MITRE ATT&CK: The Magic of Endpoint Protection

In our first blog, we introduced the Magic of Mitigations. They’re the key to getting started with MITRE ATT&CK. Now let’s look at some of the most magical ones, starting today with Behavior Prevention on Endpoint (M1040), Exploit Protection (M1050) and Execution Prevention (M1038).

Wait, what’s the difference?

At a quick glance, they might all sound about the same. So let’s clarify them with a quick level-set:

  • Behavior Prevention on Endpoint. Okay, “on endpoint” is the easy part. This Mitigation is clearly focused on endpoint activity and not, say, network activity. With that said, “behavior prevention” aims to identify and stop strange stuff like when a system process starts running unexpected code. For example, if svchost.exe executes code in a DLL it never did before then, hey, let’s stop that right now. There’s a good chance that code is malicious, so check it out before letting it run. So you see, this Mitigation is about looking out for and preventing wonky-looking activity on your endpoints. The story changes a little when the activity is a known exploit, so that takes us to the next Mitigation.
  • Exploit Protection. Some suspicious system activity might prove to be normal, but you have to investigate first and find out. However, without question, you absolutely must terminate all known exploits immediately. You’ve heard the term Indicators of Compromise, which means we know exactly what to look for. That’s what Exploit Protection is about. It advises you to find all known exploits and defend against them. Think of a Drive-by Compromise situation where malicious code reaches your endpoints through normal browsing, sometimes from legitimate but compromised websites. Sure, the website itself might have been legit, but don’t blindly trust it! Exploit Protection stops all known malware, for example, no matter what site serves it up.
  • Execution Prevention. What happens when a system installs an app downloaded from a questionable source? What if an attacker exploits unnecessary desktop support or remote access software, tools that shouldn’t have been left there in the first place? These may not show up as suspicious behavior or a known exploit. Therefore, Execution Prevention is about endpoint application visibility and control. It’s about discovery and blocking. It permits endpoints to run sanctioned apps and scripts — you know, the ones your mission requires, and your security policy allows — while blocking everything else. Execution Prevention also relates to Limit Software Installation (M1033), which controls approved/unapproved software, and who’s allowed to install what.

Take Three. They’re Big.

These three Mitigations cover a big chunk of MITRE ATT&CK TTPs. How big? Well, Behavior Prevention covers 2 Techniques and 15 Sub-Techniques, Exploit Protection covers 9 Techniques, and Execution Prevention covers 18 Techniques — and way more Sub-Techniques than I feel like counting. Here’s another way to think about it: Act on just these three Mitigations, and you’ll absolutely devour some of your biggest cybersecurity risks.

In my mind, these group together under a general heading of “Endpoint Protection,” even though MITRE doesn’t actually label them that way. And not to throw more industry jargon out there, but the basic tenets of Zero Trust also come to mind. One of them, according to the NIST Zero Trust Architecture (NIST SP 800-207), is this: “The enterprise monitors and measures the integrity and security posture of all owned and associated assets. No asset is inherently trusted.”

With that said, let me ask you: How can you ever trust endpoints that (a) run unauthorized or unnecessary software, (b) show clear signs of compromise, or (c) display suspicious or unusual behavior? Uh… you can’t. That’s why these three Endpoint Protection Mitigations are so critical. Magical, even.

Magical Endpoint Protection, only from Cisco.

It would be a shame if I ended the blog here without explaining what you can do about it. May I show how one innovative technology, Cisco AMP for Endpoints, bites deep into these three Mitigations?

  • Behavior Prevention on Endpoint. Wow, AMP for Endpoints does so much on this topic, but let me highlight just one of its capabilities: Behavioral Protection. Its name is almost identical to the ATT&CK Mitigation because we intentionally use simple terms to describe what things actually do. Behavioral Protection in AMP detects and stops threats based on system behavior, just as the Mitigation recommends. It quarantines files, ends processes and, when more information is needed, uploads the file to the AMP Cloud for further analysis. If we prove the file’s behavior is malicious, we automatically stop it too.
  • Exploit Protection. AMP for Endpoints has another similar-sounding capability called Exploit Prevention, or ExPrev for short. ExPrev defends endpoints from memory corruption and process injection attacks often used by obfuscated malware, and system exploits that target software vulnerabilities of protected processes. On Windows hosts, it works together with AMP’s System Process Protection to defend system processes from being tampered with or compromised. How’s that for exploit protection?
  • Execution Prevention. Did you know that AMP for Endpoints also controls applications running on endpoints? It prevents unauthorized applications from executing and disables vulnerable applications until you can patch them. If you suspect an endpoint file is malicious, but need time to investigate, then it simply limits the file’s use without removing it. That way, if it’s okay, you can just release the hold. If it’s harmful, well, then you’re always in full control.
  • Built-in ATT&CK. AMP for Endpoints maps indicators of compromise directly to ATT&CK, so we’ve done that work for you already. And check out the overview of Orbital Advanced Search. Just more proof that we’re building ATT&CK directly into our solutions, thereby making it easier for you to benefit from ATT&CK.

What do you think? Intrigued? Then give AMP for Endpoints a try. Just click here.

Going forward, keep this in mind: Our comprehensive security portfolio does so much more than what’s described here. Check out this detailed whitepaper for complete details, and this website for more on how we support MITRE ATT&CK and other cyber best practices.

And keep it here for our next blog, where we’ll analyze a few more Magic Mitigations.

Until then, stay safe, and please share your experience in the comments section below. I’d love to hear your thoughts!