Organizations are adopting the MITRE ATT&CK framework to map their cybersecurity threat detection, prevention and response capabilities to attack scenarios. MITRE, a nonprofit organization that has worked closely with the U.S. government to strengthen its cyberdefenses for more than four decades, developed the model after years of observing how real-world adversary groups operate.
ATT&CK stands for adversarial tactics, techniques and common knowledge. The first MITRE ATT&CK model was created in September 2013 and focused primarily on Windows. In May 2015, MITRE released the framework with 96 techniques organized under nine tactics. This evolved to 12 tactics, each of which has numerous techniques. The framework is displayed in matrices that are arranged by attack stages, from initial system access to exfiltration or impact, and covers the entire attack life cycle. Since the framework is based on actual adversary behavior, it helps identify the common behaviors that bad actors are most likely to perform during an attack.
Figure 1: A section of the MITRE ATT&CK Framework
The objective of MITRE ATT&CK is to create a comprehensive matrix of known adversary tactics and techniques used during cyberattacks. The framework is community-driven and updated regularly.
What Is the Value of MITRE ATT&CK?
Security operations center (SOC) analysts face myriad challenges every day. Below are some of the most common:
- Security posture: Do we have adequate and effective security defenses?
- Threat detection: Can we detect the threat flavor of the day? Is all the data we collect useful in fulfilling our mission?
- Security tools: Do we have overlapping tool coverage? Are there any gaps?
- Improving security defenses: Will adding more advanced technology/tools improve the organization’s security posture?
Here’s where the MITRE ATT&CK framework comes into play. When applied to an enterprise IT environment, the model enables SOC analysts to better understand the organization’s security posture. It also provides a visual reference in real time, allowing customers to act faster when investigating threats and proactively fortify their security posture in areas where they may have gaps.
Put simply, MITRE ATT&CK enables you to better understand your security posture. That’s why an increasing number of security vendors are incorporating the framework into their security offerings to better protect and secure their customers’ environments. It provides a visual reference in real time, allowing customers to act faster when investigating threats, develop incident response plans and fortify their security posture by identifying specific areas where they may have gaps or inadequate security measures.
Where to Apply the MITRE ATT&CK Framework
Let’s take a closer look at three specific areas in which organizations can apply the MITRE ATT&CK framework.
1. Threat Investigation
Since the MITRE ATT&CK framework is based on real-world adversary behavior, it enriches security events and alerts by correlating them to specific adversary tactics and techniques. These added insights save a significant amount of time, allowing analysts to visualize the actual tactics and techniques an adversary is using to infiltrate their organization.
2. Security Orchestration, Automation and Response
The framework can guide incident response strategy by identifying and mapping security events against MITRE ATT&CK tactics and techniques. Mapping to the framework enriches incident response strategy based on specific adversary behaviors detected within the organization. The incident response process can be adjusted based on the stage of attack or specific techniques that have already been identified.
3. Assessing Organizational Security Posture
By aligning security information and event management (SIEM) use cases to the MITRE ATT&CK framework, analysts can see a visual representation of the stage of attack, specific tactics and techniques being used, and corresponding confidence levels. This gives them the ability to map the MITRE ATT&CK framework to their current defenses to identify their current level of coverage for specific tactics and techniques, as well as the organization’s overall security posture.
To learn more about how the MITRE ATT&CK framework can help in your SOC, register for the on-demand webinar, “MITRE ATT&CK: What You Need to Know to Keep Threat Adversaries at Bay.”