October 25, 2019 By Lolita Chandra 3 min read

Organizations are adopting the MITRE ATT&CK framework to map their cybersecurity threat detection, prevention and response capabilities to attack scenarios. MITRE, a nonprofit organization that has worked closely with the U.S. government to strengthen its cyberdefenses for more than four decades, developed the model after years of observing how real-world adversary groups operate.

ATT&CK stands for adversarial tactics, techniques and common knowledge. The first MITRE ATT&CK model was created in September 2013 and focused primarily on Windows. In May 2015, MITRE released the framework with 96 techniques organized under nine tactics. This evolved to 12 tactics, each of which has numerous techniques. The framework is displayed in matrices that are arranged by attack stages, from initial system access to exfiltration or impact, and covers the entire attack life cycle. Since the framework is based on actual adversary behavior, it helps identify the common behaviors that bad actors are most likely to perform during an attack.

Figure 1: A section of the MITRE ATT&CK Framework

The objective of MITRE ATT&CK is to create a comprehensive matrix of known adversary tactics and techniques used during cyberattacks. The framework is community-driven and updated regularly.

What Is the Value of MITRE ATT&CK?

Security operations center (SOC) analysts face myriad challenges every day. Below are some of the most common:

  1. Security posture: Do we have adequate and effective security defenses?
  2. Threat detection: Can we detect the threat flavor of the day? Is all the data we collect useful in fulfilling our mission?
  3. Security tools: Do we have overlapping tool coverage? Are there any gaps?
  4. Improving security defenses: Will adding more advanced technology/tools improve the organization’s security posture?

Here’s where the MITRE ATT&CK framework comes into play. When applied to an enterprise IT environment, the model enables SOC analysts to better understand the organization’s security posture. It also provides a visual reference in real time, allowing customers to act faster when investigating threats and proactively fortify their security posture in areas where they may have gaps.

Register for the on-demand webinar to learn more about how the MITRE ATT&CK framework can help in your SOC

Put simply, MITRE ATT&CK enables you to better understand your security posture. That’s why an increasing number of security vendors are incorporating the framework into their security offerings to better protect and secure their customers’ environments. It provides a visual reference in real time, allowing customers to act faster when investigating threats, develop incident response plans and fortify their security posture by identifying specific areas where they may have gaps or inadequate security measures.

Where to Apply the MITRE ATT&CK Framework

Let’s take a closer look at three specific areas in which organizations can apply the MITRE ATT&CK framework.

1. Threat Investigation

Since the MITRE ATT&CK framework is based on real-world adversary behavior, it enriches security events and alerts by correlating them to specific adversary tactics and techniques. These added insights save a significant amount of time, allowing analysts to visualize the actual tactics and techniques an adversary is using to infiltrate their organization.

2. Security Orchestration, Automation and Response

The framework can guide incident response strategy by identifying and mapping security events against MITRE ATT&CK tactics and techniques. Mapping to the framework enriches incident response strategy based on specific adversary behaviors detected within the organization. The incident response process can be adjusted based on the stage of attack or specific techniques that have already been identified.

3. Assessing Organizational Security Posture

By aligning security information and event management (SIEM) use cases to the MITRE ATT&CK framework, analysts can see a visual representation of the stage of attack, specific tactics and techniques being used, and corresponding confidence levels. This gives them the ability to map the MITRE ATT&CK framework to their current defenses to identify their current level of coverage for specific tactics and techniques, as well as the organization’s overall security posture.

To learn more about leveraging MITRE ATT&CK to secure endpoints for your remote workforce, register for this webinar: Endpoint Security for Your Remote Workforce Using AI & MITRE, at 12 pm (EST), Thursday, August 13, 2020.

More from Advanced Threats

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data

4 min read - Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

Detections That Can Help You Identify Ransomware

12 min read - One of the benefits of being part of a global research-driven incident response firm like X-Force Incidence Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs (WELs). In particular, the X-Force IR team has identified several…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today