The MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework pools knowledge from across the cyber defense community, revealing what threat actors are doing and how best to defend against them. Let’s take a look at what MITRE offers and how this framework goes hand-in-hand with developing a security operations center (SOC) for today.
Many people in the industry are talking about shifting to a next-gen SOC. By expanding capabilities, aligning SOC operations with business operations and selecting the right people, you can definitely make a great start to your SOC 2.0. Meanwhile, you can improve your SOC by unleashing the power of MITRE.
What is MITRE?
MITRE is a not-for-profit organization that works with industry, academia, and federal, state and local governments for the public interest. It doesn’t just focus on defense, but covers areas such as artificial intelligence, data science and health informatics, to name a few. In the area of cybersecurity, we can thank MITRE for a lot of well-known initiatives such as ATT&CK, Common Platform Enumeration (CPE), Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE).
Improving your organization’s cyber maturity is not something you can do in one day — not even when using multiple MITRE frameworks. It will be a process that could take months, maybe even years, depending on where you are on the path to cyber maturity. But it is good to consider the options and take these key findings along with you in your discussions.
MITRE offers many well-known and proven defense frameworks. By using MITRE as a guide, you can cover an end-to-end story, from detection to response. You can obtain more insights on both the left and right side of the ‘boom’ (the actual detection of a threat actor in your network) by using multiple MITRE tools. Finally, MITRE initiatives can be used as a driver of your overall digital roadmap.
MITRE: A Framework for Digital Security
From a security intelligence and operations background, the simplest way to start is for an organization to map to the MITRE ATT&CK framework. By using MITRE ATT&CK, you can standardize the development, rollout and review of your SIEM use cases, while including a threat intelligence and business risk-driven approach. It is a good initial step, as the mapping to MITRE ATT&CK allows for threat modeling exercises, references for tactics, techniques and procedures and inclusion of industry-specific threat information.
So, adding MITRE into your defense program is a good thing. But MITRE isn’t just the ATT&CK framework. Before we go into how you can leverage multiple combined MITRE initiatives, let’s provide some context by discussing several initiatives.
ATT&CK is a curated global knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for building specific threat models and methodologies in the private sector, governments and the cybersecurity products and services world. Version 8, released recently, merges the PRE-ATT&CK framework into the MITRE ATT&CK matrix, giving a clearer overview of both pre- and post-compromise behaviors and thus making it easier to align with defenses. For most SOCs, mapping to MITRE ATT&CK has become the norm.
MITRE’s CVE is a list of entries for publicly known cybersecurity vulnerabilities, each containing an ID number, a description and at least one public reference. It feeds into the National Vulnerability Database (NVD), the U.S. government’s repository of standards-based vulnerability management data, expressed using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement and compliance. The NVD includes databases of checklist references, defense-related software flaws, misconfigurations, product names and impact metrics.
The CWE is a community-developed list of software and hardware weakness types that can serve as a common language and as a baseline for weakness detection, fixes and prevention efforts for hardware and software. For example, it might highlight when software shows expected behavior violations, missing cryptographic steps or hardware logic containing race conditions.
The CPE is a structured naming scheme for information technology systems, software and packages. It includes a formal name format, a method for checking names against a system and a description format for binding text and tests to a name. While first created by MITRE, the National Institute of Standards and Technology (NIST) now owns CPE.
The Common Attack Pattern Enumeration and Classification (CAPEC) is key if you are looking into cyber threat intelligence and hunting. The CAPEC provides a public catalog of common attack patterns that can help defense experts understand how threat actors work. It shows how weaknesses in apps and other online touch points can be exploited, such as by using structured query language injection, clickjacking or cross-site scripting. CAPEC details exploits against at-risk systems, including social engineering and supply chain insights, and is often paired with CWE.
SHIELD is an active-defense knowledge base that MITRE is working on to capture and organize what we are learning about active defense and threat engagement. Active defense ranges from basic cyber defense to deception and engaging with threat actors. The mix of these techniques allows you to not only stop current attacks but also to learn more about threat actors and better prepare for future attacks.
Bring It All Together
You can also combine different MITRE tools. An Integrated Defense Model, as shown below, fits each into the larger structure. The model covers three domains: Prevent, Detect and Active Defense.
[Figure: Integrated Defense Model based on MITRE initiatives]
The Detect Domain
Let’s start with a domain that most SOC employees know very well: detect. Keeping our Integrated Defense Model based on MITRE initiatives in mind, this is where we could use MITRE ATT&CK. By looking at the different matrices available (Enterprise, Mobile, Cloud and Industrial Control Systems), as well as the most common tactics and techniques, we can build use cases that allow organizations to have more effective detection, as well as a standardized way of detecting.
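The detection mapping described above is easiest to reason about when the use cases are data rather than a spreadsheet. The following is an added example, not code from the original article or from MITRE: it tags a constructed list of SIEM use cases with ATT&CK technique IDs, counts only rules that are actually in production, reports the coverage gap per tactic, and emits a heat-map layer. The technique IDs are real ATT&CK IDs, but the tactic-to-technique table is a constructed slice of the Enterprise matrix, and the layer dict assumes the minimum fields of the ATT&CK Navigator layer format (name, domain, techniques with techniqueID and score); check it against the Navigator version you use.

```python
"""Map SIEM detection use cases to ATT&CK techniques and report coverage gaps.

Added example: the use-case list, the tactic-to-technique table and the
scoring are constructed for illustration, not taken from MITRE or any SIEM.
"""
import json
from collections import defaultdict

# Constructed slice of the Enterprise matrix (tactic -> technique IDs).
# The technique IDs are real ATT&CK IDs; the selection is illustrative only.
TACTIC_TECHNIQUES = {
    "initial-access": ["T1566", "T1190", "T1078"],
    "execution": ["T1059", "T1204"],
    "persistence": ["T1053", "T1547"],
    "credential-access": ["T1003", "T1110"],
    "lateral-movement": ["T1021"],
    "exfiltration": ["T1041"],
}

# Constructed SIEM use cases, each tagged with the techniques it detects.
USE_CASES = [
    {"name": "Phishing attachment spawns Office child process",
     "techniques": ["T1566", "T1204"], "status": "production"},
    {"name": "PowerShell with encoded command line",
     "techniques": ["T1059"], "status": "production"},
    {"name": "Script interpreter launched from temp directory",
     "techniques": ["T1059"], "status": "production"},
    {"name": "LSASS memory read by non-system process",
     "techniques": ["T1003"], "status": "production"},
    {"name": "Password spray against VPN portal",
     "techniques": ["T1110", "T1078"], "status": "draft"},
    {"name": "Scheduled task created by non-admin user",
     "techniques": ["T1053"], "status": "production"},
]


def technique_coverage(use_cases):
    """Return {technique_id: [use-case names]} counting only production rules.

    Draft rules are excluded on purpose: a use case that is not yet alerting
    gives no real coverage, which is the usual cause of over-optimistic maps.
    """
    covered = defaultdict(list)
    for uc in use_cases:
        if uc["status"] != "production":
            continue
        for tech in uc["techniques"]:
            covered[tech].append(uc["name"])
    return dict(covered)


def tactic_gaps(covered):
    """Per tactic: how many techniques have at least one rule, and which do not."""
    report = {}
    for tactic, techniques in TACTIC_TECHNIQUES.items():
        missing = [t for t in techniques if t not in covered]
        report[tactic] = {
            "covered": len(techniques) - len(missing),
            "total": len(techniques),
            "missing": missing,
        }
    return report


def navigator_layer(covered, name="SIEM detection coverage"):
    """Build a heat-map layer dict (assumed minimum fields of the ATT&CK
    Navigator layer format: name, domain, techniques with techniqueID and
    score). Score = number of production rules for that technique."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tech, "score": len(names), "comment": "; ".join(names)}
            for tech, names in sorted(covered.items())
        ],
    }


if __name__ == "__main__":
    cov = technique_coverage(USE_CASES)
    for tactic, row in tactic_gaps(cov).items():
        print(f"{tactic:18} {row['covered']}/{row['total']} missing={row['missing']}")
    print(json.dumps(navigator_layer(cov), indent=2))
```

Running it shows the point of the exercise: two rules stack on T1059 while lateral movement and exfiltration have no production coverage at all, and the draft password-spray rule does not count until it is promoted. Feeding the layer into the Navigator gives the same picture visually.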
The Prevent Domain
The Prevent Domain is where you add risk data to your defensive arsenal. Using CAPEC data, you can include enumeration information on exploits against at-risk systems. By using CWE data, you can gain an insight into weaknesses frequently used or encountered in hardware or software design. This makes it possible to see only what is relevant to your needs.
Once you have this insight, it is possible to drill down with CVE data. By using CVE data, you can analyze whether or not publicly known risks could affect you. Finally, you can standardize this overview of insights by using CPE data, allowing a structured naming scheme for information technology systems, software and packages. By taking this approach and using all vulnerability data that is available, you can gain better insight into threats and risks.
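The CAPEC, CWE, CVE and CPE chain above is, in practice, a join between your inventory and vulnerability records. The following is an added example, not code from the original article or from MITRE or NIST: it parses CPE 2.3 formatted strings (the real 13-component `cpe:2.3:part:vendor:product:version:...` layout), matches a constructed inventory against constructed vulnerability records that carry CWE and CAPEC labels, checks the version range, and ranks the exposures by CVSS. The CVE IDs in the records are placeholders, not real entries; the CWE and CAPEC IDs are real classification IDs used only as labels; the record layout and the `examplecorp` products are assumptions.

```python
"""Match a software inventory (CPE 2.3 names) against vulnerability records
that carry CVE, CWE and CAPEC references, and rank the exposures.

Added example: the inventory, the records and their IDs are constructed for
illustration. The CVE IDs are placeholders, not real entries; the CWE and
CAPEC IDs are real classification IDs used only as labels.
"""
import re

# CPE 2.3 formatted strings have 13 colon-separated components:
# cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe(cpe):
    """Split a CPE 2.3 formatted string into its named components.

    Colons inside a value are escaped as '\\:' in the format, so split only on
    unescaped colons.
    """
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def version_key(version):
    """Sortable key: numeric components compare as ints, others as strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-]", version))


def cpe_matches(asset_cpe, record_cpe):
    """True when every non-version field of the record's CPE accepts the asset.
    '*' in the record is a wildcard; any other value (including '-', NA) must
    match exactly. The version is checked separately against a range."""
    asset, rule = parse_cpe(asset_cpe), parse_cpe(record_cpe)
    return all(rule[f] in ("*", asset[f]) for f in CPE_FIELDS if f != "version")


def version_affected(version, record):
    """Check the asset version against the record's [start, end) range.
    An unknown version ('*') is treated as potentially affected so that gaps
    in the inventory surface as findings rather than silently passing."""
    if version == "*":
        return True
    key = version_key(version)
    start, end = record.get("start_including"), record.get("end_excluding")
    if start and key < version_key(start):
        return False
    if end and key >= version_key(end):
        return False
    return True


def find_exposures(inventory, records):
    """Return findings sorted by CVSS, highest first."""
    findings = []
    for asset in inventory:
        version = parse_cpe(asset)["version"]
        for rec in records:
            if cpe_matches(asset, rec["cpe"]) and version_affected(version, rec):
                findings.append({"asset": asset, "id": rec["id"], "cwe": rec["cwe"],
                                 "capec": rec["capec"], "cvss": rec["cvss"]})
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)


# Constructed vulnerability records (placeholder CVE IDs, assumed layout).
VULN_RECORDS = [
    {"id": "CVE-PLACEHOLDER-1", "cwe": "CWE-79", "capec": "CAPEC-63", "cvss": 6.1,
     "cpe": "cpe:2.3:a:examplecorp:webportal:*:*:*:*:*:*:*:*",
     "start_including": "2.0.0", "end_excluding": "2.4.7"},
    {"id": "CVE-PLACEHOLDER-2", "cwe": "CWE-89", "capec": "CAPEC-66", "cvss": 9.8,
     "cpe": "cpe:2.3:a:examplecorp:webportal:*:*:*:*:*:*:*:*",
     "start_including": "2.4.0", "end_excluding": "2.4.2"},
    {"id": "CVE-PLACEHOLDER-3", "cwe": "CWE-362", "capec": "CAPEC-26", "cvss": 7.0,
     "cpe": "cpe:2.3:o:examplecorp:routeros:*:*:*:*:*:*:*:*",
     "end_excluding": "7.2"},
]

# Constructed inventory.
INVENTORY = [
    "cpe:2.3:a:examplecorp:webportal:2.4.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplecorp:webportal:2.4.9:*:*:*:*:*:*:*",
    "cpe:2.3:o:examplecorp:routeros:7.1:*:*:*:*:*:*:*",
    "cpe:2.3:o:examplecorp:routeros:7.2:*:*:*:*:*:*:*",
]

if __name__ == "__main__":
    for f in find_exposures(INVENTORY, VULN_RECORDS):
        print(f"{f['cvss']:4} {f['id']:18} {f['cwe']:8} {f['capec']:9} {f['asset']}")
```

The CWE and CAPEC columns are what turn a list of CVEs into the risk view the text describes: grouping the findings by CWE shows which weakness classes keep recurring in your estate, and the CAPEC reference tells the hunting team which attack pattern to look for while the patch is pending. Treating an unknown version as affected is a deliberate choice; an inventory gap should show up as a finding, not disappear.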
The Active Defense Domain
The third domain of the Integrated Defense Model is active defense. If we know the landscape we are trying to protect (industry, geographical location, etc.), we can develop threat scenarios fully tailored to it and relevant to the threat profile of the group at risk. This is where the final MITRE framework comes into play. By taking advantage of MITRE SHIELD, you can use specific tactics, techniques and procedures for basic cyber defense, deception and engagement, depending on how mature your program is.
MITRE ATT&CK: Starting Point for the Future
The MITRE ATT&CK framework is certainly a hot topic. Other security initiatives have been created in cooperation with MITRE (e.g., CAR, TAXII and STIX) or built on MITRE ATT&CK (e.g., DeTT&CT, RE&CT and AMITT). When thinking about making your defense efforts more mature, MITRE can provide excellent frameworks that cover the whole incident life cycle and give you insights on both the left and the right side of the ‘boom.’