Use Cases for Implementing the MITRE ATT&CK® Framework

November 11, 2020 by Howard Poston

Introduction

The MITRE ATT&CK® framework is a vast repository of cybersecurity knowledge.  The framework outlines the goals an attacker may need to achieve while performing a cyberattack (Tactics), the methods used to achieve those goals (Techniques), the particular tools and threat actors known to use those methods (Procedures), and ways of detecting and responding to each Technique.  All of this information is organized into a set of matrices based upon the target environment in question (Enterprise vs. Mobile vs. ICS) and the stage in the cyberattack lifecycle (PRE-ATT&CK vs. Enterprise, etc.).

This wealth of information can be used in a number of different ways.  MITRE ATT&CK provides six sample use cases for the information contained within its framework.

1. Adversary Emulation

When performing a penetration test of an organization, the goal is to test its resiliency against realistic cyber threats.  As part of this, the ability to realistically simulate the operations of particular threat actors can be a significant asset.  Additionally, it is essential that an organization have defenses in place against the most commonly used tactics of cybercriminals and other threat actors.

MITRE ATT&CK can be used to help verify that an organization’s defenses provide adequate protection against real-world threats.  MITRE ATT&CK provides information about both potential attack vectors and the adversaries known to use them.

2. Red Teaming

A red team assessment is designed to identify potential weaknesses in an organization’s defenses.  Typically, these assessments are performed with no knowledge of the target’s internal environment.

MITRE ATT&CK can be used for a variety of purposes in a red team assessment including:

  • Comprehensive Coverage: Mapping a red team assessment to the MITRE ATT&CK framework helps a red team to ensure that nothing is accidentally overlooked.
  • Clearer Communications: MITRE ATT&CK standardizes cybersecurity terminology and the potential attack vectors, which can be useful for communicating results to the client.
  • Avoiding Certain Attack Vectors: MITRE ATT&CK can be used to identify attack vectors that may be out of scope for an assessment.
  • Identifying Opportunities: MITRE ATT&CK outlines different methods for achieving certain goals, which can be used to identify ways to bypass defenses.

3. Behavioral Analytics Development

Traditional indicators of compromise (IoCs) and malware signatures are rapidly losing effectiveness.  Cyber threat actors can easily make minor modifications to their malware and tools that render past IoCs and signatures obsolete.  As a result, only about half of malware is caught by signature AV.

The methods by which an attacker carries out an attack (their behaviors) are more difficult and expensive to change.  This makes behavioral analytics a better way to detect attacks and perform attribution.

MITRE ATT&CK Techniques describe *how* a particular goal can be achieved without specifying a particular tool (though tools are referenced in the Procedures section of each Technique).  Defenders can identify attacks based upon these behaviors rather than on a specific tool, and can potentially perform attribution based upon the list of threat actors known to use that particular Technique (also listed under Procedures).
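The following added example (not code from the original article) shows the difference described above: the same Office-spawns-PowerShell behavior is checked once against a hash-based IoC list and once with a behavioral analytic mapped to an ATT&CK Technique. The event fields, the placeholder hashes and the rule logic are constructed for illustration.

```python
"""Added example: IoC-style check versus behaviour-style analytic over
constructed process-creation events. Hashes and fields are invented."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    parent_image: str     # process that spawned the child
    image: str            # child process name
    payload_sha256: str   # hash of the document/script involved (constructed)
    command_line: str


# IoC-style inventory: a constructed placeholder hash of one known payload.
KNOWN_BAD_HASHES = {"c0ffee01"}

# Behaviour-style analytic: an Office application launching PowerShell,
# mapped to ATT&CK T1059.001 (Command and Scripting Interpreter: PowerShell).
# It keys on the parent/child relationship, not on any file hash or name.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def ioc_match(ev: ProcessEvent) -> bool:
    """Signature-style check: fires only if the exact hash is already known."""
    return ev.payload_sha256 in KNOWN_BAD_HASHES


def behavioural_match(ev: ProcessEvent) -> Optional[str]:
    """Behaviour-style check: returns the mapped Technique ID on a hit."""
    if ev.parent_image.lower() in OFFICE_APPS and ev.image.lower() == "powershell.exe":
        return "T1059.001"
    return None


def triage(events: List[ProcessEvent]) -> List[Tuple[bool, Optional[str]]]:
    """One (ioc_hit, technique_or_None) pair per event."""
    return [(ioc_match(ev), behavioural_match(ev)) for ev in events]


# Constructed events: #2 is #1 after the payload was rebuilt (new hash, same
# behaviour); #3 is an administrator opening PowerShell from the desktop.
EVENTS = [
    ProcessEvent("WINWORD.EXE", "powershell.exe", "c0ffee01", "powershell.exe -File invoice.ps1"),
    ProcessEvent("WINWORD.EXE", "powershell.exe", "c0ffee02", "powershell.exe -File invoice.ps1"),
    ProcessEvent("explorer.exe", "powershell.exe", "deadbeef", "powershell.exe"),
]

if __name__ == "__main__":
    for ev, (ioc, tech) in zip(EVENTS, triage(EVENTS)):
        print(f"{ev.parent_image:>13} -> {ev.image:15} ioc={ioc!s:5} behaviour={tech}")
```

The rebuilt payload in the second event defeats the hash lookup but still trips the behavioral rule, which is the point the section makes about IoCs versus behaviors.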

4. Defensive Gap Assessment

A defensive gap assessment is designed to identify the holes in an organization’s cyber defenses that an adversary may attempt to exploit during an attack.  These holes can be difficult to discover in some cases because they require looking for what isn’t there.

MITRE ATT&CK provides a listing of methods by which an attacker could achieve their objectives at each stage of the cyberattack lifecycle, including a list of methods to detect and defend against these techniques.  MITRE ATT&CK can be used as a framework for a defensive gap assessment, with analysts checking if each potential attack vector applies to an organization and, if so, if solutions are in place to detect and/or protect against it.
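As an added example (not part of the original article), the script below performs the per-Technique check described in this section and records the SOC test outcome used in the next one: each applicable Technique is marked detected only when a mapped detection rule actually fired in a test, and the remainder are reported as gaps per Tactic. The technique catalogue is a hand-typed handful of real Enterprise Technique IDs; the rule names, applicability judgments and test results are constructed.

```python
"""Added example: defensive gap / SOC coverage report over a constructed
technique catalogue. Rule names, applicability and outcomes are invented."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed catalogue: Technique ID -> (name, tactics). The real Enterprise
# matrix has hundreds of techniques; only a few well-known IDs are listed.
TECHNIQUES = {
    "T1566": ("Phishing", ["initial-access"]),
    "T1059": ("Command and Scripting Interpreter", ["execution"]),
    "T1078": ("Valid Accounts", ["initial-access", "persistence",
                                 "privilege-escalation", "defense-evasion"]),
    "T1003": ("OS Credential Dumping", ["credential-access"]),
    "T1021": ("Remote Services", ["lateral-movement"]),
    "T1041": ("Exfiltration Over C2 Channel", ["exfiltration"]),
    "T1486": ("Data Encrypted for Impact", ["impact"]),
}

# Constructed analyst judgment: techniques that do not apply to this environment.
NOT_APPLICABLE = {"T1021"}  # assumption: no remote admin services in scope

# Constructed detection inventory: rule name -> (Technique ID, passed last test?).
# "passed" records whether a SOC exercise actually produced an alert.
RULES = {
    "mail-gw-attachment-detonation": ("T1566", True),
    "office-spawns-powershell": ("T1059", True),
    "lsass-memory-access": ("T1003", False),   # rule exists but failed its test
    "impossible-travel-login": ("T1078", True),
}

Report = Dict[str, Tuple[List[str], List[str], List[str]]]


def coverage_report(techniques=TECHNIQUES, rules=RULES, not_applicable=NOT_APPLICABLE) -> Report:
    """Return {tactic: (applicable_ids, detected_ids, gap_ids)}; a technique
    counts as detected only if a mapped rule passed its most recent test."""
    detected = {tid for tid, passed in rules.values() if passed}
    by_tactic: Dict[str, List[str]] = defaultdict(list)
    for tid, (_, tactics) in techniques.items():
        if tid in not_applicable:
            continue  # out of scope for this organization, not a gap
        for tactic in tactics:
            by_tactic[tactic].append(tid)
    return {tactic: (ids, [t for t in ids if t in detected], [t for t in ids if t not in detected])
            for tactic, ids in sorted(by_tactic.items())}


def gaps(report: Report) -> Dict[str, List[str]]:
    """Tactics with at least one applicable but undetected technique."""
    return {tactic: gap for tactic, (_, _, gap) in report.items() if gap}


if __name__ == "__main__":
    for tactic, (ids, hit, gap) in coverage_report().items():
        print(f"{tactic:22s} {len(hit)}/{len(ids)} detected  gaps={gap}")
```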

5. SOC Maturity Assessment

An organization’s security operations center (SOC) is responsible for detecting and responding to cyberattacks against the organization.  If an organization’s SOC cannot detect and appropriately respond to a certain type of attack, then the organization is vulnerable to an adversary using this particular technique.

The MITRE ATT&CK framework can be used to measure the maturity and effectiveness of an organization’s SOC.  By performing tests against each of the techniques outlined within the MITRE ATT&CK framework, an organization can test the effectiveness of its SOC and defenses against the cyber threats that it is likely to face.

6. Cyber Threat Intelligence Enrichment

Cyber threat intelligence is essential to an organization’s ability to protect itself against modern threats.  It includes information about the tools, techniques, and procedures used by each of the active threat actor groups.

The MITRE ATT&CK framework can help an organization to make its threat intelligence actionable.  Using the information provided within the framework, an organization can identify behaviors common to particular threat actors and determine whether their existing defenses are capable of detecting and responding to attacks by these adversaries.

Sources

  1. https://www.darkreading.com/threat-intelligence/only-half-of-malware-caught-by-signature-av/d/d-id/1336577
  2. https://attack.mitre.org/resources/faq/
  3. https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf

Howard Poston is a cybersecurity researcher with a background in cryptography and malware analysis. He has a Master’s degree in Cyber Operations from the Air Force Institute of Technology and two years of experience in cybersecurity R&D at Sandia National Labs. He currently provides consulting and technical content writing for cybersecurity, cryptocurrency, and blockchain.