves: they require an agent installed on a system and infrastructure for it to communicate with. Influence energy is cumulative, so the energy analysis for something like Data Obfuscation must cover Data Obfuscation specifically; the energy required for the related techniques is counted separately.


The third challenge is that the energy of a specific capability instance decreases with use. Patient zero of an attack might be compromised by a bespoke exploit, but that capability moves closer to public if the threat actor continues to use it against additional targets. Each use of the exploit exposes it to security analysis. With good operational security this might take a long time, but all it takes is one detailed memory analysis or packet capture to alert the security community to the new exploit, after which signatures and patches become available.


Capability level therefore refers to the cumulative skill the threat actor needs to build such an exploit, since that says more about future operations than any specific instance does. The examples used in the framework are all public now, simply by virtue of our knowing about them, so it is important to look at how they were used originally in order to predict the future. An exploit like ETERNALBLUE, famous for enabling the WANNACRY ransomware, represents enormous influence energy (5-6) to create, even though the exploit itself is public now. The group(s) behind it have monumental skill and should be expected to have additional such exploits that are not [yet] public.


With these challenges addressed, here is the analysis for ATT&CK technique T1014 Rootkit:


A public rootkit would be something that uses a well-known and simple technique to conceal activity. A common, simple form uses a user-mode mechanism: an OS environment variable is hooked to load a function that alters directory-listing functions so they skip over any entries related to the rootkit itself. An example of this is the ebury malware. Adding such functionality to a rootkit requires knowledge of OS functionality and of software compilation in order to set up the shim function for a particular environment. Learning these prerequisites and testing is estimated at 100 hours (Influence Energy 3).


Another form of rootkit gets kernel-level access with a malicious driver. The operating system will load and use such drivers if they are digitally signed by a legitimate certificate authority. Using existing drivers from malware packages would be a public rootkit, and assembling your own custom driver using the same techniques would be the altered form. This is estimated at 1000 hours (Influence Energy 4) due to the additional programming knowledge required to write and debug at kernel level.


Finally, a bespoke rootkit would be some kind of kernel module implementing new forms of cloaking. Being unique would require not only kernel-level programming knowledge, but also a solid understanding of OS internals and of how endpoint security solutions perform their monitoring. This would represent Influence Energy 5, or 10,000 hours. Examples of this include nation-state actors. Achieving this influence energy level is rarely done by individuals and is more typical of a cybercriminal group, where 10 influence energy 4 experts give the group level 5 capabilities.


You can continue this analysis across all ATT&CK techniques to create a finite list of the capabilities present at each influence energy level. This enables risk management of your defenses against those capabilities, so that you can optimize your defense with Security Energy.
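To make the bookkeeping behind that per-level capability list concrete, here is a small Python model of the analysis above. It is an added example, not code from the post or from the Security Optimizer project. It assumes the three data points the post gives (100 hours = Influence Energy 3, 1000 hours = 4, 10,000 hours = 5) lie on a log10 scale and extends that scale downward (1 hour = 1, 10 hours = 2, no hours = 0); it transcribes the T1014 Rootkit figures from the post; and it uses a hypothetical prerequisite graph for the command-and-control dependency described earlier, in which every hour figure except the 100-hour infrastructure estimate is constructed for illustration.

```python
"""Influence Energy bookkeeping for ATT&CK capability levels (added example).

Assumption: the post gives 100 h -> IE 3, 1000 h -> IE 4, 10,000 h -> IE 5.
This code treats that as a log10 scale and extends it to 1 h -> IE 1,
10 h -> IE 2 and 0 h -> IE 0 (no offensive-security knowledge).
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class CapabilityLevel:
    technique_id: str   # ATT&CK ID, e.g. "T1014"
    technique: str      # ATT&CK technique name
    level: str          # "public", "altered" or "bespoke"
    hours: int          # hours to teach a zero-knowledge learner
    example: str = ""   # illustrative instance


def influence_energy(hours: float) -> int:
    """Map teaching hours to an Influence Energy level (assumed log10 scale)."""
    if hours < 1:
        return 0
    return int(math.floor(math.log10(hours))) + 1


def hours_for_level(level: int) -> int:
    """Lower bound in hours for a level; the inverse of influence_energy."""
    return 0 if level <= 0 else 10 ** (level - 1)


def group_influence_energy(member_levels) -> int:
    """Pool members' hours: ten IE-4 experts give the group IE 5, as the post says."""
    return influence_energy(sum(hours_for_level(lvl) for lvl in member_levels))


# T1014 Rootkit analysis transcribed from the post.
ROOTKIT = [
    CapabilityLevel("T1014", "Rootkit", "public", 100,
                    "user-mode hook of directory-listing functions (ebury)"),
    CapabilityLevel("T1014", "Rootkit", "altered", 1_000,
                    "custom signed kernel driver"),
    CapabilityLevel("T1014", "Rootkit", "bespoke", 10_000,
                    "kernel module with novel cloaking"),
]

# Hypothetical prerequisite graph for the C2 dependency the post describes.
# Only the 100-hour infrastructure figure comes from the post; the rest are constructed.
PREREQS = {
    "Data Obfuscation": ["Command and Control"],
    "Command and Control": ["Agent on host", "Infrastructure"],
}
OWN_HOURS = {
    "Data Obfuscation": 50,        # constructed
    "Command and Control": 200,    # constructed
    "Agent on host": 300,          # constructed
    "Infrastructure": 100,         # from the post (novice estimate)
}


def cumulative_hours(technique: str, own=OWN_HOURS, prereqs=PREREQS, seen=None) -> int:
    """A technique's own hours plus those of every prerequisite, each counted once.

    The post scores each technique on its own and counts prerequisites separately;
    this totals those separate scores into the energy of the full attack path.
    """
    seen = set() if seen is None else seen
    if technique in seen:
        return 0
    seen.add(technique)
    return own[technique] + sum(
        cumulative_hours(p, own, prereqs, seen) for p in prereqs.get(technique, [])
    )


def capabilities_within_reach(catalog, capacity: int):
    """The finite list of capability levels an actor of the given IE capacity can field."""
    return [c for c in catalog if influence_energy(c.hours) <= capacity]


if __name__ == "__main__":
    for cap in ROOTKIT:
        print(f"{cap.technique_id} {cap.level:8} IE {influence_energy(cap.hours)}  {cap.example}")
    print("Ten IE-4 experts as a group:", group_influence_energy([4] * 10))
    print("Data Obfuscation path hours:", cumulative_hours("Data Obfuscation"),
          "-> IE", influence_energy(cumulative_hours("Data Obfuscation")))
```

Running the script lists the three T1014 levels at IE 3, 4 and 5, shows the group of ten IE-4 experts reaching IE 5, and gives the obfuscated-C2 path a total of 650 hours (IE 3), which is the kind of figure you would compare against your defenses' Security Energy once the whole ATT&CK matrix has been scored.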


If this sounds like a daunting task, fear not, as you have a partner! A full summary of capability levels and corresponding ATT&CK Navigator layers will be available soon on the Security Optimizer GitHub page. Follow @LangrillSec and keep watching this blog for updates.

Benjamin Langrill