
Using MITRE ATT&CK with cyber threat intelligence

February 9, 2021 by Howard Poston


MITRE ATT&CK® is a framework: a knowledge base of the ways cyber attackers plan and execute attacks. It is organized to follow an attack from beginning to end, and at each stage it catalogs the many different techniques an actor might use.

MITRE created and maintains the ATT&CK framework. MITRE is a not-for-profit organization, and the US government has a vested interest in funding its research and development of cybersecurity methods.

The framework is used across many industries. It standardizes the vocabulary used to describe and understand threats, informs penetration-testing plans, and helps organizations measure and maximize their defensive coverage. The range of contexts in which ATT&CK is used keeps growing: security vendors routinely publish mappings of their tools' capabilities to ATT&CK techniques, penetration testers plan engagements around it, and enterprise security teams use it to organize their defenses. Whether you are defending or attacking, the shared framework helps.

The MITRE ATT&CK framework is hierarchical. Information about attack techniques and the actors who use them is organized within that hierarchy: matrices sit at the top, each matrix is divided into tactics (the adversary's goals), and each tactic holds the techniques that achieve it, with the corresponding mitigations and detection guidance attached to each technique.

Weaponized and Reconnaissance Stages

ATT&CK's content is collected into matrices. As the article was written there were four: PRE-ATT&CK, Enterprise, Mobile and ICS. PRE-ATT&CK focuses on the reconnaissance and weaponization stages of a cyberattack, before the adversary touches the target's network. It describes the signs that an actor is targeting an organization and the ways an attack might be prepared. (Note that MITRE retired PRE-ATT&CK in ATT&CK version 8, released in October 2020, and folded its content into the Enterprise matrix as the Reconnaissance and Resource Development tactics.) The Enterprise matrix covers everything PRE-ATT&CK does not, focusing on how actors gain access to and operate inside an enterprise network. The Mobile matrix parallels the Enterprise matrix but covers mobile devices and the attack vectors and threats specific to them. The ICS matrix describes how industrial control system (ICS) devices and networks can be attacked.

Further down the hierarchy, each tactic breaks down into three more levels: techniques, sub-techniques and procedures. A technique is a specific method an adversary uses to achieve the goal of a tactic. A sub-technique is a more specific variant of a technique, describing one particular way the technique's behavior is carried out (PowerShell, for example, is a sub-technique of Command and Scripting Interpreter). A procedure is the concrete implementation a specific adversary or piece of malware uses to perform a technique or sub-technique. Alongside the tactics, the framework catalogs groups (threat actors) and software (malware and tools) and records which techniques each one uses. The hierarchy also carries information that the matrices themselves do not display, including the platforms each technique affects.
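The hierarchy above is exactly what MITRE's public ATT&CK data encodes as STIX 2.0 objects. The following is an added example, not code from the article or from MITRE, that walks a miniature bundle shaped like that data to recover tactic, technique, sub-technique, procedure and mitigation. The bundle is constructed for the example: it uses real ATT&CK identifiers (T1059, T1059.001, T1566, M1038, G0016) and the real object and relationship types (attack-pattern, course-of-action, intrusion-set; subtechnique-of, mitigates, uses), but it is a hand-made subset, and the procedure text is invented.

```python
"""Recover the ATT&CK hierarchy (tactic -> technique -> sub-technique ->
procedure) plus mitigations from a STIX 2.0 bundle.

The bundle below is CONSTRUCTED for this example. It mirrors the object and
relationship types of MITRE's public ATT&CK STIX data and uses real ATT&CK
identifiers, but it is a tiny hand-made subset, not the real dataset."""
from collections import defaultdict

BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "attack-pattern", "id": "attack-pattern--t1059",
         "name": "Command and Scripting Interpreter",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
         "x_mitre_is_subtechnique": False},
        {"type": "attack-pattern", "id": "attack-pattern--t1059-001", "name": "PowerShell",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
         "x_mitre_is_subtechnique": True},
        {"type": "attack-pattern", "id": "attack-pattern--t1566", "name": "Phishing",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}],
         "x_mitre_is_subtechnique": False},
        {"type": "course-of-action", "id": "course-of-action--m1038", "name": "Execution Prevention",
         "external_references": [{"source_name": "mitre-attack", "external_id": "M1038"}]},
        {"type": "intrusion-set", "id": "intrusion-set--g0016", "name": "APT29",
         "external_references": [{"source_name": "mitre-attack", "external_id": "G0016"}]},
        # Sub-technique -> its parent technique
        {"type": "relationship", "relationship_type": "subtechnique-of",
         "source_ref": "attack-pattern--t1059-001", "target_ref": "attack-pattern--t1059"},
        # Mitigation -> the technique it counters
        {"type": "relationship", "relationship_type": "mitigates",
         "source_ref": "course-of-action--m1038", "target_ref": "attack-pattern--t1059"},
        # Group -> technique it uses; the description is the procedure example
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--g0016", "target_ref": "attack-pattern--t1059-001",
         "description": "(constructed) runs encoded PowerShell from a scheduled task"},
    ],
}


def attack_id(obj):
    """ATT&CK external ID (T1059, M1038, G0016, ...) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def build_index(bundle):
    """Index the bundle by the relationships that define the ATT&CK hierarchy."""
    objs = {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}
    idx = {
        "name": {},                          # ATT&CK ID -> display name
        "by_tactic": defaultdict(list),      # tactic -> top-level technique IDs
        "subtechniques": defaultdict(list),  # technique ID -> sub-technique IDs
        "mitigations": defaultdict(list),    # technique ID -> mitigation IDs
        "procedures": defaultdict(list),     # technique ID -> (group ID, procedure text)
    }
    for o in objs.values():
        idx["name"][attack_id(o)] = o["name"]
        # Only top-level techniques hang directly off a tactic; sub-techniques
        # are reached through their parent.
        if o["type"] == "attack-pattern" and not o.get("x_mitre_is_subtechnique", False):
            for phase in o.get("kill_chain_phases", []):
                if phase["kill_chain_name"] == "mitre-attack":
                    idx["by_tactic"][phase["phase_name"]].append(attack_id(o))
    for r in bundle["objects"]:
        if r["type"] != "relationship":
            continue
        src, dst = attack_id(objs[r["source_ref"]]), attack_id(objs[r["target_ref"]])
        if r["relationship_type"] == "subtechnique-of":
            idx["subtechniques"][dst].append(src)
        elif r["relationship_type"] == "mitigates":
            idx["mitigations"][dst].append(src)
        elif r["relationship_type"] == "uses" and src.startswith("G"):
            idx["procedures"][dst].append((src, r.get("description", "")))
    return idx


def walk(idx, tactic):
    """Flatten one tactic into (technique, sub-technique or None) rows."""
    rows = []
    for tid in idx["by_tactic"].get(tactic, []):
        rows.append((tid, None))
        rows.extend((tid, sub) for sub in idx["subtechniques"].get(tid, []))
    return rows


if __name__ == "__main__":
    idx = build_index(BUNDLE)
    for tech, sub in walk(idx, "execution"):
        node = sub or tech
        print(f"{node:10} {idx['name'][node]}")
        print("   mitigated by:", idx["mitigations"].get(node, []))
        print("   procedures  :", idx["procedures"].get(node, []))
```

Against the real dataset (the enterprise-attack JSON that MITRE publishes), the same walk works unchanged apart from the number of objects; the point to notice is that the tactic is a property of the technique (its kill-chain phase), while sub-technique, mitigation and procedure are all expressed as relationships, so you must join on them rather than look for nested fields.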

Education is MITRE ATT&CK's primary aim: understanding how attacks are carried out is critical to predicting and defending against them. In addition to documenting attack techniques, the framework offers mitigations, which outline the methods, tools and policies that reduce, and sometimes eliminate, the effectiveness of a technique. Mitigations complement the detection guidance attached to each technique: detection tells you how to spot the technique in use, and mitigation tells you how to stop it from succeeding.

Defensive Gap Assessment

MITRE also describes six common use cases for the framework: adversary emulation, red teaming, behavioral analytics development, defensive gap assessment, SOC maturity assessment and cyber threat intelligence enrichment.

Adversary emulation makes penetration testing more realistic. Instead of probing generic weaknesses, the tester simulates the operations a specific threat actor is known to perform, which keeps the engagement organized and focused on the tactics malicious actors actually use.

Red teaming works to pinpoint an organization's weak points without relying on knowledge of the target's internal details. ATT&CK serves several red-team purposes: comprehensive coverage of attack techniques, clearer communication with defenders through a shared vocabulary, avoiding particular attack vectors, and identifying new opportunities.

Behavioral analytics development responds to the fact that indicators of compromise (IoCs) are no longer as effective as they once were. An attacker needs little skill to modify malware so that hashes and other IoCs no longer match, and signature-based antivirus often fails to catch the result. The behaviors an attacker relies on, by contrast, are far harder to change, which makes analyzing behavior rather than static indicators the more durable way to find threats.

Defensive gap assessment finds the spaces in an organization's defensive strategy, which are typically the spaces an attacker takes advantage of. The difficulty is that a gap is an absence rather than a thing: you cannot directly observe what you are failing to detect. Mapping existing detections and controls onto the ATT&CK matrix makes those absences visible as uncovered techniques.

SOC maturity assessment starts with the security operations center (SOC), which is responsible for finding and responding to attacks. If the SOC's capabilities are out of date, the organization becomes vulnerable. Assessing the SOC against ATT&CK roots out its outdated and weak parts so it stays current.

Cyber threat intelligence enrichment helps an organization respond to modern threats by providing information that describes active threat groups and the tools, techniques and procedures they use.
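The defensive gap assessment and CTI enrichment use cases above come together in one concrete exercise: take the techniques that intelligence attributes to a group you care about, compare them with the techniques your detections cover, and plot the result. The following is an added example, not code from the article or from MITRE, that does that and emits an ATT&CK Navigator layer file. Both inputs are constructed: the technique IDs are real ATT&CK identifiers, but the group profile and the detection inventory are illustrative rather than any real group's behavior or any real SOC's content, and the ATT&CK version number in the layer is an assumption.

```python
"""Defensive gap assessment: compare the techniques a threat group is reported
to use (CTI) with the techniques your detections cover, then emit an ATT&CK
Navigator layer that colours the matrix by coverage.

Both inputs are CONSTRUCTED for this example. The technique IDs are real ATT&CK
identifiers, but the group profile and the detection inventory are made up."""
import json

# CTI profile: sub-techniques attributed to a hypothetical group.
GROUP_PROFILE = {"T1566.001", "T1059.001", "T1053.005", "T1003.001", "T1021.001"}

# Detection inventory: technique ID -> the analytic that claims to cover it.
DETECTIONS = {
    "T1059.001": "PowerShell script block logging + encoded-command rule",
    "T1003.001": "EDR alert on non-system process opening LSASS",
    "T1566": "Mail gateway attachment sandboxing",  # parent only, not .001 specifically
}


def parent_of(technique_id):
    """T1566.001 -> T1566; a top-level technique is its own parent."""
    return technique_id.split(".")[0]


def gap_assessment(profile, detections):
    """Split the profile into covered, partially covered and uncovered techniques.

    'Partial' means only the parent technique has a detection while the specific
    sub-technique the group uses does not. That is flagged separately because a
    parent-level analytic may or may not fire on that particular variant."""
    covered = {t for t in profile if t in detections}
    partial = {t for t in profile - covered if parent_of(t) in detections}
    gaps = profile - covered - partial
    return covered, partial, gaps


def navigator_layer(name, profile, detections, attack_version="8"):
    """Build a Navigator layer dict (layer format 4.1) from the assessment.

    attack_version is an assumption; set it to the ATT&CK release your data uses."""
    covered, partial, gaps = gap_assessment(profile, detections)
    palette = {"covered": ("#8ec843", 2), "partial": ("#ffe766", 1), "gap": ("#ff6666", 0)}
    techniques = []
    for tid in sorted(profile):
        state = "covered" if tid in covered else "partial" if tid in partial else "gap"
        colour, score = palette[state]
        comment = detections.get(tid) or detections.get(parent_of(tid), "no detection")
        techniques.append({"techniqueID": tid, "score": score, "color": colour,
                           "comment": f"{state}: {comment}", "enabled": True,
                           "showSubtechniques": True})
    return {
        "name": name,
        "versions": {"attack": attack_version, "navigator": "4.1", "layer": "4.1"},
        "domain": "enterprise-attack",
        "description": f"{len(covered)} covered, {len(partial)} partial, {len(gaps)} gaps",
        "techniques": techniques,
    }


if __name__ == "__main__":
    covered, partial, gaps = gap_assessment(GROUP_PROFILE, DETECTIONS)
    print("gaps to close first:", sorted(gaps))
    layer = navigator_layer("Gap assessment vs hypothetical group", GROUP_PROFILE, DETECTIONS)
    print(json.dumps(layer, indent=2))  # save as .json and open in ATT&CK Navigator
```

The "partial" bucket is the one practitioners most often miss: a detection written for the parent technique looks like coverage on a matrix that shows only top-level techniques, but the group's actual sub-technique may slip past it. Keeping parent-level and sub-technique-level coverage distinct in the layer makes that question visible instead of hiding it behind a green cell.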

Conclusion

MITRE ATT&CK gives cybersecurity professionals the knowledge and tools they need to keep their organizations safe. The framework documents what adversaries are doing today as much as what they are likely to do next, and who those adversaries might be.



Howard Poston

Howard Poston is a cybersecurity researcher with a background in cryptography and malware analysis. He has a Master’s degree in Cyber Operations from the Air Force Institute of Technology and two years of experience in cybersecurity R&D at Sandia National Labs. He currently provides consulting and technical content writing for cybersecurity, cryptocurrency, and blockchain.