Authors: Zee Sayi, Eleanor Barlow, Aaron Hambleton, Deodatta Wandhekar, SecurityHQ
The MITRE ATT&CK framework is, in essence, a knowledge base of adversary tactics, techniques, and procedures (TTPs). These TTP’s are based on real-world observations, used by various threat actors, that have been made globally accessible to be used as the foundation for threat models and methodologies.
According to the MITRE website, the framework has a ‘mission to solve problems for a safer world, by bringing communities together to develop more effective security.’
It is important to highlight how innovative this framework is. It has shifted the balance with regards to cyber warfare and created a means of allowing security teams in all sectors, from anywhere around the world, to see the different stages of adversarial attack, and help raise awareness of the mechanisms which can be used by attackers to launch attacks.
Since the framework offers a more focused approach by listing the TTP’s throughout the kill chain lifecycle, this has allowed security teams to formulate a more targeted response. This, in turn, means that teams are working more collaboratively, to ensure that the security posture is as it should be. For instance, with this intel, teams can perform Penetration Testing exercises, consisting of Red, Blue and Purple Teams, to strengthen security by exposing weaknesses. These kinds of exercises help security teams protect their companies the right way, so that they are alert and resilient in ensuring no stone is unturned.
An example of the MITRE ATT&CK Framework being used in real life is shown below, where Aaron Hambleton, Security Monitoring & Incident Response Lead for SecurityHQ, used the MITRE ATT&CK navigator during a real world investigation to identify and track the most recent TTPs known to be used by APT34. For more on Advanced Persistent Threats, view this white paper.
How SecurityHQ Uses the MITRE Framework
According to Deodatta Wandhekar, Manager of Global SOC at SecurityHQ, ‘Traditionally, our SecurityOperation Centres (SOCs) work on alert investigations, which are typically one-to-one, derived from different security tools, and are mapped against MITRE. To truly leverage the MITRE Framework, we must constantly add custom anomaly-based use cases, which are then tagged and aligned with MITRE Tactics and Techniques, to improve the overall detection coverage. From the client’s perspective, the MITRE framework is used to demonstrate the detection coverage. This helps identify the security gaps and work on the necessary areas to initiate discussions to onboard a security technology to cover the gaps for better detection.’
The below graph highlights the coverage of different use cases which are currently active at SecurityHQ. This is a constantly evolving graph.
At SecurityHQ, we have further leveraged the MITRE Framework in a way to depict the true impact of a real security incident.
The below Snapshot shows a real-world security breach ticket, which demonstrates actual mapping of the different MITRE techniques seen over a given timeline. This provides the clients, and our IR leads, with a very powerful picture of the security incident.
The snapshot shows the collection of all related incidents and individual alerts. These may go as separate alerts, but essentially are artefacts from the same adversary, which are then grouped to provide a summarised timeline, with a view of attack events. This shows events that may have happened before the trigger point, or even after the trigger point.
How the Repository of Knowledge Can Benefit Business
Since its official release in May 2015, the MITRE ATT&CK framework has been talked about a lot in all industries. However, its use is often still underestimated, and many security teams are still playing catch up in updating their defences.
The framework offers an opportunity to stay current and informed on the latest tactics used by adversaries during cyber-attacks. The MITRE ATT&CK framework is industry agnostic, and the matrix contains information for the following platforms: Windows, macOS, Linux, PRE, Azure AD, Office 365, Google Workspace, SaaS, IaaS, Network and Containers.
We are living in the age of digital transformation, and it has never been more important to have cyber vigilance. Threats are lurking round every corner; the perimeter now extends beyond infrastructure to the user. Emphasising the importance on cyber vigilance.
Other Models and How to Use Them
There are other frameworks and models still in use today, such as the cyber kill chain, created by Lockheed Martin to help organisations trace the stages of a cyber-attack, starting with reconnaissance, and travelling all the way though to final actions, via weaponization, delivery, exploitation, installation, command, and control and actions on objective.
Another model commonly used is the Diamond Model, for intrusion analysis. This model covers four elements, including Adversary, Capability, Infrastructure and Victim, to portray every incident as a diamond, with each element linked.
However, the MITRE ATT&CK framework is the most widely adopted in the industry and used by industry experts, such as SentinelOne, across the globe. What’s more, it is free, and provides businesses with a fantastic source of information to strengthen their security posture.