Saryu Nayyar | Forbes.com »
MITRE developed ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) to provide the cybersecurity industry with “a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.” It serves as “a foundation for the development of specific threat models and methodologies in the private sector, in government and in the cybersecurity product and service community.”
In today’s cybersecurity environments, most organizations don’t have clear visibility into all their vulnerabilities. This provides attackers with an unfair advantage since they merely need to find one weakness to compromise the network, while defenders must secure the entire IT environment. The MITRE ATT&CK framework can help even the playing field by documenting adversaries and their tactics, techniques and procedures based on observations from millions of attacks on enterprises.
In many cases, the MITRE ATT&CK framework is used to identify holes in defenses and to prioritize them based on risk. Let’s consider how MITRE ATT&CK can be applied to achieve better visibility into threats, increase security coverage and automate controls.
The MITRE ATT&CK framework focuses on the techniques an attacker uses at each stage of an attack, from reconnaissance, to initial access and privilege escalation, to lateral movement and exfiltration. Security analysts can use the segments outlined in ATT&CK to uncover patterns, letting them investigate how tools have evolved over time and who was behind them.
For example, during an investigation into a security incident, an analyst might identify a spear-phishing email as the initial attack vector. From there, they could fingerprint the specific strain of malware the attacker used to compromise the account, which scanning tools were used in the reconnaissance phase and how the attacker moved laterally within the network onto another host. In this situation, comparing the techniques discovered in the forensic investigation against the ATT&CK framework would enable the analyst to pinpoint the location of the attacker and predict which assets were being targeted as well as what they were likely to do next.
Improve Security Coverage
Organizations can take a proactive approach based on this knowledge, hardening their defenses after analyzing the specific threats, tools and techniques associated with the risks they’ve identified.
In situations where an organization is concerned with specific threat actors, either because they are in a targeted industry or have already been attacked, the ATT&CK framework can be used to understand the most common tools and techniques likely to be involved in a future attack. This intelligence makes it possible to assess existing security infrastructures to detect any gaps and ensure response playbooks will be capable of mitigating threats when they happen.
It also enables red teams to better emulate attackers’ techniques, tactics and procedures (TTP) during penetration tests and helps them share knowledge with blue teams responsible for evolving the company’s defenses based adversaries’ TTP.
Enhance Response Mechanisms
Finally, the MITRE ATT&CK framework can be used to measure, test and automate threat detection and response capabilities. For example, with knowledge of an attacker’s common tactics, an organization can design specific responses to effectively mitigate them. This enables security teams to work smarter and implement automation in the attack identification and mitigation stages. Red teams can perform threat emulation based on the profiles of high-priority threat actors to test the limitations of existing defenses so they can be supplemented where needed to counter evolving threats.
To get started with MITRE ATT&CK, look for ways to understand what cyber adversaries do, and use that threat intelligence to improve security decision-making. As a starting point, focus on one threat actor group, like APT19, and review its behaviors as structured in ATT&CK. For example, the MITRE ATT&CK search tool can be used to identify groups that have targeted a specific sector, such as pharmaceutical, financial services, health care, etc.
Next, to make this information actionable and defend against a specific threat actor, use ATT&CK resources to identify steps for implementing appropriate detection and mitigation techniques. By looking at one adversary group that is a threat to the organization, the ATT&CK framework provides known behaviors they have used to target other companies. These can inform your security team on how to detect and protect against them.
Given that the MITRE ATT&CK framework is continuously being updated based on real-world threat activity, it can represent a valuable asset for balancing the scales against attackers. Armed with the knowledge of the latest tactics and techniques being used in the wild, an organization can routinely benchmark their defensive measures to identify and plug any holes before they can be exploited.
Saryu Nayyar is CEO of Gurucul, a provider of behavioral security analytics technology and a recognized expert in cyber risk management.
External Link: Three Ways MITRE ATT&CK Can Improve Enterprise Security