Applying the Linux MITRE ATT&CK Framework with Capsule8

December 18, 2019

The MITRE ATT&CK™ framework is becoming increasingly adopted as a way to validate detection coverage. If you aren’t yet familiar with it, ATT&CK is an open-source knowledge base of tactics and techniques used by attackers. ATT&CK buckets tactics across the kill chain, from initial access to exfiltration or impact, then lists techniques that facilitate those tactics. This allows for a straightforward “check the box” methodology for defenders, who can evaluate their existing or prospective detection capabilities by testing whether they are detecting attacks across multiple phases (tactics) and specific actions (techniques).

Many of our customers evaluate us using the MITRE ATT&CK framework, so we decided to share our coverage publicly to provide transparency into our detection. Of course, we eagerly welcome anyone to test us out for themselves and verify our claims!

Capsule8 and ATT&CK

Capsule8 is focused on protecting enterprise Linux infrastructure at scale, detecting attacks and other unwanted activity as it happens. With specific expertise in Linux as well as exploit development, we’ve lovingly crafted our detection from day one to monitor the specific points within the Linux subsystem that attackers must hit in each stage of their operations. We aren’t just throwing machine learning at the wall to see what sticks—we know how attackers exploit Linux (because we’ve done it ourselves) and what system data is important to collect (hoovering up everything isn’t a performant strategy).

So, while ATT&CK is primarily focused on techniques attackers use to compromise Windows, Capsule8 still provides detectors that map to ATT&CK techniques—and plenty of detectors beyond ATT&CK’s current scope that still are critical for Linux protection. With that said, the following table shows Capsule8’s current coverage across the ATT&CK matrix.

Capsule8 Coverage of MITRE ATT&CK Framework

+ Current coverage, +^ Current Coverage Unique to C8, * Planned Coverage

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Valid Accounts+	Command-Line Interface+	.bash_profile and .bashrc+	Sudo+	Clear Command History+	Network Sniffing+	File and Directory Discovery+	Cloud Access Keys+^	Automated Collection*	Commonly Used Port*	Exfiltration Over Alternative Protocol*	Data Destruction*
Exploit Public-Facing Application+	Local Job Scheduling+	Bootkit+	Valid Accounts+	Compile After Delivery+	Bash History*	Network Sniffing+	Application Deployment Software*	Data from Local System*	Port Knocking*	Exfiltration Over Command and Control Channel*	Data Encrypted for Impact*
Hardware Additions*	Space after Filename+	Create Account+	Container Escape+^	File Deletion+	Brute Force*	Permission Groups Discovery+	Exploitation of Remote Services*	Data from Network Shared Drive*	Remote Access Tools*	Transfer Data to Cloud*	Disk Content Wipe*
	User Execution+	Hidden Files and Directories+	Exploitation for Privilege Escalation*	Hidden Files and Directories+	Credential Dumping*	Account Discovery*	Remote File Copy*	Data from Removable Media*	Remote File Copy*	Data from Cloud Storage Object*	Disk Structure Wipe*
	Scripting*	Kernel Modules and Extensions+	Process Injection*	Install Root Certificate+	Credentials in Files*	Network Service Scanning*	Remote Services*	Email Collection*	Standard Application Layer Protocol*		Firmware Corruption*
	Source*	Local Job Scheduling+	Setuid and Setgid*	Rootkit+	Exploitation for Credential Access*	Password Policy Discovery*	Third-party Software*		Standard Non-Application Layer Protocol*		Resource Hijacking*
	Trap*	Valid Accounts+	Web Shell*	Space after Filename+	Private Keys*	Remote System Discovery+			Uncommonly Used Port*		Runtime Data Manipulation*
	Third-party Software*	Port Knocking*	Sudo Caching*	Valid Accounts+	Cloud Instance Metadata API*	System Information Discovery+			Web Service*		Stored Data Manipulation*
		Setuid and Setgid*		Disabling SMEP/SMAP+^	Account Manipulation*	Process Discovery*			Exfiltration Over Command and Control Channel*
		Systemd Service*		Disabling Security Tools*		System Network Configuration Discovery*
		Trap*		Exploitation for Defense Evasion*		System Network Connections Discovery+
		Web Shell*		File and Directory Permissions Modification*		Cloud Service Discovery*
		Implant Container Image*		Indicator Removal on Host*		Software Discovery*
				Port Knocking*		System Owner/User Discovery*
				Process Injection*
				Scripting*
				Timestomp*
				Web Service*
				Scripting*
				Unsupported Cloud Regions*
				HISTCONTROL*

As noted above, there are gaps in Techniques for Linux environments—and we’re excited to be actively working with MITRE to help build out this coverage, given how important Linux is for modern enterprise operations. For now, we’re including techniques like “Disabling SMEP/SMAP” under the Defense Evasion Tactic, since disabling these security mechanisms native to the Linux kernel is a common step when attackers seek to escalate privileges or otherwise exploit the kernel. But, we’re already working to keep building out our coverage of existing ATT&CK techniques in the meantime, and will update this post accordingly.

If you want to learn more about how our detection actually works, check out “The Capsule8 Way” section within our post about different approaches to monitoring Linux servers.

Get a Personalized Demo to Learn More

To arrange a demo of Capsule8 Protect and its coverage of the MITRE ATT&CK framework, visit https://info.capsule8.com/request-a-demo.

Refreshed quarterly. Last update on 12/17/2019.

Capsule8