The MITRE ATT&CK Framework has gained a lot of popularity in the security industry over the past year.
I have spent a lot of time researching the hundreds of techniques, writing content to support the techniques, and talking about the value to anyone who will listen.
For those who are not familiar, ATT&CK is the Adversarial Tactics Techniques and Common Knowledge framework available from MITRE. It is a curated knowledge base of 11 tactics and hundreds of techniques that attackers can leverage when compromising enterprises.
There are five things I love about the various techniques.
First is the description that each provides. Even though I have been in the security industry for what seems like a long time now, there’s always something new to learn. For all of the techniques with which I was not familiar, there were descriptions breaking down how the technique is leveraged and why it may be important for defenders to take a look.
From a practitioner standpoint, the platform and data sources sections are incredibly valuable because they tell me what systems I need to be monitoring and what I need to be collecting from them to mitigate and/or detect abuse of the technique. In some cases, there is detailed guidance on how to specifically mitigate or what to specifically monitor for the technique. However, many of the techniques lack prescriptive guidance.
That’s where the examples come in handy. Every technique is based on real-world examples of how it has been leveraged by a piece of malware or campaign by a threat actor group. Each example and many of the other sources are cited Wikipedia style to published articles from various blogs and security research teams.
If there isn’t guidance directly in ATT&CK, then it’s usually found within one of these linked articles. However, the value of the examples comes from having assurance that anything you are doing to leverage ATT&CK in your organization is linked to a direct risk to your business.
The final two valuable items of ATT&CK are the Mitigation and Detection sections within each technique. While hardening benchmarks and compliance frameworks are excellent at providing some mitigating factors, none provide the level of guidance around detection strategies that ATT&CK does. Many of the techniques explicitly state what should be monitored in your environment. The knowledge provided here can increase the maturity of a security organization overnight.
The tactics from ATT&CK aren’t followed in any linear order, such as the case with the Lockheed Martin Cyber Kill Chain. Instead, an attacker can bounce between tactics to ultimately achieve their goal.
There’s not one tactic that is more important to leverage than the others; your organization is going to have to obtain an analysis of what your current coverage is, assess the risks faced by the organization, and address the gaps in a fashion which makes sense for you.
When going through this process, there are two ways I typically see organizations take this on. The first is to take an inventory of their security tools and request a coverage mapping from the vendors themselves. While this is the easiest and quickest method, the coverage provided may not match how you’ve deployed their tools.
Instead, I see organizations assess on a tactic-by-tactic basis. Start with a single tactic, such as Persistence, and address your coverage. It’s useful here to address the coverage for mitigation and detection separately. These techniques can be incredibly complex, and just because one portion of the technique may be mitigated doesn’t mean that an attacker can’t abuse it in a different way.
If you don’t have a dedicated red team to sit down and exploit various techniques in person with you, take a look at the adversarial emulation plans from MITRE. These provide step-by-step guidance on how to exploit various techniques based on APT groups seen in the wild.
Over the next few weeks, I am going to dig into each of the eleven tactics in the ATT&CK framework. These are just my high-level thoughts on the spirit of each tactic and tips on how to go about addressing the mitigation and detection aspects of some of the techniques within them. If you are also interested, I ran through a similar exercise with the CIS Critical Security Controls.
There is also a mapping of CIS controls to the ATT&CK framework available. This can be helpful if you’re already adopting the CIS Controls and are starting down the path of adopting ATT&CK.