
Aligning MITRE ATT&CK with Advanced Analytics

Over the last few years, the MITRE ATT&CK framework has become one of the most popular, and useful, security frameworks.  It is getting a lot of attention from the security community and press as more and more organizations are using it to help guide their security posture.  MITRE has built the framework on experience from multiple similar works that came before, rolling in attacker groups, their techniques, tools, and tactics, with a community that can share what they know as the knowledge evolves.

A quick look at the ATT&CK matrices for PRE-Attack, Enterprise, Mobile, and ICS systems, with specifics included for all the major operating systems, can be a bit overwhelming.  There is a lot to take in, but there are also a lot of resources and guides that can help take a team from just starting out with the framework to being fully engaged and mature.

From our perspective in the AI-based advanced analytics space, the attack vectors, tools, and techniques the framework points out align well with what we do.

Since ATT&CK is focused on the tactics and techniques adversaries use against their targets, it aligns well with security analytics.  The matrix covers a huge amount of ground – not just for the ‘penetrate, expand, and exfiltrate’ phases, but on the pre-attack phases as well.  These phases give organizations the resources to prepare for an attack, rather than just respond.

It’s true that the sheer volume of information available in the ATT&CK matrix can make knowing where to start a challenge, but many of the techniques map directly to threat models included in Gurucul’s Security Analytics and Operations Platform.  That makes leveraging MITRE’s work to protect an organization’s environment with advanced analytics a lot easier.

Is your organization worried about a specific threat group? Retail and financial services organizations are often most concerned with criminal organizations hunting for personal records, financial information, or credit card numbers.  For government institutions and organizations that work with them, state-sponsored actors seeking intellectual property, company assets, or intelligence data could be the biggest threat.  Some threats are target agnostic and are simply trying to gain access to whatever resources they can.  Crypto-miners, for example, don’t care whose cycles they steal.

In any case, chances are good that the threat group you’re concerned with is already on the matrix.  You can look them up and see what tools and techniques they’re known to use, which gives you the starting point for hunting down any examples of those attacks in your environment.  In fact, Gurucul’s built-in intelligent threat hunting can even automate that process for you.

You can also be proactive about your defenses. You can make sure your analytics platform has models in place that will identify the attacks when they first happen – before they can do damage.  If you know from the matrix that your likely adversary leads with a spear-phishing attack to plant a particular strain of malware, then tries to move laterally using stolen credentials, you can make sure rules are already in place that would identify that specific chain of events.

This works in reverse as well.  Have you already identified attacks in your environment?  Are you wondering who may be behind them?  You can reference the attacks you’ve seen against the matrix and have a good chance of extrapolating who is trying to breach your defenses.  For example, suppose your analytics have identified a compromised system and isolated the command and control channel, the specific breed of malware in use, and the drive-by browser exploit that got the attackers onto the infected host.  You could compare those tactics and known indicators of compromise against the matrix to identify the one or two most likely threat groups.
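As an added illustration of that reverse lookup (example code written for this article, not part of Gurucul’s platform or of MITRE’s own tooling): the group names and the technique sets assigned to them below are constructed for the example, while the technique IDs are real ATT&CK identifiers. The scoring weights rarer techniques more heavily and declines to name a group when the evidence is thin or two groups tie.

```python
from collections import Counter

# Constructed, hypothetical group-to-technique catalogue in the shape of an
# ATT&CK export. The technique IDs are real ATT&CK identifiers; the group
# names and the sets assigned to them are invented, not MITRE data.
GROUP_TECHNIQUES = {
    "GROUP-A": {"T1566.001", "T1189", "T1071.001", "T1078", "T1021.002"},
    "GROUP-B": {"T1189", "T1071.001", "T1105", "T1059.001"},
    "GROUP-C": {"T1566.002", "T1078", "T1021.001", "T1003.001"},
}

# Techniques the analytics platform flagged on the compromised host, as in the
# article's scenario: a drive-by exploit (T1189), the malware's C2 channel over
# web protocols (T1071.001) and stolen valid accounts (T1078). Constructed sample.
OBSERVED = {"T1189", "T1071.001", "T1078"}


def score_groups(observed, catalogue):
    """Rank catalogue groups by overlap with the observed techniques.

    Each matched technique is weighted by how rare it is across the catalogue,
    so a technique used by one group is more diagnostic than one every group
    uses. Returns (group, score, matched techniques) tuples, best first.
    """
    usage = Counter(t for techs in catalogue.values() for t in techs)
    n_groups = len(catalogue)
    results = []
    for group, techs in catalogue.items():
        matched = observed & techs
        # Weight = number of groups / number of groups using the technique.
        score = sum(n_groups / usage[t] for t in matched)
        results.append((group, round(score, 2), sorted(matched)))
    return sorted(results, key=lambda r: (-r[1], r[0]))


def likely_groups(observed, catalogue, min_matches=2, margin=1.0):
    """Return the leading candidates, or [] when evidence is too thin.

    Groups matching fewer than `min_matches` techniques are dropped; every
    group within `margin` of the leader is kept, so a tie is reported as a
    tie rather than as a confident attribution.
    """
    ranked = [r for r in score_groups(observed, catalogue) if len(r[2]) >= min_matches]
    if not ranked:
        return []
    top = ranked[0][1]
    return [r for r in ranked if top - r[1] <= margin]
```

With only the drive-by exploit and the C2 channel observed, GROUP-A and GROUP-B tie and both are returned; a single observed technique yields no attribution at all.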

None of these are perfect of course, since hostiles are always updating their techniques, adding new tools, and adjusting their tactics to try to get around our defenses.  It’s also a certainty that they are using the ATT&CK framework themselves to see what we know about them.  But by aligning the information compiled in the ATT&CK framework with an advanced analytics platform like Gurucul Unified Security and Risk Analytics, you can get an edge on the attackers.

Watch the Webinar

Would you like to learn more about advanced analytics and the MITRE ATT&CK framework? Watch our webinar replay where we discuss how advanced analytics aligns with the MITRE ATT&CK framework and bolsters an organization’s security infrastructure.

Webinar on Demand: Aligning Security Analytics with MITRE ATT&CK for Threat Detection
