The MITRE ATT&CK framework is a knowledge base of adversary tactics, techniques, and procedures (TTPs). These TTP’s are based on real-world observations, used by various threat actors, which have been made globally accessible to be used as the foundation for threat models and methodologies. Since its official release in May 2015, the framework has been talked about intensively in all industries. However, its use is often still underestimated, and many security teams are still playing catch up in updating their defenses.
The framework offers an opportunity to stay current and informed on the latest tactics used by adversaries during cyber-attacks. The MITRE ATT&CK framework is industry agnostic, and the matrix contains information for the following platforms: Windows, macOS, Linux, PRE, Azure AD, Office 365, Google Workspace, SaaS, IaaS, Network and Containers.
According to the MITRE website, the framework has a “mission to solve problems for a safer world, by bringing communities together to develop more effective security.” It has shifted the balance with regards to cyber warfare and created a means of allowing security teams in all sectors, from anywhere around the world, to see the different stages of adversarial attack, and help raise awareness of the mechanisms which can be used by attackers to launch attacks.
Since the framework offers a more focused approach by listing the TTP’s throughout the kill chain lifecycle, this has allowed security teams to formulate a more targeted response. This, in turn, means that teams are working more collaboratively, to ensure that the security posture is as it should be. For instance, with this intel, teams can perform penetration testing exercises, consisting of red, blue and purple teams, to strengthen security by exposing weaknesses. These kinds of exercises help security teams protect their companies the right way, so that they are alert and resilient in ensuring no stone is unturned.
“Traditionally, our Security Operation Centers (SOCs) work on alert investigations, which are typically one-to-one, derived from different security tools, and are mapped against MITRE. To truly leverage the MITRE Framework, we must constantly add custom anomaly-based use cases, which are then tagged and aligned with MITRE Tactics and Techniques, to improve the overall detection coverage. From the client’s perspective, the MITRE framework is used to demonstrate the detection coverage. This helps identify the security gaps and work on the necessary areas to initiate discussions to onboard a security technology to cover the gaps for better detection,” Deodatta Wandhekar, Manager of Global SOC at SecurityHQ explains.
The following graph highlights the coverage of different use cases which are currently active at SecurityHQ, which is constantly evolving.
You might be interested in the snapshot below as well that shows a real-world security breach ticket, which demonstrates actual mapping of the different MITRE techniques seen over a given timeline. This provides the clients, and IR leads, with a very powerful picture of the security incident.
The snapshot shows the collection of all related incidents and individual alerts. These may go as separate alerts, but essentially are artefacts from the same adversary, which are then grouped to provide a summarized timeline, with a view of attack events. This shows events that may have happened before the trigger point, or even after the trigger point.
We are living in the age of digital transformation; therefore, it has never been more important to have cyber vigilance. Threats are lurking round every corner; the perimeter now extends beyond infrastructure to the user. Emphasizing the importance on cyber vigilance.
There are other frameworks and models still in use today, such as the cyber kill chain, created by Lockheed Martin to help organizations trace the stages of a cyber-attack, starting with reconnaissance, and travelling all the way though to final actions, via weaponization, delivery, exploitation, installation, command, and control and actions on objective.
Another model commonly used is the Diamond Model for intrusion analysis. This model covers four elements, including Adversary, Capability, Infrastructure and Victim, to portray every incident as a diamond, with each element linked.
However, the MITRE ATT&CK framework is the most widely adopted in the industry and used by industry experts, such as SentinelOne, across the globe. What’s more, it is free, and provides businesses with a fantastic source of information to strengthen their security posture.
By Zee Sayi, Eleanor Barlow, Aaron Hambleton, Deodatta Wandhekar from SecurityHQ