Organizations are adopting the MITRE ATT&CK framework to map their cybersecurity threat detection, prevention and response capabilities to attack scenarios. MITRE, a nonprofit organization that has worked closely with the U.S. government to strengthen its cyberdefenses for more than four decades, developed the model after years of observing how real-world adversary groups operate.

ATT&CK stands for adversarial tactics, techniques and common knowledge. The first MITRE ATT&CK model was created in September 2013 and focused primarily on Windows. In May 2015, MITRE released the framework with 96 techniques organized under nine tactics. This evolved to 12 tactics, each of which has numerous techniques. The framework is displayed in matrices that are arranged by attack stages, from initial system access to exfiltration or impact, and covers the entire attack life cycle. Since the framework is based on actual adversary behavior, it helps identify the common behaviors that bad actors are most likely to perform during an attack.

Figure 1: A section of the MITRE ATT&CK Framework

The objective of MITRE ATT&CK is to create a comprehensive matrix of known adversary tactics and techniques used during cyberattacks. The framework is community-driven and updated regularly.

What Is the Value of MITRE ATT&CK?

Security operations center (SOC) analysts face myriad challenges every day. Below are some of the most common:

  1. Security posture: Do we have adequate and effective security defenses?
  2. Threat detection: Can we detect the threat flavor of the day? Is all the data we collect useful in fulfilling our mission?
  3. Security tools: Do we have overlapping tool coverage? Are there any gaps?
  4. Improving security defenses: Will adding more advanced technology/tools improve the organization’s security posture?

Here’s where the MITRE ATT&CK framework comes into play. When applied to an enterprise IT environment, the model gives SOC analysts a clearer picture of the organization’s security posture: which adversary tactics and techniques their defenses cover, and where the gaps are.


Put simply, MITRE ATT&CK enables you to better understand your security posture. That’s why an increasing number of security vendors are incorporating the framework into their security offerings to better protect and secure their customers’ environments. It provides a visual reference in real time, allowing customers to act faster when investigating threats, develop incident response plans and fortify their security posture by identifying specific areas where they may have gaps or inadequate security measures.

Where to Apply the MITRE ATT&CK Framework

Let’s take a closer look at three specific areas in which organizations can apply the MITRE ATT&CK framework.

1. Threat Investigation

Since the MITRE ATT&CK framework is based on real-world adversary behavior, it enriches security events and alerts by correlating them to specific adversary tactics and techniques. These added insights save a significant amount of time, allowing analysts to visualize the actual tactics and techniques an adversary is using to infiltrate their organization.

2. Security Orchestration, Automation and Response

The framework can guide incident response strategy by identifying and mapping security events against MITRE ATT&CK tactics and techniques. Mapping to the framework enriches incident response strategy based on specific adversary behaviors detected within the organization. The incident response process can be adjusted based on the stage of attack or specific techniques that have already been identified.

3. Assessing Organizational Security Posture

By aligning security information and event management (SIEM) use cases to the MITRE ATT&CK framework, analysts can see a visual representation of the stage of attack, specific tactics and techniques being used, and corresponding confidence levels. This gives them the ability to map the MITRE ATT&CK framework to their current defenses to identify their current level of coverage for specific tactics and techniques, as well as the organization’s overall security posture.
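The two workflows described under "Threat Investigation" and "Assessing Organizational Security Posture" share one ingredient: a table that maps technique IDs to the tactic columns of the matrix. The script below, an added example that is not part of the original post, uses such a table twice. First it enriches a batch of SIEM alerts with technique and tactic and orders them by attack stage, so an analyst sees the chain from initial access onward rather than a list sorted by arrival time; second it walks the 12 tactics and reports which ones no detection rule covers. The technique IDs and names are real ATT&CK entries, but the table is a hand-picked subset constructed for the example (a real deployment would load the full matrix from MITRE's published data); the rule names, hosts and alert times are constructed, and one alert comes from a rule that was never mapped, to show how an enrichment gap surfaces.

```python
from collections import OrderedDict

# The 12 enterprise tactics in attack-stage order, as laid out in the
# matrix the post describes (initial access through impact).
TACTICS = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Command and Control", "Exfiltration", "Impact",
]

# Hand-picked subset of ATT&CK techniques. IDs and names are real, but
# this small table is constructed for the example; a real deployment
# would load the full matrix from MITRE's published data instead.
TECHNIQUES = {
    "T1566": ("Phishing", ["Initial Access"]),
    "T1059": ("Command and Scripting Interpreter", ["Execution"]),
    "T1053": ("Scheduled Task/Job", ["Execution", "Persistence", "Privilege Escalation"]),
    "T1070": ("Indicator Removal", ["Defense Evasion"]),
    "T1003": ("OS Credential Dumping", ["Credential Access"]),
    "T1082": ("System Information Discovery", ["Discovery"]),
    "T1021": ("Remote Services", ["Lateral Movement"]),
    "T1560": ("Archive Collected Data", ["Collection"]),
    "T1071": ("Application Layer Protocol", ["Command and Control"]),
    "T1041": ("Exfiltration Over C2 Channel", ["Exfiltration"]),
    "T1486": ("Data Encrypted for Impact", ["Impact"]),
}

# Constructed SIEM use cases (detection rules), each tagged with the
# technique(s) it is designed to catch. Rule names are made up.
DETECTION_RULES = [
    {"name": "Phishing attachment spawned Office child process", "techniques": ["T1566"]},
    {"name": "Encoded PowerShell command line", "techniques": ["T1059"]},
    {"name": "LSASS process memory access", "techniques": ["T1003"]},
    {"name": "Interactive RDP logon from workstation", "techniques": ["T1021"]},
    {"name": "Periodic beaconing to rare external domain", "techniques": ["T1071"]},
]

# Constructed alerts as a SIEM might emit them, deliberately out of order
# and including one rule that was never mapped to a technique.
ALERTS = [
    {"time": "10:42", "host": "ws-17", "rule": "Interactive RDP logon from workstation"},
    {"time": "09:15", "host": "ws-17", "rule": "Phishing attachment spawned Office child process"},
    {"time": "09:31", "host": "ws-17", "rule": "Encoded PowerShell command line"},
    {"time": "11:03", "host": "ws-17", "rule": "Disk usage threshold exceeded"},
    {"time": "10:05", "host": "ws-17", "rule": "LSASS process memory access"},
]

RULE_INDEX = {r["name"]: r["techniques"] for r in DETECTION_RULES}


def enrich_alert(alert):
    """Attach technique IDs, names, tactics and attack stage to one alert."""
    techniques = RULE_INDEX.get(alert["rule"], [])
    tactics = []
    for tid in techniques:
        for tactic in TECHNIQUES[tid][1]:
            if tactic not in tactics:
                tactics.append(tactic)
    # Stage = earliest tactic column the alert can belong to; None when the
    # rule is unmapped, so the analyst can see the enrichment gap itself.
    stage = min((TACTICS.index(t) for t in tactics), default=None)
    return {
        **alert,
        "techniques": [f"{tid} {TECHNIQUES[tid][0]}" for tid in techniques],
        "tactics": tactics,
        "stage": stage,
    }


def investigation_timeline(alerts):
    """Enrich alerts and order them by attack stage, then time; unmapped last."""
    enriched = [enrich_alert(a) for a in alerts]
    return sorted(enriched, key=lambda a: (a["stage"] is None, a["stage"] or 0, a["time"]))


def coverage_by_tactic(rules):
    """Per tactic: loaded techniques some rule covers, and those none does."""
    covered_ids = {tid for r in rules for tid in r["techniques"]}
    report = OrderedDict()
    for tactic in TACTICS:
        in_tactic = [tid for tid, (_, tac) in TECHNIQUES.items() if tactic in tac]
        report[tactic] = {
            "covered": [tid for tid in in_tactic if tid in covered_ids],
            "uncovered": [tid for tid in in_tactic if tid not in covered_ids],
        }
    return report


def coverage_gaps(rules):
    """Tactics for which no rule covers any loaded technique: the blind spots."""
    return [t for t, c in coverage_by_tactic(rules).items() if not c["covered"]]


if __name__ == "__main__":
    for a in investigation_timeline(ALERTS):
        stage = TACTICS[a["stage"]] if a["stage"] is not None else "UNMAPPED"
        print(f'{a["time"]} {a["host"]:6} {stage:20} {a["rule"]}  {a["techniques"]}')
    print("Tactic gaps:", ", ".join(coverage_gaps(DETECTION_RULES)))
```

Two design points are worth noting. A technique such as T1053 sits in several tactic columns, so an alert is placed at the earliest stage it could represent and keeps the full tactic list for the analyst. Coverage is judged only against techniques actually loaded into the table, so a tactic shows up as a gap when none of its loaded techniques has a rule; with the full matrix loaded, the same function reports per-technique coverage counts that can feed the posture view described above.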

To learn more about leveraging MITRE ATT&CK to secure endpoints for your remote workforce, register for this webinar: Endpoint Security for Your Remote Workforce Using AI & MITRE, at 12 pm (EST), Thursday, August 13, 2020.
