Why do we need a MITRE ATT&CK-style framework for bots?

Since launching in 2015, MITRE’s ATT&CK framework has been the cybersecurity industry standard for understanding cyber-attacks and their kill chains. Now the BLADE framework is set to develop a similar understanding of business logic attacks fueled by malicious bots.

In this post, we will look at why MITRE ATT&CK is so important and examine why BLADE is needed now more than ever.

What is MITRE ATT&CK?

MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) is a curated knowledge base of cybersecurity threats and the approaches used by adversaries (hackers and criminals) to execute them. Originally spearheaded by the Mitre Corporation, ATT&CK is a vendor-neutral, continuously updated community project.

ATT&CK is split into many tactics, or stages of cyber-attacks, with each of these containing specific techniques. By mapping cyber-attacks across the ATT&CK framework and into kill chains, organizations can develop threat intelligence models and defend more effectively against such malicious activity.

MITRE ATT&CK is used worldwide and has standardized much of the terminology used in cybersecurity. Industry experts estimate that 80 per cent of companies use the ATT&CK framework, and its users include the FBI.

MITRE ATT&CK's focus on code-level attacks makes it indispensable against adversaries looking for technical exploits, many of whom rely on specific tools, skills and entry points into applications.

However, there is another kind of attack causing billions of dollars’ worth of damage to businesses annually, which does not rely on code-level weaknesses or technical expertise to execute – business logic attacks.

What is the difference between technical threats and business logic attacks?

Business logic attacks are so called because they rely on an application’s own design and intended purpose. For example, account takeover (ATO) attacks are possible because applications must allow users to access their accounts using specific credentials. This necessary functionality can be exploited by credential stuffing bots to give criminals access to sensitive assets.

These types of attacks are growing year on year, with a 10-15% increase last year according to Forrester Research.

Automated bots are a hallmark of business logic attacks because they allow attackers to carry out human-like behavior much faster or in far greater volumes than humans could. This is often used to exploit weaknesses and gain unfair advantages, for example monopolizing inventory for resale or capturing large amounts of pricing data to undercut the target site elsewhere. The BLADE framework is uniquely designed to identify the intent of these bots and how they fit into larger attacks.

To use a real-world comparison, MITRE ATT&CK describes the equivalent of a gang drilling a tunnel into a bank vault, whereas a business logic attack would be like the criminals successfully impersonating the bank's customers, making a withdrawal from the bank teller and walking out of the front door with all the gold.

Because applications will always be constrained to work within defined business logic (e.g. users must be able to log in using their username and password), the MITRE ATT&CK framework is not effective when mapping business logic attacks.

BLADE: A new kind of framework for business logic attacks

In response to this problem, Netacea has developed BLADE – the Business Logic Attack Definition framework. BLADE draws inspiration from MITRE ATT&CK but is solely built around defining the tactics and techniques used in business logic attacks.

Like ATT&CK, BLADE structures techniques and sub-techniques into tactics based on the stage of the overall attack (or kill chain). Also, similarly to ATT&CK, some attacks will go back and forth within the structure of the framework to adapt or retool as needed – taking one step back to move two steps forward.

By focusing on business logic attacks and leaving technical attacks to the well-established MITRE ATT&CK framework, BLADE captures the attacks that typically go undetected by traditional cybersecurity tools, adding vital threat intelligence.

Commenting on the new BLADE framework to SC Magazine, Adam Pennington, MITRE ATT&CK Director said:

“There’s a wide range of activity that is… out of scope to [MITRE ATT&CK] where others may be able to fill in gaps. We wish them well, and look forward to seeing how this work develops.”

Get involved with BLADE

Netacea recently unveiled the BLADE framework online for all to use. It is a continually changing project, designed to be updated and modified as the ever more complex bot threat landscape evolves.

Investigate the BLADE framework for your own purposes or get involved in contributing alongside cybersecurity experts.