MITRE ATT&CK stands for MITRE Adversarial Tactics, Techniques and Common Knowledge. It’s a curated knowledge base of adversarial behavior based on real-world observation of APT campaigns.
The original impetus for the project was to answer the question, “How are we doing at detecting documented adversary behavior?” MITRE ATT&CK v1 was released in 2015, and since then, it has seen rapid growth and adoption across multiple domains such as risk management, threat intelligence, incident response and threat hunting, secure configuration and security engineering, among others.
The core of ATT&CK, adversary behavior, is structured as a taxonomy of tactics, techniques and sub-techniques; other objects such as software, APT groups and mitigations are linked to those behaviors and to each other. Techniques and sub-techniques are abstracted from the actual procedures adversaries have been observed using, and each carries a stable identifier (T1059 for Command and Scripting Interpreter, T1059.001 for its PowerShell sub-technique) that can be referenced across tools and reports. Tactics classify the adversary's objective in using a technique, much like the phases of a kill chain but without the assumption that an intrusion moves through them in linear order. Together these provide a common vocabulary for categorizing specific attacking or defending behavior.
However, because ATT&CK is abstracted from specific procedures, it may not be immediately clear how to use the framework in a practical way. This is an issue that affects all taxonomies, classifications and ontologies. On their own, they don’t do much.
So, here are five things you can do with ATT&CK.
Map Defensive Controls to ATT&CK
A mapping between defensive controls and ATT&CK (for example, the Center for Threat-Informed Defense's mapping of NIST SP 800-53 controls to ATT&CK techniques) gives an organization a way to assess its security controls against classes of adversary behavior rather than against a checklist alone: for each technique of concern, which implemented controls address it, and which techniques are addressed by no control at all.
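The following is an added example, not code from the article or from MITRE or the Center for Threat-Informed Defense, showing what such a mapping lets you compute: which implemented controls address each technique, which techniques of concern have no control, and an ATT&CK Navigator layer that colors the matrix by control count. The control-to-technique table and the list of techniques of concern are constructed for illustration (the real CTID mapping would be loaded from its published files); the technique IDs are real ATT&CK Enterprise IDs, and the layer follows the public Navigator layer format.

```python
"""Map implemented security controls to ATT&CK techniques and report coverage gaps.

Added example for this article; it is not Tripwire's or MITRE's code. The
control-to-technique table below is constructed for illustration and is NOT the
Center for Threat-Informed Defense mapping (you would load that from its published
files instead). Technique IDs are real ATT&CK Enterprise IDs; the output follows the
public ATT&CK Navigator layer format so the result can be visualised on the matrix.
"""
import json

# Constructed sample: NIST SP 800-53 control -> techniques it is assumed to address.
CONTROL_TO_TECHNIQUES = {
    "AC-2": ["T1078", "T1136"],               # Account Management
    "CM-7": ["T1059", "T1059.001", "T1204"],  # Least Functionality
    "SI-3": ["T1204", "T1566"],               # Malicious Code Protection
    "IA-2": ["T1078", "T1110"],               # Identification and Authentication
}

# Constructed sample: techniques a threat profile says matter to this organisation.
TECHNIQUES_OF_CONCERN = ["T1078", "T1059.001", "T1566", "T1021", "T1003", "T1110"]


def parent_technique(technique_id):
    """'T1059.001' -> 'T1059'; a parent technique ID is returned unchanged."""
    return technique_id.split(".")[0]


def technique_coverage(controls_implemented, control_map=CONTROL_TO_TECHNIQUES):
    """Return {technique_id: sorted list of implemented controls that address it}."""
    coverage = {}
    for control in controls_implemented:
        for technique in control_map.get(control, []):
            coverage.setdefault(technique, set()).add(control)
    return {t: sorted(c) for t, c in coverage.items()}


def coverage_gaps(controls_implemented, techniques_of_concern=TECHNIQUES_OF_CONCERN,
                  control_map=CONTROL_TO_TECHNIQUES):
    """Techniques of concern that no implemented control addresses.

    Design choice: a control mapped to a parent technique is taken to cover its
    sub-techniques, so T1059.003 counts as covered when T1059 is covered."""
    covered = technique_coverage(controls_implemented, control_map)
    return [t for t in techniques_of_concern
            if t not in covered and parent_technique(t) not in covered]


def navigator_layer(controls_implemented, name="Control coverage",
                    control_map=CONTROL_TO_TECHNIQUES):
    """Build an ATT&CK Navigator layer; score = number of controls addressing each technique."""
    covered = technique_coverage(controls_implemented, control_map)
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Score is the number of implemented controls mapped to the technique",
        "techniques": [
            {"techniqueID": t, "score": len(c), "comment": ", ".join(c)}
            for t, c in sorted(covered.items())
        ],
        "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 3},
    }


if __name__ == "__main__":
    implemented = ["AC-2", "CM-7"]
    print("gaps:", coverage_gaps(implemented))
    print(json.dumps(navigator_layer(implemented), indent=2))
```

With only AC-2 and CM-7 implemented, the gap list names T1566, T1021, T1003 and T1110 as techniques of concern with no mitigating control; the emitted JSON can be opened in the ATT&CK Navigator to see the same result on the matrix. Treating a parent-level control as covering sub-techniques is a judgment call; tighten it if your mappings are authored at the sub-technique level.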
Drive Threat Intelligence
According to Sergio Caltagirone, threat intelligence is “actionable knowledge and insight on adversaries and their malicious activities enabling defenders and their organizations to reduce harm through better security decision-making.” The practice of producing threat intelligence is answering the who, what, when, where, why and how questions of adversaries that may be targeting your organization. The ATT&CK framework nicely organizes answers to the “how” question.
Threat Hunting & Incident Response
Threat hunting and incident response are both active defense activities: hunting proactively searches for evidence of a hypothesized intrusion, while incident response identifies, scopes and contains one that has been confirmed. Neither is effective without proper preparation, planning and tools. The ATT&CK framework supports both by providing a library of structured information that gives defenders a map of the space of adversary behavior: which techniques to hypothesize, the data sources in which each is typically visible, and therefore what to look for in their systems.
Adversary Playbooks
A playbook is an attempt to capture all the tactics, techniques and procedures (TTPs) an adversary uses in a logical sequence or structure. Blue, red and purple teams can use one, for example, to emulate the steps of an adversary's attack. And while a single playbook is useful for testing an organization's defenses, the real value of playbooks shines when they serve as a data sharing mechanism. So, ideally, playbooks should be written in an interoperable format, and the ATT&CK framework supports that goal with structured data, a controlled vocabulary and a high adoption rate.
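As an added example that ties the hunting and playbook points together (it is not code from the article or from Tripwire), the block below expresses a playbook as an ordered list of ATT&CK-tagged steps, runs a few hunt rules that are each tagged with the technique they look for over sample process-creation events, and then reports which playbook steps the current detections would have caught. The playbook, the rules and the events are all constructed for illustration; the technique IDs and tactic names are real ATT&CK Enterprise identifiers, and the rule logic is deliberately simple.

```python
"""Check an ATT&CK-structured playbook against hunt rules run over sample telemetry.

Added example for this article; not Tripwire's code. The playbook, detection rules
and events are constructed for illustration. Technique IDs and tactic names are real
ATT&CK Enterprise identifiers; the matching logic is intentionally simple.
"""
import re

# Constructed playbook: ordered steps an emulation team will execute, tagged with ATT&CK.
PLAYBOOK = [
    {"step": 1, "tactic": "initial-access", "technique": "T1566.001",
     "procedure": "Spearphishing attachment carrying a macro"},
    {"step": 2, "tactic": "execution", "technique": "T1059.001",
     "procedure": "powershell -enc <base64> stage-one downloader"},
    {"step": 3, "tactic": "persistence", "technique": "T1053.005",
     "procedure": "schtasks /create for the stage-two binary"},
    {"step": 4, "tactic": "credential-access", "technique": "T1003.001",
     "procedure": "LSASS memory dump with procdump"},
    {"step": 5, "tactic": "lateral-movement", "technique": "T1021.002",
     "procedure": "Copy tooling over an SMB admin share"},
]

# Constructed process-creation events (Sysmon Event ID 1 style), as a hunt team might export them.
# The base64 fragment is truncated sample data.
EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA..."},
    {"host": "ws01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn Updater /tr "C:\\Users\\Public\\u.exe" /sc onlogon'},
    {"host": "ws01", "image": r"C:\Tools\procdump64.exe",
     "cmdline": "procdump64.exe -accepteula -ma lsass.exe C:\\Users\\Public\\l.dmp"},
    {"host": "ws02", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]

# Constructed hunt rules, each tagged with the technique it looks for (as Sigma rules tag
# `attack.t1059.001`). Hypothetical logic, not a vendor's detection content.
RULES = [
    {"name": "Encoded PowerShell command line", "technique": "T1059.001",
     "match": lambda e: (e["image"].lower().endswith("powershell.exe")
                         and re.search(r"(?i)\s-(e|ec|en|enc|encodedcommand)\s",
                                       e["cmdline"]) is not None)},
    {"name": "Scheduled task creation via schtasks", "technique": "T1053.005",
     "match": lambda e: (e["image"].lower().endswith("schtasks.exe")
                         and "/create" in e["cmdline"].lower())},
    {"name": "LSASS memory access via procdump", "technique": "T1003.001",
     "match": lambda e: ("procdump" in e["image"].lower()
                         and "lsass" in e["cmdline"].lower())},
]


def hunt(events, rules=RULES):
    """Run every rule over every event; return findings tagged with the ATT&CK technique."""
    return [{"host": e["host"], "rule": r["name"], "technique": r["technique"]}
            for e in events for r in rules if r["match"](e)]


def playbook_detection_report(playbook, events, rules=RULES):
    """For each playbook step, record whether any rule fired for that step's technique."""
    seen = {f["technique"] for f in hunt(events, rules)}
    return [{"step": s["step"], "tactic": s["tactic"], "technique": s["technique"],
             "detected": s["technique"] in seen} for s in playbook]


def detection_gaps(playbook, events, rules=RULES):
    """Playbook techniques that produced no finding: the detection gaps to prioritise."""
    return [r["technique"] for r in playbook_detection_report(playbook, events, rules)
            if not r["detected"]]


if __name__ == "__main__":
    for row in playbook_detection_report(PLAYBOOK, EVENTS):
        print(row)
    print("gaps:", detection_gaps(PLAYBOOK, EVENTS))
```

On the sample data the execution, persistence and credential-access steps fire a rule, while T1566.001 and T1021.002 do not, which is the useful output: process-creation telemetry alone cannot see a phishing attachment arriving or an SMB file copy, so those two steps point at the data sources and rules the hunt team still needs. Because every step, rule and finding carries a technique ID, the same report can be exchanged with another team or loaded into a Navigator layer without renegotiating terminology.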
Training and Education
Of course, any library of structured information is useful for teaching. The ATT&CK framework and its structured information can be used to train internal employees, cybersecurity students and anyone else interested in the tactics and techniques that cyber adversaries use, as well as the mitigation strategies that counter them.
Tripwire Tips and Tricks
Join me for the Tripwire Tips and Tricks webinar series where we will look at the MITRE ATT&CK framework and discuss what you can do with it. Register here: https://info.tripwire.com/register-tripwire-tips-and-tricks-mitre-attck/.