Microsoft this week described an Azure Threat Research Matrix for documenting tactics, techniques or procedures (TTPs) used against Azure services, including the Azure Active Directory service.
The newly announced Azure Threat Research Matrix is said to be “inspired from MITRE ATT&CK,” a documentation framework that’s used to catalog TTPs for Enterprise IT Systems and Mobile instances. However, Microsoft doesn’t think that the current Mitre ATT&CK approach is specific enough for Azure, as just “some tactics in ATT&CK may pertain.”
The Mitre Corp. has its own characterization of Mitre ATT&CK, as listed in its FAQ document. Its Enterprise IT Systems and Mobile documentation includes a bunch of items, including the Azure Active Directory service.
Here’s Mitre’s TTP documentation list:
- Windows, macOS, Linux, Network infrastructure devices (Network), and Container technologies (Containers);
- Cloud systems covering Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS), Office 365, Azure Active Directory (Azure AD), and Google Workspace;
- Mobile devices covering Android and iOS.
Readers of Microsoft’s announcement had suggested that Microsoft should just stick with Mitre ATT&CK for Azure. In response, Ryan Hausknecht, a Microsoft Tech Community employee, offered some reasons why Microsoft was creating an alternative.
Microsoft doesn’t think Mitre ATT&CK is sufficient for Azure because Mitre prefers to just document TTPs that are used by an advanced persistent threat (APT) groups, Hausknecht explained. He added that Microsoft thinks it is best suited to provide information about potential Azure risks:
We felt as though since we own Azure/AAD, it is our responsibility to inform of the potential risks when using the platform. Nothing out of the box about Azure is inherently vulnerable, but there’s some very easy configuration slip-ups that can have a detrimental impact on a tenant. Thus, we figured there should be no one better than to document on potential defensive suggestions + best practices than us.
Hausknecht also said that “the MITRE matrix for AAD is very high level and does not go into specificities.”
Some Mitre ATT&CK descriptions do apply, Microsoft admitted, such as techniques associated with “hybrid-joined devices” and the Azure Active Directory service. In such cases, Microsoft isn’t including them in its Azure Threat Research Matrix.
“The intent of the ATRM is not to replace MITRE ATT&CK, but to rather be an alternative for pure Azure Resource & Azure AD TTPs,” the announcement clarified.
Microsoft Seeks Community Support
Microsoft wants to get the “greater security community’s input” on the Azure Threat Research Matrix, which “is being released under the MIT license and hosted on GitHub.” The Azure Threat Research Matrix won’t be wholly transparent, though, as Microsoft will obscure parts of the commands used for attacks.
“While the commands are also listed to show how to abuse a given technique, certain parts are omitted or obfuscated to prevent malicious abuse,” the announcement clarified.
On the Windows side, Microsoft currently uses the Mitre ATT&CK framework to describe “update Tuesday” software vulnerabilities in its monthly Security Update Guide documents. Security bulletins in the Security Update Guide sometimes contain detailed explanations, but they mostly lean toward providing short generic descriptions bereft of information.
Mitre Corp. is a U.S. nonprofit organization that provides overall “engineering and technical guidance for the federal government,” according to its history page description. It has military-academic roots from Massachusetts Institute of Technology work during World War II.
About the Author
Kurt Mackie is senior news producer for 1105 Media’s Converge360 group.