Organizations are adopting the MITRE ATT&CK framework to map their cybersecurity threat detection, prevention and response capabilities to attack scenarios. MITRE, a nonprofit organization that has worked closely with the U.S. government to strengthen its cyberdefenses for more than four decades, developed the model after years of observing how real-world adversary groups operate.

ATT&CK stands for adversarial tactics, techniques and common knowledge. The first MITRE ATT&CK model was created in September 2013 and focused primarily on Windows. In May 2015, MITRE released the framework with 96 techniques organized under nine tactics. This evolved to 12 tactics, each of which has numerous techniques. The framework is displayed in matrices that are arranged by attack stages, from initial system access to exfiltration or impact, and covers the entire attack life cycle. Since the framework is based on actual adversary behavior, it helps identify the common behaviors that bad actors are most likely to perform during an attack.

Figure 1: A section of the MITRE ATT&CK Framework

The objective of MITRE ATT&CK is to create a comprehensive matrix of known adversary tactics and techniques used during cyberattacks. The framework is community-driven and updated regularly.

What Is the Value of MITRE ATT&CK?

Security operations center (SOC) analysts face myriad challenges every day. Below are some of the most common:

  1. Security posture: Do we have adequate and effective security defenses?
  2. Threat detection: Can we detect the threat flavor of the day? Is all the data we collect useful in fulfilling our mission?
  3. Security tools: Do we have overlapping tool coverage? Are there any gaps?
  4. Improving security defenses: Will adding more advanced technology/tools improve the organization’s security posture?

Here’s where the MITRE ATT&CK framework comes into play. When applied to an enterprise IT environment, the model enables SOC analysts to better understand the organization’s security posture. It also provides a visual reference in real time, allowing customers to act faster when investigating threats and proactively fortify their security posture in areas where they may have gaps.


Put simply, MITRE ATT&CK helps you understand your security posture, which is why a growing number of security vendors are building the framework into their offerings to better protect their customers’ environments. Once detections are mapped to the framework, it becomes a shared real-time reference that lets customers investigate threats faster, develop incident response plans and strengthen their posture by pinpointing the specific tactics and techniques where coverage is missing or inadequate.

Where to Apply the MITRE ATT&CK Framework

Let’s take a closer look at three specific areas in which organizations can apply the MITRE ATT&CK framework.

1. Threat Investigation

Since the MITRE ATT&CK framework is based on real-world adversary behavior, it enriches security events and alerts by correlating them to specific adversary tactics and techniques. These added insights save a significant amount of time, allowing analysts to visualize the actual tactics and techniques an adversary is using to infiltrate their organization.

2. Security Orchestration, Automation and Response

The framework can guide incident response strategy: security events are identified and mapped against MITRE ATT&CK tactics and techniques, and the response plan is then shaped by the specific adversary behaviors actually detected within the organization. The incident response process can be adjusted according to the stage of the attack or the techniques that have already been identified.

3. Assessing Organizational Security Posture

By aligning security information and event management (SIEM) use cases to the MITRE ATT&CK framework, analysts can see a visual representation of the stage of attack, specific tactics and techniques being used, and corresponding confidence levels. This gives them the ability to map the MITRE ATT&CK framework to their current defenses to identify their current level of coverage for specific tactics and techniques, as well as the organization’s overall security posture.
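The three uses above (enriching alerts with tactics and techniques, reading the stage of attack off the mapped events, and measuring which tactics the SIEM use cases cover) can be demonstrated in a few dozen lines. The following is an added example written for this article, not code from MITRE or from any vendor product. The technique ids and names are a small subset of the public ATT&CK Enterprise matrix; the tactic order is a subset of the matrix columns; the detection rules, rule ids, hosts and alerts are constructed for the example. In practice the technique table would be loaded from MITRE's published ATT&CK data rather than typed in.

```python
"""Tag SIEM alerts with ATT&CK tactics/techniques and measure tactic coverage.

Added example. TECHNIQUES is a constructed subset of the ATT&CK Enterprise
matrix; RULES and ALERTS are constructed sample data, not real SIEM content.
"""

# Constructed subset of the ATT&CK Enterprise matrix: id -> (name, tactics).
TECHNIQUES = {
    "T1566": ("Phishing", ["initial-access"]),
    "T1078": ("Valid Accounts", ["initial-access", "persistence",
                                 "privilege-escalation", "defense-evasion"]),
    "T1059": ("Command and Scripting Interpreter", ["execution"]),
    "T1003": ("OS Credential Dumping", ["credential-access"]),
    "T1021": ("Remote Services", ["lateral-movement"]),
    "T1041": ("Exfiltration Over C2 Channel", ["exfiltration"]),
    "T1486": ("Data Encrypted for Impact", ["impact"]),
}

# Tactics in attack-stage order, left to right as on the matrix (subset).
TACTIC_ORDER = ["initial-access", "execution", "persistence",
                "privilege-escalation", "defense-evasion", "credential-access",
                "lateral-movement", "exfiltration", "impact"]

# Constructed SIEM use cases, each tagged with the technique(s) it detects
# and the analyst's confidence in the rule.
RULES = {
    "R-001": {"name": "Macro-bearing attachment spawned a process",
              "techniques": ["T1566", "T1059"], "confidence": "medium"},
    "R-002": {"name": "Encoded PowerShell command line",
              "techniques": ["T1059"], "confidence": "high"},
    "R-003": {"name": "Handle opened to lsass.exe",
              "techniques": ["T1003"], "confidence": "high"},
    "R-004": {"name": "RDP logon from a host never seen before",
              "techniques": ["T1021", "T1078"], "confidence": "low"},
}

# Constructed alerts in the shape a SIEM would emit (timestamp, host, rule id).
ALERTS = [
    {"ts": "2020-08-13T09:02:11Z", "host": "WS-17", "rule_id": "R-001"},
    {"ts": "2020-08-13T09:05:40Z", "host": "WS-17", "rule_id": "R-002"},
    {"ts": "2020-08-13T09:31:07Z", "host": "WS-17", "rule_id": "R-003"},
    {"ts": "2020-08-13T10:12:55Z", "host": "SRV-DB1", "rule_id": "R-004"},
]


def enrich_alert(alert, rules=RULES, techniques=TECHNIQUES):
    """Return a copy of the alert with rule name, confidence and ATT&CK tags."""
    rule = rules[alert["rule_id"]]
    enriched = dict(alert, rule_name=rule["name"],
                    confidence=rule["confidence"], techniques=[])
    for tid in rule["techniques"]:
        name, tactics = techniques[tid]
        enriched["techniques"].append({"id": tid, "name": name, "tactics": tactics})
    return enriched


def tactic_coverage(rules=RULES, techniques=TECHNIQUES, order=TACTIC_ORDER):
    """Map each tactic to the sorted technique ids that at least one rule detects."""
    covered = {tactic: set() for tactic in order}
    for rule in rules.values():
        for tid in rule["techniques"]:
            for tactic in techniques[tid][1]:
                covered.setdefault(tactic, set()).add(tid)
    return {tactic: sorted(ids) for tactic, ids in covered.items()}


def coverage_gaps(rules=RULES, techniques=TECHNIQUES, order=TACTIC_ORDER):
    """Tactics (in matrix order) for which no rule detects any technique."""
    cov = tactic_coverage(rules, techniques, order)
    return [tactic for tactic in order if not cov[tactic]]


def furthest_stage(alerts, host, rules=RULES, techniques=TECHNIQUES,
                   order=TACTIC_ORDER):
    """Most advanced tactic (by matrix order) seen on a host, or None if no alerts."""
    rank = {tactic: i for i, tactic in enumerate(order)}
    best = None
    for alert in alerts:
        if alert["host"] != host:
            continue
        for tech in enrich_alert(alert, rules, techniques)["techniques"]:
            for tactic in tech["tactics"]:
                if best is None or rank[tactic] > rank[best]:
                    best = tactic
    return best


if __name__ == "__main__":
    for alert in ALERTS:
        e = enrich_alert(alert)
        tags = ", ".join(f"{t['id']} {t['name']} [{'/'.join(t['tactics'])}]"
                         for t in e["techniques"])
        print(f"{e['ts']} {e['host']:<8} {e['rule_id']} ({e['confidence']}): {tags}")
    print("tactics with no detection coverage:", coverage_gaps())
    print("furthest stage reached on WS-17:", furthest_stage(ALERTS, "WS-17"))
```

With the sample data the script reports that the rule set covers nothing under exfiltration or impact, which is exactly the kind of gap the matrix view is meant to surface, and that host WS-17 has progressed as far as credential access, which tells the responder which playbook stage applies. The rule-level confidence travels with each enriched alert so the matrix can be shaded by confidence rather than treating every mapped technique as equally well detected.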

To learn more about leveraging MITRE ATT&CK to secure endpoints for your remote workforce, register for this webinar: Endpoint Security for Your Remote Workforce Using AI & MITRE, at 12 pm (EST), Thursday, August 13, 2020.
