Providing effective enterprise cybersecurity is a complicated and challenging undertaking. As such, business executives and cybersecurity teams need to utilize all their available resources to protect their IT systems from complex attacks.
Fortunately, the MITRE ATT&CK framework offers companies a free resource that can be used to develop stronger cybersecurity defenses. The framework is a valuable tool that helps cybersecurity teams secure business-critical systems and sensitive data assets.
This guide will provide an in-depth look at the MITRE ATT&CK framework and discuss how it can strengthen an organization’s cyber defenses.
The MITRE ATT&CK framework is a free and globally accessible knowledge base designed to assist cybersecurity personnel in tracking the tactics and techniques employed by threat actors.
By storing the methods used throughout the entire attack lifecycle, it’s not only an invaluable data repository but also an effective instrument for improving an organization’s security posture.
This adversary-centred perspective lets security professionals better understand the actions an attacker takes and which defenses those actions are trying to subvert.
In turn, this enables security teams to build defenses that are targeted at the specific techniques they are most likely to face.
MITRE is a chartered, nonprofit company founded in 1958 to provide engineering and technical guidance to the United States Air Force.
One of the first projects MITRE engaged in was working with the Federal Aviation Administration (FAA) to develop a means of managing air traffic control, creating the National Airspace System. MITRE has since been involved in numerous other projects related to air traffic safety.
In 1999, MITRE and other security organizations created the Common Vulnerabilities and Exposures (CVE) directory to help improve cyber defense.
This early work was a precursor to MITRE ATT&CK, developed in 2013. The MITRE ATT&CK knowledge base uses real-world observations to obtain information on the tactics and techniques used by threat actors.
The framework’s name is an acronym for the data it collects. The Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework was first released to the public in 2015 and is widely used today by many security teams to help safeguard against known and emerging threats.
MITRE ATT&CK initially focused on protecting Windows enterprise systems. Its scope has since been expanded, and the framework now addresses threats against Windows, macOS, Linux, mobile operating systems, and industrial control systems.
Three distinct versions of the MITRE ATT&CK framework are available to provide threat information and guidance for different IT environments. Each framework focuses on a specific IT system and its related devices.
The MITRE ATT&CK matrices are the framework’s central artifacts, and a separate matrix exists for each version. Each matrix presents the tactics and techniques threat actors use when attempting to compromise a particular IT environment or device.
Every matrix is organized the same way: one column per tactic (the adversary’s goal at that stage of the attack), with each column listing the techniques used to achieve that tactic. The number of techniques varies from column to column.
Clicking on a tactic or technique in the matrix opens a page with more detailed information about that item.
Next, we’ll examine all three matrices, focusing on the enterprise matrix. The threat information within this matrix affects the IT environment of virtually all organizations.
The enterprise MITRE ATT&CK matrix
The enterprise matrix describes the following 14 tactics and the techniques associated with each, as used by threat actors attempting to compromise on-premises and cloud computing environments. In many cases, a single technique supports more than one tactic and therefore appears in several columns.
The mobile MITRE ATT&CK matrix
The mobile matrix defines 12 tactics used to threaten the security of mobile devices. Each tactic has associated techniques that threat actors use to attack mobile devices and operating systems.
Except for reconnaissance and resource development, all tactics in the enterprise matrix also exist in the mobile matrix. Techniques may be modified to address the differences in attacking a mobile or enterprise IT environment.
The ICS MITRE ATT&CK matrix
The ICS MITRE ATT&CK matrix contains 12 tactics that threaten the industrial control systems responsible for the safe operation of essential infrastructure facilities. As with the other matrices, it details the techniques used by threat actors when employing these tactics. Three tactics deemed specific to ICS environments are included in the matrix.
Each of the three MITRE ATT&CK frameworks has associated data sources: subjects or topics of information that logs or sensors can collect. Each data source is further broken down into data components, which identify the specific properties or events of that data source that are relevant to detecting an ATT&CK technique.
MITRE ATT&CK defines 41 total data sources for the three frameworks. Some sources, such as application logs, are part of more than one framework. The following are examples of data sources related to each framework.
Data sources provide the raw information needed to identify the techniques defined in the ATT&CK matrices. Collecting the right data components lets a security team detect these techniques before they cause damage to the environment, and comparing the components it actually collects against those each technique requires shows where its detection coverage has gaps.
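The two ideas above, a matrix built by grouping techniques under every tactic they support and a coverage check that compares each technique’s data components with what the organization actually collects, can be worked through in a few lines. The example below is added here and is not code from MITRE or from the page’s author; the technique records are a constructed sample modelled on ATT&CK Enterprise entries (IDs, tactic assignments and data-component names as recalled by the example’s author and labelled as such in the code; verify them against the live knowledge base), and the list of collected components is an assumed inventory for a hypothetical organization.

```python
from collections import defaultdict

# Constructed sample of technique records modelled on ATT&CK Enterprise entries.
# The IDs, tactic assignments and data-component names are as the example author
# recalls them from the knowledge base; check them against the current release.
TECHNIQUES = [
    {"id": "T1078", "name": "Valid Accounts",
     "tactics": ["Initial Access", "Persistence", "Privilege Escalation", "Defense Evasion"],
     "data_components": ["Logon Session: Logon Session Creation",
                         "User Account: User Account Authentication"]},
    {"id": "T1098", "name": "Account Manipulation",
     "tactics": ["Persistence", "Privilege Escalation"],
     "data_components": ["User Account: User Account Modification",
                         "Active Directory: Active Directory Object Modification"]},
    {"id": "T1136", "name": "Create Account",
     "tactics": ["Persistence"],
     "data_components": ["User Account: User Account Creation",
                         "Process: Process Creation"]},
    {"id": "T1053", "name": "Scheduled Task/Job",
     "tactics": ["Execution", "Persistence", "Privilege Escalation"],
     "data_components": ["Scheduled Job: Scheduled Job Creation",
                         "Process: Process Creation"]},
]

# Assumed inventory of data components a hypothetical organization collects today.
COLLECTED_COMPONENTS = {
    "Process: Process Creation",
    "Logon Session: Logon Session Creation",
}


def build_matrix(techniques):
    """Group technique IDs under every tactic they support.

    This mirrors the matrix layout: one column per tactic, and a technique that
    serves several tactics appears in each of those columns.
    """
    matrix = defaultdict(list)
    for t in techniques:
        for tactic in t["tactics"]:
            matrix[tactic].append(t["id"])
    return dict(matrix)


def is_visible(technique, collected):
    """A technique is detectable only if at least one of its data components is collected."""
    return any(dc in collected for dc in technique["data_components"])


def coverage_by_tactic(techniques, collected):
    """Return {tactic: (techniques with a collected component, total techniques)}."""
    counts = defaultdict(lambda: [0, 0])
    for t in techniques:
        visible = is_visible(t, collected)
        for tactic in t["tactics"]:
            counts[tactic][1] += 1
            if visible:
                counts[tactic][0] += 1
    return {tactic: (v, n) for tactic, (v, n) in counts.items()}


def blind_spots(techniques, collected):
    """Technique IDs for which none of the required data components are collected."""
    return [t["id"] for t in techniques if not is_visible(t, collected)]


if __name__ == "__main__":
    for tactic, ids in build_matrix(TECHNIQUES).items():
        print(f"{tactic:20s} {', '.join(ids)}")
    for tactic, (v, n) in coverage_by_tactic(TECHNIQUES, COLLECTED_COMPONENTS).items():
        print(f"{tactic:20s} {v}/{n} techniques have a collected data component")
    print("no visibility into:", blind_spots(TECHNIQUES, COLLECTED_COMPONENTS))
```

With the assumed inventory, the script reports that Account Manipulation (T1098) is the one sampled technique the organization cannot see at all, because neither of its data components is collected; that is precisely the kind of gap the data-source mapping is meant to surface.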
Insider threats are one of the most pressing cybersecurity risks facing organizations today. Insider threats involve sophisticated tactics that are challenging to detect and prevent. SOCs and insider threat analysts must understand the technical mechanisms utilized by insiders and the controls that can mitigate these risks.
MITRE's Center for Threat-Informed Defense published the Insider Threat Tactics, Techniques, and Procedures (TTP) Knowledge Base to address this need. This comprehensive resource provides a central repository for aggregating and disseminating the tactics, techniques, and procedures insiders use across various organizations and sectors.
This knowledge is critical for insider threat analysts and SOCs in detecting, mitigating, and emulating insider actions on IT systems to prevent insider threats.
Contributors to this knowledge base are instrumental in establishing the first community-sourced, cross-sector, multi-organizational body of insider threat data inspired by MITRE ATT&CK®.
The Reveal Platform by Next aligns with the MITRE Insider Threat Knowledge Base in several important ways to provide an integrated solution to defend against insider threats.
Learn more about how Next aligns with the MITRE Insider Threat Knowledge Base in our recent article.
MITRE ATT&CK frameworks provide comprehensive sets of mitigations that address specific techniques defined in the matrices. The frameworks also provide guidance on detecting the techniques and tactics used by threat actors.
Mitigation and detection information is readily available directly from a matrix by clicking on a technique.
We will use the Enterprise Matrix and its Persistence tactic as an example of the information available from the framework. Clicking on Account Manipulation provides the following information.
After this preliminary information, the page provides examples of procedures that demonstrate the technique in action. These examples show the variety of ways a particular technique can be used to initiate a cyberattack. The general concepts displayed by these examples can help security teams identify similar issues in their environment.
The mitigations section follows the procedure examples. It lists multiple mitigation strategies, each linked to detailed guidance for security teams. Mitigations for account manipulation include implementing multi-factor authentication and user account management.
The detection section follows the mitigations and identifies the data sources and data components that help detect the technique. In this case, specific log messages and Windows event IDs are provided as starting points for investigations by security teams.
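To show how the detection guidance on a technique page turns into a concrete check, the example below triages a handful of Windows Security events for signs of account manipulation. It is added here and is not code from MITRE or from the page’s author. The event IDs used (4728, 4732 and 4756 for a member added to a security-enabled global, local or universal group; 4738 for a user account being changed) are standard Windows Security audit events; the event records themselves are a constructed sample with field names simplified from the event XML, and the list of privileged groups and of accounts authorised to make account changes is an assumption for a hypothetical environment.

```python
# Standard Windows Security audit event IDs relevant to account manipulation.
GROUP_ADD_EVENTS = {
    4728: "security-enabled global group",
    4732: "security-enabled local group",
    4756: "security-enabled universal group",
}
ACCOUNT_CHANGED_EVENT = 4738  # "A user account was changed."

# Assumptions for a hypothetical environment: groups that grant elevated rights,
# and the only accounts (people or IAM service accounts) that should be making
# account or group changes in normal operation.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
AUTHORIZED_CHANGERS = {"svc_iam", "alice.admin"}

# Constructed sample events; field names simplified from the Windows event XML.
SAMPLE_EVENTS = [
    {"EventID": 4728, "TimeCreated": "2024-05-01T09:02:11Z", "SubjectUserName": "svc_iam",
     "TargetUserName": "Sales Users", "MemberName": "CN=bob,OU=Users,DC=corp,DC=example"},
    {"EventID": 4732, "TimeCreated": "2024-05-01T23:41:05Z", "SubjectUserName": "jdoe",
     "TargetUserName": "Administrators", "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example"},
    {"EventID": 4738, "TimeCreated": "2024-05-02T08:15:40Z", "SubjectUserName": "svc_iam",
     "TargetUserName": "carol"},
    {"EventID": 4738, "TimeCreated": "2024-05-02T22:03:19Z", "SubjectUserName": "jdoe",
     "TargetUserName": "jdoe"},
    {"EventID": 4624, "TimeCreated": "2024-05-02T22:04:00Z", "SubjectUserName": "-",
     "TargetUserName": "jdoe"},  # logon event, not an account-manipulation indicator
]


def triage_account_events(events, privileged_groups=PRIVILEGED_GROUPS,
                          authorized=AUTHORIZED_CHANGERS):
    """Return findings for events that match the account-manipulation patterns.

    Severity rules (an assumption of this example, not MITRE guidance):
      high   - a member was added to a privileged group, by anyone
      medium - a group membership or account change was made by an account
               that is not on the authorised-changer list
    """
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        actor = ev.get("SubjectUserName")
        if eid in GROUP_ADD_EVENTS:
            group = ev.get("TargetUserName")
            if group in privileged_groups:
                severity = "high"
            elif actor not in authorized:
                severity = "medium"
            else:
                continue  # routine change by an authorised account
            findings.append({
                "severity": severity, "event_id": eid, "time": ev.get("TimeCreated"),
                "actor": actor, "group": group, "member": ev.get("MemberName"),
                "reason": f"member added to {GROUP_ADD_EVENTS[eid]} '{group}'",
            })
        elif eid == ACCOUNT_CHANGED_EVENT and actor not in authorized:
            findings.append({
                "severity": "medium", "event_id": eid, "time": ev.get("TimeCreated"),
                "actor": actor, "target": ev.get("TargetUserName"),
                "reason": "account changed by an account outside the authorised-changer list",
            })
    return findings


if __name__ == "__main__":
    for f in triage_account_events(SAMPLE_EVENTS):
        print(f"[{f['severity']:6s}] {f['time']} {f['event_id']} {f['actor']}: {f['reason']}")
```

The rules deliberately stay simple: a privileged-group addition is always worth a look, and any change by an account outside the authorised list is worth a second one. In a real deployment the authorised list would come from the change-management system rather than a constant, and the events would be read from the SIEM rather than an inline list.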
Organizations can use the MITRE ATT&CK framework to assess and test their cybersecurity defenses. The following are ways a company can use the framework to improve cybersecurity.
Organizations should consider the following benefits and potential drawbacks when deciding to use the MITRE ATT&CK framework to improve their cybersecurity posture. Using the framework provides benefits that include:
Several issues can impact the ability of an organization to use the MITRE ATT&CK framework effectively.
A data loss prevention (DLP) software solution is a critical component of a comprehensive cybersecurity posture. A DLP platform can be instrumental in preventing the methods described in the MITRE ATT&CK framework that put valuable enterprise data resources at risk.
The Reveal Platform by Next protects a company from deliberate or accidental data breaches by automatically enforcing an organization’s data handling policy and ensuring that threat actors cannot cause damage by misusing sensitive enterprise data.
To see how Reveal can help protect your organization’s sensitive data resources, talk to the data loss prevention experts at Next DLP, and book a demo to learn more.
The MITRE ATT&CK framework offers organizations a practical tool for understanding the risks threat actors pose to their IT environments. The MITRE ATT&CK matrices consolidate threat intelligence and present it in an organized way that can be used efficiently by cybersecurity teams and personnel.
Companies that want to enhance their cybersecurity posture should learn how to use the MITRE ATT&CK framework to address the wide range of threats that can impact their businesses.
The MITRE Corporation offers free training materials to help cybersecurity professionals understand the ATT&CK framework and use it effectively. Five training modules are available that consist of videos and associated exercises.
The training regimen takes approximately four hours to complete and provides users with an overview of the framework, along with examples of how to use it to improve a company’s cybersecurity.
The following steps enable the data available from the MITRE ATT&CK framework to be used in CTI reports.
The diversity of threat actor tactics and techniques consolidated in the framework provides security teams with an excellent foundation for addressing future attacks and understanding how successful attacks have been conducted.
Efficient use of this foundation allows an organization to strengthen cyber defenses and address vulnerabilities that have been exploited before they can cause further damage to the IT environment.