There’s a good reason everyone’s talking about MITRE ATT&CK: it’s an objective, third-party standard with which organizations can measure their own detection coverage, as well as the coverage provided by EDR solutions. Still, even while you appreciate ATT&CK, it’s not always clear how you can use it to improve your own organizational security. In this article, I’ll lay out how you can use ATT&CK for the greatest effect.
It’s worth going over some basics: ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge, and MITRE has developed matrices for enterprise, cloud, and industrial control system (ICS) environments. A September 2020 study by UC Berkeley found that 81% of surveyed organizations employ at least one of the ATT&CK matrices—not a bad level of adoption for a framework introduced in 2015!
MITRE ATT&CK has replaced Lockheed Martin’s Cyber Kill Chain as the favored framework for understanding attacker behavior. Built using real-world observations, ATT&CK provides greater depth when describing attacker techniques, enabling red teams to reproduce the behavior of various threat groups (with tools such as ATT&CK Arsenal).
ATT&CK also encompasses the post-compromise lateral movement left out by the Cyber Kill Chain, making it useful when designing detection capabilities for attackers who have successfully penetrated perimeter defenses and insider threats who are misusing legitimate credentials.
“That’s cool,” you say. “But how can I apply MITRE ATT&CK in my organization?” The best practices described below will help you answer that question.
Hone your threat model with MITRE ATT&CK
You can use the framework to understand the modus operandi of the threat groups most likely to target your organization. ATT&CK is built from community contributions documenting the behavior of specific techniques observed in the field, such as exploits and malware used.
This information helps you understand how the threat groups targeting your industry behave and map out which detection capabilities to prioritize. Prioritization is key – after all, the exploits that matter most aren’t necessarily the ones with the highest CVSS score but the ones you are most likely to encounter in real life.
Each organization will have a different threat profile depending on the data it must protect, the regulations in its industry, and which threat groups target its line of business.
Evaluate vendor capabilities with ATT&CK
Once you understand the techniques that you need detection capabilities for, you can use ATT&CK to evaluate which vendor solutions are most appropriate for your organization. A quick note here: one vendor’s capabilities might not provide all the detection coverage you require. It’s up to you to decide whether there are other compensating controls you can put in place or whether you will need to purchase a complementary solution.
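The two steps above (weighting techniques by the groups that target your industry, then checking a vendor's coverage against that list) as an added Python example that is not part of the article. The group names, their technique mappings and the vendor coverage set are constructed for illustration; the technique IDs are real ATT&CK identifiers, but nothing here is a real attribution or a real vendor's claim.

```python
from collections import Counter

# Constructed, illustrative data: ATT&CK technique IDs each of three
# hypothetical groups has been observed using. These are NOT real
# attributions; in practice the group -> technique relationships come from
# the ATT&CK knowledge base or your own threat intelligence.
GROUP_TECHNIQUES = {
    "GROUP_A": {"T1566", "T1059", "T1003", "T1021", "T1486"},
    "GROUP_B": {"T1566", "T1059", "T1078", "T1053", "T1047"},
    "GROUP_C": {"T1190", "T1059", "T1003", "T1055", "T1021"},
}

# Constructed: technique IDs one candidate EDR vendor claims to detect.
VENDOR_COVERAGE = {"T1059", "T1003", "T1055", "T1053", "T1047"}


def prioritize_techniques(group_techniques, relevant_groups):
    """Weight each technique by how many of the groups that target your
    industry use it; techniques shared by every relevant group rank first."""
    weights = Counter()
    for group in relevant_groups:
        weights.update(group_techniques[group])
    # Descending weight, then technique ID, for a stable ranking.
    return sorted(weights.items(), key=lambda kv: (-kv[1], kv[0]))


def coverage_gaps(priorities, vendor_coverage):
    """Prioritized techniques the vendor does not cover, highest weight first:
    the list to plan compensating controls or a complementary product for."""
    return [(tech, w) for tech, w in priorities if tech not in vendor_coverage]


def weighted_coverage(priorities, vendor_coverage):
    """Fraction of total priority weight the vendor covers, 0.0 to 1.0."""
    total = sum(w for _, w in priorities)
    covered = sum(w for tech, w in priorities if tech in vendor_coverage)
    return covered / total if total else 0.0


if __name__ == "__main__":
    prio = prioritize_techniques(GROUP_TECHNIQUES, ["GROUP_A", "GROUP_C"])
    for tech, w in prio:
        status = "covered" if tech in VENDOR_COVERAGE else "GAP"
        print(f"{tech}  relevant groups: {w}  {status}")
    print(f"weighted coverage: {weighted_coverage(prio, VENDOR_COVERAGE):.0%}")
```

The same functions can be run once per shortlisted vendor to compare weighted coverage figures side by side, rather than comparing raw technique counts.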
MITRE makes mapping vendor capabilities easier with its annual evaluations. For the past three years, MITRE has invited EDR vendors to participate in tests demonstrating their detection capabilities. Each year, the behaviors of a different threat group are used as the test baseline.
- In 2018, the evaluations simulated the behavior of APT3, attributed to China’s Ministry of State Security.
- In 2019, the baseline was APT29, attributed to the offensive cybersecurity arm of the Russian government.
- In 2020, the evaluations looked at the behavior of Carbanak and FIN7, two financially motivated criminal groups that are known for targeting retail and financial services companies.
Thanks to the ATT&CK evaluations, security buyers can now measure the efficacy of EDR solutions using an objective, third-party framework. The evaluations put vendors on an even playing field and provide buyers with quantitative evaluation criteria that complement the more qualitative data found in analyst reports.
Map detections to ATT&CK to make analysts’ jobs easier
MITRE ATT&CK can also be used to speed up your analyst workflows, providing richer context around detections. For example, you should look for a platform that maps detection signals to the relevant tactic and technique so that analysts can quickly answer important questions such as “How are these behaviors related?” and “What is the potential severity of this attack?”
Time is an analyst’s most valuable commodity. Given at-a-glance context, analysts can more quickly determine whether an alert is legitimate and, if so, what needs to be done to stop the attack. Speeding up the detection triage workflow matters because analysts can then work through their queue faster and with greater confidence. And that’s your best shot at decreasing attacker dwell time.
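An added Python example, not from the article, of the kind of enrichment a platform can perform: each raw detection signal is tagged with its ATT&CK technique name and tactic, alerts for one host are grouped by tactic, and how far along the tactic sequence the activity has reached is used as a coarse severity signal. The technique table and the sample alerts are constructed; the severity thresholds are an assumption of this example, not an ATT&CK rule.

```python
# Constructed lookup: ATT&CK technique ID -> (name, tactic). Only a handful
# of entries appear here for illustration; some techniques map to several
# tactics in ATT&CK, and this table keeps one each for simplicity.
TECHNIQUES = {
    "T1566": ("Phishing", "initial-access"),
    "T1059": ("Command and Scripting Interpreter", "execution"),
    "T1003": ("OS Credential Dumping", "credential-access"),
    "T1021": ("Remote Services", "lateral-movement"),
    "T1041": ("Exfiltration Over C2 Channel", "exfiltration"),
}

# Enterprise tactics in kill-chain order. How far along this chain the
# observed techniques reach is used below as a coarse severity signal.
TACTIC_ORDER = ["initial-access", "execution", "persistence",
                "privilege-escalation", "defense-evasion", "credential-access",
                "discovery", "lateral-movement", "collection",
                "command-and-control", "exfiltration", "impact"]


def enrich(alert):
    """Attach technique name and tactic to a raw detection signal."""
    name, tactic = TECHNIQUES.get(alert["technique"], ("Unknown", "unknown"))
    return {**alert, "technique_name": name, "tactic": tactic}


def triage(alerts):
    """Group one host's alerts by tactic and rate how far the activity has
    progressed, so an analyst sees the chain rather than isolated alerts."""
    by_tactic = {}
    for a in map(enrich, alerts):
        by_tactic.setdefault(a["tactic"], []).append(a["technique"])
    stages = [TACTIC_ORDER.index(t) for t in by_tactic if t in TACTIC_ORDER]
    furthest = max(stages, default=-1)
    if furthest >= TACTIC_ORDER.index("lateral-movement"):
        severity = "high"      # activity has moved beyond the first host
    elif len(by_tactic) > 1:
        severity = "medium"    # several related stages seen on one host
    else:
        severity = "low"
    return {"tactics": by_tactic,
            "furthest_stage": TACTIC_ORDER[furthest] if furthest >= 0 else "unknown",
            "severity": severity}


# Constructed sample detection signals for one host, in arrival order.
SAMPLE_ALERTS = [
    {"host": "ws-17", "technique": "T1566", "detail": "macro document opened"},
    {"host": "ws-17", "technique": "T1059", "detail": "encoded PowerShell from winword"},
    {"host": "ws-17", "technique": "T1003", "detail": "lsass memory read"},
    {"host": "ws-17", "technique": "T1021", "detail": "admin-share logon to srv-02"},
]
```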
As MITRE ATT&CK gains more prominence in the cybersecurity industry, it’s important to know how to best put it to use in your organization. In this transparent standard, security leaders have a tool that can help them to better understand their threat profile, create a shortlist of appropriate EDR solutions, and supercharge their analyst workflows.