See our new Attack Masterclass Webinar: How to Beat the Phishing and Ransomware Surge  — Sign Up Now

Request a Demo of Tessian Today.
Automatically stop data breaches and security threats caused by employees on email. Powered by machine learning, Tessian detects anomalies in real-time, integrating seamlessly with your email environment within minutes and starting protection in a day. Provides you with unparalleled visibility into human security risks to remediate threats and ensure compliance.

Where Does Email Security Fit Into the MITRE ATT&CK Framework?

  • 13 August 2021

Tessian’s mission is to secure the human layer by empowering people to do their best work, without security getting in their way.

If you’re aiming to achieve compliance with the MITRE ATT&CK Framework, email security will be among your top priorities. Why? Because securing your organization’s email is critical to detect, mitigate, and defend against some of the most widespread and harmful online threats.

In this article, we’ll offer a brief overview of the MITRE ATT&CK framework, then consider which attack techniques you can mitigate by improving your organization’s email security.

MITRE ATT&CK Framework 101

Here’s a brief introduction to the MITRE ATT&CK framework. 

Outlining the framework is important as it’ll help you see how its components tie in with your email security program. But feel free to skip ahead f you already know the basics.

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. The ATT&CK framework has three iterations—ATT&CK for Enterprise, ATT&CK for Mobile, and Pre-ATT&CK.

We’re focusing on ATT&CK for Enterprise, covering threats to Windows, macOS, Linux, AWS, GCP, Azure, Azure AD, Office 365, SaaS, and Network environments.

You can check out the Mobile Matrices here, and the PRE Matric here.

MITRE ATT&CK tactics, techniques, sub-techniques, and mitigations

At the core of the framework is the ATT&CK matrix—a set of “Tactics” and corresponding “Techniques” used by “Adversaries” (threat actors).

The ATT&ACK for Enterprise matrix includes 14 Tactics:

  • TA0043: Reconnaissance
  • TA0042: Resource Development
  • TA0001: Initial Access
  • TA0002: Execution
  • TA0003: Persistence
  • TA0004: Privilege Escalation
  • TA0005: Defense Evasion
  • TA0006: Credential Access
  • TA0007: Discovery
  • TA0008: Lateral Movement
  • TA0009: Collection
  • TA0011: Command and Control
  • TA0010: Exfiltration
  • TA0040: Impact

Think of these Tactics as the Adversary’s main objectives. For example, under the “Collection” Tactic (TA0009), the adversary is “trying to gather data of interest to their goal.”

If you want to learn more about these tactics, or see a full list of the Techniques, Sub-Techniques, and Mitigations we mention below, click here

A set of Techniques and sometimes “Sub-Techniques” is associated with each Tactic. Techniques are the methods an Adversary uses to achieve their tactical objectives. Sub-Techniques are variations on certain Techniques.

We won’t list all the MITRE ATT&CK Techniques here, but we’ll identify some relevant to email security in just a second.

But first (and finally) there are “Mitigations”—methods of preventing or defending against adversaries. Examples of Mitigations include M1041: “Encrypt Sensitive Information,” and M1027: “Password Policies.”

Back to email security…

MITRE and Email Security

Now we’ll identify the MITRE ATT&CK framework Tactics and Techniques that are relevant to email security specifically. We’ll consider MITRE’s recommended Mitigations and look at how you can align your email security program to meet the framework’s requirements.

Technique T1566: Phishing

“Phishing” is a MITRE ATT&CK Technique associated with the “Initial Access” Tactic (TA0001).

As you’ll probably know, phishing is a type of social engineering attack—usually conducted via email—where an adversary impersonates a trusted person and brand and attempts to trick their target into divulging information, downloading malware, or transferring money.

Want more information about phishing? Start by checking out What is Phishing?

The MITRE ATT&CK framework identifies both targeted phishing attacks (a technique known as “spear phishing”) and more general phishing attacks (conducted in bulk via spam emails).

Now let’s look at the three Sub-Techniques associated with the Phishing Technique.

📎 T1566.001: Spearphishing Attachment

Sub-Technique T1566.001 involves sending a spear phishing email with a malicious attachment. The attachment is malware, such as a virus, spyware, or ransomware file that enables the adversary to harm or gain control of the target device or system.

A spear phishing attachment is usually disguised as a harmless Office, PDF, or ZIP file, and legacy email security software and spam filters can struggle to determine whether an attachment is malicious.

The spear phishing email itself will usually try to persuade the target to open the file. The Adversary may impersonate a trusted person and can even provide the target with instructions on opening the file that will bypass system protections.

For more information about malicious email attachments, read What is a Malicious Payload?

🔗  T1566.002: Spearphishing Link

Alternatively to using a malicious attachment, a spear phishing email can include a link that leads to a malicious site such as a fraudulent account login page or a webpage that hosts a malicious download.

Like with the “Spearphishing Attachment” Sub-Technique, the “Spearphishing Link” Sub-Technique will normally employ social engineering methods—this time as a way to persuade the target to click the malicious link.

For example, the spear phishing email may be disguised as a “security alert” email from Microsoft, urging the target to log into their account. Upon following the link and “logging in,” the target’s login credentials will be sent to the adversary.

We’ve written in detail about this type of attack in our article What is Credential Phishing?

📱T1566.003: Spearphishing via Service

The “Spearphishing via Service” Sub-Technique uses platforms other than email to initiate a spearphishing attack—for example, a LinkedIn job post or WhatsApp message.

This Sub-Technique is not directly related to email security—but email security is still relevant here. For example, if an Adversary is able to establish rapport with their target via social media, then they might follow up with a spear phishing email.

❌ Phishing Detection and Mitigation

Now let’s look at which Mitigations MITRE recommends for dealing with the Phishing Technique and its three associated Sub-Techniques:

  • M1049: Antivirus/Antimalware — Quarantine suspicious files arriving via email.
  • M1031: Network Intrusion Prevention — Monitor inbound email traffic for malicious attachments and links.
  • M1021: Restrict Web-Based Content — Block access to web-based content and file types that are not necessary for business activity.
  • M1054: Software Configuration — Use anti-spoofing methods to detect invalid Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) signatures.
  • M1017: User Training — Educate employees to help them detect signs of a phishing attack.

Note: None of MITRE’s recommended Phishing Mitigations is sufficient on its own. 

Antivirus Software, for example, can quarantine malicious files but is less likely to detect suspicious links. User Training helps embed a security-focused workplace culture—but you can’t expect employees to recognize sophisticated social engineering scenarios.

To prevent phishing attacks, it’s vital security leaders take a layered approach, including training, policies, and technology. Your best bet when it comes to technology? A next-gen email security solution that can automatically scan internal and external email communication for signs of malicious activity based on historical analysis. 

Email security software can use several methods of detecting phishing attacks. Older solutions rely on techniques such as labeling and filtering—an administrator manually inputs the domain names, file types, and subject lines that the software should block.

Tessian is a modern email security solution driven by machine learning. As well as monitoring inbound emails for signs of phishing, the software scans your employees’ email activity to learn how they “normally” act, and flags suspicious behavior.

This intelligent, context-driven approach means Tessian will allow your employees to work uninterrupted, access the legitimate files and links they need— while being alerted to anomalous and suspicious email content. 

Once Tessian Defender detects a potential threat, a warning is triggered, offering employees context about why the email was flagged as malicious.

These in-the-moment warnings help reinforce training, and nudges employees towards safer behavior over time. 

Download the Tessian Platform Overview to learn more. 

Technique T1534: Internal Spearphishing

The “Internal Spearphishing” Technique is associated with the “Lateral Movement” Tactic (TA0008) and is distinct from the “Phishing” Technique.

Internal Spearphishing takes place once an adversary has already penetrated your system or account. The adversary leverages existing account access to conduct an internal spear phishing campaign.

Internal Spearphishing is particularly damaging because the emails come from a genuine (albeit compromised) account. This makes them virtually impossible to spot, and therefore very persuasive.

Internal Spearphishing Detection and Mitigations

MITRE notes that detecting an Internal Spearphishing attack (also known as Account Takeover) can be difficult. There are no mitigations associated with the “Internal Spearphishing” Technique in the MITRE ATT&CK framework.

According to MITRE, the main difficulty associated with detecting and mitigating Internal Spearphishing attacks is that “network intrusion detection systems do not usually scan internal email.”

The main hallmarks of a spear phishing email—such as email impersonation or spoofing—are not present once an adversary has successfully compromised an internal email account. This means legacy email security software may be unable to detect Internal Spear Phishing attacks.

However, an AI-driven email security solution such as Tessian can scan internal email and will pick up on small inconsistencies in the sender’s email behavior and communication patterns.

If a sender is communicating outside of their normal internal networks or writing in an uncharacteristic style, Tessian can flag this unusual behavior and notify the recipient of any suspicious emails.

 Learn more about how Tessian Defender defends against internal spear phishing.

Technique T1598: Phishing for Information

T1598: Phishing for Information is a MITRE ATT&CK Technique associated with the “Reconnaissance” Tactic (TA0043).

While Phishing involves an attempt to penetrate an organization’s defenses, Phishing for Information is a way to gather information about the target for use in an attack.

As such, Phishing for Information may occur via email—or via other communications channels, such as instant messaging applications or social media.

Phishing for Information Detection and Mitigations

To detect Phishing for Information, MITRE suggests monitoring for suspicious email activity. Email security software can monitor signs of a phishing attack, including DKIM misconfiguration, suspicious language, or erratic communication methods.

But legacy email security programs can only detect the more obvious indicators of phishing. On the other hand, Tessian is uniquely equipped to identify the subtle but distinctive signs that a sender is not who they say they are. 

Tessian Defender uses machine learning (ML), anomaly detection, behavioral analysis, and natural language processing (NLP) to detect a variety of suspicious signals: 

  1. Unusual sender characteristics: This includes anomalous geophysical locations, IP addresses, email clients, and reply-to addresses 
  2. Anomalous email sending patterns: Based on historical email analysis, Tessian can identity unusual recipients, unusual send times, and emails sent to an unusual number of recipients
  3. Malicious payloads: Tessian uses URL match patterns to spot suspicious URLs and ML to identify red flags indicative of suspicious attachments 
  4. Deep content inspection: Looking at the email content – for example, language that conveys suspicious intent – Tessian can detect zero-payload attacks, too

Leveraging email security for MITRE ATT&CK framework compliance

We’ve seen how email security is a major factor in meeting the MITRE ATT&CK framework requirements.

To recap, Tessian can serve as a key Mitigation in respect of the following Techniques and Sub-Techniques:

  • T1566: Phishing
    • T1566.01: Spearphishing Attachment
    • T1566.02: Spearphishing Link
    • T1566.03: Spearphishing via Service
  • T1534: Internal Spearphishing
  • T1598: Phishing for Information

Learn more about how Tessian can transform your organization’s cybersecurity program.

[if lte IE 8]
[if lte IE 8]