Anyone who watched the old police detective TV shows will recall the classic scene in which a crime victim or witness sits at a station desk leafing through large binders of mug shots. Detectives do this because certain types of crime keep being committed by the same criminals. Movies likewise show the FBI or Interpol searching a criminal database after a large jewelry or bank heist for earlier thefts that used the same tactics, because criminals tend to reuse a methodology once it proves successful. The same principle underlies the MITRE ATT&CK Framework that is widely used by security teams, threat hunters and security operations centers (SOCs).
What is the MITRE ATT&CK Framework?
Like the criminal database in the analogy, the framework is essentially a large, categorized catalog of attack techniques that have been observed in real intrusions and that a threat actor might use to breach your systems. For instance, known ransomware groups tend to repeat the same maneuvers from one attack to the next. Security teams use the framework to understand how attackers are likely to infiltrate their network and to plan countermeasures against those specific techniques. It is not a replacement for NIST or similar security frameworks, nor does it serve as any type of incident response plan.
The acronym ATT&CK stands for Adversarial Tactics, Techniques & Common Knowledge. This globally accessible knowledge base of adversary techniques is based on real-world observations and provides a standardized, structured vocabulary for describing and categorizing the methods used by hackers and criminal organizations: each tactic is a goal the adversary is pursuing (initial access or credential access, for example), and each technique, or sub-technique, is a concrete way of achieving it. Imagine the confidence a general would have going into battle after previewing the enemy's attack plans.
Who Manages the Database?
The MITRE Corporation is a non-profit organization, established in 1958, that operates federally funded research and development centers in the United States. MITRE started ATT&CK in 2013 as a way to document the common tactics, techniques and procedures (TTPs) used against Windows enterprise networks, and its published Windows matrix still tracks the techniques seen on Windows devices today. The framework has since grown to cover other operating systems and technologies: the Enterprise matrix now spans Windows, macOS, Linux and cloud platforms, the Mobile matrix covers techniques used against Android and iOS devices, and a separate ICS matrix covers industrial control systems. MITRE keeps the matrices current through internal research, community contributions and industry collaboration, and publishes the same data in machine-readable STIX form so that tools can consume it directly.
How MITRE Is Different From Other Well-Known Frameworks
While the MITRE ATT&CK and NIST frameworks share the goal of helping organizations defend themselves against cyber threats, they take different approaches. The NIST Cybersecurity Framework is designed to help organizations identify, assess and manage cybersecurity risk across their IT estate, organized around its core functions (Govern, Identify, Protect, Detect, Respond and Recover). MITRE ATT&CK focuses specifically on identifying and categorizing the tactics and techniques that attackers actually use. Where NIST is centered on the assessment and management of risk, ATT&CK is centered on attack methodologies, so the two work hand in hand: NIST tells you what outcomes your program needs, and ATT&CK tells you what behaviors your controls need to stop or detect.
Some compare ATT&CK with the Lockheed Martin Cyber Kill Chain, but the two are quite different. ATT&CK's matrix catalogs the tactics and techniques an attacker may use at each stage of an intrusion, whereas the Kill Chain is a linear, seven-stage model (reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives) that describes the chronological progression of an attack and suggests where each stage can be detected and disrupted. The Kill Chain remains useful to professional security teams for framing an attacker's progression, but it is considered too high-level for most organizations to act on directly and is regarded as somewhat dated.
Benefits of the MITRE ATT&CK Framework
While the MITRE ATT&CK Framework is of benefit to any security-minded organization, it is often referred to as a force multiplier for small businesses. Small businesses and organizations that do not have the time or resources necessary to develop their own frameworks can leverage the existing knowledge base of MITRE’s framework to learn about the tactics an attacker might take against their network, thus increasing their awareness of how vulnerable they might be. In addition to increased awareness, the framework also aids in three other areas.
- Risk Assessment: Because MITRE keeps the matrices current, they can be used to assess an organization's security posture and to identify the weaknesses an attacker might exploit. Mapping your existing detections and controls onto the matrix exposes the techniques you have no visibility into, which helps an organization prioritize its security investment and resource allocation and demonstrate due care.
- Defensive Strategy: Knowing the techniques your likely adversaries use tells you what you must defend against. This helps organizations choose the right set of security controls and decide how best to deploy them to reduce the risk of a successful attack.
- Compliance: Any organization that must meet regulatory requirements or security standards can use the framework's guidance to show that its controls address the techniques adversaries actually use, although ATT&CK itself does not define compliance obligations.
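The risk-assessment and defensive-strategy points above come down to one concrete exercise: lay your detections over the matrix and see which tactics have no coverage. The following is an added example (not CYREBRO's or MITRE's code) of that exercise in Python. The bundle is a hand-constructed excerpt in the shape of MITRE's ATT&CK STIX data (attack-pattern objects carrying an external_id and kill_chain_phases); the technique IDs in it are real ATT&CK IDs, but the objects are trimmed to the fields used here, and a real run would load the full enterprise-attack.json that MITRE publishes. The detection rules are also constructed, tagged in the Sigma convention (attack.tNNNN or attack.tNNNN.NNN) that many SOCs already use.

```python
"""Map detection coverage onto an ATT&CK tactic/technique matrix.

Added example, not code from the page's author or from MITRE. The bundle
below is a constructed excerpt in the shape of MITRE's ATT&CK STIX data;
the technique IDs are real ATT&CK IDs, everything else is trimmed.
"""
import re
from collections import defaultdict

# Constructed excerpt (assumption: a real run loads enterprise-attack.json
# from MITRE's attack-stix-data repository instead of this literal).
ATTACK_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "attack-pattern", "name": "Phishing",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}]},
        {"type": "attack-pattern", "name": "Command and Scripting Interpreter",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}]},
        {"type": "attack-pattern", "name": "PowerShell", "x_mitre_is_subtechnique": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}]},
        {"type": "attack-pattern", "name": "OS Credential Dumping",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1003"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}]},
        {"type": "attack-pattern", "name": "Remote Services",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1021"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "lateral-movement"}]},
        {"type": "attack-pattern", "name": "Data Encrypted for Impact",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1486"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "impact"}]},
        # The real data keeps revoked objects (T1086 was superseded by T1059.001);
        # they must be skipped or they inflate the matrix.
        {"type": "attack-pattern", "name": "PowerShell", "revoked": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1086"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}]},
    ],
}

# Constructed detection rules, tagged the way Sigma rules tag ATT&CK techniques.
DETECTION_RULES = [
    {"title": "Encoded PowerShell command line", "tags": ["attack.execution", "attack.t1059.001"]},
    {"title": "LSASS memory access", "tags": ["attack.credential_access", "attack.t1003"]},
]

TECH_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)


def technique_index(bundle):
    """Return {technique_id: {"name", "tactics"}} from the attack-pattern objects,
    skipping revoked and deprecated entries."""
    index = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        ext_id = next((r["external_id"] for r in obj.get("external_references", [])
                       if r.get("source_name") == "mitre-attack"), None)
        if ext_id is None:
            continue
        tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                   if p.get("kill_chain_name") == "mitre-attack"]
        index[ext_id] = {"name": obj["name"], "tactics": tactics}
    return index


def matrix(index):
    """tactic -> sorted top-level technique IDs (sub-techniques roll up to their parent)."""
    by_tactic = defaultdict(set)
    for tid, info in index.items():
        for tactic in info["tactics"]:
            by_tactic[tactic].add(tid.split(".")[0])
    return {tactic: sorted(ids) for tactic, ids in by_tactic.items()}


def detected_techniques(rules):
    """Technique IDs claimed by the rules' tags; a sub-technique tag also counts as
    (partial) coverage of its parent technique."""
    found = set()
    for rule in rules:
        for tag in rule.get("tags", []):
            m = TECH_TAG.match(tag)
            if m:
                tid = m.group(1).upper()
                found.update({tid, tid.split(".")[0]})
    return found


def coverage_gaps(index, rules):
    """tactic -> {"covered": [...], "gaps": [...]} over top-level techniques."""
    seen = detected_techniques(rules)
    return {tactic: {"covered": [t for t in techs if t in seen],
                     "gaps": [t for t in techs if t not in seen]}
            for tactic, techs in matrix(index).items()}


if __name__ == "__main__":
    report = coverage_gaps(technique_index(ATTACK_BUNDLE), DETECTION_RULES)
    for tactic in sorted(report):
        print(f"{tactic:18} covered={report[tactic]['covered']} gaps={report[tactic]['gaps']}")
```

Run against the constructed data, the report shows execution and credential-access covered and initial-access, lateral-movement and impact with no detections at all, which is exactly the prioritization signal the risk-assessment point describes. Two design choices matter when you run this on the real data: revoked and deprecated objects are filtered out so stale IDs do not count as gaps, and a rule tagged with a sub-technique is credited to the parent technique as well, which is optimistic; if you want a stricter view, track sub-techniques separately rather than rolling them up.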
Why CYREBRO Uses the MITRE ATT&CK Framework
Because we serve customers across many industry verticals, we only adopt security frameworks that apply to every enterprise and are robust enough to keep all of our customers secure. Wherever your business is located, cyberattacks can originate from anywhere in the world, and the size of the MITRE ATT&CK community gives us confidence in the relevance of its guidance. We value MITRE's commitment to keeping the framework as current as possible, because we know how quickly things change in cybersecurity as threat actors keep looking for new exploitable avenues. We also agree with MITRE's focus on adversaries, because they are the ones devising the attack strategies. Much of effective defense comes down to keeping abreast of what the adversaries are actually doing.
Given the rapid growth of the threat landscape in recent years, the MITRE ATT&CK Framework is a valuable resource that improves the defender's odds in the event of a cyberattack. A sports team cannot beat its rivals without a game plan, and a business cannot properly defend against unknown adversaries operating quietly on the dark web and elsewhere without a battle plan of its own. Cybersecurity is a game of cat and mouse, and you do not want to be the mouse. With the MITRE ATT&CK Framework in hand, you have the intelligence to anticipate the adversary's next move before it is made.