How to Use MITRE ATT&CK® to Map Defenses and Understand Gaps

November 11, 2020 by Howard Poston

Developing detection and prevention controls for techniques in the enterprise matrix

The MITRE ATT&CK® framework is a useful way to standardize cybersecurity terminology and provides a framework for organizations to plan and evaluate their cybersecurity defenses.  This is demonstrated by the fact that many cybersecurity tool developers now provide explicit mappings of their tools’ capabilities to the MITRE ATT&CK framework.

Using the techniques and procedures outlined in the MITRE ATT&CK framework, organizations can develop controls specifically to detect and prevent certain attack behaviors.  However, it is important to do so carefully and acknowledge the risks of such an approach.

The risks of mapping defenses to ATT&CK techniques

While the MITRE ATT&CK framework is a very valuable and useful tool, it isn’t perfect.  When mapping defenses to MITRE ATT&CK techniques, two major risks exist:

  • Missing Techniques: The MITRE ATT&CK framework attempts to provide a comprehensive overview of the methods (Techniques) by which an attacker can achieve various operational objectives (Tactics).  However, it is possible that some techniques may not be included in the MITRE ATT&CK matrices.
  • Overlooked Procedures: Most MITRE ATT&CK techniques can be performed in a number of different ways (called Procedures).  The ability to detect one procedure does not guarantee that a tool is capable of detecting all of the ways in which a technique may be performed.

The fact that MITRE ATT&CK isn’t perfect doesn’t mean that it isn’t useful.  If an organization has protected itself against at least one procedure from every technique, then it is much more secure than if it hasn’t.  However, it is important not to fall into a false sense of security and to make an effort to identify and close gaps whenever possible.

How to identify gaps in security tool coverage

The MITRE ATT&CK framework provides a large amount of information about the various ways in which a particular technique can be performed.  This is a good starting point for testing the coverage of security tools.

Within a technique (or sub-technique), MITRE ATT&CK provides a description of how it can be performed (procedures), detected, and mitigated.  If possible, verify that a given security tool is capable of performing some or all of the described detection and mitigation steps.

Then, use a cybersecurity assessment to determine the effectiveness of these tools.  In some cases, a particular technique may be tested using off-the-shelf tools.  In others, a formal penetration test or red team assessment may be necessary to achieve the desired level of realism.  MITRE’s ATT&CK-based analytics development method provides a good framework for accomplishing this.

After running the tests, verify that the tested procedures were detected and mitigated as expected.  If not, iterate until the cybersecurity defenses are capable of detecting that particular procedure.
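The gap analysis described in this section can be kept in a simple, tool-agnostic form. The script below is an added example, not code from the article or from MITRE: it takes the procedures enumerated for each technique, the procedures that tested tools actually detected, and reports which techniques are fully, partially or not covered, plus the detections that map to no enumerated technique. The technique and procedure labels are constructed placeholders, not real ATT&CK identifiers.

```python
from dataclasses import dataclass

# Constructed sample data. Labels are placeholders, not real ATT&CK IDs or an
# export of the ATT&CK knowledge base. Each technique maps to the procedures
# (distinct ways of performing it) enumerated from its ATT&CK entry.
TECHNIQUE_PROCEDURES = {
    "technique-A": {"proc-A1", "proc-A2", "proc-A3"},
    "technique-B": {"proc-B1", "proc-B2"},
    "technique-C": {"proc-C1"},
}

# Procedures each deployed tool detected when tested in the environment
# (assessment results, not vendor claims). "proc-Z9" is a detection for a
# behaviour nobody mapped to a technique: the "missing technique" case.
TOOL_DETECTIONS = {
    "edr": {"proc-A1", "proc-B1"},
    "siem-rules": {"proc-A1", "proc-B2", "proc-Z9"},
}


@dataclass
class Coverage:
    fully_covered: set        # every enumerated procedure was detected
    partially_covered: dict   # technique -> procedures still undetected
    uncovered: set            # no procedure of the technique was detected
    unmapped_detections: set  # detections not tied to any enumerated technique


def assess_coverage(technique_procedures, tool_detections):
    """Compare enumerated procedures against the detections seen in testing."""
    detected = set().union(*tool_detections.values())
    known = set().union(*technique_procedures.values())
    fully, partial, uncovered = set(), {}, set()
    for technique, procedures in technique_procedures.items():
        missing = procedures - detected
        if not missing:
            fully.add(technique)
        elif missing == procedures:
            uncovered.add(technique)
        else:
            partial[technique] = missing
    return Coverage(fully, partial, uncovered, detected - known)


def coverage_ratios(cov, technique_procedures):
    """Technique-level vs procedure-level coverage. The difference between the
    two numbers is the "overlooked procedures" risk from the section above."""
    n_tech = len(technique_procedures)
    touched = len(cov.fully_covered) + len(cov.partially_covered)
    n_proc = sum(len(p) for p in technique_procedures.values())
    n_missing = sum(len(m) for m in cov.partially_covered.values())
    n_missing += sum(len(technique_procedures[t]) for t in cov.uncovered)
    return touched / n_tech, (n_proc - n_missing) / n_proc
```

On the sample data, technique-level coverage reads 2/3 while procedure-level coverage is only 1/2, which is exactly the false sense of security the article warns about.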

Benefits of testing defense mapping against the environment

Cyberattackers’ tools and techniques can change, but they are not the only thing that can.  Over time, an organization’s network environment can expand and evolve.  This includes everything from migrating resources to the cloud to connecting new devices to the network to deploying or updating web applications.

These modifications can change an organization’s cybersecurity risk and exposure to potential attacks.  As new procedures are developed and an organization’s environment evolves, it is vital to keep up and periodically retest to see whether the changed attack surface has introduced new vulnerabilities or attack vectors.

Improving Cybersecurity with MITRE ATT&CK

The MITRE ATT&CK framework is an invaluable tool for cybersecurity.  It gives organizations a wealth of information about potential attack vectors and how to protect effectively against them.

However, MITRE ATT&CK does have gaps, and it is important to recognize and plan for this.  Instead of assuming that ATT&CK-based defenses will work, do research and personally test detection and prevention capabilities against known and novel attacks.



Howard Poston is a cybersecurity researcher with a background in blockchain, cryptography and malware analysis. He has a master's degree in Cyber Operations from the Air Force Institute of Technology and two years of experience in cybersecurity research and development at Sandia National Labs. He currently works as a freelance consultant providing training and content creation for cyber and blockchain security.