If you have to fight a formidable and persistent foe, what do you do?
First, you identify the enemy and then try to understand the enemy. You figure out what the enemy is doing, what is their thinking, what is their behavior looking like, what tactics they use, how they mount their attacks, etc. Then you develop a plan to defend yourself against such enemies.
It is the same with cybersecurity. And this is where MITRE ATT&CK comes into the picture.
It gives you more and better information about the ways, means, and methods used by cyber attackers to better defend your organization far more successfully against them.
First developed by MITRE, a government-funded organization, in 2013, MITRE ATT&CK is a ”globally accessible knowledge base of adversary tactics and techniques based on real-world observations.”
ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It includes detailed descriptions of the following:
The MITRE ATT&CK framework also gives you detailed information about the following:
It provides a common language for the defenders to describe and understand the behavior and activities of the threat actors.
Unlike other threat models like STRIDE, PASTA, OCTAVE, and Lockheed Martin’s Cyber Kill Chain, MITRE ATT&CK is different in the sense that it looks at cyber defense from the perspective of an attacker. By deliberately taking the attacker’s viewpoint, it helps organizations to understand how threat actors think, prepare for and execute the attacks.
As the Chinese philosopher and military strategist Sun Tzu said, “To know your enemy, you must become your enemy”.
All the information contained in the ATT&CK is collected from publicly available data sources and from professionals who are dealing with cyber attacks every day.
It is a free tool available to organizations of all sizes in the private sector, public sector, and the government and is widely used by cybersecurity professionals, penetration testers, Red Teams as a foundation for developing their own threat models and defense plans.
Managing cybersecurity is a difficult task. After all, the attackers have to just exploit that one vulnerability to breach your network. But, as defenders, you need to secure everything.
So, detection of threats and responding to them becomes vital.
MITRE ATT&CK framework provides a common language and a tool for different groups within an organization to share information, work together, and put in place the necessary detection and response systems.
Cyber attackers set out to achieve specific goals and use various ways and means to achieve them.
These are collectively known as Tactics, Techniques, and Procedures or Common Knowledge. In short, TTPs.
Attackers use several tactics to mount an attack successfully.
The MITRE ATT&CK framework is built around this knowledge base of known tactics, techniques, and procedures and is organized in the form of a matrix.
It visually arranges them in a format that can be easily understood. The tactics are arranged in rows and techniques in columns.
Attackers may approach each of their targets differently. For instance, they may use different TTPs to attack corporations or enterprises than for attacking mobile devices or industrial control systems.
The MITRE ATT&CK framework provides three separate matrices for dealing with each of these contexts.
|Enterprise ATT&CK||Mobile ATT&CK||Pre-ATT&CK|
|It addresses adversarial behavior on platforms like Windows, macOS, Linux, cloud, and network environments.||Describes the tactics, techniques, and procedures used to infiltrate mobile devices based on the NIST Mobile Threat Catalogue. It addresses both iOS and Android.||This matrix focuses on activities performed before an attack. It helps security professionals to understand how attackers perform Reconnaissance and plan their attacks.|
The latest version of the Enterprise ATT&CK matrix has 14 tactics listed in a logical sequence indicating the different phases of an attack. They are:
Impact: Making data, system, or networks inaccessible to the victim through damage, destruction, or denial.
There are about 205 techniques and 379 sub techniques listed in this matrix.
The matrices provide a wealth of information with regard to the attacker’s tactics, techniques, and procedures.
Tactics like Reconnaissance, Resources Development, or Initial Access (there are 14 of them) are named at the top and below each of them are listed the various techniques and sub techniques.
Each technique is given an ID number and a description as well.
When you click on the tactic name, a detail page opens up giving you a general description of the tactic and a list of all the techniques and sub techniques used for that tactic.
When you click on the technique name, a similar details page opens up giving you a description of the technique and listing the sub techniques.
The tactics to which this technique belongs, the platforms for which this technique is applied, data sources that can be used to identify the activity, etc.
Below the description, a list of procedures, and how different APT groups have used this particular technique, ways to detect their use, and mitigations available are also given.
Sub techniques can also be explored in a similar way.
The ATT&CK matrix does not stop at just providing detailed information about the tactics, techniques, and procedures.
It provides you with additional information and resources on:
These are information that can be collected by sensors/logs that are important for detecting a given attack technique or a sub technique.
The matrix lists 38 data sources.
ATT&CK is considered to be one of the most comprehensive and reliable sources of information on threat groups in the public domain.
It provides detailed information about the groups, both known as well as suspected ones and the specific tactics, techniques, and procedures used by particular groups.
The latest version of the MITRE ATT&CK matrix lists 129 APT groups.
It is a commercial or custom code, open-source software, or other tools used by threat actors.
It includes techniques that are mapped to various groups who have used such software.
The matrix lists 637 software with brief information about each of them.
The ATT&CK matrix is not just about the tools of the trade used by the attackers. It also equips you with information on how to mitigate these attacks.
They are the security concepts, tools, and technologies that can be used to prevent a technique or a sub technique from being employed successfully against your enterprise.
There are 43 enterprise att&ck and 13 mobile att&ck mitigations listed in the matrix.
Here is how organizations benefit from implementing the MITRE ATT&CK.
SOC Maturity Assessment: It can be used to measure how good the SCO (Security Operations Center) is at detecting, analyzing, and responding to an attack.
Here are a few resources that help you utilize the ATT&CK framework and derive maximum advantage from it.
It provides an automated Red team that can reduce the resources needed for routine testing and thereby utilize those resources for addressing more critical issues.
The benefits of the MITRE ATT&CK frameworks are obvious. But, according to a study by the Center for Longterm cybersecurity at the University of California, Berkely-
Staying one step ahead is for amateurs; staying two leaps ahead is for pros. Adopting MITRE ATT&CK Framework is the first step toward that direction.
With Cyvatar’s managed cybersecurity solutions, you are always a message away from being a cyber-pro organization. Be the PRO with Cyvatar, contact our cyber expert now, and get to know how we fully manage cybersecurity for SMBs and enterprises.
|Learn how you can reduce the burden of hiring cybersecurity professionals with Cyvatar’s managed cybersecurity services.|
GET IN TOUCH
Circa Las Vegas
Thurs. Aug 5th
Cybersecurity Reunion Pool Party at BlackHat 2021