MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework is a powerful tool for improving cyber defense by creating a smarter security operations center (SOC).
As outlined in the recent SANS report, Measuring and Improving Cyber Defense Using the MITRE ATT&CK Framework by John Hubbard, the MITRE ATT&CK creates a categorized list of all known attack methods and marries each attack method with:
- The threat intelligence groups that are known to utilize these attack methods
- Unique methods used by malicious actors in implementing the attacks
- Mitigations and detection methods for preventing or identifying attacker techniques
Why is this so significant to your security operations center? In a nutshell, cyber security teams can now assess their organization’s cyber defenses against the MITRE ATT&CK body of knowledge, and use that assessment in decision-making about their security operations center strategy.
Fundamentally, by leveraging the information in the MITRE ATT&CK to support agile use case development, organizations can better protect themselves from cyber attacks. Let’s have a look at how this works.
What is the MITRE ATT&CK?
The MITRE ATT&CK provides organizations with a way to develop, organize, and use a threat-informed defensive strategy that can be communicated in a standardized way.
The goal of the MITRE ATT&CK is to be a living dataset, continuously updated with new threat information. It is a framework that organizes known cyber threats and categorizes the activities of malicious actors in terms of their tactics, techniques and procedures (TTPs).
A technique is a specific method, identified by MITRE, of achieving a tactic, where a tactic is an intrusion goal. For example, Privilege Escalation is listed as a tactic, while AppCert DLLs is a technique to achieve it.
For each technique listed in the MITRE ATT&CK, the following information is provided:
- An identifier
- Tactic that it’s associated with
- Platform it’s applicable to
- System or permission requirements
- Defense strategies bypassed
- Data sources that identify use of the technique
- Mitigations and detection methods
Note that MITRE recently changed how the framework is organized – introducing sub-techniques. As pointed out in the SANS report, the addition of sub-techniques enables even more granular tracking within vendor tools, use cases, and detection analytics.
How the MITRE ATT&CK Improves Security Operations
Using the MITRE ATT&CK, organizations can perform evaluations that are both external-facing and inward-looking:
- Threat intelligence mapping – This external-facing assessment is the primary use of the ATT&CK framework. Listing attackers’ TTPs in a structured, usable way gives threat intelligence teams a resource for threat-informed cyber defense. The working assumption is that an attacker’s future behavior can be predicted from past observed TTPs, so having that history listed in a structured way, with supporting details, serves both cyber defenders and threat intelligence teams.
- Data source gap identification – The next common use for ATT&CK is an inward-looking assessment. Each technique in ATT&CK is listed together with information on how to identify, detect, and mitigate it, and by programmatically extracting the data source information for the techniques of interest, you can highlight an organization’s visibility gaps. ATT&CK lets you focus on what data is missing and gain a more measurable understanding of the organization’s ability to defend itself.
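One way to do the extraction this item describes, and to make use of the per-technique fields listed earlier (identifier, tactics, platforms, data sources), as an added example that is not from the SANS report or from CyberProof: the script below parses ATT&CK-style STIX records, compares each technique’s data sources with what the SOC actually collects, and ranks the missing sources by how many techniques they would give visibility into. The bundle is a constructed, trimmed imitation of the STIX 2.x format MITRE publishes in its cti GitHub repository; the field names follow that format, but the technique IDs, names and data-source lists are invented, and the `collected` set is an assumed picture of one organization’s telemetry.

```python
import json
from collections import Counter

# Constructed sample bundle: a trimmed imitation of the STIX 2.x objects MITRE
# publishes for ATT&CK. The field names follow that format; the technique IDs,
# names and data-source lists below are made up for this example.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--example", "objects": [
    {"type": "attack-pattern", "name": "Example Registry Persistence",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9001"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "persistence"},
                           {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"}],
     "x_mitre_platforms": ["Windows"], "x_mitre_is_subtechnique": False,
     "x_mitre_data_sources": ["Windows Registry: Windows Registry Key Modification",
                              "Process: Process Creation"]},
    {"type": "attack-pattern", "name": "Example Registry Persistence: Run Key Variant",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9001.001"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "persistence"}],
     "x_mitre_platforms": ["Windows"], "x_mitre_is_subtechnique": True,
     "x_mitre_data_sources": ["Windows Registry: Windows Registry Key Modification",
                              "Command: Command Execution"]},
    {"type": "attack-pattern", "name": "Example Cloud Account Manipulation",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9002"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "persistence"}],
     "x_mitre_platforms": ["IaaS", "Azure AD"], "x_mitre_is_subtechnique": False,
     "x_mitre_data_sources": ["User Account: User Account Modification",
                              "Cloud Service: Cloud Service Modification"]},
    # A revoked technique and a non-technique object: a real bundle contains
    # both, and the parser must skip them.
    {"type": "attack-pattern", "name": "Example Retired Technique", "revoked": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9099"}]},
    {"type": "intrusion-set", "name": "Example Group"},
]})


def parse_techniques(bundle_json):
    """Return one record per live attack-pattern with the fields the text lists:
    identifier, tactics, platforms, sub-technique flag and data sources."""
    techniques = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        ext_id = next((r["external_id"] for r in obj.get("external_references", [])
                       if r.get("source_name") == "mitre-attack"), None)
        if ext_id is None:
            continue
        techniques.append({
            "id": ext_id,
            "name": obj["name"],
            "tactics": [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                        if p.get("kill_chain_name") == "mitre-attack"],
            "platforms": obj.get("x_mitre_platforms", []),
            "is_subtechnique": obj.get("x_mitre_is_subtechnique", False),
            "data_sources": obj.get("x_mitre_data_sources", []),
        })
    return techniques


def _is_collected(source, collected):
    """A 'Source: Component' entry counts as collected if either the full string
    or just the 'Source' part is in the organization's collected set."""
    return source in collected or source.split(":")[0].strip() in collected


def data_source_gaps(techniques, collected, platforms=None):
    """Classify each technique (optionally only those on the given platforms) as
    'covered', 'partial' or 'blind' and list the data sources it is missing."""
    result = {}
    for t in techniques:
        if platforms and not set(t["platforms"]) & set(platforms):
            continue
        missing = [s for s in t["data_sources"] if not _is_collected(s, collected)]
        if not missing:
            status = "covered"
        elif len(missing) < len(t["data_sources"]):
            status = "partial"
        else:
            status = "blind"
        result[t["id"]] = {"status": status, "missing": missing}
    return result


def rank_missing_sources(gaps):
    """Rank missing data sources by how many techniques each would improve
    visibility into; the top entries are the most valuable onboarding work."""
    counts = Counter(s for g in gaps.values() for s in g["missing"])
    return counts.most_common()


if __name__ == "__main__":
    techs = parse_techniques(SAMPLE_BUNDLE)
    # Assumed telemetry picture: full registry auditing and command-line
    # logging are ingested, but no process-creation events.
    collected = {"Windows Registry", "Command: Command Execution"}
    gaps = data_source_gaps(techs, collected, platforms=["Windows"])
    for tid, g in sorted(gaps.items()):
        print(f"{tid:10} {g['status']:8} missing={g['missing']}")
    print("onboard first:", rank_missing_sources(gaps))
```

Restricting the report to the platforms the organization actually runs keeps cloud-only techniques from inflating the gap count, and the ranking turns a long list of blind spots into an ordered onboarding plan for the SIEM.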
How CyberProof Leverages the MITRE ATT&CK
At CyberProof, the MITRE ATT&CK framework provides us with the ability to work closely with our customers in improving their security posture effectively – in several important ways:
- Visibility into what matters – ATT&CK creates a map that makes it easy to see, visually, where an organization is protected and where the vulnerable areas are. By combining the known threat techniques from the MITRE ATT&CK framework with our own investigations into the clear, deep and dark web for unknown threats, CyberProof helps security teams discover high-risk vulnerabilities and prioritize remediation.
- Collaboration – ATT&CK allows CyberProof to work collaboratively with the customer. As part of our hybrid engagement model, we work as an extension of our customers’ team to define a target response window aligned to their acceptable level of risk, baseline their detection gaps against the MITRE ATT&CK framework, and continuously tune their detection and response controls to measurably reduce risk. Because customers’ security capabilities are mapped to ATT&CK, we can see exactly where the problems are and work effectively to improve their security posture.
- Continuous improvement – ATT&CK provides an extensive knowledge base of attack information that is continuously updated. This can make it difficult for security teams to update their defenses before a vulnerability is exploited. CyberProof maps its extensive library of use cases and playbooks (called a Use Case Factory) to the MITRE ATT&CK framework to continuously reduce detection gaps and automate responses to threats. The ATT&CK framework helps CyberProof’s team, together with our customers, identify the security gaps that are most significant from a risk perspective and prioritize which use cases should be developed first.
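The use-case mapping described in this last item, as an added example that is not CyberProof’s Use Case Factory or any of its tooling: a constructed technique catalogue carrying, for each technique, its tactic and the number of threat groups ATT&CK associates with it (the group information mentioned at the top of the page), a constructed library of detection use cases tagged with technique IDs, and three checks a SOC would run on them: coverage per tactic, a prioritized backlog of techniques with no deployed detection, and use cases whose mappings point at technique IDs no longer in the current catalogue, which is what a framework update such as the sub-technique reorganization does to stale mappings. All IDs, names and counts are invented.

```python
from collections import defaultdict

# Constructed technique catalogue, in the shape a SOC keeps after extracting the
# current ATT&CK release: the technique's tactic and how many threat groups
# ATT&CK lists as using it. IDs, names and counts are made up for this example.
TECHNIQUES = {
    "T9001": {"name": "Example Registry Persistence", "tactic": "persistence", "groups": 12},
    "T9002": {"name": "Example Credential Dumping", "tactic": "credential-access", "groups": 30},
    "T9003": {"name": "Example Scheduled Task", "tactic": "persistence", "groups": 18},
    "T9004": {"name": "Example Remote Service Abuse", "tactic": "lateral-movement", "groups": 22},
    "T9005": {"name": "Example Archive Before Exfiltration", "tactic": "exfiltration", "groups": 9},
}

# Constructed use-case library: each detection use case records its lifecycle
# status and the technique IDs it is mapped to. "T9099" stands for an ID that
# the current catalogue no longer contains.
USE_CASES = [
    {"name": "New registry run key", "status": "deployed", "techniques": ["T9001"]},
    {"name": "Credential store memory access", "status": "deployed", "techniques": ["T9002"]},
    {"name": "Suspicious scheduled task", "status": "in-development", "techniques": ["T9003"]},
    {"name": "Legacy alert", "status": "deployed", "techniques": ["T9099"]},
]


def techniques_with_status(use_cases, status):
    """Set of technique IDs that have at least one use case in the given status."""
    return {t for uc in use_cases if uc["status"] == status for t in uc["techniques"]}


def coverage_by_tactic(techniques, use_cases):
    """Per tactic, how many techniques have a deployed use case versus how many
    exist; this is the row-level summary behind an ATT&CK coverage heat map."""
    deployed = techniques_with_status(use_cases, "deployed")
    summary = defaultdict(lambda: {"covered": 0, "total": 0})
    for tid, t in techniques.items():
        summary[t["tactic"]]["total"] += 1
        if tid in deployed:
            summary[t["tactic"]]["covered"] += 1
    return dict(summary)


def prioritized_backlog(techniques, use_cases):
    """Techniques without a deployed use case. Techniques with nothing at all
    come first, ordered by how many known groups use them; techniques that
    already have a use case in development follow, in the same order."""
    deployed = techniques_with_status(use_cases, "deployed")
    in_dev = techniques_with_status(use_cases, "in-development")
    backlog = [
        {"id": tid, "tactic": t["tactic"], "groups": t["groups"],
         "in_development": tid in in_dev}
        for tid, t in techniques.items() if tid not in deployed
    ]
    backlog.sort(key=lambda b: (b["in_development"], -b["groups"]))
    return backlog


def stale_mappings(techniques, use_cases):
    """(use case, technique ID) pairs whose ID is absent from the current
    catalogue; these need re-mapping after each ATT&CK update or they silently
    drop out of the coverage picture."""
    return sorted(
        (uc["name"], tid)
        for uc in use_cases for tid in uc["techniques"] if tid not in techniques
    )


if __name__ == "__main__":
    for tactic, c in coverage_by_tactic(TECHNIQUES, USE_CASES).items():
        print(f"{tactic:18} {c['covered']}/{c['total']} techniques covered")
    for item in prioritized_backlog(TECHNIQUES, USE_CASES):
        print("build next:", item)
    print("re-map after update:", stale_mappings(TECHNIQUES, USE_CASES))
```

Ranking the backlog by the number of groups known to use a technique is one simple risk proxy; a real program would weight it further by the organization’s platforms and sector, but the structure of the checks stays the same.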
Thus, by using the MITRE ATT&CK, CyberProof gains greater visibility and ensures that new use cases are aligned accurately with specific threats that are putting the organization at the greatest risk.