Poornachander Kola

Better Threat Intelligence - MITRE ATT&CK Framework

The MITRE Corporation (usually written MITRE) is an American not-for-profit, government-funded research organization based in Bedford, Massachusetts, and McLean, Virginia.

In 2013, MITRE created the ATT&CK Framework to document attacker tactics and techniques based on real-world observations. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge, and it is a knowledge base of adversary tactics and techniques.

Each technique is indexed and broken down in detail, describing the exact steps and methods that attackers use, so that teams can readily understand the actions that may be used against a particular platform. MITRE incorporates cyber-threat intelligence and documented behaviour profiles of adversary groups to record which attack groups use which techniques.

The framework supports governance, risk management, understanding of attacker behaviour, and understanding of how to classify and mitigate threats; ultimately, it helps you understand your adversaries and the methods they use to compromise an organization.

The ATT&CK Framework removes ambiguity and provides a common vocabulary that industry professionals can use to discuss and collaborate on combating these adversary methods.


ATT&CK was created to help protect Microsoft Windows, Linux, and macOS systems from adversary TTPs, and was later expanded to cover mobile devices as well. Beyond that, ATT&CK also offers practical ways for enterprises to assess and improve their security posture. For instance, the framework can be used to evaluate the effectiveness of defensive activities including intrusion detection, threat hunting, security engineering, threat intelligence, red teaming, and risk management.

Adversary Emulation

Adversary emulation is a process used by defenders and threat hunting teams to imitate a security threat in order to understand how specific adversaries operate against a technology domain. Security teams can use ATT&CK to build these adversary emulation scenarios for every stage of the threat lifecycle, which greatly improves their defensive measures.

Red Teaming

Red teaming is an attack simulation designed to measure how well an organization can withstand a threat from a real-life adversary. The goal is to understand what impact a breach can have on an organization and its systems. ATT&CK can be used to create red team plans and organize operations to avoid certain defensive measures that may be in place within a network.

Defensive Gap Assessment

A defensive gap assessment is carried out by organizations to uncover gaps in their security posture that could leave them susceptible to cyber risks. ATT&CK can be used to assess an organization's security tools and identify their shortfalls. This lets an organization see which parts of the matrix its security investments should focus on, so that it purchases only the security product(s) that fit its specific needs.

SOC Maturity Assessment

A Security Operations Center (SOC) continuously monitors for threats against an organization's network. Understanding the maturity of a SOC tells an organization how effective its defensive measures are. ATT&CK can serve as one measurement of how effective a SOC is at detecting, analyzing and responding to particular attack types, or even to individual parts of the attack lifecycle.

How do I get started using the MITRE ATT&CK framework?

ATT&CK can be useful for any organization that wants to deepen its threat knowledge and build a more informed defense posture, regardless of the size or sophistication of its security team. While MITRE provides its materials at no cost, organizations can also engage MITRE consultants or other vendors to help apply the framework to their specific needs.

If you're an organization with a small security team and want to expand your threat intelligence capabilities, you can focus on a relevant group (an organized set of intrusion activity) and look at the related attack behaviours, as defined in ATT&CK, that are relevant to your organization.

If you're an organization with a team of dedicated security professionals that regularly analyze threat information, you can get started by mapping intelligence to the ATT&CK framework yourself, rather than relying on what others have previously mapped.

If your team is more advanced, you can map progressively more information to ATT&CK and use it to guide how you build out your cyber defense. You can map both internal and external information to ATT&CK, including incident response data, real-time alerts and your company's historic data. Once this data is mapped, you can compare groups and prioritize the techniques they commonly use.
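The mapping and prioritization workflow described above, together with the defensive gap assessment from the earlier section, as an added example that is not part of the original post. The technique IDs are real ATT&CK identifiers; every alert record, group name, group-to-technique attribution and detection list is constructed for illustration and does not describe any real intrusion set or environment.

```python
"""Added example (not from the original post): map constructed internal alerts
and constructed external intelligence to ATT&CK technique IDs, then rank the
techniques and list the ones with no detection in place."""
from collections import Counter

# Real ATT&CK technique IDs with their names, used only as labels here.
TECHNIQUE_NAMES = {
    "T1566": "Phishing",
    "T1059": "Command and Scripting Interpreter",
    "T1003": "OS Credential Dumping",
    "T1078": "Valid Accounts",
    "T1021": "Remote Services",
    "T1486": "Data Encrypted for Impact",
}

# Constructed external intelligence: which techniques each placeholder
# intrusion set has been reported using. The attributions are invented.
GROUP_TECHNIQUES = {
    "GROUP-A (placeholder)": {"T1566", "T1059", "T1003", "T1021"},
    "GROUP-B (placeholder)": {"T1078", "T1021", "T1486", "T1059"},
}

# Constructed internal data: alerts and incident-response findings already
# tagged with the technique ID assigned by the rule or analyst that raised them.
INTERNAL_ALERTS = [
    {"source": "email-gateway", "technique": "T1566"},
    {"source": "edr", "technique": "T1059"},
    {"source": "edr", "technique": "T1059"},
    {"source": "ir-case-placeholder", "technique": "T1003"},
    {"source": "siem", "technique": "T1078"},
]

# Constructed set of techniques for which a detection rule currently exists.
DETECTIONS = {"T1566", "T1059", "T1078"}


def technique_frequency(alerts):
    """Count how often each technique appears in internally mapped data."""
    return Counter(a["technique"] for a in alerts)


def shared_techniques(groups):
    """Techniques reported for more than one group. These are good
    prioritization candidates: one detection covers several adversaries."""
    counts = Counter(t for techs in groups.values() for t in techs)
    return {t for t, n in counts.items() if n > 1}


def prioritise(alerts, groups):
    """Score each technique as internal sightings plus the number of tracked
    groups using it, and return technique IDs from highest to lowest score
    (ties broken by ID so the result is stable)."""
    internal = technique_frequency(alerts)
    external = Counter(t for techs in groups.values() for t in techs)
    scores = {t: internal.get(t, 0) + external.get(t, 0)
              for t in set(internal) | set(external)}
    return sorted(scores, key=lambda t: (-scores[t], t))


def detection_gaps(groups, detections):
    """Defensive gap assessment: techniques used by tracked groups that have
    no detection in place, with techniques shared by several groups first."""
    needed = set().union(*groups.values())
    gaps = needed - detections
    shared = shared_techniques(groups)
    return sorted(gaps, key=lambda t: (t not in shared, t))


if __name__ == "__main__":
    print("Prioritized techniques:")
    for t in prioritise(INTERNAL_ALERTS, GROUP_TECHNIQUES):
        print(f"  {t} {TECHNIQUE_NAMES[t]}")
    print("Detection gaps:", detection_gaps(GROUP_TECHNIQUES, DETECTIONS))
```

With the constructed data, Command and Scripting Interpreter (T1059) ranks first because it is both the most-seen technique internally and used by both placeholder groups, and Remote Services (T1021) heads the gap list because both groups use it and no detection exists for it. In practice the alert records would come from SIEM or EDR rules that carry an ATT&CK tag, and the group data from a threat-intelligence feed, but the scoring logic is the same.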

The bottom line

Build a more threat-informed security strategy

Many organizations rely on traditional defenses: an arsenal of security products designed to block malware and other threats and to alert you to vulnerabilities that attackers could exploit. Although effective in some areas, these approaches are limited and, perhaps most importantly, give you no insight into how malicious actors carry out their attacks once they are inside your network. Cyber threat intelligence organized with a comprehensive framework like ATT&CK gives you a window into adversaries' methods, so you can start thinking like an attacker and make better-informed decisions that prevent destructive, targeted attacks before they occur.

In the next part of the series, we will see how ServiceNow's Security Incident Response can make use of the MITRE ATT&CK framework.

Happy holidays & Merry Christmas :-)
