The cybersecurity industry has embraced MITRE ATT&CK for good reason: it provides security leaders and practitioners an objective, third-party standard with which to evaluate their own detection coverage and EDR solutions. But even while they recognize the value, many organizations are unsure about what specific steps they should take to fully benefit from MITRE ATT&CK.
First, we should cover a few basics about the MITRE ATT&CK framework. Introduced in 2015, MITRE ATT&CK provides a structure for understanding attacker behavior. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge—it standardizes descriptions of attacker behavior. MITRE maintains separate ATT&CK matrices for enterprise, cloud, and industrial control system (ICS) environments. According to a September 2020 study by UC Berkeley, 81% of surveyed organizations use at least one of the ATT&CK matrices.
ATT&CK went beyond the Cyber Kill Chain trademarked by Lockheed Martin in 2011. The key advantage of ATT&CK is that it describes the techniques used by attackers as they progress through an attack, enabling red teams to reproduce attack behavior seen by various threat groups and enabling blue teams to test their detection coverage for these behaviors.
Another key difference between ATT&CK and the Cyber Kill Chain is that ATT&CK focuses more on the post-compromise lateral movement of an attacker who has already penetrated perimeter defenses. This makes ATT&CK more suitable for designing defenses against both outside attackers that have succeeded in stealing legitimate credentials and insider threats.
Here are the best practices in applying ATT&CK to your organizational security.
1. Use ATT&CK to better understand your threat model, in particular how specific threat groups are likely to go about penetrating your organization. ATT&CK documents how various threat groups conduct their operations, cataloging the specific techniques they've been observed using in the field. This information is driven by community contributions and allows users to understand how these techniques are executed by various malware and exploits.
Based on your unique organizational profile, you can prioritize your detection efforts. Prioritization is important because organizations have limited resources and need to know where to focus. Each organization’s risk profile will be different based on their environment, the data they must protect, the industry regulations they are subject to, and the threat groups that are targeting them. For example, a financial services group would be able to see which threat groups target businesses like them, and then understand the techniques they need to prioritize for detection.
2. Use ATT&CK to evaluate vendor capabilities. After you’ve built your threat model, you can then use the ATT&CK framework to compare your organization’s detection requirements against the capabilities of various vendors. MITRE facilitates this comparison with its ATT&CK evaluations.
For each of the past three years, MITRE has invited security vendors to participate in an evaluation to see what attack behaviors they can detect, and at what level of detail. Each year, MITRE uses the techniques favored by different attack groups. For the 2020 evaluations, MITRE is comparing vendor detection capabilities for the FIN7 and Carbanak threat groups, which primarily target retail and financial services providers.
You can measure the efficacy of any EDR solution you’re considering with these evaluations. They put vendors on an even playing field, and give decision makers a quantitative alternative to complement the more qualitative analyst reports.
One vendor’s capabilities may not provide sufficient detection coverage for your organization’s risk profile. In that case, you will need to decide whether to purchase complementary solutions or develop other compensating controls.
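The two steps above (build the threat model from the groups that target you, then hold a vendor's coverage up against it) can be expressed as a small script. The following is an added example, not code from the article or from MITRE: the technique IDs are real ATT&CK identifiers, but the group-to-technique mappings and the vendor coverage levels are constructed sample data, not MITRE's data or any evaluation result.

```python
"""Prioritise ATT&CK techniques from a threat model, then find detection gaps.

Group-to-technique mappings and vendor coverage below are CONSTRUCTED for
illustration; only the technique IDs are real ATT&CK identifiers.
"""
from collections import Counter

# Constructed: techniques each group is assumed to use for this example.
GROUP_TECHNIQUES = {
    "FIN7":     {"T1566", "T1059", "T1003", "T1021", "T1055"},
    "Carbanak": {"T1566", "T1003", "T1021", "T1078"},
    "OtherGrp": {"T1190", "T1105", "T1059"},  # hypothetical group not in our model
}

# Constructed vendor result, in evaluation-style detection levels.
VENDOR_COVERAGE = {
    "T1566": "technique",   # Phishing
    "T1003": "telemetry",   # OS Credential Dumping: raw events only, no alert
    "T1059": "technique",   # Command and Scripting Interpreter
    "T1055": "general",     # Process Injection
    "T1078": "telemetry",   # Valid Accounts
    # T1021 (Remote Services) absent: treated as "none"
}

# Higher rank means richer context for the analyst.
LEVEL_RANK = {"none": 0, "telemetry": 1, "general": 2, "technique": 3}


def prioritize_techniques(targeting_groups):
    """Rank techniques by how many groups in our threat model use them."""
    counts = Counter()
    for group in targeting_groups:
        counts.update(GROUP_TECHNIQUES[group])
    # Most-shared techniques first; tie-break on ID so output is deterministic.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def coverage_gaps(priorities, vendor_coverage, min_level="general"):
    """Return (technique, group_count, level) where coverage is below min_level."""
    needed = LEVEL_RANK[min_level]
    gaps = []
    for tid, count in priorities:
        level = vendor_coverage.get(tid, "none")
        if LEVEL_RANK[level] < needed:
            gaps.append((tid, count, level))
    return gaps


if __name__ == "__main__":
    # A financial-services profile: FIN7 and Carbanak target businesses like us.
    ranked = prioritize_techniques(["FIN7", "Carbanak"])
    for tid, count, level in coverage_gaps(ranked, VENDOR_COVERAGE):
        print(f"{tid}: used by {count} group(s), vendor coverage = {level}")
```

Techniques that come back as gaps are the ones where you must decide between a complementary product and a compensating control.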
3. Use ATT&CK to make your security analysts’ jobs easier. By incorporating ATT&CK into your detection workflow, you can give your security analysts more context around detections. If your detection product maps alerts to the ATT&CK framework, analysts can easily understand the progression and potential severity of an attack. This is incredibly important because time is an analyst’s most valuable commodity. More context saves them time in deciding whether an alert is legitimate, and if deemed legitimate, context also helps the analyst understand the severity and scope of the attack.
MITRE ATT&CK represents an important step forward in transparency for the cybersecurity industry. Security leaders and practitioners should take advantage of this trusted standard to understand their threat profile, evaluate EDR solutions, and equip analysts with the context needed to make faster, more accurate decisions.