Adopting the MITRE ATT&CK Framework to Strengthen IT Security
What is MITRE ATT&CK?
MITRE ATT&CK™ is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It provides a comprehensive framework of more than 200 techniques that adversaries have used during attacks. These include specific and general techniques, as well as concepts and background information on well-known adversary groups and their campaigns.
MITRE started ATT&CK™ in 2013 to document common Tactics, Techniques, and Procedures (TTPs) that advanced persistent threats use against Windows enterprise networks. The ATT&CK framework addresses four main issues:
- Adversary behaviours. Focusing on adversary tactics and techniques allowed MITRE to develop analytics to detect possible adversary behaviours. Typical indicators such as domains, IP addresses, file hashes, registry keys, etc. were easily changed by adversaries and were only useful for point-in-time detection: they didn’t represent how adversaries interact with systems, only that they likely interacted at some time.
- Lifecycle models that didn’t fit. Existing adversary lifecycle and Cyber Kill Chain concepts were too high-level to relate behaviours to defences; that level of abstraction wasn’t useful for mapping TTPs to new types of sensors.
- Applicability to real environments. TTPs need to be based on observed incidents to show the work is applicable to real environments.
- Common taxonomy. TTPs need to be comparable across different types of adversary groups using the same terminology.
The acronym ATT&CK stands for Adversarial Tactics, Techniques & Common Knowledge.
Adversarial Tactics represent the “why” of an ATT&CK technique. The tactic is the adversary’s tactical objective for performing an action. Tactics offer contextual categories for individual techniques and cover standard, higher-level notations for activities adversaries carry out during an operation such as persist, discover information, move laterally, execute files, and exfiltrate data.
Techniques represent “how” an adversary achieves a tactical objective by performing an action. For example, an adversary may dump credentials to gain access to useful credentials within a network that can be used later for lateral movement. Techniques may also represent “what” an adversary gains by performing an action. This is a useful distinction for the Discovery tactic, since its techniques highlight what type of information an adversary is going after based on a particular action.
MITRE ATT&CK Matrix for Enterprise
IT teams struggle to find security gaps, but due to a lack of visibility they don’t know where those gaps are. The ATT&CK for Enterprise matrix provides a view of the relationship between tactics and techniques so that security analysts can see which techniques an adversary might apply to infiltrate their organization and get answers to questions like: Who is this adversary? What techniques and tactics are they using? What mitigations can I apply?
The 14 tactic categories within the ATT&CK for Enterprise matrix were derived from the later stages (exploit, control, maintain, and execute) of a seven-stage Cyber Attack Lifecycle (first articulated by Lockheed Martin as the Cyber Kill Chain®). The matrix is commonly used to show things like defensive coverage of an environment, detection capabilities in security products, and the results of an incident or red team engagement.
Adopting the MITRE ATT&CK Framework
“Know thy self, know thy enemy. A hundred battles, a hundred victories.”
– from ‘The Art of War’ by Sun Tzu, ancient Chinese master strategist
Many organizations can benefit from using the MITRE ATT&CK framework. IT teams can use the data from the framework as a detailed reference to manually enrich their analysis of events and alerts, inform their investigations, and determine the best actions to take depending on relevance and sightings within their environment. ATT&CK for Enterprise focuses on the TTPs adversaries use to make decisions, expand access, and execute their objectives, described at a level high enough to apply widely across platforms yet with enough detail to be technically useful.
Our NetGain SIEM solution adopts and aligns with the MITRE ATT&CK framework and provides more than 400 detection rules, each with specific MITRE references on how to mitigate the threat. We believe that aligning our solution with the MITRE ATT&CK framework will allow IT security personnel to pinpoint suspicious activity and identify known tactics and threat groups in real time.
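As an added example (not NetGain’s or MITRE’s code) of the two uses described above, enriching an alert with ATT&CK context and showing per-tactic detection coverage of a rule set, the following Python uses a constructed, hand-picked subset of real Enterprise technique IDs and made-up detection rules:

```python
"""Enrich alerts with ATT&CK context and compute detection coverage per tactic.

Constructed example: ATTACK_KB is a tiny hand-picked subset of ATT&CK for
Enterprise (real technique IDs, not the full matrix); DETECTION_RULES are made up.
"""
from collections import defaultdict

# technique ID -> (name, tactics). A technique may sit under several tactics,
# so coverage must be counted per tactic column, not per technique.
ATTACK_KB = {
    "T1566": ("Phishing", ["initial-access"]),
    "T1078": ("Valid Accounts", ["initial-access", "persistence",
                                 "privilege-escalation", "defense-evasion"]),
    "T1059": ("Command and Scripting Interpreter", ["execution"]),
    "T1547": ("Boot or Logon Autostart Execution",
              ["persistence", "privilege-escalation"]),
    "T1003": ("OS Credential Dumping", ["credential-access"]),
    "T1082": ("System Information Discovery", ["discovery"]),
    "T1021": ("Remote Services", ["lateral-movement"]),
    "T1041": ("Exfiltration Over C2 Channel", ["exfiltration"]),
}

# Constructed SIEM rules, each tagged with the technique(s) it detects.
DETECTION_RULES = [
    {"name": "lsass memory read by non-system process", "techniques": ["T1003"]},
    {"name": "encoded PowerShell command line", "techniques": ["T1059"]},
    {"name": "new Run key written", "techniques": ["T1547"]},
    {"name": "RDP logon from workstation subnet", "techniques": ["T1021", "T1078"]},
]

def enrich_alert(alert: dict) -> dict:
    """Attach technique name and tactics to an alert that carries a technique ID."""
    name, tactics = ATTACK_KB.get(alert["technique"], ("Unknown technique", []))
    return {**alert, "technique_name": name, "tactics": tactics}

def coverage_by_tactic(rules, kb=ATTACK_KB):
    """Return {tactic: (covered_ids, uncovered_ids)} so gaps are visible per column."""
    covered = {t for r in rules for t in r["techniques"] if t in kb}
    matrix = defaultdict(lambda: ([], []))
    for tid, (_, tactics) in kb.items():
        for tactic in tactics:
            matrix[tactic][0 if tid in covered else 1].append(tid)
    return {t: (sorted(c), sorted(u)) for t, (c, u) in matrix.items()}

if __name__ == "__main__":
    print(enrich_alert({"host": "ws-17", "technique": "T1003"}))
    for tactic, (cov, gap) in coverage_by_tactic(DETECTION_RULES).items():
        print(f"{tactic:22} covered={cov} gaps={gap}")
```

Tactics with an empty covered list (here discovery and exfiltration) are the columns of the matrix where the rule set gives no visibility at all.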
To find out more about the benefits of NetGain SIEM, you can visit our product page here: https://www.netgain-systems.com/netgain-siem/
For a more technical view of the solution, you can view our datasheet here: https://www.netgain-systems.com/wp-content/uploads/2021/07/NetGain-SIEM-Brochure.pdf
About MITRE Corporation
The Mitre Corporation (stylized as The MITRE Corporation and MITRE) is an American not-for-profit organization with dual headquarters in Bedford, Massachusetts, and McLean, Virginia. As a not-for-profit organization, MITRE works in the public interest across federal, state and local governments, as well as industry and academia. We bring innovative ideas into existence in areas as varied as artificial intelligence, intuitive data science, quantum information science, health informatics, space security, policy and economic expertise, trustworthy autonomy, cyber threat sharing, and cyber resilience.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.