The MITRE ATT&CK Framework is an excellent resource when it comes to defining threat intelligence. The hundreds of techniques mapped across various tactics help define an adversary’s behaviors in enterprise networks. Better still, it provides prescriptive guidance on how to both mitigate and detect those techniques.
While it is not complete, the framework is updated quite regularly. It is only April, and ATT&CK has already released two updates this year alone.
The first update in January was a major effort in consolidating and clarifying wording across the board. Last week, the April update was released with not only new techniques but also a new tactic.
When I talk to folks about ATT&CK, I am referring to Enterprise ATT&CK. There is also PRE-ATT&CK, which discusses what an adversary is going to do in the planning-through-delivery stages of their campaign. Mapped to the Cyber Kill Chain, PRE-ATT&CK covers recon, weaponization, and delivery.
On the other hand, ATT&CK Enterprise covers exploit, control, execute, and maintain. The gap between delivery and exploit is the initial access gained on a machine.
In the April 2018 release, Initial Access is a new tactic that defines the attack vector that allowed the attacker into the environment. Previously, ATT&CK was all about what happens on the endpoints after the attacker is already in the environment; it didn’t cover how to block or detect the attacker gaining that access in the first place.
This is a great addition to the framework that is going to provide a lot of value to organizations leveraging ATT&CK.
Beyond the nine new techniques in the Initial Access tactic, 23 new techniques were also added across the framework. Having so much knowledge added to this repository is a huge step forward in enabling defenders. Much of what is added to ATT&CK is contributed by the public, while MITRE curates what gets added to make sure it is accurate, unique, and valuable to the framework.
I contributed to the January update and can attest to the level of scrutiny that ATT&CK provides.
If you haven’t already, go take a look at the Framework and begin to look at how it can be leveraged in your environment. If you want to start mapping your coverage, take a look at the ATT&CK Navigator. This tool, which you can also run on-premises, makes mapping ATT&CK techniques much easier than the old way of doing things in Excel.