Organizations are adopting the MITRE ATT&CK framework to map their cybersecurity threat detection, prevention and response capabilities to attack scenarios. MITRE, a nonprofit organization that has worked closely with the U.S. government to strengthen its cyberdefenses for more than four decades, developed the model after years of observing how real-world adversary groups operate.

ATT&CK stands for adversarial tactics, techniques and common knowledge. The first MITRE ATT&CK model was created in September 2013 and focused primarily on Windows. In May 2015, MITRE released the framework with 96 techniques organized under nine tactics; it has since grown to 12 tactics, each with numerous techniques. The framework is displayed in matrices arranged by attack stage, from initial system access to exfiltration or impact, so it covers the entire attack life cycle. Because the framework is based on observed adversary behavior, it helps identify the behaviors bad actors are most likely to exhibit during an attack.

Figure 1: A section of the MITRE ATT&CK Framework

The objective of MITRE ATT&CK is to create a comprehensive matrix of known adversary tactics and techniques used during cyberattacks. The framework is community-driven and updated regularly.

What Is the Value of MITRE ATT&CK?

Security operations center (SOC) analysts face myriad challenges every day. Below are some of the most common:

  1. Security posture: Do we have adequate and effective security defenses?
  2. Threat detection: Can we detect the threat flavor of the day? Is all the data we collect useful in fulfilling our mission?
  3. Security tools: Do we have overlapping tool coverage? Are there any gaps?
  4. Improving security defenses: Will adding more advanced technology/tools improve the organization’s security posture?

Here’s where the MITRE ATT&CK framework comes into play. When applied to an enterprise IT environment, the model enables SOC analysts to better understand the organization’s security posture. It also provides a real-time visual reference that lets analysts act faster when investigating threats and proactively fortify their security posture in areas where coverage may be lacking.


Put simply, MITRE ATT&CK enables you to better understand your security posture. That’s why an increasing number of security vendors are incorporating the framework into their security offerings to better protect their customers’ environments. It provides a real-time visual reference that allows customers to investigate threats faster, develop incident response plans and fortify their security posture by identifying specific areas where security measures are missing or inadequate.

Where to Apply the MITRE ATT&CK Framework

Let’s take a closer look at three specific areas in which organizations can apply the MITRE ATT&CK framework.

1. Threat Investigation

Since the MITRE ATT&CK framework is based on real-world adversary behavior, it enriches security events and alerts by correlating them to specific adversary tactics and techniques. These added insights save a significant amount of time, allowing analysts to visualize the actual tactics and techniques an adversary is using to infiltrate their organization.

2. Security Orchestration, Automation and Response

The framework can guide incident response strategy: by identifying security events and mapping them to MITRE ATT&CK tactics and techniques, the response plan can be tailored to the specific adversary behaviors detected within the organization. The incident response process can then be adjusted based on the stage of the attack or the specific techniques that have already been identified.

3. Assessing Organizational Security Posture

By aligning security information and event management (SIEM) use cases to the MITRE ATT&CK framework, analysts can see a visual representation of the stage of attack, specific tactics and techniques being used, and corresponding confidence levels. This gives them the ability to map the MITRE ATT&CK framework to their current defenses to identify their current level of coverage for specific tactics and techniques, as well as the organization’s overall security posture.
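The alert enrichment of the threat investigation section and the coverage assessment described here can both be driven from one mapping of SIEM rules to technique IDs. The following script is an added example, not part of the original post: the technique IDs are real ATT&CK identifiers, but the catalogue excerpt and the rule set are constructed, and a real deployment would load the full technique catalogue from MITRE's published data.

```python
"""Map SIEM rules and alerts to ATT&CK tactics/techniques, then report the
attack stage reached and per-tactic coverage gaps (added example)."""
from collections import Counter

# The 12 enterprise tactics the post refers to, in matrix (attack-stage) order.
TACTICS = ["Initial Access", "Execution", "Persistence", "Privilege Escalation",
           "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
           "Collection", "Command and Control", "Exfiltration", "Impact"]

# Constructed excerpt of the technique catalogue: id -> (name, tactics it belongs to).
CATALOGUE = {
    "T1566": ("Phishing", ["Initial Access"]),
    "T1059": ("Command and Scripting Interpreter", ["Execution"]),
    "T1053": ("Scheduled Task/Job", ["Execution", "Persistence", "Privilege Escalation"]),
    "T1003": ("OS Credential Dumping", ["Credential Access"]),
    "T1021": ("Remote Services", ["Lateral Movement"]),
    "T1041": ("Exfiltration Over C2 Channel", ["Exfiltration"]),
}

# Constructed SIEM use cases: rule name -> technique ids the rule is written to detect.
RULES = {
    "Inbound mail with macro": ["T1566"],
    "Suspicious PowerShell": ["T1059"],
    "New scheduled task": ["T1053"],
    "LSASS memory read": ["T1003"],
}

def enrich_alert(rule_name, rules=RULES, catalogue=CATALOGUE):
    """Tag an alert with the technique names and tactics the firing rule maps to."""
    return [{"technique": tid, "name": catalogue[tid][0], "tactics": catalogue[tid][1]}
            for tid in rules.get(rule_name, [])]

def attack_stage(fired_rules, rules=RULES, catalogue=CATALOGUE):
    """Furthest tactic (matrix column) indicated by the alerts seen so far."""
    seen = {t for r in fired_rules
            for hit in enrich_alert(r, rules, catalogue) for t in hit["tactics"]}
    return max(seen, key=TACTICS.index) if seen else None

def tactic_coverage(rules=RULES, catalogue=CATALOGUE):
    """Rules per tactic: 0 is a detection gap, >1 is overlapping coverage."""
    counts = Counter(t for tids in rules.values() for tid in tids for t in catalogue[tid][1])
    return {t: counts[t] for t in TACTICS}

def coverage_gaps(rules=RULES, catalogue=CATALOGUE):
    """Tactics for which no SIEM use case exists at all."""
    return [t for t, n in tactic_coverage(rules, catalogue).items() if n == 0]

if __name__ == "__main__":
    alerts = ["Inbound mail with macro", "Suspicious PowerShell", "LSASS memory read"]
    print("stage reached:", attack_stage(alerts))
    print("gaps:", coverage_gaps())
```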

To learn more about leveraging MITRE ATT&CK to secure endpoints for your remote workforce, register for this webinar: Endpoint Security for Your Remote Workforce Using AI & MITRE, at 12 pm (EST), Thursday, August 13, 2020.
